Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hey.
Speaker 2 (00:00):
You know, my mother always used to tell me something
I'll never forget.
Speaker 3 (00:04):
She get your feet off the table.
Speaker 2 (00:06):
Well yeah, that of course. Come on, now I'm the
guy with the pledgeline. She said. You know you, Carl,
you might not be the dumbest guy in the world,
but you better hope he doesn't die.
Speaker 4 (00:19):
Oh yeah, wow, Okay, welcome to Security this week.
Speaker 2 (00:34):
I'm Carl, that's Patrick and Dwayne, and we've got seven
stories for your amusement slash nightmares. Starting with a bleeping
computer story. Unpatched critical bugs in Versa Concerto lead to
authentication or auth, I could be either authorization or authentication
bypass and remote control execution. So who wants this one? Dwayne.
Speaker 1 (01:03):
Versa Concerto is a it's a management piece of software
that helps.
Speaker 3 (01:09):
It's an orchestration piece.
Speaker 1 (01:10):
Yeah, it's it like orchestrates configuration.
Speaker 2 (01:16):
And now we were going to hear the Versa Concerto
in e flat by Johan's question, apot.
Speaker 1 (01:24):
Yo, No, it's software. So it actually it will manage
all of their the Versa devices, right, so a lot
of their WAN devices, network devices that sort of stuff.
Speaker 2 (01:37):
Are these inside the firewall devices or outside the firewall
devices are both.
Speaker 1 (01:41):
So they're typically inside the firewall. But you're going to
see this in massive, massive environments like telcos, not like
you're not going to be installing this at your house. However, Okay,
it is interesting that even devices that that are made
to manage really large amounts of networks and that sort
of stuff fall prey to the same sort of security
(02:03):
issues we see in all sorts of applications. So there
are three different CVEs associated with this particular bug. One
is a ten out of ten. CVE twenty twenty five, thirty
four oh two seven, CVSS score, perfect score, stuck the landing.
Speaker 2 (02:20):
Does it deserve a ten?
Speaker 1 (02:22):
Well, let's I mean, let me, I'll read it to
you and you tell me.
Speaker 2 (02:24):
Yeah.
Speaker 1 (02:25):
So, a URL decoding inconsistency, right, see, you feed a
URL to it and it decodes it in some way
allows an attacker to bypass authentication and access a file
upload endpoint. By exploiting a race condition, they can write
malicious files to disk race condition.
Speaker 2 (02:43):
That's all about threading and race conditions. They don't always want.
We can't predict those. Yeah, well, you can't predict them.
They could happen like one in a million times. And
only if your code is not protected.
Speaker 3 (02:53):
Right exactly, But there are some race conditions that happen
quite often.
Speaker 1 (02:57):
So you would have to as an attacker. I would
imagine hit this end point over and over and over
and over again, and eventually maybe the race condition happens,
maybe it doesn't. They don't talk about how consistent it is.
But I agree with you, Carl, I wouldn't give this
a ten mm. It's probably anytime you say race condition,
usually I'm knocking that score down no, because it just
(03:17):
it takes eight.
Speaker 2 (03:20):
Well, let me just give a little example. So as
a programmer, we can manipulate threads directly, sure, And so
you can create a new thread and then call a
method on that thread and immediately come back to your
calling code and create more threads and spin up all
these threads. Right, and if those the code on those
threads access the same piece of data that isn't somehow
(03:43):
locked or protected, And there's techniques to doing that in
every language in the world. There's techniques for locking the
data that you're going to access on multiple threads. And
that means while it's locked, you're the only thread that
can access it. And when you say I want to
lock this, you have to wait until it's lockable, right,
So that that is how you write code. That's what
(04:05):
quote unquote threads.
Speaker 3 (04:07):
Safe right, resilient.
Speaker 1 (04:08):
Yeah, And a.
Speaker 2 (04:09):
Race condition is when both of those try to access
that data at the same time and hilarity ensues.
Speaker 1 (04:16):
So it's what's interesting with this article that we posted
the link to. There's actually a video there and you
can see a researcher running the attack and on one
side of the screen they are running a Python script
that's obviously exploiting the race case condition. And on the
other side of the screen there they connect in they do.
(04:37):
You'll see a command that says NC dash l n
V dash four four four four, and all that means
is NC is netcat right. So it's a listening tool,
and you can connect out to remote ports or you
can fire up a port to listen on your local computer.
So this particular researcher fires up a local port four
(04:59):
four four four, right. There's sixty five thousand potential ports, right,
so they're pulling up port four four hundred and forty
four and whatever.
Speaker 2 (05:08):
The and before you go on, a port just is
a number that identifies an application connected to a network.
Speaker 3 (05:14):
Device, within a within an address.
Speaker 2 (05:16):
Yeah, connected to a network device.
Speaker 1 (05:18):
Yeah so yeah, exactly, So you are your computer can
have on the network sixty five hundred and thirty five
ports open right, per address, per address, per ip.
Speaker 2 (05:28):
Address, per ip address. Yeah correct.
Speaker 1 (05:30):
Now there's some of them that you can't really change usually,
like in Windows right the you know, one thirty
nine and all sorts of the normal Windows ports are
always locked right and used by the operating system. That's
why this particular researcher went really high. It went four thousand,
four hundred and forty four. Anything over one thousand usually
is pretty open. So in this particular case, this researcher
opened up this port just to listen on their local computer.
Speaker 2 (05:53):
Do you mean to see if anything connects to it?
Speaker 1 (05:55):
Yeah, exactly. So then the race case condition. What they
this researcher did is they told the remote computer come
back to me on that port right, connect to me,
and run my code. Okay, So when that that they
ran the script. Here you see on the right hand
on the left hand side, there's a status five hundred,
Status five hundred, status five hundred. Every time you're seeing these
(06:16):
status five hundreds. This is the web server coming back
with a catastrophic failure. Wow, right, and he's inducing this
failure so many times that then the reverse shell in
this particular case comes back to his local computer and
he types uname dash a, right, which just means
give me the give me the version of the remote
(06:36):
computer that just connected to me, and it says Linux
and gives a you know, an Ubuntu, blah, well whatever, right,
so you can see, okay, cool. You know, this particular
researcher exploited that race case condition and then got the
remote system to connect back to them, and then they
could at this point run commands and that sort of stuff,
presumably under you know, root level privileges. So can it
(07:01):
be done?
Speaker 3 (07:01):
Yes?
Speaker 1 (07:02):
However, there are the five hundred errors that are scrolling
on the left hand side of the screen. There's hundreds,
if not thousands of them.
Speaker 2 (07:10):
Yeah, that's all you see.
Speaker 1 (07:11):
While the while, Yeah, exactly while I was trying to
exploit this. So is that noticeable? It should be? Should
be you should be looking if you have ten thousand,
you know, catastrophic website errors in the matter of a
couple of minutes, that's probably something you should Yeah, But.
Speaker 3 (07:24):
If you don't have a SOC that's actively looking at,
a Security Operations Center actively looking at this, those logs might
not ever get looked at, let alone in a timely
manner to detect this kind of thing.
Speaker 2 (07:34):
Well, sometimes you can cut them off at the pass by
configuring the router. Right, you should just say, hey, deny,
you only allow one hundred connections per second from the
same IP address.
Speaker 3 (07:44):
Well, and you've also maybe they shouldn't put this thing
on the web.
Speaker 1 (07:48):
Well there is, but you're absolutely right, Carl. Normally you
would put like a web application firewall in
front of anything that's a website that's going to rate
limit and that sort of stuff.
Speaker 2 (07:57):
See what get.
Speaker 3 (07:58):
Yeah, the most disturbing part of this is the fact
that they, the researchers that found these three errors, contacted
the vendor and didn't get anything back from them. Vendor said,
as designed, No, they we reported the vulnerabilities to the
vendor on February thirteenth with a ninety day disclosure window,
and they acknowledged the findings and requested additional details. But
(08:19):
from what I understand, there hasn't been Oh no, here
they go. They indicated that hot fix will become available
in the effective releases on April seventh. Okay, that's cool.
Speaker 2 (08:29):
So in the meantime, do we just suggest you turn
them off?
Speaker 1 (08:32):
I mean no, I mean at this point these have
all been patched, so you should just go patch. It's
been a little while.
Speaker 2 (08:39):
Well Patrick just said it. Yeah.
Speaker 3 (08:41):
Actually, in lack of an official fix, organizations relying on
it are recommended to implement temporary mitigations. One suggestion for
the research is to block semicolons in URLs via
reverse proxy or WAF which you just said.
Speaker 1 (08:53):
Oh, I love you know what. I love it when
they give when they give the information as to what
actually exploited it, like they didn't say it anywhere in
this article. They're like, oh, yeah, block semicolons, right,
and then all the attackers are like, oh, you're not
handling semicolons properly. Let me that's right.
Speaker 2 (09:09):
Yeah, all right, let's move on. Cisco warns of I
S E and CCP flaws with public exploit code, and
now we need the acronym police. Please somebody help me.
Speaker 3 (09:19):
I S E and Chinese Communist Party.
Speaker 2 (09:22):
We knew that.
Speaker 1 (09:24):
In this case customer collaboration platform.
Speaker 2 (09:29):
That's far less interesting and Identity Services Engine far less interesting.
But Cisco is the company here.
Speaker 1 (09:39):
Yeah, absolutely so, Cisco's ISE, their Identity Services Engine.
You know, Cisco's a large networking company, right, been around since
the dawn of time. Really handles a lot of the
backbone of the Internet, a lot of authentication, right.
Speaker 2 (09:56):
And before you freak out, it's been patched.
Speaker 1 (09:58):
Yeah, it's been. And so Cisco releases these devices, these
ISEs, and they come as either an ISO
or an OVA where you can then deploy it in
your own cloud.
Speaker 2 (10:09):
That's an OVA.
Speaker 1 (10:10):
I'm a virtual machine, right, so okay, yeah, so you can.
Speaker 2 (10:13):
And an ISO is a is a file you can
mount as a drive.
Speaker 1 (10:16):
Yeah yeah, yep, so I can. I can install this,
I can get it up and running. I can go
to Azure and I can run it in Azure. I
can run it in AWS or whatever it may be.
Speaker 2 (10:25):
Nice.
Speaker 1 (10:26):
And in this particular case, if it was running an
Azure or a Google's cloud or really anywhere VMware, AWS,
et cetera. Yeah, there was a an issue that could
be exploited. The CVE twenty twenty five two oh
two eight six. Yeah, that would would cause a bypass
(10:46):
that's no bueno. So yeah, you want to go and
make sure that if you are running this uh, that
it is at this point patched.
Speaker 2 (10:53):
Okay, well that's an easy one. Let's move on to
MITRE, M I T R E. This is patch mill
you here, Hey, you guys, take a break. MITRE publishes
post quantum, post quantum. We're not even pre quantum.
Speaker 3 (11:08):
We're pre quantum. Oh we are.
Speaker 2 (11:10):
We're post quantum. Are we? Cryptography migration roadmaps? So this
means you have some cryptography, how do you migrate it
to a post quantum world?
Speaker 1 (11:20):
So wait in a second, Patrick says, we're pre quantum,
but we're also like pre teleportation. Yeah, right, of course, Well,
like both are just as real.
Speaker 3 (11:28):
Not quantum teleportation. That's already here. All right, let's talk
about this for a second. So, as I've said a
number of times, as quantum computing evolves and we get
to from the infancy of quantum computing, which we are in,
to the middle of the road quantum computing, where we
have medium size quantum computers with thousands and tens of
(11:51):
thousands and maybe even eventually millions of logical qubits. All
of our asymmetric encryption mechanisms are pretty toast, So that's
RSA, Diffie-Hellman, elliptic curve. All the things
that just that use the discrete log problem for their
encryption are toast.
Speaker 2 (12:10):
What was that second one, Jiffy Diffie-Hellman, Jeff he
Jiffy pop with Hellman's mayonnaise.
Speaker 3 (12:18):
Diffie-Hellman elliptic curve or d c C anyways, is
the one that most.
Speaker 1 (12:23):
People But I'm just saying, we've.
Speaker 2 (12:26):
Had this discussion.
Speaker 3 (12:27):
It's jiff jiff natural is so good anyway, But Hi, Digress.
Speaker 2 (12:33):
Is corn muffins?
Speaker 1 (12:35):
Right?
Speaker 3 (12:35):
You are?
Speaker 1 (12:37):
You are correct?
Speaker 3 (12:38):
How I mute your mics? That's my question. So so
as we.
Speaker 2 (12:42):
Get to that phase, you know, you're just asking for
more Patrick.
Speaker 3 (12:47):
So, I was actually talking to somebody I used to
work at RSA about this just today, and we were
talking about the fact that, unlike Y two K, this
is coming but we don't know when. So at least
with Y two K, there was a deadline we could
work back from the deadline. We knew it was coming,
you could get money to pay for it. Well, this one,
(13:07):
no one knows when it's coming, and it's all guesswork.
But the guesswork is getting shorter and shorter. Some people said, oh, yeah,
we got twenty years, and now they're like, oh yeah,
we probably have ten years. I don't think we have
ten years. The thing is, there are new encryption
protocols that have been developed by NIST, the National
Institute of Standards and Technology, which help you, which you can
(13:27):
migrate to. They're all CRYSTALS, most of them CRYSTALS based.
Two out of the three CRYSTALS based. If you migrate
to those, but it's a long process. You have to
identify and prepare, you have to get your team up
to speed. You have to then find suitable replacements, and
you have to deploy those replacements. And none of that's
(13:48):
going to happen overnight, and so it's a process. So
the MITRE Post Quantum Cryptography Coalition has this guidance which
I really recommend people take a look at and start
really thinking about.
Speaker 1 (13:59):
Seriously, Patrick, sir, can I can I just ask copilot
to make me quantum safe? Is that?
Speaker 3 (14:06):
Yes?
Speaker 2 (14:06):
I have it?
Speaker 1 (14:07):
Just go in something. Can you just rewrite all my code?
Some quantum safe?
Speaker 2 (14:11):
Is that? And by the way, if you were quantum safe,
you would have noticed that Jiffy is a portmanteau between
Jiff and Skippy, both of which are two brands of
peanut butter, and your brain fuse them together. This is
an example of how Dwayne's brain.
Speaker 3 (14:30):
Works, or doesn't or doesn't.
Speaker 2 (14:33):
He's making scenic connections that no other human is making.
Speaker 3 (14:39):
Maybe he mixes his peanut butter sounds delicious. Actually, I
have switched to natural jiff.
Speaker 1 (14:48):
Huh.
Speaker 3 (14:48):
It doesn't have hydrogenated oils. It's much I think it's
much healthier. It's still got sugar in it and molasses,
which is fine, tastes fantastic.
Speaker 2 (14:54):
I think you pronounced it giff yi.
Speaker 1 (14:57):
It's giff schiff giff with it. Hey, sweetie, could you
go to the store and get me some gift.
Speaker 3 (15:03):
I've never hated you more.
Speaker 2 (15:07):
So.
Speaker 3 (15:07):
Anyways, you should check this out. What everyone should do
is at least get up, you know, get updated, get
smart on what this all is. It's not going to
be a trivial thing. It's not going to be a
you know, swap and replace real quick. You've got to
think about it. And the first challenge for most organizations
is they don't even know where they're using asymmetric encryption.
Speaker 2 (15:26):
Sure, so my question is you know, if all my
stuff is in Azure or Amazon, am I safer there
than if I'm running my own infrastructure. When this stuff.
Speaker 3 (15:36):
Happens, They're going to go there faster than you might. Yeah,
but the devil's in the details. If you've written an
application and it has encryption in it, which it probably does,
then you may well have something in there that's vulnerable
and so you got to.
Speaker 2 (15:51):
But for me, all the encryption is in the plumbing
below me, like, first of all, the SSL.
Speaker 1 (15:56):
What did you say.
Speaker 2 (15:59):
It's in the plumbing step.
Speaker 3 (16:01):
Uh, it might be, but people have rolled their own
encryption before.
Speaker 2 (16:06):
Yeah, don't do that.
Speaker 3 (16:08):
You need an inventory. The problem is the inventory is
to find the things you don't know about, not the
things you think you know about.
Speaker 2 (16:14):
I guarantee anything that is of mind that is running
an Azure. I've never encrypted anything intentionally.
Speaker 3 (16:22):
No you haven't, but I haven't. But most companies have
a developer that used to work there that probably.
Speaker 2 (16:27):
Did you know? What about creating GUIDs like I do
use the system cryptography or whatever guid to create new
GUIDs from random numbers and things. That's about as far
as I go.
Speaker 3 (16:37):
I mean all random number generation and classical computing is pseudorandom.
It's not purely random. We're starting to see companies that
do actually use the entropy from quantum systems to generate
true random values, and those are being used for different
types of encryption and stuff like that.
Speaker 2 (16:55):
So there's a dot net Random object, and then there's
System dot Cryptography, yep, uh, RandomNumberGenerator. Yeah, and
that that's good. And you can use entropy from you know,
DateTime dot Now dot Ticks, which is some super long
number and you might actually have to trim it or whatever,
but but that's a good one.
Speaker 1 (17:17):
Yeah.
Speaker 3 (17:17):
Yeah, it's certainly better than just calling the JavaScript random function.
Speaker 2 (17:21):
Well you said JavaScript, I'm talking real program.
Speaker 3 (17:24):
I'm just saying whatever.
Speaker 1 (17:25):
Yeah, most but you know it's you know what, you
know what else.
Speaker 2 (17:28):
Don't email me. I love JavaScript, wonderful. Global variables are awesome.
Speaker 3 (17:33):
I have I have no high respect for any randomization
function that's not based on quantum data.
Speaker 1 (17:38):
Wow, just because I don't know, all right, So take
a deck of cards, Yeah, shuffle it thoroughly.
Speaker 3 (17:45):
That's that's a very big random number that they so
have you guys ever seen Vsauce, Vsauce, Vsauce. No,
but I know the math behind a deck of cards?
Speaker 2 (17:54):
Well, how do you spell that? Is that?
Speaker 1 (17:56):
And I'm literally the sauce? Yeah, it's an actor. It's uh,
this guy who does science videos on YouTube. Interestingly enough,
if you take a fifty two card deck of cards
and shuffle it, there's a strong chance that that particular
shuffle has never been shuffled.
Speaker 2 (18:11):
Never exist, never occurred.
Speaker 3 (18:13):
I never will be again.
Speaker 1 (18:14):
I never will be again. Yeah right, yeah, he goes
He goes through, how you could wait for the the
heat death of the universe.
Speaker 3 (18:21):
Fifty two factorial. Yeah, that's a big number.
Speaker 1 (18:25):
It's a lot, so that you could that could be
your random number generator, a couple of cards.
Speaker 3 (18:29):
Good luck?
Speaker 2 (18:31):
Dwayne. Do you ever go to casinos and play blackjack
or anything?
Speaker 1 (18:34):
I've been asked not to.
Speaker 2 (18:36):
Yeah, okay, you've been asked to leave.
Speaker 1 (18:38):
Maybe you call that ass. I actually was the dragged
off of a casino floor and handcuff. But that's a
different story. What because of Microsoft?
Speaker 2 (18:49):
What? What were you eighteen?
Speaker 1 (18:52):
Yeah? Yeah, I know?
Speaker 2 (18:54):
All right, Patrick, Are you done with this story or
do you want to?
Speaker 3 (18:59):
Yeah? I mean we're in early days. People need to
start being aware of the problem. This is a great,
great documentary to peruse and try to get but the
big thing is to sell to your company that this
is a problem that needs to be solved and it's
not something to be put off.
Speaker 2 (19:13):
Somebody should do something about it.
Speaker 1 (19:15):
Now, how are you?
Speaker 3 (19:17):
I wouldn't pay this bill?
Speaker 2 (19:18):
Right, great joke. Okay, we'll be right back after these
very very very very important messages. And if you don't
like these are very very very important messages, you can
pay for an ad free feed. Go to Patreon dot
Security this week, dot com five bucks a month, no ads.
All right, we'll be right back and we're back Security
(19:43):
this week. I'm Carl, that's Dwayne and Patrick. Okay, The Hacker
News says popular Chrome extensions leak API keys and user
data via HTTP and hard coded credentials.
Speaker 1 (19:57):
Yeah wow wow.
Speaker 2 (19:59):
Okay, Okay, which extensions and why this one's interesting?
Speaker 1 (20:04):
Yeah, So if you take a look at some of them,
there's a list on the link that we'll put out here.
But like SEMrush, MSN News tab, Dual Safe Password Manager,
which sounds bad but really all it's doing is is telemetry.
There's the awesome screen recorder, Microsoft Editor, spell Checking and
(20:29):
grammar and adulte et cetera, et cetera. So what's happening here?
And I love how they have the we usually talk
man in the middle, and now it's apparently called adversary
in the middle. A. I don't know. So what's happening
here is let's say you run a password manager, and
let's say that password manager is pulling telemetry from a website.
(20:51):
Telemetry doesn't have your username, doesn't have your password, doesn't
have it probably has a unique identifier for your installation
that it calls out and says, hey, I'm being used
on this browser whatever. Right, So in this particular case,
that's what's happening. And they even you know, go to say, listen,
passwords weren't leaked. There's some data that's leaked, depending on
which site it's going to. Should they be probably using
(21:15):
HTTPS and be encrypted. Yes, there's no there, there's no
there there. Yeah, I mean, I mean, if you take
the only like the worst one I saw was Microsoft
Editor spell check and grammar check exposes a telemetry key
name stats API key, I don't know that that really matters.
So it's yeah, it's I mean, it's it's an interesting
(21:37):
article exposing the fact that none of us know, none
of us A lot of people don't track the data
that it plug in in your browser is actually sending
back and forth right, and it is potentially being sent
unencrypted right, so it should be audited in some way.
But there's nothing earth-shattering here too, okay.
Speaker 2 (21:55):
Uh So if you have these any of these extensions,
are the fixes for each one of them individually?
Speaker 1 (22:03):
Said? There aren't. Most of these companies are going to
say it's by design because they probably get hundreds of
millions of calls per second and they don't want to
get the the have an SSL hit on the back end.
Speaker 3 (22:15):
But which is yeah, that's probably a conscious decision in
some cases.
Speaker 1 (22:18):
All right, and you know, and so in all honesty,
I mean, like I as a security you know, researcher,
I'm constantly trying to just remove plugins from my browser.
I don't want plugins at all.
Speaker 2 (22:29):
I only want one and that's my password manager, which
is me too.
Speaker 1 (22:33):
It's the only one I have, is you know, my
1Password plug in. Other than that, I'm not using plugins.
Speaker 2 (22:39):
So I would try to find if you're using a
laptop or a PC, I would try to find, you know,
native applications that do the things you want, like screen
capturing and research exactly. Come on, you don't need a
browser extension for that.
Speaker 1 (22:53):
Yeah, Like, I don't know who needs the MSN news
tab plug in.
Speaker 2 (22:57):
Oh god, no, I got more news. I got five screens.
I don't need more news.
Speaker 3 (23:04):
You know.
Speaker 1 (23:05):
Although if somebody did give me a plugin to remove
all news from my browser, hey, now there, you tire,
I might do that.
Speaker 2 (23:11):
Yeah, that's the only news kind of thing, all right,
So be careful out there. Go and check out the
list of plugins and act accordingly. All right. So this
is a good one from tech radar dot com. Microsoft
launches free cybersecurity protection for European governments against AI threats
(23:32):
and more. Hey, look at that. An American company that's
friends with European governments.
Speaker 3 (23:39):
They said it couldn't happen, and they.
Speaker 2 (23:41):
Said that was a bad idea, those two Europeans. Damn
it happens, all right, I'm kidding, all right, So what happens?
What's this all about?
Speaker 1 (23:51):
I I mean, yeah, so, I mean it's pretty it's
pretty straightforward. Microsoft actually has a really big you know,
we talked about Microsoft. Lots of people think about either
like visual studio, right, the programming company or they think
about Windows right or Office right. But Microsoft has a
massive threat analytics center and they actually have tons of
(24:11):
lawyers and they deal with all sorts of jurisdictions all
around the world.
Speaker 3 (24:15):
They're involved in takedowns all the time.
Speaker 1 (24:17):
Oh yeah, constantly. So there's a lot of good that
Microsoft Security Center does and has dedicated teams helping out.
Speaker 3 (24:25):
And they've done things for the US States in the
past and help the federal government. So they're just expanding
the umbrella.
Speaker 1 (24:30):
I'm absolutely glad that they're helping Europe in any way
they can. And you may say to yourself, well, what
doesn't Europe have these resources, And you've got to realize,
like every computer on the planet mostly is running either
Windows or some flavor of Linux, and those were all
invented here, right, So.
Speaker 3 (24:48):
And all the trillion dollar companies in the world are
US based.
Speaker 1 (24:51):
Yeah, and Amazon's here and Azure's here. So it's like,
if you want somebody who knows what should be running
on your box, you're probably from the United States. So
I think it's it's good that they're going out in
helping the UK. My concern especially if you know, if
I were in the UK. My concern would be, well, why, like,
why is Microsoft focusing on AI in Europe? And is
(25:13):
it because there's an imminent threat?
Speaker 3 (25:15):
They don't want to be regulated?
Speaker 2 (25:16):
I think there's more threats.
Speaker 1 (25:17):
No, is there an imminent threat that they don't know about? Right?
Speaker 2 (25:19):
I think there's more threats in Europe coming from Western well,
and they also Eastern Europe.
Speaker 3 (25:25):
Europe is much more likely to regulate against big US
big tech than anyone else. And they've already got Google
and Facebook in their crosshairs.
Speaker 1 (25:32):
Oh see, you think it's a play. I mean they're like,
we'll help you out.
Speaker 3 (25:36):
I like Microsoft. I've had a lot of dealings with them.
I think that Satya Nadella is a is a very
moralistic person. It could be both more so than any
other CEO. It'd be a shame if this place is
burnt down. But I do think there has to be
a like well, and it wouldn't hurt us if we
were if we did some things too.
Speaker 2 (25:53):
It's probably more than one reason.
Speaker 1 (25:56):
Right.
Speaker 2 (25:57):
They did an analysis and they found that on the balance,
we need to be helping.
Speaker 1 (26:01):
Yeah, you can.
Speaker 3 (26:02):
You can go buy your wife flowers for no reason.
Speaker 1 (26:04):
But I think it's good. I have a lot of
friends in the UK, and I'm happy that they're at risk.
Speaker 2 (26:14):
So yeah, me too. Good on your Microsoft. Okay, this
next one, hackers allegedly leaked another leak story. We got
to get a theme song for leak stories. Yeah, maybe
just sad. Trombones hackers allegedly leaked eighty six million AT
(26:35):
and T customer records with decrypted social security numbers.
Speaker 3 (26:41):
I mean, let me clutch my pearls and gasp loudly.
Oh no, your social security number is out there. It's
been out there, It's going to be out there. They
could leak it a million times and it doesn't change
the fact that it's out there. So if you want
somebody's social security number, you don't even have to go
that deep to find it anymore. So it's not great.
(27:01):
It's a bad look, but it's not really that big
of a deal anymore.
Speaker 2 (27:05):
Well, what I have a suggestion for our listeners and
people who want to be secure. You know, we did
the whole thing on freezing your credit. That's good. Another
thing you should do is request a copy of your
social Security number from the Social Security Administration. And because
having the physical card is way more secure for you
(27:25):
to prove you are who you are if you get
a stolen identity.
Speaker 3 (27:30):
So I have a story in this regard. I got
a message from a bank and I'll name the bank Chase,
that those bastards they can't approve my credit card application
because my credit is frozen. Yeah, And I laughed, and
I laughed because I didn't take out a credit card.
Speaker 2 (27:46):
Ah.
Speaker 3 (27:48):
So I called them and I said, this is fraud.
This is not me. I have no intention of unfreezing.
Speaker 2 (27:52):
And this is why I froze my credit.
Speaker 3 (27:54):
And so they some hackers got my information because my
social Security number is probably in these hacks and this
has been going on. But every time that happens, they
get nothing, they get ZIP because all my all my
credit is frozen. I've unfrozen it for maybe twenty four
hours once in the last two years. Wow, because I
was buying a car.
Speaker 2 (28:14):
Yeah.
Speaker 1 (28:15):
Yeah, so and you can now I want to say, yeah,
there's a I want to say, there's a digital log
in now where you can actually log into government and
monitor social security number and that sort of stuff, like
time I tied my government, so I have a government
ID for for our global pass and that sort of stuff.
So now there's this you can connect into the United
(28:37):
States government social security numbers and tie it into that
log in.
Speaker 2 (28:40):
I have global entry. Does that help?
Speaker 1 (28:42):
Yeah?
Speaker 3 (28:42):
I do?
Speaker 1 (28:43):
Yeah, same thing. Yeah, so now you can you can
go to that same go to the government social security
site and log in with your GOES account, which I
don't think is called GOES anymore, but whatever.
Speaker 2 (28:53):
Yeah, I used to be government. Oh whatever.
Speaker 1 (28:55):
Yeah, and then now it's that one log in and
all sorts of information.
Speaker 2 (29:00):
Yeah, that's it.
Speaker 1 (29:01):
Yeah, yep. Yeah, So we traveled way too much.
Speaker 2 (29:04):
We do. I'm going to be in Sweden next week,
so nice. I'm hoping we can record, but.
Speaker 1 (29:11):
Yeah, I think we can. Yeah, okay, well I'll go
to Sweden.
Speaker 3 (29:15):
I'm going to be down. I'll be on a large
military base next Thursday, so i'll see you want to
be recording, No, I plan on recording. I just I'll
be in a general's quarters.
Speaker 1 (29:25):
Maybe you just listen to me and Patrick Wayne Poetic.
The interesting thing about this breach though, coming back to
this story, I else is massive breach in AT&T
happened years ago, and there were encrypted Social Security
numbers there. Okay, now they're decrypted, so they're speculating that
potentially what happened is the older breach. They've had computers
(29:47):
working on decrypting the Social Security number.
Speaker 2 (29:50):
They finally got around to doing it.
Speaker 1 (29:51):
I don't know why you would put that much effort
into getting a Social Security number, but and.
Speaker 3 (29:55):
Then releasing it on the dark web, what's the point.
Speaker 1 (29:58):
Well selling it? Okay? Usually these usually the RaidForums
and owners of stuff, they're actually trying to sell these
massive breaches.
Speaker 2 (30:06):
Wow, all right, freeze that credit, kids, that's the uh
cautionary tale. All right, now to our clickbait story. Meta,
which owns, you know, Facebook and uh Instagram and
WhatsApp, found covertly tracking. Now that's in quotes, so let's
find out what that means. Covertly tracking Android users through
(30:30):
Instagram and Facebook.
Speaker 3 (30:32):
I mean this also includes the Russian company Yandex. But
this that doesn't doesn't even make the news.
Speaker 2 (30:39):
Really, Yeah, that's right, Meta and search engine company Yandex
have been covertly tracking Android users in the background of
their devices, according to experts. And again, covertly tracking is
in quotes, right, so what did it really do?
Speaker 1 (30:53):
So? And this this story actually came from Cliff off
of our Discord. So thanks again Cliff for giving us
this and this our attention. Yeah, so this is this
one's interesting in that the way this was discovered is
all of your applications on your phone and your tabs
(31:13):
on your phone and that sort of stuff of isolation.
They shouldn't be talking to each other, right, And what
was happening in this particular case is both Yandex
and Meta were bypassing those isolations to track what was
going on. And they said, well, we were just doing
it to personalize our service to the users. So if
they happened to open another tab in a browser and
(31:35):
they happen to be looking for, you know, work boots,
then we would happen to know about it, and next
time they're on Yandex, we would happen to show them
more boots. Right.
Speaker 2 (31:43):
Okay, so the word covert is in dispute. I guess
maybe that's why it's in quotes.
Speaker 3 (31:47):
Yeah, and that's yeah. Well they didn't get permission, Yeah
they didn't. They didn't ask the user if they wanted
to do it.
Speaker 1 (31:54):
Yeah, and according to Google, who puts out the
Android operating system, they said they said Meta and Yandex
used Android's capabilities in an unintended way that blatantly violated
our security and privacy principles. Okay, so that's what the
contention is here. And Meta's come back and said, hey,
we're working with you. We didn't Oh my gosh, we
(32:16):
didn't know, right, Yeah, and you know yandex is. I
don't think it's fun.
Speaker 2 (32:21):
So let me ask you this.
Speaker 3 (32:22):
You mean I'm not supposed to have your social Security number?
Speaker 2 (32:26):
Let me ask the listeners this. If you have an
Android phone and you use Facebook and Instagram and WhatsApp,
do you really feel like you're not being snooped on?
Speaker 1 (32:38):
I know, right?
Speaker 2 (32:39):
Is this a surprise to you?
Speaker 1 (32:40):
Apparently?
Speaker 3 (32:41):
Yeah, Now you should add DeepSeek and Qwen, the
Chinese open source AIs, and you'll have the trifecta, all
of it. So be complete.
Speaker 2 (32:48):
That's it. So our recommendation is throw your phone in
the garbage. Get an iPhone, throw that in the garbage.
Don't use the phone, don't use any technology. Just be
a hermit and, you know, string some wires and a
string between two cans tied from your upstairs to your
downstairs to talk to your kids.
Speaker 1 (33:09):
Be done.
Speaker 2 (33:10):
Case closed. Now, really it's really it's get an iPhone,
if you're really concerned, put it in lockdown mode and
use Signal, yeah, and get rid of all those crappy apps.
Speaker 3 (33:21):
So I hate to give that guidance because it is
an expensive set of guidance. Sure, it's just that Apple
did spend a long time ratcheting down the security on
the iPhone and Android did not keep up. And I'm
hoping they're starting to catch up now.
Speaker 2 (33:36):
But stories they are now.
Speaker 3 (33:37):
Yeah, yeah, stories like this don't help, though, the fact
that they're calling them out in public might be a
sign that they are coming back.
Speaker 1 (33:45):
Right And just to so a little bit more detail
on this, you'll notice in the article it says researchers
discovered that Meta's apps, including Facebook, Instagram, and Yandex's apps
such as Yandex Maps, were sitting in the background of
the Android device loading a script that sent data locally
(34:06):
back to the app on the user's phone.
Speaker 2 (34:07):
Oh that's not good.
Speaker 1 (34:08):
So they were circumventing the Oh well you can't. You know,
you have isolation where they would literally call back out
to itself on a local port to get data.
Speaker 2 (34:17):
God. I hope they didn't. I hope they didn't learn
how to do that by watching my .NET show
that I did on Android background services, because I do
show people how to do that. But there are legit
reasons for it though.
Speaker 1 (34:31):
Sure, like tracking us well.
Speaker 2 (34:34):
But it's part of it's part of what you can
do in Android.
Speaker 3 (34:37):
So their nuclear power is legit. But nuclear weapons are
real too, so everything has a dual use, right.
Speaker 2 (34:44):
Well, anyway, if you did learn it from me, please
don't tell anybody. I don't need that.
Speaker 3 (34:50):
Coming soon to a ransomware screen near you.
Speaker 2 (34:53):
Carl's face exactly. Yeah, yeah, well okay, so it turns
out our clickbait wasn't that interesting after all.
Speaker 3 (35:02):
But you know, I think it's a big deal.
Speaker 1 (35:04):
I mean, it's a big deal, but it's Yeah, but
you also had the faces on your phone, so what
do you expect? Yeah?
Speaker 2 (35:12):
Yeah, what do you this is it? What do you expect?
You know? All right?
Speaker 1 (35:16):
I love it, it says, quote, that's very shocking, quote, in
this article.
Speaker 3 (35:23):
In many cases, when I have the choice between an
app and the website on a mobile device, use the website.
I almost always pick the website. Yeah, because
screw that. I don't want them to have the extra control,
the extra capability. I don't know whether that's really making
a difference, but I suspect it does.
Speaker 2 (35:41):
And I would use the mobile DuckDuckGo browser.
Speaker 1 (35:44):
No, yeah, all the time.
Speaker 2 (35:46):
Yeah. So there you go. That's our show. We will
talk to you next week. Both Patrick and I will
be away and maybe maybe we can make this work.
Speaker 3 (35:55):
Actually it's week after next. I'm traveling. I'm already next week.
Speaker 2 (35:58):
Okay, I'll be in Stockholm next week. It death sounds.
Speaker 3 (36:01):
Don't get the syndrome.
Speaker 2 (36:04):
I already got it. I'm married.
Speaker 3 (36:06):
Come on, you keep showing up to this show.
Speaker 1 (36:09):
I know right, I love it so much.
Speaker 2 (36:12):
All right, bye bye you next week