April 18, 2025 • 31 mins
Funding Expires for Key Cyber Vulnerability Database
Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So I'm in home depot this morning and some little
kid called me an old fart.

Speaker 2 (00:05):
What.

Speaker 1 (00:05):
Yeah, So if you're missing your kid, look for the
red LG dryer in aisle fifteen. Hey, welcome to Security
This Week. I'm Carl. That's Dwayne and Patrick. I hope
you're having a great week as we are, because life

(00:25):
is wonderful, isn't life good? Speaking of the LG dryer,
life is good.

Speaker 3 (00:31):
Unless you're in an LG. Are you reading the logo
while you jammed that child in there?

Speaker 1 (00:35):
Yeah? I was.

Speaker 2 (00:37):
Now he was thinking how roomy this is and then
he's like, oh LG Okay.

Speaker 4 (00:43):
It was gonna buy it, but it does get it
and that would be illegal. Yes, Dwayne, what's going on?

Speaker 2 (00:52):
So?

Speaker 3 (00:52):
Yeah, So speaking speaking of children traveling places in LGs apparently,
So you guys all know, I mentor robotics team 2342,
Team Phoenix. So this
year they actually they made it to Worlds. They're down
in Houston this week, which is awesome. Competing, hey, which
is fantastic, man. But you know what else is really

(01:12):
cool is there did take you?

Speaker 2 (01:14):
I know?

Speaker 1 (01:15):
Right?

Speaker 2 (01:16):
My food boss is a slave driver.

Speaker 1 (01:21):
Right, Patrick's boss.

Speaker 3 (01:23):
But what's really cool is there's there's six hundred teams
competing on different fields from all around the world. Right,
and uh, I got a message from one of from
one of the software kids, like, hey, Dwayne, somebody came by.

Speaker 2 (01:37):
To say hi. I was like, oh cool.

Speaker 3 (01:38):
Who he said was the guy that put me in
the dryer? I know, right, this guy in this driver No,
apparently a fellow mentor of Team thirty four in Alabama
is a listener of the show. I heard that our
team was going and like went over to the pit
to come over and say hi.

Speaker 2 (01:54):
So that oh wow. Unfortunately I wasn't there, but I
said I'd give him a call out.

Speaker 1 (01:58):
All right, so we can bump our listener count to three.

Speaker 2 (02:01):
You've been to Worlds though before? Right? You didn't go
with it because we're just so busy right now? No?

Speaker 3 (02:06):
No, no, I've never been, never been. This would have
been Oh I thought you went once.

Speaker 1 (02:09):
No.

Speaker 3 (02:09):
So the only time I was on a team that
had won to get to Worlds was my daughter's team
back in twenty twenty, the beginning of twenty twenty.

Speaker 2 (02:20):
And there's nothing going on that year. Yeah, exactly. So
when Worlds came around.

Speaker 3 (02:24):
They were like, oh, by the way, nobody come here.
Oh so yeah, that was the only other time.

Speaker 2 (02:28):
And your boycotting. Now I didn't want me during the
pandemic because of my germs, So.

Speaker 1 (02:35):
Fine, never go.

Speaker 2 (02:36):
Yeah that's awesome man, Well that's great.

Speaker 1 (02:41):
And now we have some you know, regular stories. Yea.
And what would this show be without a little WordPress
plugin love?

Speaker 2 (02:50):
I've never heard of that software. What is WordPress? What
is this word? What WordPress you talk about?

Speaker 1 (02:57):
Most popular web platform in the world. The plugin architecture
must have some kind of problem. Well, it just lets
you do anything, right.

Speaker 2 (03:07):
I mean, it's like Roblox in the gaming world if
you want to. You know, that's where all the bad
stuff is hanging out lately because it's such a big ecosystem.
It's the same with WordPress. We make a lot of
fun of it, but it's a big ecosystem and that's
where the hackers go. Yeah.

Speaker 1 (03:21):
So plugins are a constant problem. And this story says
hackers exploit WordPress plugin auth bypass hours after
the disclosure.

Speaker 2 (03:32):
Getting smaller, Yes, between disclosure and attack and exploitation.

Speaker 3 (03:38):
Well, especially with some of these plugins, I mean they're
not massive software packages. Right, Like we've been set to
reviewing software where there's hundreds of thousands of lines of
code that takes weeks to go through and see what's
wrong and what was not properly written and whatnot. In
this case, I mean a lot of these are open source.

(03:58):
You can pull the code down or just install
the plugin and then look at the code, and
then you can obviously dig through there and see what
might be wrong.

Speaker 2 (04:06):
So according to you this On March.

Speaker 3 (04:07):
Thirteenth, Wordfence received a submission of an unauthenticated administrative
user creation vulnerability in SureTriggers, which is a WordPress
plugin with more than one hundred thousand active installs.
The vulnerability can be leveraged by attackers to
create malicious administrative users when the plugin is not

(04:28):
configured with an API key.

Speaker 2 (04:30):
Not a good look. Yeah, so here's a couple of questions. So, Dwayne,
you're our designated Shodan user. And for those who don't know,
Shodan, Shodan is a tool that lets you identify
black belt exactly that too. I thought it was a
long time, but Shodan lets you know how many

(04:50):
systems are affected by these kinds of things. Did Shodan
have numbers for this as soon as it comes out
or is there a delay?

Speaker 3 (04:57):
So no, no, no, Shodan actually does have numbers for these
types of things, but it's more services than it is
typically, you know, them tracking plugins.

Speaker 2 (05:09):
And the reason I ask is because it's possible that
the disclosure came and someone is like, I'm going to
go exploit that, and they figured out and exploit very quickly,
and they started exploiting it before anybody could patch it.
It's also possible that somebody was in the process of
exploiting it and it was discovered just serendipitously somewhere else.
But I think we are observing that the time between

(05:29):
disclosure and exploit is really getting smaller. Yes, yes, agreed.
We probably are getting to the point where like automated
patching is no longer optional.

Speaker 1 (05:38):
Yeah, that has its own problems though.

Speaker 2 (05:41):
It does, which our next story we'll talk about.

Speaker 1 (05:43):
Yes, that's right. And so this is from Bleeping Computer:
Microsoft: Windows inetpub folder created by security fix.
Don't delete it.

Speaker 2 (05:52):
I mean we all love a good inetpub.

Speaker 1 (05:55):
Yeah. So, for those who don't know, back in the
day when you had Windows NT and it was hosting
with Internet Information Server, there was an inetpub folder
which was the root of all your websites on that.
It's IIS.

Speaker 2 (06:08):
It's basically where IIS lives.

Speaker 1 (06:10):
In Internet Information Server, right, and so now it's back,
and why can't we delete it? What's going on? It's
Windows eleven. I don't have a web server.

Speaker 2 (06:23):
Microsoft confirmed that there's a new empty inetpub folder and
warned users not to delete it. Just, I don't think
they gave a reason though. Oh my god, there's no reason.

Speaker 1 (06:32):
Yeah, that's all a little suspicious to me.

Speaker 3 (06:35):
Yeah, and there were there were all sorts of oh
my gosh, your computer might crash up to oh my gosh,
you might see instability.

Speaker 2 (06:43):
According to this article.

Speaker 3 (06:44):
They say, however, Microsoft told Bleeping Computer that the folder
was intentionally created, so this wasn't a mix up and
should not be removed, as an empty folder should not
have any impact on Windows. Like leave it alone, don't
touch it, especially when IIS is not installed. It should
be left alone. We learn more from Microsoft.

Speaker 2 (07:01):
I bet it's a future plans thing.

Speaker 3 (07:03):
Bleeping Computer contacted Microsoft once again to learn the
purpose of this newly created folder, and they said deleting
the folder has not caused any issues while we
were using Windows in our tests.

Speaker 2 (07:14):
So I'm going to make a prediction. So while I
am a Microsoft MVP, everybody gets a web server, I
am a Microsoft MVP. I have no knowledge NDA or
otherwise about this, but I'm gonna make a prediction. I'm
gonna make a prediction. I'm going to predict that there's
a feature coming to Windows eleven that's going to do
something like the widgets of Windows eight or something Webby,

(07:37):
and they're gonna need the inetpub folder there
so they can throw something in there in a future update.
It's my bet.

Speaker 1 (07:44):
You know, if my Windows eleven machine starts hosting websites.

Speaker 2 (07:48):
It's gonna be awesome.

Speaker 1 (07:49):
It's awesome in the worst, in the Dune sense.

Speaker 2 (07:55):
But if everybody has away, doesn't that sound like what
might be going on here?

Speaker 1 (08:00):
Yeah? Why would they do that though?

Speaker 2 (08:01):
I mean, why did they do Vista? I mean, why
did they do Microsoft Bob? Yeah?

Speaker 1 (08:08):
Yeah, remember, Bob, oh my god, be hosting our own
SharePoint servers in the future.

Speaker 2 (08:14):
Some VP who's never had dinner with us. He's trying
to make their.

Speaker 1 (08:20):
We'll replace the entire file system of Windows with SharePoint.

Speaker 2 (08:25):
Oh, I hope I'm right and you're wrong. I hope I'm
right and you're wrong. Oh God, but I bet there's something
coming down the pike, because that's what's that's the kind
of thing. And it may be they're trying to gather
data for how many times they're going to have a collision.
Maybe I just that's what I'm betting it is.

Speaker 1 (08:45):
Maybe it's for tech support. Let me connect to your
computer via your web server.

Speaker 2 (08:50):
I don't get it too, Like, I don't know.

Speaker 3 (08:53):
Honestly, our advice has always been if you're going to
have an inetpub folder where a web server
is running, there's been so many exploits that have allowed
you to jump outside of the of the web server
right to get deeper into the drive. And if you're
on the C drive, much more important data than if
you're on some sort of other random drive. So

(09:13):
it's off from that task. The other thing that's interesting
too is as hackers, we're constantly when we exploit something.
Let's say, for example, in, like, SQL Server, there is
a file exists call I can make. Well, if I
can check a file I know is always going to
be there, or a directory I always know is going
to be there, then I can look for that true
to come back. Right, So if I now know all

(09:34):
every computer, workstation or not, has an inetpub directory,
you know this helps us with enumeration, that sort of stuff.
But yeah, so I don't know. It's it's a terrible idea, and.

Speaker 2 (09:44):
So that makes it likely true.

Speaker 1 (09:50):
Yeah, yep, okay, this is a good one from CSO's.

Speaker 2 (09:56):
Everyone likes a good slap squad.

Speaker 4 (09:58):
See show what the hell is still do that?

Speaker 1 (10:05):
So the headline is AI hallucinations lead to a new
cyber threat: slopsquatting. Even like the picture.

Speaker 3 (10:13):
On this is like a liquidated face with a bunch
of weird arrows, like you're playing Dance Dance Revolution.

Speaker 1 (10:19):
What my grand johnor does after its pointing sandwich.

Speaker 2 (10:23):
It's pointing the way of the hallucinations. This is crazy.

Speaker 3 (10:27):
So the way this works, so a lot of people
obviously have been using LLMs, generative AI, to do all
sorts of things, write papers in college, whatever you name it,
but also create code. There's been a lot of code
created either examples, which would be best if it was
just examples, or actual code where you go to ChatGPT

(10:47):
or Copilot and say hey, can you create
me this thing?

Speaker 2 (10:52):
And it creates it.

Speaker 3 (10:54):
So in testing, what researchers have found is about twenty
zero point seven percent of the packages in PyPI,
from a Python standpoint, that are referenced by LLMs
don't actually exist.

Speaker 2 (11:12):
They just made them up in this dimensions, made them up.

Speaker 3 (11:15):
They're like, oh, you want something that talks to
LDAP, you should import the talks with LDAP.

Speaker 1 (11:20):
God, Hi, you know I see that sometimes. I see
that sometimes in code that I ask it to write
that it just infers the name of a service that
doesn't exist, or the name of the API endpoint
that doesn't exist. And you know, if you're a programmer,
you're paying attention, you realize, hey, that doesn't exist.

Speaker 2 (11:40):
And then it writes a letter to the to the
programmer and says this should exist.

Speaker 3 (11:44):
Yeah.

Speaker 2 (11:46):
Right.

Speaker 3 (11:46):
But what's what's interesting is attackers are now like, Okay,
if we can find these packages that are constantly being recommended,
why don't we create them and give them the functionality
they need to have, But then also put a bunch
of malicious stuff in here.

Speaker 1 (12:00):
They say, these packages, these hallucinations are particularly dangerous as
they were found to be persistent, repetitive, and believable.

Speaker 2 (12:09):
Which means they're predictable, right, And that means that just
going to check that the package exists is not sufficient
to show that it's safe.

Speaker 1 (12:19):
Right. So the c CT says you should go get
the Carl Patrick and Dwayne library.

Speaker 2 (12:25):
You definitely should.

Speaker 1 (12:26):
And you know, after a while, somebody says, hey, I
think I'll create a Carl package in Dwayne library, and
it's going to when somebody puts it in their software,
it will completely ruin their day.

Speaker 2 (12:37):
I mean, the fix for this is not going to
happen because two fixes, both of them are going to happen.
One is users need to actually take the time to
figure out the heritage of a package that's referenced. One
to find out whether it's real. Two to find out
what its history is and make sure it's not just
newly created and you know, in other words, invest some time. Well,

(13:00):
if you're letting AI write your code, you're not into
investing time.

Speaker 1 (13:03):
Broh. Yeah. Yeah.

Speaker 2 (13:04):
The second would be for the AI vendors to only
allow their code that's generated to reference packages that are known, safe, known, reputable,
And that ain't going to happen either.

Speaker 1 (13:14):
I think the other thing is that there needs to
be a comment in any generated code that says, you know,
this package does not exist or may not exist.

Speaker 2 (13:25):
Or do not run.

Speaker 1 (13:27):
Yeah, now, just doesn't exist. You know this is something
that we made up. Yeah, you know, some indication that
it was fabricated.

Speaker 2 (13:34):
But that was That would be assuming that it knows.

Speaker 3 (13:37):
That would be assuming that the LLM understands it's hallucinating
and can let you know. That's right, and it's and
how can it detect between hallucination and it, you know,
creating new things for you?

Speaker 1 (13:47):
Self awareness is the next step.

Speaker 2 (13:50):
Well, when there's three chairs, I always aim for the
middle one.

Speaker 1 (13:56):
Well that makes sense, Okay, Patrick put the down.

Speaker 2 (14:01):
Patrick's Patrick's the heavy drink. It's not a gun, that's
a knife.

Speaker 1 (14:05):
Knife, all right? So what do we do about this?
Just be aware of it.

Speaker 2 (14:09):
Just be aware.

Speaker 3 (14:10):
I mean, honestly, if you're having Copilot write code
for you and you're not checking it, not understanding what
it's written, just realize there's a strong chance that any
of the libraries you've imported there, you know, may not
actually exist.

Speaker 2 (14:25):
So I'm gonna tell a story. Dwayne's used to this.

Speaker 1 (14:28):
I knew a guy hang on at least sit down
on the rug next to it in front of Uncle Patrick.

Speaker 2 (14:33):
Got the round. Children. I knew a guy twenty years ago.
I still I still know the guy. But twenty years
ago I knew this guy and he was doing offshore work.
Was he was basically running offshore resources, and he had
hired a team from Russia. At the time, it's twenty
years ago, so the Cold War was over. It was

(14:54):
in Soviet Union anymore, and you know, there was an
opening and people are like, oh yeah, the world's getting long.
And he had them writing banking software on behalf of
his company. And I'm like, you're going to do a
line by line code review and audit of that, right
And he's like, absolutely no, He says, why would I
do that? That would really increase the cost. I said,
I would be willing to bet you any sum of money.

(15:15):
There are back doors they're building into that because the
laws, there's just no laws that you can use against them.
They did a line by line audit, found three back doors,
and the vendor was like, oh, I guess you got
us. And this is the new, that this is the
new version of that you have. If you're going to
let AI write code. A qualified human programmer, not somebody

(15:37):
who knows how to do the prompt, has to review
that code or else you might as well just let
you know, l.

Speaker 1 (15:43):
K to write it, right, You're right, You're right. Okay,
So we've been talking about this on .NET Rocks.
It seems like for the last several months in that,
you know, and we're not just trying to keep our
jobs here, It's like, you know, a human has to
be involved somewhere.

Speaker 2 (15:59):
I'm I'm waking. I'm looking forward to the renaissance of
our auditing because we're going to find so many more
problems that we stopped finding because now the code is
doing things that a human would never do.

Speaker 1 (16:12):
Just dressed up as an anonymous attacker for Halloween.
He can just put his black hoodie on, your sunglasses.

Speaker 2 (16:21):
Yeah, we're living living our personas I know.

Speaker 1 (16:25):
I know, I just did a WTF face.
All right, with that, we're going to take a quick
break and we'll be right back after these very important messages.
Stick tuned, stay tuned, don't stick stick around, stick tuned,
stick tuned. Are you and AI and we're back. It's

(16:51):
Security This Week. I'm Carl, Dwayne and Patrick and uh hey,
before we get started with the next story. My car
died yesterday and I, or the day before actually, and
it didn't really die, it just it was leaking oil.
I took it.

Speaker 2 (17:04):
It was reincarnated.

Speaker 1 (17:05):
Yeah, yeah, that's right. It's mostly dead, came back as
a go-kart, so it was leaking oil. I took
it to the dealer and they wanted to spend a
couple of days looking around, and they poked around and
they basically are like, oh, you're going to need a
whole new engine, you know, that kind of thing. And
they may be right, but who knows. So when I
did the math and I added up all the repairs,
it's like, you know, this car is the twenty twelve.

(17:27):
It's about time. I'm not going to spend ten grand
on this, whereas I could take that and put it
down on a new car.

Speaker 2 (17:34):
So or at least the tariffs. Yeah, that's why, too true.

Speaker 1 (17:44):
We laugh, we laugh. Somebody out there is swearing. So
I'm test driving a car, which I'm buying, but I'm
test driving it, and my neighbors is the car dealer
and he's a good friend, so he's given me the
family discount. Anyway, we're out test driving and he was
talking about security, right, like it has a thing where

(18:07):
if your car is stolen, you just call and then
they disable the car. It's done and they know where
it is too. So and I said something about the
key fob, right, Well, you know about the key fob hack, right,
He goes, no, what's that And I said, well, RFID,
these keys, that's how they work, just sensing your presence. Yeah,
so this is an old hack where you can get

(18:28):
a computer with an RFID reader and you read the
values that are being emitted from the key fob and you
can play them back and pretend you are the key fob.
And he says, hm, like I kind of doubt that
you could start the car with that. And I'm talking
to Dwayne about.

Speaker 3 (18:47):
This and he's like, oh no, it's actually a great
way to steal cars, but go ahead.

Speaker 2 (18:53):
Yeah.

Speaker 1 (18:53):
So I said, well, you know, I work with these
two guys that can do anything, steal cars. Yeah, and
the one guy can do anything, So wouldn't it
be cool if we could like have him try to
hack this car?

Speaker 5 (19:04):
We should, right, So he was not actually my neighbor.

Speaker 1 (19:09):
The sales guy was like that would be so awesome,
especially if if he found something like some sort of
you know, then he'd be like a hero because he.

Speaker 2 (19:19):
Well, so, the latest versions of garage door openers
have a cycling key, so that's kind of like the key fob,
the RSA key fobs. Yeah, yeah, do the key fobs
for cars do the same thing? They do? So they do,
so they do have a security code. Don't work, guest Dwayne,
you know right, I'm nodding vigorously.

Speaker 3 (19:40):
But imagine this, Like let's say you push that button, right,
you get the next code. Well, let's say you push
the button again, you get the next code. Let's say
you're four hundred miles away from your garage and you
push the button. The next code just played. So there's
a backup in the garage door where it's like, oh,
if it's not the right code, but it's in kind
of the right sequel, and it's okay. Right, you probably

(20:02):
pushed it a million times in your pocket, right, So
there are ways to manipulate those systems when you replay
the signal to capture that code and then replay a
code that may or may not be the next code.
That sort of stuff. Car systems are the same way. If
you want to steal a car like they, you you
really shouldn't be keeping your key fob anywhere near the door.

Speaker 1 (20:21):
All right, play the music.

Speaker 2 (20:22):
Cue the music.

Speaker 1 (20:23):
I was going to say, cue the music.

Speaker 2 (20:25):
It'scrimming. Listen, car thieves.

Speaker 3 (20:33):
So what a lot of people do is they'll have
a key hook right next to their door. Open the door,
come in the house, put the keys on the key hook,
right, or put the keys, you know, right on the
credenza that's right there. And the problem is the
range on those key fobs is pretty far, you know,
sometimes it's ten, fifteen, twenty feet, so lots of times,
for example, if you guys are putting your keys on

(20:55):
this this credenza that's right next to the door. If
you notice that your key fob needs a new battery like once
a month, it's because it's constantly talking to the car,
right, it's too close to the car. But what attackers
will do is they'll use an SDR, software defined radio,
where they can literally have, they have one guy walk
slowly up to the house until he picks up the
signal of the key fob and replays it to your car,

(21:17):
and it will unlock your car, and then at that
point they can continually replay it while they just drive
off with your car, so they don't need the keyfob.
And there are other security mechanisms that are added in
so that that, you know, it makes it harder, but
it's always not impossible, and there's definitely some exploits around.

Speaker 2 (21:33):
It's always an arms race.

Speaker 1 (21:34):
If we could just get the car manufacturers to recognize
the driver's ass.

Speaker 2 (21:40):
I'm sorry, is an ass? Is that exactly? Either way?
Disable it?

Speaker 1 (21:47):
Yeah, you can just imagine, like if I lose like
fifty pounds, it won't let me.

Speaker 2 (21:51):
What you get in my car?

Speaker 5 (21:53):
Sorry, car, it is not your car, it's not your ass.

Speaker 3 (21:58):
Then you just have to use the Grandma attack. My
grandma used to let me drive cars.

Speaker 1 (22:01):
Yeah, exactly, assuming there's an audio interface. Okay, so let's
move on. Threat actors using cascading shadows attack chain to
avoid detection and complicate analysis. What's this all about?

Speaker 3 (22:16):
Yes, so this is a phishing campaign, but they call
it a multi layered phishing campaign. And this one was
discovered by Palo Alto's team Unit 42. Actually, Unit
42 is fantastic. There are some really good teams
out there. I know Mandiant's team was fantastic. They went
to Microsoft. Palo Alto has a great team, Unit 42.
Google has Project Zero, So there's there's some pretty amazing

(22:40):
researchers out there. But in this particular case, the campaign
delivers malware. So usually these the malware it looks like
they're deploying is remote access trojans. But if you look
at the picture, and I know it'd be hard on
the podcast, yeah, but if you go when you go
and see the link to this podcast and click on

(23:02):
the link, the picture actually shows how sort of complicated
and multi multi layered this attack is. Where you get
an email that then either has a zip, RAR or 7-Zip
file attached, which then extracts a chain of scripts,
then goes to the web, then executes the PowerShell, then
downloads an executable then like an on and on and

(23:23):
on and on it.

Speaker 1 (23:24):
So it's like a Rube Goldberg.

Speaker 2 (23:25):
Attack, which is which is what we've seen as far
as like as as as early as years ago, five
years ago. The attacks that we were that we're seeing
against iPhones were chain attacks. They weren't like there's one
big vulnerability that gets you everything. It's you get here
through this, and then you get through It's so it's
more like intricate rock climbing where you've got to make

(23:47):
a jump from a hand hold and then that handhold
leads to another one. It's it's a chain. Yeah, so
very very complex.

Speaker 1 (23:55):
Yeah, all right, okay. The next story from darkreading.com:
Max severity bug in Apache Roller enabled persistent access. The
remedied flaw gave adversaries a way to maintain access to
the app through password resets.

Speaker 2 (24:12):
This goes up to ten.

Speaker 1 (24:13):
Oh my gosh, not eleven.

Speaker 5 (24:16):
It should be eleven. I don't know, maybe it should.
Let's talk about it. Yeah, so what is Apache Roller?
So it's blogging server software in short, right, okay, but
the problem with that, the problem with the way that
a session is managed is the issue here.

Speaker 2 (24:33):
Right.

Speaker 3 (24:33):
So, as most of you may know, Right, you go
to a web server and let's say it's your bank
or whatever, and you log in and now you have
an active session with that server. Then there's there's a
couple of things that are exchanged between your browser and
that server. Yeah, okay, and that active session is tracked.
If you go to bankofamerica.com, for example, you're
not necessarily always on the same computer on the remote end.

(24:55):
On the server, right, they may have a server farm
with thousands of servers, right, and they're load balancing. So
there has to be a way to track your session.
It would suck if every time you refresh the page
and you hit a different server, it was like, oh,
can you log in again?

Speaker 2 (25:08):
Right? That would be obnoxious.

Speaker 3 (25:10):
So the way they keep track of a lot of
that is typically either through a cookie or a session
value that you're sharing back and forth between the browser
and the and the server. And then when you log
off however, right, so you log out of your Bank
of America, you click log out, or after a certain
amount of time of inactivity, your session is supposed to

(25:31):
go away. In this particular case, your session doesn't actually
go away.

Speaker 2 (25:36):
How is that a ten? In what world? Is that
a ten?

Speaker 3 (25:39):
Well? Because the other problem is it also doesn't invalidate
them when you change your password.

Speaker 5 (25:43):
Oh man, so okay, but still no, I hear what
you're saying.

Speaker 2 (25:46):
I wouldn't have rated this at a ten either.

Speaker 1 (25:48):
But so you have to change your password and then
somebody has to intercept that and then go steal your
session that way, right.

Speaker 2 (25:55):
Well, or say your password gets sacked, yes, and then
you change it, it doesn't invalidate all the existing sessions,
so the hacker can stay.

Speaker 3 (26:04):
Or no, true, exactly, or if they were to, if
they conned you into, you know, some way that they
could steal a session cookie from your browser or something
along those lines, or hear me out, the Apache Parquet
one we talked about last week that allows RCE.
Maybe that's a good way to maybe steal sessions
off the server and that sort of stuff.

Speaker 2 (26:23):
But either way, you know, yeah, I wouldn't have rated it
at a ten. The right hygiene is if someone changed
their password, you kill all sessions, right Yeah, well you
at least let them absolutely decide to kill all sessions,
and it's a good practice to do, just like you
should reboot your phone every week.

Speaker 1 (26:38):
I mean, I wouldn't ask the user, do you want
to log out of your existing sessions, which they kind
of do. It's like, just invalidate them and stuff, just
invalidate them.

Speaker 2 (26:47):
You might want to warn them that this will log
them out of all existing sessions.

Speaker 1 (26:51):
Yeah, but don't give them the options.

Speaker 3 (26:53):
I mean, Microsoft does that. If you go to your
Microsoft account and you can then invalidate all your session
tokens for all the computers you're logged into and without
changing absolutely.

Speaker 2 (27:03):
I mean.

Speaker 3 (27:03):
The other thing is I mean, this is a CVSS
score of ten. We said we probably wouldn't have
given it a ten. It might have been a little
bit less than that, maybe like an eight ish yeah,
seven yeah, seven, eight, Well that will compromise seven point
five maybe, And it does have a CVE but nobody
can track it anymore, So you know that's fine.

Speaker 1 (27:21):
Is that seven a contagent score?

Speaker 2 (27:24):
Yeah? I think I think seven, seven point five is
what we'd go at. Yeah, that's what we're, That's where, right, John.
It's a thing. It's it's it's a big deal. It's
not like, oh my god, I can just walk up
to any system and exploit it. And you've got to
be under the right circumstances. You got to already have
a bird in hand.

Speaker 3 (27:38):
I am confused, though, What what is this CVE thing
people are talking about?

Speaker 2 (27:44):
Well we actually, yeah, that's right, it'll be old news
by the time this comes out.

Speaker 1 (27:51):
Our clickbait, that's on Security This Week: Funding Expires for Key Cyber
Vulnerability Database. That's the CVE program.

Speaker 2 (28:01):
That which is run by MITRE, and MITRE is a
think tank, if you were going to call them anything,
they're the government supported think tank. And they came up
with the CVE program. I think it's twenty five years old,
if not close to that, and it's a great program.
We reference it all the time. And the funding went away.
I guess the chainsaw arrived on that funding and we

(28:24):
were all ready to report that then, and then we
got an update that due to the outcry from people
in our industry, Go security, it has been restored and
it is not on the chopping block anymore.

Speaker 1 (28:37):
Oh my god us or is you ain't? So the
next story, of course, came out shortly after that, on
the seventeenth, which is when we're recording this. A critical
database tracking cybersecurity threats was on the chopping block. What happened? Yeah,
the CVE program was hours away from losing federal funding
before experts raised the alarm.

Speaker 2 (28:59):
Yeah, and basically this article is a an interview of
like what happened, but basically the funding has been restored.
It's crazy.

Speaker 3 (29:09):
I mean, the day it was announced that it was
going down, like my entire LinkedIn feed from Jen Easterly
to Krebs, to you name it, everybody. This is what
they were talking about. And Easterly had a great sort
of analogy. She was like, listen, for those of you
who aren't sort of steeped in cybersecurity, think of it

(29:30):
this way. You have a library, right, an actual library,
and it has tons of books, and each of those
books has super important information in it about life-saving information.
And then instead of having a Dewey Decimal System where
you can actually identify these books relatively quickly and go
get them and see whether it's something you know you
know about already, you don't. You just have a pile

(29:51):
of books in there, no Dewey Decimal System. You have to
try and dig through and you don't know if it's
something you've already seen or not seen, or you don't
know if there's something you can validate, and.

Speaker 2 (29:57):
Your only hope is security this week.

Speaker 1 (30:00):
You don't know if they're new or if they're old, you.

Speaker 3 (30:02):
Know, right, And that's what she was saying. She's like, listen,
so imagine the chaos that's there. You couldn't go to
a library and be like, hey, do you have this book?
They'd be like, I have no idea.

Speaker 2 (30:10):
Security tool vendors. It would cause a lot of damage
if they let this go away.

Speaker 3 (30:14):
Yeah, scanning vendors who scan for common vulnerabilities wouldn't
be able to do that anymore, because what's a common vulnerability?

Speaker 2 (30:21):
There's no database. It'd just be a nightmare. Yeah, but
you know it's film Glad they fixed it. It's funny.

Speaker 3 (30:25):
I was talking to Carl and Patrick before the podcast
started and I was making bets that someone like Google
would have picked it up. And I made the bet
and said, you know what, we'll fund it, because they
could, because it's a database, and so is their Google
thing that seems to be doing.

Speaker 2 (30:40):
Okay, I made the bet that the funding would
get restored, and I got lucky
on that because that was a crapshoot.

Speaker 1 (30:51):
So I guess CVE is.

Speaker 2 (30:54):
Still going to be the thing, still going to be
the thing?

Speaker 5 (30:56):
Is you is?

Speaker 1 (30:57):
All right, guys, this is enlightening as always. And of
course if you have anything you want to mention to us,
go to our Discord, discord.securitythisweek.com. And of course that is a r l DNS name,
so don't put an HTTPS in front of it. Just
type it in like that, and we'll see you over there.

Speaker 2 (31:15):
Bye everybody, Bye bye guys.
© 2025 iHeartMedia, Inc.