Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hey, do you know my uncle Benny's a mortician? No?
There he was. He's retired now, but he once told
me that there's a new trend in funerals, and that's
glass coffins. Will they be popular? Remains to be seen. Well,
(00:26):
welcome back to Security This Week. I'm Carl, that's Patrick
and Dwayne, and we're going to talk about the week's,
you know, unfortunate events and maybe we'll learn something. Starting
with a massive data breach that exposes one hundred and
eighty four million passwords for Google, Microsoft, Facebook, and more.
(00:48):
The file was unencrypted, no password protection, no security, just
a plain text file with millions of sensitive pieces of data. Okay.
Speaker 2 (00:57):
Okay, but this wasn't left by Google, Microsoft, Facebook.
Speaker 1 (01:00):
No, no, no in a ball.
Speaker 2 (01:03):
Yeah yeah, proof of the deep state.
Speaker 1 (01:07):
Yeah. So, I mean, the funny thing is, I think
we're all getting wary of these data breach stories because, yeah, okay,
we need to change our passwords. We need to use
a password manager. We're already doing that, right? Right, listeners? Yeah,
not using Fluffy123 anymore for your password? Okay,
(01:31):
but how, how, I don't know what to do with this.
Speaker 3 (01:35):
So there's a couple of different ways that you're going to
find somebody's usernames and passwords.
Speaker 4 (01:39):
Right.
Speaker 3 (01:39):
One, it's in an old data breach, right? So you
use the same username and password for the last ten
years, that username and password's out there, or even
Speaker 2 (01:49):
just a, Carl, a variant, like maybe you like the
word dragon and so it's Dragon123 or
Dragon321.
Speaker 3 (01:56):
Or Summer2011 and then Summer22, exactly.
Speaker 2 (02:00):
Yeah, yeah, yeah.
Speaker 3 (02:02):
So needless to say, you know, that's one way to
get a username and password and it ends up in
these breaches, these massive collections of breaches. But another way
that is concerning here is with information stealer malware. So,
you know, we hear a lot about ransomware, right? You
click on the wrong thing on your phone. You know,
(02:23):
it's not going to encrypt all of your stuff, right?
But what may happen is you're going to have an
info stealer that's going to watch as you're typing in
usernames and passwords. At that point, it gets really hard
to change your password to something they don't know, because
if there's an info stealer there, it's going to pick
up the username and password you change it to.
Speaker 1 (02:42):
Right.
Speaker 3 (02:43):
So really, if you are in these databases and you
find consistently your passwords are showing up in
the database. Or let's say you're doing what we're doing,
you're using a password manager. Yeah, like 1Password. 1Password
will go out and verify, is the password you're
using in a breach somewhere? Right? So let's say, and
I have 1Password auto-generate my passwords that are thirty-
(03:04):
two characters long. And if I see that all of
my passwords start showing up in a breach, you've got
an infostealer. Chances are I have an infostealer somewhere, so
I need to start crushing either my phone, start reinstalling computers,
whatever it may be.
Speaker 1 (03:17):
So you would have an infostealer on your end.
Speaker 3 (03:21):
Right, yeah, exactly, yeah, yeah, yep, yeah, yeah. And this
is where we say, you know, having antivirus and that
sort of stuff is probably a good idea.
Speaker 2 (03:28):
We're seeing that this is all about password spray attacks.
So a password spray attack is when, let's say I'm targeting you, Carl,
I would find all the passwords that you've used on
the dark web, that you've used that are in breaches,
and I would use that as fodder to say, well,
I want to break into your GitHub, so I'm going
to try all these passwords and variants of those passwords
(03:48):
because people are creatures of habit. And if
you think, oh, well, I haven't used this password in years,
I haven't used this password since, you know, Netflix was
still sending out CDs, DVDs, then maybe I can bring
it back in vogue. But it's still on the
dark web. It's still out there if it was in
a breach, so that password will never be safe with
(04:10):
you again. Now I'm not of the proposition
that just because a password was ever used by anyone
in any breach, it's a really bad password. But it
is a weak password, because if I'm going
to try to break one of your passwords, if I
get a hash of one of your passwords and take
it offline, the first thing I'm going to do is
(04:32):
use a dictionary that includes all those
passwords that were ever in a breach. And I think
RockYou 2025, or '24, was eight billion passwords, Dwayne,
wasn't it? So we'd burn through those eight billion passwords
in a couple of seconds on our crack cluster, and
then we'd start going through, okay, we're going to try
randomized dictionary attacks, which means if you've used a password
(04:56):
anyone in any of those breaches has used, we're
going to get it in the first three seconds.
Speaker 1 (05:00):
So this article says to check Have I Been Pwned
to see if your credentials have been leaked. Do you
think that Have I Been Pwned has this document?
Speaker 2 (05:11):
I don't know that it'd have it, like, instantly, but
this is like three days ago,
so within a week or so, I think Troy would.
Speaker 3 (05:19):
It's tough too, if the database was taken offline,
right? And what happened is the researcher that found
it notified the hosting provider, and the hosting provider removed
public access to it, so it's offline. Now there's no, uh,
you know, legal recourse for Have I Been Pwned to
be like, hey, can you give me that database? Right?
Speaker 1 (05:39):
Yeah?
Speaker 3 (05:40):
And there's no reason the hosting provider has to provide it, right? Okay,
so the hosting provider could be like, yeah, we deleted it, whatever, sorry,
have a nice day, right.
Speaker 2 (05:47):
Well, and this might just be a rehash of breaches.
I don't know anything about Jeremiah Fowler other than that
he fought at the Battle of Bunker Hill.
Speaker 1 (05:58):
Jeremiah.
Speaker 2 (05:59):
So the fact that he says, well, it's including Google, Microsoft, Apple, Facebook, Instagram, Snapchat.
That could just be that it's somebody's Microsoft account, somebody's
Gmail account. It doesn't necessarily mean it's corporate passwords or
current, right? Yeah. So, you know, if people, they go
for the, if I don't get to see it, I
(06:21):
always assume that they're exaggerating, right, you know, the importance
of something.
Speaker 1 (06:25):
Yeah, all right. Well, we'll be on the lookout for that.
All right, BleepingComputer says critical Samlify SSO, that's single
sign-on, flaw lets attackers log in as administrators. So
what's this all about?
Speaker 3 (06:39):
Yeah? See, this is, uh, for those of you
who don't know.
Speaker 1 (06:44):
It must be terrible. He's laughing.
Speaker 3 (06:45):
I know, right? I'm so giddy. So this is, for
those of you who don't know what SAML and SSO are,
we threw sort of a whole bunch of security mumbo
jumbo out there. SAML is a security markup language that
allows you to define, you know, certain key things that
(07:08):
you assert for a particular user. So I can say
this user is an administrator, this user is a normal developer,
this user is, or whatever, right? So there's certain assertions I
can make and all it distills down to
is XML, right? Yeah. So, and we've seen this a lot.
There's all sorts of, uh, you know, data that's passed
back and forth between, you know, a web server and
(07:28):
the back end that is just XML. It's just
XML markup. It's a markup language.
Speaker 1 (07:32):
Right.
Speaker 3 (07:33):
So you can go in and you can change that, right?
So I could try and log in, I could
grab this SAML request, this token, I can
modify it, and I can send it along. And the
way that they protect against that, with Patrick logging in
as a normal user and Patrick grabbing this SAML and
saying no, no, no, I'm an admin and then sending it
along, is they sign it. And for those of you
(07:54):
who haven't looked into cryptographic signing, cryptographic signing is not
encrypting it. There's a difference between hashing something for
a signature and encrypting something. Encrypting something, Patrick might not
be able to see it, and innately, the traffic between
Patrick's browser and the back end is encrypted anyways. Yeah, right,
it's using SSL encryption. But that's easily man-in-the-
(08:18):
middle. Patrick could do that at any time. Patrick would man-in-
the-middle his own traffic and you could modify it.
The second thing that we're talking about here is not encryption,
but is verifying that the document hasn't changed. Yeah, that's
why you use a hash, right? So you would take
the contents of the document, you would hash it down.
And what a hash does, use an algorithm to hash it,
(08:39):
and it will come out with a unique, call it
thirty-two, you know, character string of gobbledygook. Yeah, right.
And if I were to change an uppercase A
to a lowercase A in the original document and
rehash it, totally different, the thirty-two characters come out different. Right.
Speaker 2 (08:57):
So when you download, like, an image of software,
there's a hash that's published so that you know
that it hasn't been adulterated.
Speaker 3 (09:05):
Right, right, exactly. So now at this point I know, hey,
this hasn't changed. And that's what they do here.
They're actually signing that XML, right, that's
going forward and asking for assertions. What they're not doing, however,
is once a valid user logs in, there's more data
that is sent to the server for permissions that they
(09:28):
just assume because the user logged in valid. They're not checking
for the signature. There's what they call benign parts of
the XML structure, parts of the XML structure that are
not a part of the signature, okay, that unfortunately allow
you to request rights. Oh yeah, it seems like,
it seems like such a subtle oversight.
Speaker 2 (09:47):
So it's like the waiter at Applebee's using the private jet, huh?
He's a valid user, so he must
be able to use the private jet. Absolutely.
Speaker 3 (09:55):
If he said he needs it,
he needs it, right.
Speaker 1 (09:59):
Wow, Patrick has the best analogies.
Speaker 2 (10:01):
That's my job. So that's why you invite me.
Speaker 1 (10:04):
I make the jokes, You do the analogies. Dwayne does
the content.
Speaker 2 (10:07):
That's that is.
Speaker 3 (10:12):
So I could see, as a developer,
missing this. Yeah, this was actually reported by Endor Labs.
A bunch of great Ewoks.
Speaker 2 (10:21):
Just you know you're going to walk.
Speaker 3 (10:24):
It's a moon, just on the moon somewhere. I don't
know if the Wookiees, and they're from Kashyyyk, I don't
know. Anyways, so yeah, it's a security lab, reported it
to Samlify and they have since put out a patch.
So if you are running Samlify SSO to
do any type of single sign-on, SSO,
(10:47):
to something like Azure AD or Okta or any
sort of other federated, uh, you know, authentication provider along those lines,
you want to make sure that you upgrade to Samlify
two dot ten ten to fix this issue. Go patch,
go patch, reinstall, patch.
Speaker 1 (11:05):
All right, so the next one. The Hacker News: critical Windows
Server 2025 dMSA vulnerability enables Active Directory compromise. Dwayne,
what's dMSA?
Speaker 3 (11:16):
dMSA is delegated Managed Service Account.
Speaker 1 (11:20):
Oh well, that clears it up.
Speaker 3 (11:21):
Let me unpack that a little bit.
Speaker 2 (11:23):
I thought it was, I thought it was the new
party drug.
Speaker 3 (11:27):
It makes you want to touch everything. So, so if
you have a service account, there are plenty of ways
for you to compromise that service account and get information
on it.
Speaker 2 (11:39):
Well, let's talk about service accounts for a sec. Yes. So
the service account is, many softwares, when you run them,
they run under your credentials. So when I open Word,
it's running as me, so it can access the files
that I can access. If I can't access a file,
I can't open it with Word, even if it's a
Word document. With service accounts, we have software like databases
and email systems and antivirus that need to run
(12:02):
no matter who's logged in, and even when no one's
logged in, right? And so a service account gives that
piece of software, typically called a server, its credentials that
it can operate on, and we call that a service account.
Speaker 1 (12:15):
Right, And it doesn't have access to everything, but it
has access to all the things that services need.
Speaker 2 (12:21):
Unfortunately it usually does. It shouldn't have access to everything.
It should only have least privilege what it needs access to.
Speaker 1 (12:27):
So you're saying there's one service account for all
of Windows, and all of the services run under that
account with full access to everything.
Speaker 3 (12:35):
So there is a system-level sort of generic access
that you can run a service as, just Local System,
which does have access to pretty much everything, right? Most
people will put a service account as a particular user account.
So like if I have a Microsoft SQL Server and
it's running the Microsoft SQL Server services, I might install
that service as, you know, SRV_MSSQL, which is
(13:00):
a user, a literal user in Active Directory that has local
administrative rights to the computer I'm on, okay, and runs
the service. The problem with that is who changes that password? Okay, right,
so that account, and it's not convenient. Yeah, it's not convenient.
And on top of that, you then start going into, okay,
now we start looking at Kerberoast, which is, Kerberos
(13:23):
allows for authentication and access to resources, and you
have what are called service principal names. I won't go
into, just like, sort of really deep here, but just
know that if I have a service account that's responsible
for a particular type of service in a network where
I have Kerberos, I can request a token for
that user and then crack it and then use it. Right,
(13:44):
there's this process called Kerberoasting, where I can crack,
you know, correct, that account and then start
using that account. So that being said, Microsoft said, okay,
to combat this, what we'd love to be able to
do is use this delegated managed service account, and we'll
give the ability during a migration to migrate to this
(14:05):
new sort of delegated, better service account, better service account,
something that Kerberoasting, you know, won't cause issues with, okay,
and in doing that it seems like they've missed part
of the process. An attacker can simulate the migration and say, oh yeah,
by the way, this is the new service account and
(14:27):
it's going to take over that SQL Server and run,
any issues there.
Speaker 1 (14:30):
So, so what do we do? Cry? Do we patch?
Speaker 3 (14:36):
There is a patch currently in the works.
Speaker 2 (14:38):
Okay, so abandon ye all hope, hopefully?
Speaker 1 (14:42):
Yeah, okay.
Speaker 2 (14:43):
At least Microsoft didn't say works as intended.
Speaker 3 (14:46):
Yeah right, yeah, well, they've done that in the past
too, honestly. So if, for the NSA, did, yes, it
works as
Speaker 1 (14:53):
intended, right? Oh yeah, this is how we meant it
to work.
Speaker 3 (14:56):
Yeah. And if you look through, there's actually, in this
Hacker News article, there's a really good infographic here that
shows sort of the requests as the attacker goes and
adds a new attacker account and blah blah blah, goes
on through, requests a ticket for that account, so on and
so forth.
Speaker 2 (15:12):
I didn't know you wore glasses, Dwayne. Right, the attacker has,
well, maybe it's Carl, maybe Carl.
Speaker 3 (15:23):
So one interesting fact they say about this simulated migration
technique is that it does not require any permissions over
the superseded account, so that Microsoft SQL Server account. I
don't need permissions over that account to say that I'm
migrating away from that account, and that's kind of
where the crux of the problem is.
Speaker 2 (15:42):
It's kind of like changing the password without knowing the
old password.
Speaker 3 (15:45):
Exactly right, analogy, I can do that. Yeah, so Akamai
said, they reported the finding. They actually discovered the finding.
They reported the finding on April first to Microsoft and
they're still waiting on a fix. There is a
PowerShell script that was released by Akamai that can actually
(16:08):
show any of these dMSA accounts that were created in
your environment, so that you might be able to discover
if somebody is trying to steal things from your environment.
You know, most likely they might do what's called the
DCSync attack, which is where they pull down all the
usernames and hashes for all the users in your domain.
Ideally you're looking for that, but yeah, until there's a patch.
Speaker 1 (16:29):
Just, you guys.
Speaker 2 (16:30):
I used to love Active Directory, but it's just become
such a bundle of liability that I really do advise
that if you can get rid of Active Directory and
go to zero trust, you're better off.
Speaker 3 (16:44):
Yeah, yeah, yeah, and according to this, however, a patch
is currently not in the works. Running that script, why,
should we see if you've run it? See if you've
already been compromised.
Speaker 1 (16:54):
But all right, let's move on, one more story before
we take a break, and we talk about Janet Jackson.
What? Okay, Mimo hackers exploit, you heard me, Mimo hackers
exploit CVE-2025-32432
in Craft CMS to deploy cryptominer and proxyware. Good lord,
(17:17):
the sky is falling. What the hell is this all about?
Speaker 3 (17:22):
So, for those of you who don't know what a CMS is,
CMSes are really tough to secure.
Speaker 1 (17:27):
A content management system?
Speaker 3 (17:28):
Yeah, it's a content management system. Anybody who's ever used WordPress? Yeah,
for those of you who've never heard of WordPress, okay.
Speaker 2 (17:35):
Never listen to this podcast.
Speaker 3 (17:36):
Welcome, Welcome to the show. Yeah, yeah, welcome to the show.
Speaker 1 (17:39):
Yeah. You have software with features, you turn them on,
you turn them off, you configure them, you put
them, yeah.
Speaker 2 (17:43):
Well, it's, yeah, it's meant to have somebody who's
not a programmer maintain your website or maintain your wiki,
or maintain whatever.
Speaker 1 (17:51):
Or your software, whatever software or whatever.
Speaker 2 (17:53):
Right, yeah. And it's well intended, and it
is meant to provide convenience.
Speaker 4 (17:59):
Yeah.
Speaker 3 (17:59):
Well, and the tough, yeah, but the tough part
there is it is well intended, but it's
hard to secure. Imagine allowing somebody to create sort of
any type of web page they want, but make it
in a way that's not going to cause any issues,
right, right, may not be a security flaw.
Speaker 4 (18:15):
Right.
Speaker 3 (18:15):
So we find all the time when we get access
to a CMS, it's like, I'll just create a hacker
page that runs the script on the back end. It
gives me access to the server, right, exactly, and upload.
Speaker 1 (18:25):
Upload whatever you want. We'll put it on your.
Speaker 3 (18:27):
Web page, right, right, and there's.
Speaker 1 (18:32):
Right everything.
Speaker 3 (18:35):
So in this particular issue they're running into, uh, and
if I believe we have the details on the versions,
here we go. The vulnerability in question is a maximum
severity flaw, which we'll go through, uh, and it was
patched in version 3.9.15, 4.14.5,
and 5.6.17. So if
(18:58):
you are running this particular CMS, this Craft Content Management System,
then you want to go out and make sure that
you've absolutely patched. But that being said, according to a
new report, the threat actors behind the campaign weaponizing this
obtained unauthorized access to the target system. So they're actually
logging in with a username and password, whether that's credential stuffing,
(19:22):
whether it's from the one hundred and eighty four billion
passwords that were just released. Whatever.
Speaker 2 (19:26):
It may be, million, million, not billion.
Speaker 3 (19:30):
They were billion, trillion, quadrillion, centillion.
Speaker 2 (19:34):
It was millions, only six zeros, thank you very much.
Speaker 3 (19:38):
Wait a second, if you apply, like, the FBI swizzle
rules. Anyways, so.
Speaker 1 (19:45):
So googling that, I got.
Speaker 3 (19:47):
Yeah, if they obtained unauthorized access to target systems,
so they got access to a, let's call it,
a WordPress-style system, is Craft. But they got
into the system as a normal user where they
could create a web page. They could have at this
point defaced it, right, just put nasty things on there
and left it and, you know, giggled in the background, whatever.
(20:08):
But what they did is they actually deployed a webshell.
So when they created a page that would then grab
content, in this particular case an sh script or a
Bash script, would pull it down and then would run
that content, right, and then once that content was run,
there was an executable known as the Mimo loader, MIMO
(20:31):
loader, M-I-M-O loader, which modifies the /etc/ld.so.preload
file, dynamic linker, and then starts deploying
malware, et cetera, et cetera, et cetera.
Speaker 1 (20:42):
Right, I love it when he talks dirty, don't you,
Patrick? Nowhere?
Speaker 2 (20:46):
Yeah? Yeah, so, so I guess where this would
be especially bad would be multi-tenant, where I have
a, yeah, uh, you know, maybe I have a consortium
or some kind of, you know, a store, joint community
site where I get a login, but I don't
get, you know, god-like access. This would allow me
(21:07):
to basically go in and pillage at will.
Speaker 3 (21:10):
Right. Well, and on top of that, it's, okay, you say, okay, great,
I can go patch. But, you know, how do I
protect myself before this happened? Before we knew this exploit existed?
Speaker 1 (21:20):
Right?
Speaker 3 (21:21):
Because content management systems, CMSes, always have issues like this,
right, right. We love when we see a CMS,
it's usually ten minutes to owning the box. So I
would say, in this particular case, the way you protect
against this before you knew about this was make sure
that any of your users who have access to the
CMS have good passwords, use multi-factor authentication if the
(21:41):
CMS supports it, and make sure that you're watching logs.
Right? So, you know, I don't know about you guys,
but like, we don't change the pulsarsecurity.com website
every day, so if I had something notifying me whenever
any user logged into it, I would know, right? Hey,
it's weird that nine users have logged into pulsarsecurity.com
(22:04):
to change the web pages today?
Speaker 4 (22:06):
Right? Right?
Speaker 3 (22:06):
Yeah, so logging and notifications would have been your key
here, where you see somebody logging in that shouldn't have
been there, you know. And then.
Speaker 1 (22:14):
Yeah, yeah, yeah, okay. All right, we're going to take
a break and, as promised, when we come back, we're
going to talk about Janet Jackson. Janet, what does Janet
Jackson have to do with security? Well, you'll find out
everything right after these very important messages. Don't go away.
And we're back. It's Security This Week. I'm Carl, that's
(22:38):
Dwayne and Patrick, and, uh, we're continuing on the week's news.
This is actually an old story.
Speaker 3 (22:45):
It's from 2022. Yeah, or, yeah. So it's
not too old. It's only three years old, but.
Speaker 2 (22:49):
So, Security This Decade.
Speaker 1 (22:51):
Yeah, yeah. So here's the story. Janet Jackson's Rhythm Nation
has a resonant frequency, and some, or one or more of
the songs, can cause certain 5400 RPM
hard drives in approximately 2025 and later to
(23:12):
crash, system crash. Like if you're playing Rhythm
Nation on your laptop and you have this certain hard drive.
Speaker 3 (23:21):
Kabumski, right, yeah. This is, this is like, there's
actually a CVE. This is like a
perfect side-channel attack. Yeah, right. You're working on
the harmonic resonance of fifty-four hundred revs per second,
and apparently Rhythm Nation, this song, perfectly amplifies the harmonic
(23:42):
resonance of that drive to crash the disk.
Speaker 1 (23:45):
Oh, here's the thing. I don't think they did that
on purpose. I think that, you know, the.
Speaker 3 (23:50):
Would be awesome.
Speaker 2 (23:50):
Janet's pretty wow.
Speaker 3 (23:51):
I mean, that song came out in nineteen eighty,
yeah, right, right, so no deep attack, right, exactly, the future.
I think it's her and Rick Astley.
Speaker 2 (24:03):
If you check, if you check the patents for 5400
RPM drives, you find someone named Jackson in there.
Speaker 1 (24:09):
I'm sure.
Speaker 2 (24:11):
I think Tito is the agent.
Speaker 1 (24:13):
Tito, you know, put your future hat on.
2025, these hard drives, where are they going
to be running at 5400 RPM? All right, let's
fine-tune the bass. I don't think so, Carl.
Speaker 2 (24:29):
I could see Carl doing an attack like that.
Speaker 1 (24:31):
You know.
Speaker 3 (24:31):
It's funny, though, we joke about it, but it is like,
legitimately, there is a CVE. There is, that mentions Janet
Jackson's Rhythm Nation.
Speaker 2 (24:38):
So there's a TV show called Bones. I don't know
if you've ever seen it. Oh yeah, yeah. And supposedly
there was a hacker or a murderer who puts something,
designs, into bones. Wow, so that when the bones got scanned,
they got read as code and executed a virus to
infect the forensic system and took over, which, wow, you
(24:59):
know, it's very futuristic and kind of like that.
Speaker 3 (25:03):
And if you haven't seen Bones, I mean now you
don't have.
Speaker 2 (25:06):
Those are pretty good episodes. You never know what a
side-channel attack is going to look like, and whether it's,
and I do, I can see this is probably
not an intentional thing.
Speaker 1 (25:16):
No, no, it's just really kind of funny. It's just awesome. Yeah,
all right, so let's get back to the serious stuff.
The Hacker News is saying cybercriminals target AI users
with malware-loaded installers posing as popular tools.
Speaker 2 (25:35):
This is just a new take on an old hack
where people would take whatever's popular, machine learning, big data,
and they're trying to just get people to click on
the wrong thing. You have to make sure you know
what you're doing, what you're getting. All these stories we've
had about people downloading the wrong apps in the app store,
the fact that people download the wrong packages that are
(25:58):
infected or named alike, it's all the same thing. You
have to check what you're putting into your system, just
like you check what you put into your mouth.
Speaker 1 (26:08):
Yeah, most, so, here's the thing. These are fake installers,
and one of them is for ChatGPT. You don't
need an installer for ChatGPT. You just go to
the website. I mean, granted, there's a
phone app.
Speaker 2 (26:21):
Sure, got to go to the right website.
Speaker 1 (26:22):
But if you're in the app store, right, and you're
in the Apple App Store or the Google App Store,
you know you're probably installing something good. But if you
go to a website and, hey, click here to
install NVIDIA AI, for example.
Speaker 2 (26:38):
Well, and it could just be an ad. Yeah, so
you could do a search or go to any site,
Facebook or anyplace else that delivers ads, and it
could say, install ChatGPT now, use the
power of the Internet, and you click it, and now
you're in this, in this space.
Speaker 1 (26:52):
And it's not just malware. We're talking about ransomware. Yeah,
it's bad. Yeah, well, some is malware, some is ransomware.
Speaker 2 (27:02):
Yeah, none of it's good.
Speaker 1 (27:04):
None of it's good. I do like the graphic though.
Speaker 2 (27:09):
But you know, as this will keep occurring, it's like
after there's a tsunami, they're trying to get people to
donate to the relief cause. We're not saying you shouldn't
use this stuff, but you've got to understand, from reputable sources,
how you get it, how you install it, how you
use it. And if you just, like, click on the
(27:29):
first thing you see, you're probably gonna get owned, right,
get hurt.
Speaker 1 (27:33):
You're gonna get hurt, son. All right, so let's move
on. CybersecurityDive.com says Google says China-backed
hackers are hiding malware in calendar events. That's it.
Speaker 3 (27:48):
No more calendar events. Done. APT41.
Speaker 1 (27:51):
No, never clicking on a calendar event again.
Speaker 3 (27:55):
No.
Speaker 1 (27:56):
Let me read the subtitle here: the APT41
nation-state threat group is exploiting yet another cloud service
to mask its operations, according to new research.
Speaker 3 (28:06):
Yeah, and a lot of people might be worried, like,
oh my gosh, now maybe I shouldn't, you know, that's
not what it is, Google Events or anything like that.
And it has nothing to do with that. Yeah, when
we break into a company legally.
Speaker 2 (28:17):
Or we could, should say, were we to?
Speaker 3 (28:20):
Were we to?
Speaker 2 (28:21):
Yeah?
Speaker 3 (28:22):
Thank you?
Speaker 1 (28:23):
All right? Just for everybody who doesn't know Dwayne and Patrick,
that's their job. They get hired to break into, yeah,
welcome to the show, and then deny it. They get
hired to break into companies, by the companies, yes, to
find the vulnerabilities. That's what they do.
Speaker 3 (28:37):
So there's a lot of companies that watch outgoing traffic, right?
So if I, let's say I put either an implant
or a cable or something that I can get access
to the internal network, I've got to get data off,
and usually I've got to get data off, and
you need to control whatever agents are on the inside, and
that's where you turn to what they call C2,
or command and control structure, where I need to
(28:58):
issue a command to an agent on the inside, and
that agent needs to read that command somehow and know
what it's looking for, and then it comes back with
the data, right, of the execution of the command. And
there's tons of command and control structures out there. There's
one called Empire, there's Sliver, there's, uh, you know,
you name it. There's tons of them out there,
(29:20):
and the problem is once they get very well known,
they obviously get blocked, right? And I might be communicating
over DNS, right, a naming service, which I can do
through command and control. It's slow, but people are now
watching DNS for it, so you go, okay, well, how
can I communicate back and forth with my agent without
anybody noticing the difference? And what happens is the APT,
(29:45):
the advanced persistent threat from China, creates a Google event
and it's just a calendar that anybody can subscribe to,
and in the body of that event is an encrypted
command. The agent on the inside, which got installed some
other way, right, you plugged in the wrong USB drive,
you clicked on the wrong thing in an email, whatever it
(30:06):
is, okay, right, is now running on your computer and
it polls that Google event and when it finds the event,
it pulls down the content, decrypts it, knows what it
should run, and then it posts back to the same event.
Here's the encrypted results.
Speaker 1 (30:23):
Wow.
Speaker 3 (30:24):
So now I'm using this calendar to be.
Speaker 1 (30:27):
Using it as a two-way communications device, exactly.
Speaker 3 (30:31):
Yeah, yep, yep. And that's what's going on here, right.
Speaker 1 (30:34):
So port 80, nobody would ever suspect, using, yeah,
443.
Speaker 2 (30:40):
Other examples that we've seen in the past are using
the drafts of their Gmail account.
Speaker 3 (30:47):
Yeah, or Dropbox or OneDrive or even Instagram. I
mean, there's all sorts of different ways that you can
use public services.
Speaker 1 (30:54):
Yes, see, Dropbox or OneDrive makes more sense.
Like, I would be looking for that, right? Oh, they're
writing to a drive file and somebody else is reading it.
But this is tricky, right? Wow. Yeah.
Speaker 3 (31:07):
Yeah. And we've even seen it, like Patrick said, like
we've seen like Gmail emails where they'll send an email
and sometimes leave it in drafts, or they'll be monitoring
an inbox and you just send an email to this
inbox saying, how can you, you know, run a dir,
and it replies to you with, right, here's all the
files on that computer. So, wow, see, and this is
tough, because what does your organization do? Do you block Google
(31:31):
from the organization?
Speaker 1 (31:32):
Yes?
Speaker 4 (31:32):
Rob, well, there you heard it first. Yeah, block Google,
get rid of it.
Speaker 2 (31:42):
It's a fad that would never take off.
Speaker 1 (31:47):
All right. So this is just an interesting story. There's
really no, you know, nothing can harm you around this.
Just know.
Speaker 3 (31:56):
The only thing I would say is, I wish,
it would be nice if there were a much better
way for deeper analytics into outbound traffic, yeah, to be
able to discover abnormal traffic. Like, if I saw somebody
pulling events in a Google calendar ten times a day
and then tomorrow it's three hundred times a day, yeah,
(32:18):
that would be an interesting metric. Yeah, right? If I
saw DNS queries were only two meg a day and now
they're thirty meg a day, also an interesting metric, right? And.
Speaker 2 (32:29):
These are the kind of things that AI will find
for us.
Speaker 1 (32:32):
But you know what, though, I would put on my
Dwayne Evil hat here and say, if I was going
to try to get around something doing analytics, I would,
in every Google Calendar event, I would add another calendar
event address and just keep playing hopscotch, right? Just keep moving,
just keep moving. Delete the old one. Stick.
Speaker 3 (32:50):
And move, right, create a new one. Or, yeah, you pull the
command out of a Google calendar and then you submit
the reply through OneDrive. Yeah, you know, I'm proud. Okay,
you're on the team, buddy.
Speaker 1 (33:04):
Got to think like an evil person. Okay. So let's
talk about the clickbait: Signal says no to Windows 11's
Recall screenshots. So let's talk about Windows 11 Recall a bit,
because we talked about it a while ago.
Speaker 2 (33:21):
So, Patrick, yeah, it's a horrible,
great idea. So it sounds like it's a great idea,
because, hey, who hasn't forgotten what they were working on?
Speaker 1 (33:32):
Or what is it? What is it?
Speaker 2 (33:34):
It's Microsoft's attempt to add a feature that will basically
keep a log of everything you've been doing so that
you can go back and remember, oh, what was I
doing last Thursday? Oh, well, let me, I forgot that document.
Let me get a screenshot of what I was doing.
Or, all right.
Speaker 1 (33:49):
So a screenshot that gets automatically taken of your screen
on some interval that's probably short, like a minute or
so, or thirty seconds.
Speaker 2 (33:57):
And I don't think it's just screenshots. I think screenshots
will be part of it. But it's also like the text and.
Speaker 1 (34:02):
Yeah, it does OCR. Yeah, here you go.
Speaker 2 (34:04):
So it's a solid record.
Speaker 3 (34:07):
What Recall does: it continuously captures snapshots of your
active screen every few seconds while you're using your PC.
The snapshots are stored locally and processed using AI. You
can then search through your past activities using natural language,
like, find the document I was working on with budget
planning last Tuesday. Then you can scroll through the timeline
(34:29):
and visually browse your computer's activity, like having a photographic memory.
Speaker 1 (34:35):
So this is for people with Alzheimer's, obviously.
Speaker 2 (34:38):
Or people that like to share their passwords.
Speaker 3 (34:40):
Yeah, I could see that being right.
Speaker 1 (34:43):
So Patrick's point is that it's inherently insecure because everything
on your screen is now up for grabs, and who
knows where it's going, right.
Speaker 2 (34:53):
Right. So I would only want this feature if
I would also want a feature of having Alexa record
every single word I say, just in case I want
to remember what I said.
Speaker 1 (35:06):
You know, it's a good thing I have mine down
and I'm wearing headphones, because you would have set it off.
It's sitting right here next to it. It's the best
gag in the world on a podcast.
Speaker 3 (35:20):
I saw that on, like, a newscast at one
point, where somebody said, hey, Alexa, order me an umbrella,
and, oh no, you are getting word.
Speaker 1 (35:28):
You're not thinking grand enough. You say, Alexa, order a
thousand umbrellas and send them to Patrick.
Speaker 2 (35:37):
Oh my god, are we going to have to
edit that out and bleep it? No, is that the new
A word?
Speaker 1 (35:43):
It's just an old joke that.
Speaker 2 (35:45):
We've been doing the A word, the S word.
Speaker 1 (35:48):
We were doing that on .NET Rocks ever since
it came out. All right. So here's the real story:
that Signal basically is helping users dodge Recall's screenshots.
Speaker 2 (36:00):
Golf clap.
Speaker 1 (36:03):
So, you know, Signal is the end-to-end
encrypted communication app. It's been making the news lately, but
it's in general a really good way to communicate. We
all use it because it's end-to-end, and others, and
WhatsApp, say they're end-to-end, but there's a
man in the middle. It's called Facebook, and they can
decrypt and re-encrypt your data, and they do so.
(36:26):
Signal is end-to-end encrypted, great communications. So here's
the story. They're taking proactive steps to ensure Microsoft's Recall
feature can't screen capture your secured chats by rolling out
a new version of the Signal for Windows 11 client
that enables screen security by default. It's the same DRM
that blocks users from easily screenshotting a Netflix show on
(36:49):
their computer or phone, and using it here could cause
problems for people who use accessibility features like screen readers.
Speaker 2 (36:57):
Yeah, I mean, they're creating, so, like, I've been thinking
about Recall a lot, and one of the features, one
of the aspects of it that I think is going
to run afoul of the world, is how does
this comply with GDPR? Because with GDPR, I have the
right to be forgotten. And if in my Recall there's
information about Carl, and Carl has requested his data be scrubbed,
(37:20):
are you going to go and scrub my Recall? Because
if you don't, you're not following GDPR. So I think
that, again, Microsoft does a great job. They create amazing
features in middleware and things like that, but sometimes they
just don't think through the things that could have security implications.
Speaker 1 (37:39):
Or they thought it through and decided to go ahead anyway.
Speaker 3 (37:42):
Well, and I think I remember this getting announced, where
there was talk of this feature pushing data
up to the cloud so you could recall from anywhere,
and there was such an outcry. They were like, no, no, no, no,
only local, never going to happen, don't worry about it, because.
Speaker 2 (38:01):
No one ever hacks your local system. It's a bad idea.
If you have nothing of value and you have nothing to hide,
then, yeah, maybe you don't care. But I think
the problem is, if a hacker
gets in there and they get a hold of it,
(38:22):
they've got everything: every password, every system, every URL,
every document. It's all theirs.
Speaker 1 (38:29):
Oh, here's the thing I understood when we talked about
this before: that this is an opt-in feature, right?
Or maybe it's on by default, but the thing
is you can turn it off. You can turn it
off and on. So whether it's on by default, I
don't know. That would be bad. Yeah.
Speaker 3 (38:45):
I was actually, yeah. Well, and if I remember correctly,
this blah blah blah blah uses the neural processing
unit in Copilot+ PCs. So if you don't have
a Copilot+ PC, I don't think it's actually getting
processed anyways. But still, okay, yeah, the moment
I have one of those, I'll be turning it off.
Speaker 1 (39:04):
Anyways, exactly. All right, that's the show, guys. Always fun,
always fun, and scary. Always fun and just a little scary. Yep.
Speaker 3 (39:15):
And we have a bunch of new users at the
Security This Week Discord. All right, a lot of really
great conversations around there. So by all means, continue joining,
continue participating on the channels, and potentially get your chance
to win some snazzy Security This Week lock picks.
Speaker 1 (39:31):
That's right. So suggest a story for us, you know,
did we miss something? If you suggest a story and
we use it, you'll get your specially branded Security This
Week podcast lock pick set that comes with no instructions.
They're awesome, but you can find them on the internet.
Speaker 2 (39:51):
LockPickingLawyer is the best.
Speaker 1 (39:52):
Yeah, that's okay. Heck, yeah. All right, see you
next week.
Speaker 2 (39:56):
Thanks, guys. Bye bye bye.
Speaker 1 (40:00):
Oh t