
October 3, 2025 • 42 mins
Japan's beer giant Asahi Group cannot resume production after cyberattack

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hey, so my wife said she saw a dwarf climbing
down the Montville prison wall yesterday. I said, dwarf, that's
a little condescending. Okay, Well, welcome to security this week

(00:23):
this week. And Patrick wasn't here last week, but he's here.

Speaker 2 (00:26):
This week until next week when none of us will
be here next week.

Speaker 3 (00:30):
So the quality of the show has gone down, gone down,
just in this last week.

Speaker 2 (00:35):
Just in the last Wait till next week.

Speaker 1 (00:39):
All right. So the first story we have is about
Tilly Norwood, a fully AI actor.

Speaker 3 (00:45):
I went to high school with her.

Speaker 2 (00:46):
I don't think it did, no, I gotta I got.

Speaker 1 (00:49):
Fully AI actor blasted by actors union SAG-AFTRA for
devaluing human artistry. So what a virtual actor is getting
crap from real actors who.

Speaker 3 (01:03):
They're actually trying to shop her out for gigs and
not she has.

Speaker 2 (01:08):
An agency, and not only have are they trying to
shop her out, she's actually got some interest from some
some of the some of the different producers have said, yeah,
you know what, we might actually use her.

Speaker 1 (01:20):
She's good enough that you wouldn't be able to tell
she's not a human actor.

Speaker 2 (01:23):
Oh yeah, no, So if you look at that, I mean,
it's tough. You look at the AI generated videos and
they're really good. They but they're all short, right, they're
all like movie trailers, right, so it's not like a
three hour uh you know, I don't know a Shakespeare play.
It's it's you. It's like a thirty second thing. But
this is But you might say, well, why to security

(01:45):
this week?

Speaker 1 (01:46):
Care?

Speaker 2 (01:46):
Like why are we bringing this up? Although it looks
like a lot of the actors and uh where the
Screen Actors Guild have been really outspoken about this, where
they're you know, they're they're concerned. Of course, where a
square you could take a script from a writer, throw
it at AI and have it just generate the whole movie.

Speaker 3 (02:06):
Well, we have that in podcasting. You there are there
are hundreds of podcasts that are completely made up by
AI and there's no human content involved. I wouldn't listen
to one.

Speaker 1 (02:17):
I don't know what you're talking about.

Speaker 3 (02:20):
I wouldn't I wouldn't participate in one. Well, I wouldn't
intentionally listen to one. But the problem is if you
can't tell the difference I have.

Speaker 1 (02:27):
I have opinions. I think I think we're in this
novel period where people want to push the limits of
what AI can do. And if they think, you know,
the cooler that it is, the more attention it's going
to get, and then the more real people are going
to be upset. I just think I think it's temporary,

(02:47):
because here's why music. Music fans would never go to
a concert where their favorite band leader has been replaced
by a robot.

Speaker 3 (03:00):
All right, Milli Vanilli, I said music. Oh wow, I'm
not a million I just needed a fake band.

Speaker 1 (03:10):
They never sang anything, all right. So, but but what
I'm saying is the authenticity of the artist and the
backstory of the artist, and the life of the artist,
and the life of the actors and the people that
we like to see on screen and we know their
stories and stuff. That all adds to the experience of

(03:30):
the art. And when you just take that away and
strip it away, and now it's all about dollars and stuff.
We we may have this novel interest like slowing down
in an accident to techno.

Speaker 2 (03:44):
I love techno.

Speaker 3 (03:45):
I know you do. It sounds like an.

Speaker 1 (03:47):
Alarm clock with a beat to me, I don't know.

Speaker 2 (03:50):
Oh my god, I love techno. I listened to it
all the time.

Speaker 1 (03:53):
I know you do.

Speaker 3 (03:53):
That's why I said that it was yeah.

Speaker 2 (03:56):
Yeah. It is funny because people will usually ask me,
like what type of music you listen to? And I'm
like you like, yeah, can you name an art an
artist in EDM? I'm like, yeah, you don't listen to
like do you see M? No your motto no.

Speaker 1 (04:12):
M is a condition that is brought on by eating
too many donuts.

Speaker 2 (04:16):
No, it's not.

Speaker 1 (04:17):
Okay, I know electronic digital music. Yeah, I've produced a
lot of it actually in my day. But but it
wouldn't just you know, take a tape recorder out on
a stage like David Byrne and push play and dance
to it. You know, yep, he can get away with that,
but not me.

Speaker 2 (04:34):
Well, and you can you if you see the really
good artists, you see them really like working the whole
deck right while they're doing what they're doing. That that's art,
you know, just it is, You're right, absolutely, Just having
like auto fades come in and out of other songs
is and yeah that's not media.

Speaker 1 (04:49):
But what I'm saying is that, you know, I think
this is a novel phase and you know, don't worry
about it. These things are going to get attention and
they're going to take attention away from real things that
are going on. But I think people are smart and
they come around and they have an affinity for the
humanity of arts.

Speaker 3 (05:04):
Do you know people.

Speaker 1 (05:07):
Too, you and Dwayne.

Speaker 3 (05:09):
I think the people who listen to this podcast are
probably smart based on my experience of the Oh sure
of the discord, but on average, you just walked down
the street. Most people aren't smart.

Speaker 1 (05:19):
Yeah, okay, but you know what, they weren't gonna they
weren't gonna get into the backstory of an artist and
go follow them and listen to them anyway. So you know,
if they want to put press a button in here
an alarm clock like Dwayne and you know, and it's
made by an Ai, fine, I have no problem with that.
But I don't think people ought to be worried about,
you know, AI taking over the arts and all that stuff.

(05:41):
I think that authentic artists will never ever ever go
out of style.

Speaker 2 (05:47):
So I think you're right, But I think the coming
back to the security this week of view on this Okay,
it's an interesting argument in the you know, the actors
build a ward going against now they're calling them synth
performers or synthetics. Right, that actually sounds like a New
World War synthetics versu human.

Speaker 1 (06:07):
So, oh that was a wasn't that a Star Wars?

Speaker 2 (06:09):
I'm pretty sure. Yeah, I think you're right.

Speaker 1 (06:12):
The synthetics the war.

Speaker 2 (06:14):
But the other thing actually, and there's plenty of video
games where there's the sense. But but from the standpoint
of if this actress is good enough to fool people
into thinking originally that it's a normal human being, we're
getting to the point where deep fakes are getting really, really,
really good. Right. It used to be you could tell

(06:36):
because they were missing a finger or they had three arms,
and you're like, Okay, that's not really good. But in
this case, like hair movement, eye movement, like little twitches,
that sort of stuff are so realistic.

Speaker 3 (06:47):
And there's two ways to do flaws like freckles and yeah,
and they're asymmetry and things like that.

Speaker 2 (06:52):
And there's a couple of ways to do this. There's
one way to do this, which is like totally AI
generated based on us a segment of video and we've
you know, I'll let a little cat out of the bag.
We've done that here. Yeah, right, if you've ever seen
videos of me on LinkedIn. That's not me, that's actually
an AI, right, And it's because they've taken video of me,

(07:13):
They've had me say things, and now they can generate
whatever they want from me, all right, which is great.
But I would also say this is a good use
case though. Yeah, so this is an interest right. But
the other thing is, let's say somebody else had access
to that and jumped on a zoom and had me saying,
you know what, I think we should close the entire company,
or I think you know, I need a thousand gift

(07:34):
to make whatever whatever may be.

Speaker 1 (07:36):
Yeah, deep fakes are a problem.

Speaker 3 (07:37):
I wondered why you needed all those gift cards.

Speaker 1 (07:39):
Deep fakes are probably I'll give you an example where
a deep fake was I would say not one hundred
percent effective. But that was Luke Skywalker as young Luke Skywalker,
Mark Hamill, the AI and a a older you know,
a later version of Star Wars, and I can't remember
which one because there were nine of them, but it
might have been.

Speaker 3 (07:58):
Yeah, didn't they do seven after she passed Yeah.

Speaker 2 (08:02):
Yeah, she passed away and they did. Yeah, they did
her as an AI as well. Yeah, and she was
younger in the presentation of it.

Speaker 1 (08:07):
Yeah, right, but when they did, when they did Mark
Hamill is a young Luke Skywalker, you know, coming back
from the grave while he's sat on a mountain and meditated.
That was that was. It was not quite there. Yes,
the Uncanny Valley reared its ugly head, but probably that's
just because it was of the time, you know. But
let's say Robert Redford was filming a movie last year

(08:30):
and he never completed it and he died before and
there was a scene that they needed him to do.

Speaker 3 (08:36):
Well, it's up to his estate at that point, right.

Speaker 1 (08:38):
But if if it was my estate, if I was
the estate people, I would have said absolutely he would
have wanted it.

Speaker 3 (08:43):
And that's the difference though, Yeah, because now we're talking
about just the movie makers and the producers making all
the money, and they're being no talent.

Speaker 1 (08:52):
The real problem I think with deep fakes is politics. Yeah,
I think once you know, and it has become extream,
it's just the politicians haven't gotten smart enough to use
it yet. But once they do, they're going to put
words in their opponent's mouths that are you know, and
then and what that does?

Speaker 3 (09:07):
They already have ridiculous words in their own mouths, so
I know.

Speaker 1 (09:09):
But what that does is that gives them the grand excuse.
Oh that's that was a deep fake. I never said that, right, Okay,
well can you you know.

Speaker 3 (09:17):
The shaggy defense, right right.

Speaker 2 (09:19):
But on top of that, there's so many different ways
that you could use those deep fakes, like, hey, look at
these protesters right where none of them might actually exist,
So it's not like a well known person you could
go track down. Yeah right, So I think that's rough.

Speaker 3 (09:33):
These things have existed because if you want a picture
of a protest, you get one from you know, South Africa,
and you say, this is Detroit. Sure, right, and that's happening,
that's been happening. It makes the problem worse, But I
don't think it makes a new problem as much.

Speaker 1 (09:46):
Well, it means that everybody, in order to fact check,
has to actually go and see that there are protests
are not protests, and then when they tell each other yeah,
I was there and I saw it, that's just another
point of do we believe that person or not.

Speaker 3 (09:59):
I think we might literally get to the point where
we need on the ground journalists to verify things.

Speaker 1 (10:03):
So what are these journalists who speak of I think
they went by the way of the Dinosaur.

Speaker 3 (10:09):
And now this is a reason for it to come back.

Speaker 2 (10:12):
So Patrick, what are your thoughts on And maybe this
is just tinfoil hat conspiracy stuff, but I heard from
a friend whose cousin's mother's roommate read it happened, Yeah,
read it on Reddit.

Speaker 3 (10:25):
Whose genitals swelled up when they took the virus.

Speaker 2 (10:31):
That there are towns in Russia that they've staged to
look like Middle America, like Middle sort of Bible Beltway towns,
so they can stage riots and stuff so that it
actually looks real and they can post it out on
the Internet. Or is that all bus I.

Speaker 3 (10:52):
Don't I believe so. The original concept of the Potemkin village,
which is the fake village, is from Russia. It's in
the playbook. It's not an unknown thing. One of the
stories I read from I think it was a book
by one of the one of the great novelists who
wrote about like World War III, was that they they
built and again this is from a novel, so this

(11:14):
is not true, but that the Russians built a complete
app replica of one of the historic cities in Germany.

Speaker 1 (11:21):
You're thinking of blazing saddles, no.

Speaker 3 (11:24):
And then and then they then they filmed it being
invaded by Russians and destroyed, and they actually killed the
actors and inhabitants that were Oh wow, they're playing the Germans.
And they used that to show the Germans that they
had destroyed the city and got them to capitulate.

Speaker 1 (11:39):
Wow. Wow.

Speaker 3 (11:40):
And so that the Germans weren't participating in the second
in the Third World War, and it's just the Americans,
and I think it was Team Yankee.

Speaker 1 (11:47):
All right, So there's the book.

Speaker 3 (11:48):
Anyways, we're way off on a rabbit hole.

Speaker 1 (11:50):
Way off a rabbit hole. But I think the moral
of the story is don't trust anybody.

Speaker 2 (11:56):
I think the other moral of the story is, if
you want to know Potemkin villages, Patrick's the only expert
on this on this podcast.

Speaker 3 (12:05):
Yes. So, Potemkin villages was an attempt by Potemkin, an
advisor to the Queen, Queen Catherine the Great, to convince
her that they had spent the money appropriately that she
had allocated to build out the Volga. And she took
a Volga cruise and there were all these villages along
the thing, and they were just facades. So that's why
they call them a Potemkin village. It's a fake village.

Speaker 2 (12:25):
Wow, we all know you see this is an educational
show kids, it is right.

Speaker 3 (12:30):
And they all turned it off. Okay, enough of AI actors.

Speaker 2 (12:36):
Yes, yes, please Chin.

Speaker 1 (12:38):
Let's talk about China because that's such a happier subject.
This one is from Dark Reading. China exploited new VMware
bug for nearly a year. Okay, are we safe in
our homes?

Speaker 3 (12:53):
Is your home controlled by VMware? Yeah?

Speaker 2 (12:55):
I don't know. I mean, oddly enough, the people on
this call probably actually do have VMware at their homes.
I don't, whereas most you don't know. Do you use
any virtualization at all? Not?

Speaker 1 (13:07):
No, The only virtualization I use is in the cloud? Okay,
and it's not VMware.

Speaker 3 (13:11):
Car all right, why well you play?

Speaker 1 (13:13):
Don't you know that? Don't you have a digital map
of my network?

Speaker 2 (13:18):
Right now?

Speaker 3 (13:18):
Anything?

Speaker 2 (13:19):
Until you exactly right? And now that it's public.

Speaker 1 (13:21):
He was, That's what that pause was. He was looking
it up.

Speaker 2 (13:24):
Hold on, hold on, Yeah, you know you're right, Carl,
You're right, you don't. I hadn't looked at the new map.

Speaker 3 (13:30):
Hey you transmission flu is a little low carlat things?

Speaker 2 (13:37):
So oh man a transmission. So neils say, for those
of you who are running VMware, this story is this
story is interesting, but we've seen this before. VMware owner
Broadcom on September twenty ninth, this is super recent disclosed
that there are three vulnerabilities, CVE twenty twenty five four

(13:57):
one two four four twenty two four five and guess
the next one twenty twenty five four one two four
six where you have the ability to privilege escalate, disclose
information and there's an improper vulnerability or an improper authorization

(14:17):
vulnerabilities so that you can actually get authorized the things
you shouldn't. Yeah, so dangerous if you're running these these
particular this particular software and virtualization in your environment.

Speaker 1 (14:27):
Okay, and is it a go patch story?

Speaker 2 (14:29):
This is a go patch. Yeah. We like to add
a couple of these in here where the latest bugs
have been the veer bugs all the time, right, we
see patches show up all the time. We if we
just talked about patches, it would be every show and
we'd have just a scrolling list of software.

Speaker 3 (14:44):
It would be a long show.

Speaker 2 (14:45):
Right, So what we typically want to do is bring
patches where they're actively being exploited in the wild. These
are the most important things you should take a look
at in the next within the next seven days from
four our next pot.

Speaker 1 (14:55):
They did they give any details about what China did
by when they exploited.

Speaker 2 (15:00):
This, So not really, especially if there's an ongoing investigation
right now. They'll keep a lot of this close to
the vest until they come out with Okay, here's exactly
what we're seeing. So this is just the tip of
the iceberg. They'll come out and say, hey, we're seeing
this actively exploited in the wild. You need to go
patch blah blah blah so that they can stem the bleeding.
And then they'll come out later and say, oh, by

(15:21):
the way, this was a targeted operation against so and so.

Speaker 1 (15:24):
And when they say China, they do mean that this
was a state exploitation, not Chinese people, right.

Speaker 2 (15:30):
Right, Oh, yeah, absolutely, yeah. Yeah. Usually if it's a
if it's somebody other than ah, you know, if it's
let's say it's just a random group in China or
a random group in Russia, they'll usually give them a
like a hackery name, like oh, this is Salt Typhoon
or this is whoever. But if it's like state sponsored,
they'll they'll mention the country a.

Speaker 1 (15:51):
Cool not cool, but you know, awesome.

Speaker 3 (15:53):
It's so to talk about this just for a minute.

Speaker 1 (15:57):
More.

Speaker 3 (15:59):
More and more people are talking who are very conservative
about things, are talking about the Cold War emerging
between the United States and China, and this stuff benefited
greatly from the fact that people viewed China as a
trusted partner, a trading partner, and all these other things.
We didn't have this kind of vulnerability against the Soviets,

(16:21):
but then again, cyber was in its infancy, but even
then we were on guard. I think that we might
see this start to diminish over the next few years,
not because they're not trying, not because we're getting better,
but because the trust factor is going away, the fact
that Microsoft no longer shares pre information about vulnerabilities with

(16:41):
Chinese companies that have to share with the government. I
think we're finally coming around. I hope we're finally coming around,
but we'll see in another year or so.

Speaker 1 (16:50):
Here's what I understand, and you guys correct me if
I'm wrong, But the difference between China and Russia in
terms of their internet lockdown right, China built its internet
from the bottom up, with access to and control of
the state, and so from the very beginning they own
the bones of the Internet within China, and they control

(17:14):
everything Russia did not. Russia started the pre you know,
hacking Russia, and the pre lockdown of their Internet was
completely free, I mean American websites, New York Times, they
could read everything, and everything was open and free. And
then gradually they started a top down campaign to lock

(17:36):
down what people could inculach is harder access, which is
much harder. I think you're right opening Pandora's box.

Speaker 3 (17:42):
Not an expert in it, but I think I believe
that's my belief as well. I think that is correct.

Speaker 1 (17:46):
So it's much harder too.

Speaker 3 (17:48):
That said, it's hard to capture. I mean the US
had programs like Carnivore and things that Snowden reported on.
It's much harder with a billion people, no matter how
many hard drives you're willing to buy, just to catch everything.
So interesting, I was just having a conversation with somebody
who's very much in the know. China is starting to

(18:09):
crack down on the live flat trend, which is that
a lot of young people are like, look, it's not
worth working as hard as they want us to. Just
do the minimum. It's basically the quiet quitting in the
United States, and they're trying to crack down on that
because it's hitting morale and things like that. That's a
much harder thing to crack down on than it's people

(18:30):
talking about Taiwan or Tiananmen Square. Sure, but they
are trying to They are trying to control it, but
it's a monumental task even with the right tools, and
AI is probably the thing they're going to deploy.

Speaker 1 (18:45):
Even so for China, even though they own the communications
and the Internet and all that stuff, it's still hard.

Speaker 3 (18:51):
Yeah, it is going to make it a lot easier.
It's just how many trusted eyes can you have to
see this stuff, Whereas with AI they could very well
get ahead of it and be even more controlled well.

Speaker 2 (19:01):
And China also has the Great Firewall of China so.

Speaker 3 (19:05):
Just keeps things out. But it doesn't help. With Piggs
on side discussing I don't jump on Chinese language forms
and control. No, I don't know about you.

Speaker 1 (19:12):
Not since that last time that you know, you know
what I'm talking about.

Speaker 3 (19:16):
Patrick, Oh, we know we said we wouldn't speak with.

Speaker 1 (19:19):
That, Okay, I think uh oh, No, we have this
LINE VIPER malware thing to talk about. Cisco ASA firewall
zero-day exploits deploy RayInitiator and LINE VIPER malware.
And that is the name of my next song.

Speaker 3 (19:38):
It sounds like you're just saying code words.

Speaker 2 (19:40):
Yeah it is, and you pretty much are just saying.

Speaker 1 (19:42):
I am just saying code words. I don't know what what's
the noun, what's the verb? What are adjectives? I have
no idea.

Speaker 3 (19:50):
Can you be reinitiated?

Speaker 1 (19:53):
I don't know. I'm so confused.

Speaker 2 (19:55):
Right, let me sum up bad day for Cisco. Yeah, yeah, yeah,
bad day for Cisco. This one's interesting. If you take
a look at the step by step on this. If
you are running a Cisco ASA, and on that ASA,
you are running the web VPN.

Speaker 1 (20:14):
So web what's an ASA?

Speaker 2 (20:16):
So it's just an advanced security appliance or adaptive
security appliance. It's a firewall, oh firewall.

Speaker 1 (20:21):
Okay.

Speaker 2 (20:22):
So if you're running if you're running a Cisco ASA
the fifty five x series devices and you've turned on
the ability to VPN in right, and you have a
web VPN on the front end of it. Okay, I mean,
so there's a web server responding to client requests that
web server has a if you specially craft a packet

(20:43):
to that web server, you can actually send it into
a buffer overflow and get remote code execution on that
on that device. So that's CVE twenty five two zero
three three three is a remote code execution. Once you
get access, there is a privilege escalation and auth bypass.

(21:06):
You can then get access to which is twenty twenty
five twenty three six two, and then from there they
start installing your RayInitiator slash LINE VIPER. RayInitiator is a
boot device boot sort of a bootloader piece of software
sort of. It's for persistence in the environment and your

(21:27):
RayInitiator boot kit from there on in. I'm sorry, your
LINE VIPER is a user mode shell software. So I
install my RayInitiator. It makes me stay on the box.
I then load my LINE VIPER, which starts infecting executables
with reverse shells so that I can get access to
command and control and have people download these executables.

Speaker 1 (21:49):
This reminds me when I used to listen to car
Talk when I was ten, and I had no idea
what they were talking about, but it sounded really technical
and very cool.

Speaker 2 (21:56):
It's likely this is really neat. I don't know what
it is.

Speaker 3 (21:59):
Would you like us to affect our Boston?

Speaker 1 (22:01):
And then when I was like sixteen and I started
watching Star Trek and they, you know, Geordi started talking
about decoupling the Heisenberg compensators and stuff, and I was like.

Speaker 2 (22:10):
Hey, dilithium crystals is now a thing. I'm just saying
they were just prophetic.

Speaker 3 (22:15):
Should we break out the Boston accents?

Speaker 1 (22:18):
Like clicking, well, just say what you just said but
in English?

Speaker 2 (22:22):
Fair enough? All right? Okay, if you have a web
VPN turned on on your Cisco firewall, yeah, fifty five
hundred device right now, there is a risk of somebody
being able to break the web server, get access to
the device and install malicious software.

Speaker 1 (22:36):
That is the best explanation ever.

Speaker 2 (22:41):
Thank you, thank you.

Speaker 1 (22:42):
That's great. So patch basically is what we're saying.

Speaker 2 (22:45):
Yeah, right now you need to update your ASA. The
thing you need to be careful of is it's not
just go patch in this one, because if they have
exploited the system, they've already started putting in bootload changers
and that sort of stuff. Really need to be careful
if a device is compromised and you can't hit it
with a tomahawk. Patrick, you can't hit anything with a tomahawks,

(23:08):
So what do you mean anything with a tomahawk. You
hit me with the tomahawk. Greg, be careful.

Speaker 1 (23:13):
Yes, when you say be careful, does that mean reboot
the device offline, refresh it from memory, and restore a backup.

Speaker 2 (23:23):
No, there's there. Yeah. In the article we post, there'll
be actually a link to Cisco's sort of recommended. Well,
you could throw in the trash, but there's a there's
a link to Cisco's recommended Waight up there.

Speaker 1 (23:34):
Would you use kerosene or gasoline when you throw a
match on it? Which one would you prefer?

Speaker 2 (23:40):
Kerosene burns a little hotter, a little cleaner, which is
nice for the inside of the data center. So you know,
kerosene is the way to go. When phosphates A little
Willie p little little rub.

Speaker 1 (23:51):
A little bondo on the great.

Speaker 2 (23:53):
I love thermites, Great, little thermite, little rust You're good,
all right. Here's how you make thermite, kids.

Speaker 1 (24:00):
Ask Richard Campbell. He made it when he was He
burned off a ten inch hole in the ground.

Speaker 3 (24:05):
It's so easy. It is kill say it on a podcast,
we will get bad.

Speaker 1 (24:09):
No you can't.

Speaker 2 (24:10):
I wonder if ChatGPT will give it to me.

Speaker 1 (24:13):
No, no, no, anyhow, Yeah to Richard. Richard Campbell told
the story of how he made thermite when he was young,
and he just lit it and put it on the
ground and it started going down into the ground and
the fire department came around and they couldn't put it out.

Speaker 2 (24:31):
Oh yeah, yeah, that will burn it hot.

Speaker 1 (24:33):
It burns underwater.

Speaker 2 (24:34):
Yeah, yep, all right.

Speaker 1 (24:36):
Anyway, but we were talking, so you you explained in English,
it's go patch, but not just go patch, but be
careful whatever that means. Yea, that there's a process by
which you can uh and it's out be safe, and
it's outlined in the instructions.

Speaker 2 (24:52):
Yeah, Cisco has that. Cisco has those instructions for you
to remove nefarious people from your device and then patch.
Cool, cool, definitely go do that.

Speaker 1 (25:00):
Well, thank god, somebody's on the ball and we will
kind of knows it's not us. We will be right
back after these very important messages. Don't you go away,
And we're back at security this week. I'm Carl, It's
Dwayne and Patrick, and you know, we're we're going to
be in Orlando at Aren't we already at Universal?

Speaker 2 (25:24):
Yeah?

Speaker 1 (25:24):
Yeah, you're right, we are by this time.

Speaker 2 (25:27):
I think we're on when this drops.

Speaker 1 (25:29):
I think we're going to be live on Tuesday at
eleven or eleven thirty. Yes, at Security Intersection, Cybersecurity Intersection.
All right, let's move on Microsoft Outlook, because.

Speaker 2 (25:42):
Yeah, why not? Why not?

Speaker 1 (25:44):
They stopped displaying inline SVG images used in attacks?

Speaker 2 (25:50):
Good? What time?

Speaker 1 (25:54):
Yeah? So SVGs, something vector graphics, scalable vector graphics.
Is it? Do you remember what were those files called
before SVG? They were little files that did vector graphics
that you could in Windows, that you could just show
in an editor. But they're not raster graphics.

Speaker 2 (26:15):
They're not right now, right, I mean they're Yeah, it's
almost it's almost like a mathematical model that puts them
together so they can be.

Speaker 1 (26:23):
Draw here to here, red, draw a line from here
to here, blue, fill in this area. So the problem
with SVG images and outlook is what.

Speaker 2 (26:33):
Well, here's the problem. SVGs are awesome in that they
do more than just display a picture, right, they install malware. Yeah,
I know it's the same. It's exactly what what Carl
was just talking about, like draw a line from here
to here. Right, So if you if you really dig
into that SVG format, you can run javascripts, you can

(26:56):
do all sorts of things in there that are not
just drawings. So it's probably one of the more dangerous
picture types is SVGs, especially as attachments, because there's all
sorts of things that you can do inside there. And
like I said, you can have JavaScript that runs, You
can have especially if the user downloads it and tries
to run it from their desktop.

Speaker 1 (27:16):
Now I get it. My Outlook would be a problem
because Outlook has full user security, right, and so it
has access to the system. Whereas if you're in Gmail
and you open an SVG and a browser, so.

Speaker 2 (27:27):
What right, right? Right? Yeah, the browsers generally know how
to handle them very well because they're always protecting against this.
But if I open an SVG locally on my workstation,
that sandbox is a little bit different. Right. So if
we download a file that we think is a PDF,
but is a pdf dot SVG, double click on it.
Sure enough that SVG has some autonomy where it can

(27:49):
actually run scripts and interesting like that. The article we
put out is from Bleeping Computer and they talk about
how the threat Hunting team, the mal hunter team, has
put some samples out as to how dangerous this is.
So you can take a look at this article. You
can see things like a user loading up one of

(28:10):
these SVGs and it actually says it's a pdf dot svg.
They loaded up and it looks like Excel, but it's
stealing some informations. There's all sorts of stuff they can
do in there. I'm just surprised that Outlook hasn't banned
these earlier to get rid of them. But here we are, folks,

(28:30):
So it's good. I'm you know, I'm glad. It just
shuts down one of the ways that right now people
are getting phished.

Speaker 1 (28:37):
Wouldn't if I was writing Outlook, I would want to
have everything that shows up in a preview panel be
a little browser that has its own island of you know,
can't reach around and do all sorts of stuff on
your system. Why wouldn't they do that? In general? I
would fix Outlook. I wouldn't stop showing SVGs.

Speaker 2 (28:58):
Yeah, that's an interesting question, and I think it becomes
a slippery slope where you say, okay, well, the preview
pane has the attachments. Let's say somebody sent me a
word doc and I can click in that previewponent, I
can say save attachments. Should that be able to jump
outside of the sandbox and save anywhere on the drive? Well, well, yeah,
of course that shit. I should be able to save
that to my documents or whatever.

Speaker 1 (29:18):
Right, But a browser can download any attachment to your
downloads folder.

Speaker 2 (29:23):
As well any drive there either. Right, So now you're
starting to talk about oh your downloads folder usually yeah, exactly,
so they'll go directly downloads, although you can you can
right click on it and change how where you download
it to. But so's there's this jumping in between access
to the local system, not access to the local system
from certain attachments but not other attachments. Maybe it's from

(29:43):
the download attachments section, but not from viewing the attachment.
Maybe it is from viewing the attachment. If I double
click on a PDF, does that pdf load from the
remote email server? Does it load from cache? Does it
pull the PDF down first and then load it in
the browser. Like, there's all sorts of options there that
I think you might run into issues. But I agree

(30:04):
with you. I wouldn't be surprised if the preview panel
isn't already using you know, the Chromium objects to load
up the view.

Speaker 1 (30:13):
It's just a matter of what security context is it using.
And I would say it should be as you know,
what do you call it, you know, removed from everything else,
as the browser is. The sandbox should be there, and
you should only be able to save to your downloads folder. Yep,
I mean, why what's the benefit. There's a lot of risk,

(30:37):
but what's the benefit to having that security model there?

Speaker 2 (30:41):
Lower support calls?

Speaker 1 (30:43):
Yeah?

Speaker 2 (30:43):
I think, you know, seriously, I think.

Speaker 1 (30:47):
Security calls when people can't save their attachments.

Speaker 2 (30:51):
Yeah, they're like, why don't you google it? Yeah, exact,
I think.

Speaker 3 (30:56):
I think there's parts of the ecosystem that we're not
aware of that you're probably using functionality. Microsoft knows. There's
lots of features Microsoft. I look at and I'm like,
why don't they turn that off? Well, there's probably like
fourteen ISPs that are using it that I don't know about.
Riv's that are using it that I don't know about it.
It's just such a big open standard and that has

(31:16):
its own positives and negatives.

Speaker 1 (31:19):
Yeah, Okay, we'll give them some slack this.

Speaker 3 (31:21):
Time, and we need something to do, Carl, don't take
all of our that's true.

Speaker 1 (31:24):
Yeah, I'm sorry, geez.

Speaker 3 (31:27):
Now you'll tell people to lock their doors.

Speaker 2 (31:29):
I know.

Speaker 1 (31:31):
Okay, let's move on. Cybersecurity News says Critical Western Digital.
My Cloud NAS vulnerability allows remote code execution. NAS is
network attached storage. Those are usually big RAID arrays that
sit in a box somewhere and you just connect to them.

Speaker 3 (31:48):
I mean, My Clouds are kind of desktop. They're kind
of like two drives a raised. They're not very big,
They're very convenient, and I I never sought to buy
one because they were I thought they were a little
too consumer grade.

Speaker 2 (32:03):
They are, But listen, if you're not a super high
end technologist with a rack of servers in your basement,
they're not a bad little device to plug into the network,
have access to store pictures and want to tell them
backed up. Yeah, it's interesting this this flaw. So this
is tracked to CVE twenty twenty five thirty two four seven.

(32:23):
The flaw's listed as an OS command injection in the
user interface of My Cloud. So breaking that down, what does
that typically mean? What that typically means is in the
setting in the ability of the web page. You you
hit the web page on the NAS where you can

(32:45):
log in as a user. So here it already says
you have to be in the user interface of My Cloud,
so you have to have logged into that. This isn't
an auth bypass.

Speaker 1 (32:55):
Right, So when you say the web page, you mean
the admin page.

Speaker 2 (32:58):
Yeah, the normal user page, the admin page, Like I'm
a user on that NAS.

Speaker 1 (33:03):
Yeah, don't. You don't set up a web server.

Speaker 2 (33:05):
No, now, but it does have a web server built
into it, just so I can see all the files,
and I can log in and I can download files
and that sort of stuff, And it probably has FTP
and SMB and all the other file protocols you'd expect,
a NAS device to have. So when you log
in as the normal user, there are usually there's usually
functionality in there, and there's usually troubleshooting functionality, like, hey,

(33:30):
can you ping this device? My wife's computer can't see
this drive? Can I ping from the drive to my
wife's computer? Now, i'd go to my wife's computer. Can
I ping from her computer back to the drive? Oh?
I can you know? Maybe it was a name resolution
issue or something along those lines, just troubleshooting device, right
or can I go check for an update or something

(33:50):
along those lines, or do I have an Internet connection? Right?
That's another Hey I can't reach the internet, so how
can we back it up to a cloud, you know,
a cloud provider like OneDrive or whatever, which a
lot of these will offload.

Speaker 1 (34:02):
And here's the little foreshadowing, kids, you shouldn't connect these
things to the er.

Speaker 2 (34:06):
Hut, right. So the problem is when you're in there
running those commands, typically those are actually running operating system commands, right,
it's going it's actually running a ping operating system command
from the command line of the little operating system that's
running on the NAS or it's running a wget
to reach out to OneDrive and see if it

(34:29):
gets a return back or a curl or something along
those lines. So with the command injection, which you can
do is say hey, can you reach out to OneDrive
and then throw in things like the double and
symbol and can you do something else, give me a
user account whatever it is, and it goes out and
it reaches out to OneDrive and then it also
runs as other ability.

Speaker 1 (34:48):
So it's kind of like a command injection.

Speaker 2 (34:50):
So usually you're stacking those commands exactly. Yeah, you're just
stacking those commands and you can run multiple commands at
the same time. And if the developer doesn't protect against this, yeah,
now you have control over the device at kind of
the lowest level. So although I think this one's important,
and I think you should go patch. If you have

(35:10):
the device connected to the internet, take it out, Yes,
go patch. Yeah, it shouldn't it shouldn't be connected to
the internet.

Speaker 1 (35:15):
Don't do it.

Speaker 2 (35:16):
Yeah, I agree with you one hundred percent. I mean,
if you need access to a device on your home network,
like put a VPN in, use Tailscale if you
have to.

Speaker 1 (35:24):
Or just copy the files that you need to a
little portable hard drive and take them away you on vacation.
Don't don't open up your whole.

Speaker 3 (35:30):
We're at that partile. Like you can get a VM
via VMD I drive and VMD and VM.

Speaker 2 (35:37):
Oh and VM E and VM drive and VM.

Speaker 1 (35:40):
Drive a little drive.

Speaker 3 (35:41):
It's alphabet soup nowadays. Yeah, those little drives. I carry
them around. You can get terabyte sized ones and they're
very convenient in a way. You don't want to lose it.

Speaker 2 (35:51):
That's yeah right there, sports t Yeah, yeah, well terabytes.

Speaker 1 (35:55):
I got a two terabyte right here. And Dona, Now
this is.

Speaker 3 (35:57):
Not a video podcast, you know, so you should that
to me.

Speaker 1 (36:00):
But Dwayne and I both held up. I have a
SanDisk, he has another another. It's probably a Dwayne brand.
He probably made it himself.

Speaker 3 (36:10):
So so that's you know, you can get enough store
to carry with you. But but making things available on
the internet very dangerous.

Speaker 1 (36:17):
Yeah, agreed, Yeah, it's not cool. And you know, just
because you can say and and by the way, I
wouldn't you know, tell the maitre d or the guy
that delivers your room service, Hey watch this. You know
he's not impressed, and he might even be able to
hack it.

Speaker 2 (36:33):
So just don't do it right, There's there's no.

Speaker 1 (36:37):
Need, no need, right, all right, should we talk be
Let's talk.

Speaker 2 (36:43):
Thereof be ya be Yeah, very Boston.

Speaker 1 (36:47):
I'll say this one with.

Speaker 4 (36:48):
A main accident, Japan's be a giant shy heat group
Asahi Group cannot resume production after a cyber attack.

Speaker 3 (36:59):
The reason we want to talk about this story is
this is this is something a lot of people don't
think about when they think about the risk of ransomware,
is you just never get everything back. The company just
goes out of business. Yeah, just dust ups and file away. Now,
when nine to eleven happened, we had a lot of
really hard conversations with owners as a result of like

(37:21):
what had happened to some of these companies where they
literally ceased operations that day. And you don't want a
digital attack to be the same have that same impact,
but it can and it does, and we just don't
see it that often. So we want to talk about
this story because this is an example of a company
that may never come back. Okay, wow, I mean they
have thirty plants in Japan making beer beverages and other

(37:44):
proof of and they're still figuring out whether they can
start the company up again. That's this isn't a small company.
This isn't like two people in a garage.

Speaker 1 (37:52):
So they got ransomwared, right, I.

Speaker 2 (37:54):
Think that's what happened. Yeah, they got they got ransomwared. Well,
they have a cyber event. It's caused an outage, which
is now political speak for we done clicked on stuff
we shouldn't have and it shut down our computers. Yeah,
but uh, you know.

Speaker 3 (38:10):
And we still haven't seen the promised cat video.

Speaker 2 (38:12):
I am not right, it's just sitting there is it's
ransomwaring everything. Where's this video? Please?

Speaker 3 (38:19):
One star?

Speaker 2 (38:20):
That's what I'm gonna do. When it pops up the
ransom screen, it's like, you have to contact us. You'll
be like, hey, where's the video.

Speaker 3 (38:27):
There's a video I promised.

Speaker 2 (38:28):
I was promised a video.

Speaker 3 (38:29):
You get not a penny till I see that dolphin.

Speaker 1 (38:32):
You send me a video of the happy cat waving
at me. That's not what I asked for.

Speaker 2 (38:38):
So at first I was not, you know, listen, another
ransomware and it may shut things down, and that's really sad.
But then I saw that this is also the company
that not only makes beer, which I do not drink,
but also makes Nikka whiskey Oh Wow, which is a
fantastic whiskey. And now I'm invested. That's the Japanese Scotch.
If you guys, yeah, one of you. If you guys

(38:58):
need us to come, how let us know. I will.
I will fly over there and fix whatever needs a
fix in I'm surprised you didn't whip out the Liam Neeson.
I have a certain I will find you.

Speaker 1 (39:11):
We will take the unsold inventory off your.

Speaker 2 (39:15):
Hands exactly, or I could sell some back. Either way,
I already have either way.

Speaker 3 (39:22):
Yeah, well, near and dear the card.

Speaker 2 (39:23):
I didn't know that for me either. Until I was
reading through the rest of the article. I was like,
wait a second, wait man, wait a second, this does
affect me. Oh my god.

Speaker 1 (39:32):
So it isn't really a matter of money then, right,
It's not like they can borrow money to get back
online like they are so screwed they would have to
start their whole business over right.

Speaker 3 (39:42):
They didn't give detail, but they're unsure whether they can
get back in a business. So it could be that
they've just lost so much they they're going to run
out of money before they could get everything back.

Speaker 2 (39:51):
According to the Japanese Times, they have outdated hands.

Speaker 1 (39:57):
You're not going to say this in Japanese, are.

Speaker 3 (39:58):
You only for our Japanese nekka taie.

Speaker 2 (40:03):
No, they have outdated handling processes with a lot of
their systems that were not quite updated, let's put it
that way. So, wow, shocker. And that's about as good
as my Japanese is. So that's it, that's all I got.

Speaker 1 (40:20):
Wow, this is this is a cautionary tale. Folks. Do
what you can to shore up your systems against ransomware,
and it starts with your people, educate them, don't make
it onto. Absolutely should be mandatory listening for everybody. Okay,
not everybody. Certain parts of the population would not appreciate it. Okay,

(40:46):
Well that's it this week for what happened last week,
and we'll see you next week on security this week.

Speaker 2 (40:52):
Oh and if you're in Orlando next week, come visit.

Speaker 1 (40:55):
Well, it wouldn't be next week, it'd be like tomorrow
or tuesday.

Speaker 2 (40:58):
Oh, there'd be this week. Hey tomorrow. If you're there now,
it would be like tomorrow.

Speaker 3 (41:01):
Here there now, if you're within five mile start driving.

Speaker 1 (41:05):
Yeah, oh, I almost forgot Dwayne. How's discord going?

Speaker 2 (41:09):
Awesome? You know what it's been. It's been awesome, honestly,
great engagement. People going back and.

Speaker 1 (41:16):
Forth in the non Dwayne in the non Dwayne usage
other word.

Speaker 2 (41:20):
And the non dway. Yeah, in the in the real way.
There's there's an active conversation going on right now around
how to mess unify systems in a secure way. There's
a lot of communications around different security tools and that
sort of stuff. There's tons of new Dad jokes in
there that are hilarious.

Speaker 1 (41:41):
So yeah, yeah, I gotta go pick them up. There
ye all right, okay, we'll see you next time.

Speaker 5 (41:47):
Bye bye sounds, good bye guys. FO

© 2025 iHeartMedia, Inc.