Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So this just in. A truck carrying a full load
of ramen noodle packs was involved in a multi-vehicle
accident on the Mass Pike. Estimated loss to the company:
forty bucks.
Speaker 2 (00:13):
Flavor packs were all the flavor I.
Speaker 1 (00:16):
Flavor packs worth more than the noodles.
Speaker 2 (00:18):
Such.
Speaker 1 (00:27):
All right, well, welcome to Security This Week. I'm Carl Franklin.
That's Patrick Hynds and Dwayne Laflotte, and we got some
stories here for you. A few of them involve Google.
So the first one is from Tom's Hardware: Google is
getting ready to hack back as US considers shifting from
cyber defense to offense, and new Scam Farms bill opens
(00:49):
up new retaliatory hacking actions.
Speaker 2 (00:52):
I'm waiting with bated breath. This is very interesting. We've
talked about this, not on this podcast, I don't think,
but Dwayne and I have definitely talked about what
would happen if they allowed us, because there was some
talk about this a number of years ago. The biggest problem
is knowing you're hitting the right target. Attribution is really hard,
(01:13):
and false flags are a thing. I can try to say, oh,
you know, Singapore is the source of the hack, and
then you go and take out a hospital in Singapore
if you don't know what IP address you're going up
Speaker 1 (01:25):
Against, well you wouldn't take out a hospital.
Speaker 2 (01:27):
You might if it looked like it was coming from
North Korea and they, you know, fake you out. Again,
it can be done. It just has to be done
carefully and methodically. And again it's always been illegal, so
up till now it's been a moot point.
Speaker 3 (01:43):
So, question: if you read through this article, it's the Scam
Farms Marque and Reprisal Act, is what it's called. And
this would authorize the President of the United States to
issue letters of marque and reprisal with respect to acts
of aggression against the United States, a member from a
(02:03):
member of a criminal enterprise, or any conspirator associated with
an enterprise involved in cyber crimes. What is a letter
of marque?
Speaker 2 (02:13):
So this is privateering. Oh oh, this is what the
English crown did to Spanish ships where they said, that's
where I've heard it before, right, yes, yes, yep, that's
where it comes from.
Speaker 1 (02:22):
Yeah, so they got citizens to sign up to it.
Sounds like pirate but it's not. It put me on
the list, signed up to go hunt down the bad guys.
Speaker 2 (02:30):
Yeah, yeah, push it on the.
Speaker 3 (02:32):
List, right, are we like bounty hunters now?
Speaker 2 (02:35):
So basically this is like we've talked about a cyber reserve,
if you will. When the war in Ukraine came, one
of the things that Ukraine did is they tried to
recruit people who were technical so that they could start attacking,
so they could raise the stakes against the Russians, because
the Russians were actively using cyber against them. And people
(02:56):
they didn't know or trust, they said, here's some websites,
if you can take them down, that'd be great. For
those that they knew and trusted, they gave them intel
that they could act upon, to go after
specific records, specific targets. This is that kind of thing.
Speaker 3 (03:10):
But the thing I don't understand is the president has
to sign this letter, but the president also has control
over probably one of the best offensive cyber commands ever, right,
US Cyber Command. I don't know if you guys remember
TrickBot, the massive ransomware.
Speaker 1 (03:28):
I'm sorry, Dwane, that's yesterday's news. Today he fired them all.
Speaker 3 (03:32):
Never mind, sorry my bad, Go ahead and continue.
Speaker 1 (03:35):
That's a joke.
Speaker 3 (03:36):
Tend to see here. But like TrickBot was compromising
all sorts of different companies with initial access and then
ransomwaring and that sort of stuff. And at one
point, I can't remember what the target was, whether it
was a water treatment plant or something like that that
was hit, or whether it might have been actually
the gas pipeline. I think it was a gas pipeline, okay, yeah,
and US Cyber Command stepped in the next day, said
(03:59):
hold my beer. Yeah. The next day TrickBot's like,
we're offline. Now we don't have access to any of
our servers. So whoever did this knows what they're doing. Yeah.
So yeah. US Cyber Command was like, oh, you know,
to stop that.
Speaker 2 (04:15):
That's quality, this is scale.
Speaker 3 (04:18):
Yeah.
Speaker 2 (04:18):
So's you know, if if we're if we're at war,
if there's you know, if let's say things break down
with Russia and you know, we finally had enough of
what's going on and we decide the gloves have to
come off.
Speaker 3 (04:30):
Haven't broken down yet.
Speaker 2 (04:31):
There's too many topics, there's too many targets. I don't know.
Maybe it's just fodder for the gristmill
and, you know, yeah, we're going to hack back and
they're never gonna even do it. What I'd rather see
is coordination through the FBI of saying, look, we've been
attacked by, you know, external actors. We believe we know
how to go after them. Here's our data. We want
(04:53):
permission to go and hack back, and then they do
do it. That's not what we're talking about here. That's
what I'd like to see.
Speaker 1 (04:58):
Yeah, well, apparently there's a lot of money earmarked for this,
at least a billion dollars in the big beautiful bill.
So they're you know, they're not kidding around.
Speaker 3 (05:10):
I like it. Yeah, we'll see what happens.
Speaker 1 (05:11):
See what happens film at eleven.
Speaker 3 (05:14):
Maybe I'm wrong. Maybe we'll turn the Discord server into privateers
and all of you.
Speaker 1 (05:18):
Oh that's all great idea.
Speaker 2 (05:20):
We'd have to move it off and buy a boat.
Speaker 1 (05:25):
All right. So, next story from BleepingComputer: Citrix fixes
critical NetScaler remote code execution flaw exploited in zero-day
attacks. And this story is from August twenty-sixth.
Speaker 3 (05:37):
Yeah, and this is one of two of
our go-patch stories. Right, so how do you know
you're affected? If you're running a NetScaler from Citrix, yeah,
14.1 prior to 14.1-47.48, you want to go patch,
upgrade your NetScaler. The vulnerability here is a memory
overflow bug where successfully exploiting it obviously gives you remote code execution.
(06:02):
That's an RCE, so pretty important. Usually NetScalers are
accessible to the Internet, especially the NetScaler Gateway,
so you're absolutely gonna want to go fix this one.
I'd say this is probably topic
Speaker 2 (06:13):
one. So let's go a little deeper just for a second. Sure,
when you say RCE, what comes to mind for me
is a reverse shell, the ability to, like, run commands.
It will, sure, but sometimes it's not that open. What
percentage of the time does an RCE, do you think,
result in, like, I just can run any command I
want and I have a shell, versus I can
(06:35):
insert a command, command injection, and I can just get
a little bit, like I can get, like, twelve
characters to run.
Speaker 3 (06:44):
Right, Because it's a big difference. Yeah, that's yeah, there's
a huge difference there. You're absolutely right. If I had
to put a number on it, I would say that
RCE is full control. So it's reverse shell. So when
they say RCE, it's admin you get to run. Yeah,
as many commands as you want. Then maybe maybe you're
(07:06):
at the console. Yeah, maybe not easy for you to
run the commands, like you have to run them and
batch them together and.
Speaker 2 (07:12):
Bundle them in a package or something.
Speaker 3 (07:14):
Yeah, I get twelve characters per you know, post to
a website and I have to put it in a
file and then tell that file to run. But eventually
you're going to get control. You get control over the system.
Speaker 1 (07:25):
So you think RCE comes after privesc, right? You
do privilege escalation and then you can.
Speaker 3 (07:31):
So that's a good point. It depends. It depends
on if the system itself is running in escalated privileges
or not. So if I compromise a website and the
website's running as a low-end user and I get
remote code execution, I can run commands with command prompt.
Well, I'm still running as that low-end user, so
now I need to privesc afterwards. But if I'm
(07:53):
on, like, an elevated system, like usually the NetScalers aren't
expecting people to do it, they have backup systems, right, then
privesc already happened the moment I hit the system, because
I'm already running in your privileged context.
Speaker 1 (08:04):
All right, good to know.
Speaker 2 (08:05):
Yeah, you usually need privesc after you've got RCE,
because you need privileges to run the commands you really want.
Speaker 3 (08:11):
Yeah, right. And although far too often we find a
lot of people we talk to and work with and whatnot,
they have applications running in greater privileges than they need to.
Speaker 2 (08:21):
Yeah, least privileges not followed.
Speaker 3 (08:23):
Listen, I love developers, but a lot of that is
the developers sometimes going, it works on my workstation, exactly,
So let's keep opening up privileges until it works. Oh
it works now as an admin, leave it alone, and you.
Speaker 2 (08:34):
Probably opened up fifty percent of the privileges you open
up weren't necessary.
Speaker 3 (08:37):
Right right, Yeah exactly, yep.
Speaker 1 (08:39):
All right. So the next story, or the next two
links anyway, go together. The first one is Google, from
First Alert 6, WOWT.com.
Speaker 2 (08:50):
Oh from the First Alert team.
Speaker 1 (08:52):
Yeah, Google warns 2.5 billion Gmail users to
update passwords after data breach of one of its databases.
And so what did we do? We all went and
we updated our passwords and all that stuff. Even though
I never got anything from Google. Yeah, never got anything
on my iPhone or whatever. And then a couple of
(09:13):
days later, Google comes out with, from their blog, Gmail's
protections are strong and effective, and claims of a major
Gmail security warning are false. Yeah, so it's a BS story.
Speaker 2 (09:26):
Not a bad practice to change your password though.
Speaker 3 (09:28):
No, agreed. And so if you dig into, we're going
to send out a link to this, and if you
click on the Google reports a breach, yeah, if you
go down that, the reported breach was if you're using
Salesforce and you had enabled Salesloft Drift. So, Salesloft
Drift is an AI that can, well, connect into your
(09:50):
Salesforce and pull information out and do all sorts of stuff.
Speaker 1 (09:53):
No, it's not. It's a band from the nineties and
you know it.
Speaker 3 (09:56):
I know, right, it's Salesloft Drift, the pain. So
if you had enabled it and connected it to your Salesforce,
you were vulnerable. Other than that, normal Salesforce users were
not. So, and what they saw, when
they went through and did the forensics, is they saw
a bunch of select queries coming through from Salesloft
(10:18):
Drift, the connector, for select count from account. Right,
so if you know SQL statements, this is trying to
figure out how many accounts you have in your Salesforce.
Select count from opportunities, select count from users, select count
from case, so on and so forth. And they
were enumerating the back-end database in Salesforce, pulling all
the information out for your customers, and they could grab
(10:41):
OAuth tokens and all sorts of other weird stuff.
But this was absolutely not a Google issue. This was
more, there was a connector that got compromised, and if
you had it on, your accounts might have got compromised.
Speaker 1 (10:52):
All right, So the long and short of it is
you should change your password on a regular basis, but
not because of this story.
Speaker 2 (10:59):
Actually we should talk about passkeys at this point.
Speaker 3 (11:01):
Yeah, I was going to say, honestly, I haven't changed
my Google password in years. Yeah, I'm throwing that out there.
Last I had my Google password, I had a password
manager set it, it was a really, really long password. But
now I'm literally just using passkeys for everything.
Speaker 2 (11:13):
So passkeys, I think we've mentioned it before, is where
the device does an exchange with the service or website
and it's like a certificate. It's not really a certificate,
but it might as well be. It's like a hundreds-of-
characters password, and the device remembers it in its secure storage.
And so, like, if I have that on my phone,
(11:35):
I've got to authenticate to my phone, and hopefully using,
you know, not just a PIN code that has
limited tries, and you've got security in the device. But
it means that you have to not only have your device,
but be able to unlock it. And that might be
a desktop in your house, a browser, you know, on
your work PC, your tablet, your phone or other device.
And it's much more secure because no one, even a
(11:57):
five-dollar wrench doesn't work, because you don't know that password.
The five-dollar wrench works if you have the device
and they tell you to unlock it and then you,
you know, hand them the device. That's different.
Speaker 1 (12:06):
But is this five-dollar wrench you speak of, is
that a metaphor in your land?
Speaker 3 (12:10):
It breaks into anything. It breaks into most things. Yeah, basically, yeah,
it's this sophisticated piece of hardware where you go to
Home Depot and you buy a wrench for five dollars.
I mean, it has to be a hefty wrench.
Speaker 1 (12:22):
So it's a metaphor.
Speaker 2 (12:24):
For compliance out of them.
Speaker 3 (12:25):
No, it's actually a legit thing. It's actually a risk that
we assess. Although we find that rubber hoses will get answers
faster. Waterboards, yeah, they hurt more.
Speaker 2 (12:39):
Who stole my Red Bull? Who ate the cheesecake? I
had the wrench. So passkeys are the next generation.
The problem with passkeys right now is that every service
that implements them is doing them differently.
Speaker 3 (12:53):
Right.
Speaker 2 (12:53):
We haven't gotten consistency.
Speaker 1 (12:54):
Yet, right, So you have fifty thousand different authenticator apps
on your phone.
Speaker 2 (13:00):
The thing that's making it easier is most of the
good key managers, yeah, key management and password management systems,
will save your passkeys as well.
Speaker 3 (13:11):
Yep, and provide them.
Speaker 1 (13:12):
Okay, look into it. Okay, well, that's where we break.
Right here is where we break. We'll be back right
after these very important messages. So don't go anywhere. All right.
So in The Hacker News: Android security alert, Google patches one
hundred and twenty flaws, including two zero-days.
Speaker 2 (13:34):
Didn't we just say, didn't Google just say no, wait,
we're really secure?
Speaker 1 (13:39):
Well they said Gmail was secure.
Speaker 3 (13:41):
Yeah, Gmail's great. Android's another story.
Speaker 1 (13:44):
Android's a whole different animal.
Speaker 3 (13:46):
Listen, I'm glad that somebody's looking at Android, because somebody
needs to all the time.
Speaker 2 (13:52):
Oh yeah, I'm going to say something similar to what
I'm thinking it is: why don't they make the whole
plane out of the black box stuff? Why doesn't Google make it
out of the Gmail stuff?
Speaker 1 (14:06):
That's great. I can imagine Patrick in a board meeting
like at Boeing or something. Hey, hey, I got an idea.
Why don't you make the plane out of the black
box material? And everybody's like, you're a genius.
Speaker 2 (14:19):
Puts a plane in the black box, and then it's recording.
Speaker 3 (14:24):
That makes sense that you know what Patrick? I think
he solved it.
Speaker 2 (14:27):
Solve it might drop follow me for more tips, I'll
get Bellevue.
Speaker 3 (14:36):
Listen, folks, this is what I have to deal with
every day. You know.
Speaker 1 (14:40):
This is what it's like to work at a security
company in New Hampshire. Okay, so help me unpack this story, somebody.
Speaker 3 (14:49):
So this is not uncommon, you know. Android has
been around a long, long, long time. It's actually,
if you look at the number of devices running Android,
it's way more than running iOS. Yeah, right, because there's
all sorts of different Android-style devices, from set-top
boxes, refrigerators, to set-top boxes, to TVs, to whatever.
Speaker 1 (15:12):
Even phones, right? Even phones. Android phones far outweigh usage
Speaker 3 (15:16):
of iPhones, absolutely. So from that standpoint, it's a
large target. But the other thing about Android is it
also was geared to be open originally, right, whereas iOS
was completely closed off. Nobody could see the source code, right.
Speaker 2 (15:33):
And got more closed off over time, and got.
Speaker 3 (15:36):
more closed off over time. So we're going to see
these things where, oh, there's this Linux kernel flaw here,
or there's this, you know, buffer overrun there. It's
pretty common. It's just good that you have someone like
Google, who really does understand it very well, going through
and saying, okay, yeah, found this, found this, found this.
We have one hundred and, it sounds staggering, oh my god,
there's one hundred and twenty-seven patches. But if you
(15:57):
go look at Microsoft patches this year, there are plenty
of them that were deployed that were over one hundred, yeah,
things they fixed, so not uncommon.
Speaker 2 (16:06):
Here's the problem. Here's a big problem that nobody, no
one's talked about lately. The problem with Google and Android,
as I understand it, is they build a version and
then they come up with new features that they're going
to add that they didn't tell their ecosystem about and
so the next version that comes out can't be installed
(16:30):
on the hardware.
Speaker 3 (16:31):
Yeah. Well, it's even worse than that, though, because not
only do they do that, but they also then allow
a provider to add core features as well. So, like,
if I'm an AT&T customer and using Android,
AT&T gets a say as to what's on
the phone, what apps, what preconfigurations, that sort of stuff.
Same thing with Verizon, the same thing with, you know,
(16:51):
all of them. So now you're making it flexible
enough where all these providers can do their own branding
and their own apps and their own whatever. But you
have no control over that ecosystem. Right? Whereas I
get my iPhone from AT&T or Verizon or whoever,
it's the same iPhone. There's no, it's the difference. Yeah, exactly,
it's running the same OS. There's no patching, there's no
(17:13):
random apps on there. If I want the Verizon app,
I have to go download it, right. Yeah. So, you know,
I think, like I said, there's just two different mantras.
So it doesn't surprise me that they found issues like that.
Speaker 1 (17:22):
I got a story for you. Yeah, this was
just yesterday. My wife and I went to Best
Buy to get her a new laptop. Cool. And we
literally walked out with a new laptop in the box,
and I said, I'll set this up for you because
it's probably got all sorts of bloatware and stuff. Yeah,
it didn't. It had two HP apps and McAfee, wow,
and that's it.
Speaker 2 (17:42):
Windows 11 has the crapware moved down to the root.
Speaker 3 (17:49):
That's what it is. Yeah, they relocated it, with
bloat.
Speaker 1 (17:53):
Yeah, but I thought that was interesting because it wasn't
that long ago that you buy a new laptop and
you've got all of this crap software.
Speaker 2 (18:00):
Maybe they realized it doesn't work.
Speaker 3 (18:02):
Yeah, you had to pave it. Yeah, well, it could be.
I mean, I still am upset about McAfee, but whatever.
It is what it is, like deploying McAfee. I
know you have contracts with McAfee, but really, there are
better and cheaper. McAfee is just one hair away from
being spam. Yeah, because when your free
thirty days with McAfee ends, they throw up the same
(18:25):
style warning screens you would see if you were on
Speaker 2 (18:27):
A Yeah, I'd rather have nothing, you know, a.
Speaker 3 (18:30):
Spyware site where it's like oh, you do realize you're
not protected anymore? Click here right, yeah, type okay, whatever.
Speaker 1 (18:36):
But you are. You have Windows Defender right.
Speaker 2 (18:38):
Exactly, and you weren't protected before with them, right, It's
all right?
Speaker 3 (18:42):
So I don't know. I really don't like McAfee. I
would uninstall that and just allow Defender and
whatnot to run with that. Actually, I have Defender on my
phone, works really well.
Speaker 1 (18:51):
Yeah, all right, So if you have an Android device,
patch yep.
Speaker 3 (18:54):
Go patch, go patch, Go patch, go patch.
Speaker 1 (18:58):
You're going to write a song? Go patch?
Speaker 3 (19:00):
You should. We should get T-shirts with, like, a
dog with a software, like a disc, in his mouth,
he's panting.
Speaker 2 (19:05):
On the run time or something like that.
Speaker 1 (19:07):
Met it to yourself.
Speaker 2 (19:08):
We need you know what you need? You need a
band Carl with a cybersecurity theme and two tambourine players
for me and Dwayne.
Speaker 3 (19:18):
I look fantastic in bell bottoms.
Speaker 1 (19:20):
Okay, said no one. All right, so we told
you Google is all over this week's show. So this
one is from cloud.google.com: ViewState
deserialization zero-day vulnerability in Sitecore products.
Speaker 3 (19:38):
This one's neat.
Speaker 2 (19:39):
Let me guess, they're written in .NET.
Speaker 3 (19:42):
Well, hence the ViewState. So we'll unpack this a
little bit. So for those of you who don't program
in .NET, where typically you're going to see, yeah,
these are ASP.NET systems.
Speaker 1 (19:54):
Yeah, Sitecore.
Speaker 3 (19:56):
You have ViewState, and ViewState, think of it
like a session key for you
being logged into the server.
Speaker 1 (20:05):
But it's not a key. It actually contains serialized data.
Speaker 3 (20:10):
It does. So if you could decrypt it, then you
could see real data. It's not just a key.
Speaker 2 (20:17):
So it might be a drop down box and it
maintains which one you have selected.
Speaker 3 (20:21):
Yeah, right. But it's also, ViewState data is
encrypted with the machine key, data that you typically
don't have access to. In this particular case, they actually
were able to access the machine key remotely.
Speaker 1 (20:37):
Wow, that's no blin.
Speaker 3 (20:39):
So accessing the machine key means obviously you can now
modify ViewState. If you can modify ViewState, you
can inject an object into the ViewState and then
sign it as if the server would. So when the
server gets it, it goes, oh, okay, this is cool.
I must have had that object on the page because
it looks like it's signed by me. And when it
(21:01):
deserializes it, it would then run. Good, everything go boom.
Speaker 2 (21:04):
There's a technical thing most programmers won't know, and that
is it seems like when you talk to a web
server it remembers you.
Speaker 3 (21:12):
It doesn't.
Speaker 2 (21:14):
It doesn't. It's like if you go to a conference
and the speaker says, oh, hey Patrick, and they're like, here,
remember my name. It's on your chest. So what happens
is when you make a request, especially to like a
web farm where there's fifteen web servers and they're load balancing,
they might try to make you go to that same
(21:34):
web server regularly with your conversation so that it doesn't
have to put things in memory all the time.
Speaker 1 (21:40):
Yeah, it's called affinity affinity. Once you log into one system,
the idea with affinity or stickiness is that every request
goes to that same service.
Speaker 2 (21:50):
That said, every time you talk to that web server,
you have to remind it: where was I, what was
I doing? And ViewState and your session key and
your token and all that stuff is the way you
remind the server, this is where we were in our
last conversation. And that happens every time you talk to
(22:10):
the server.
Speaker 1 (22:11):
This is older technology. This is ASP.NET Web Forms
that we're talking about, which has been replaced by Blazor,
which does not have this problem.
Speaker 3 (22:20):
Correct.
Speaker 2 (22:21):
So is Blazor connection-oriented or connectionless?
Speaker 1 (22:24):
Well, there's two types. There's Blazor Server, which uses a
SignalR connection on the back end just to transfer
data that's changing, and comes back with data that's been
updated, using sockets, you know, requests. Yeah, uses WebSockets,
SignalR's implementation of WebSockets, and then the server
(22:45):
maintains the state of all the data right there. It's
never sent back down to the client. And in WebAssembly
it's just a standalone thing, so you're responsible
for communicating with the server through an API or something
else like that.
Speaker 2 (23:00):
HTTP protocol is connectionless. It doesn't, you have to bring
it to you, everything from the previous conversation. So HTTP, ASP,
all PHP, all those things follow the rules that I
just illuminated.
Speaker 3 (23:14):
Yeah, you have to have some session that you hold back.
Speaker 2 (23:16):
Calls talking about a cheat where they set up a
session so that they don't have to do that, which
is great.
Speaker 1 (23:21):
Yeah, but Blazor Server is wonderful, and it's
Speaker 2 (23:23):
Very secure, but that wasn't possible back in the old days.
Speaker 3 (23:26):
No. So what's really neat about this? Let's say we
could grab the ViewState, and let's say we could
modify that ViewState. Now I'm an attacker on the website.
I'm viewing a Sitecore, so Sitecore, for people,
we didn't actually even talk about this, it's a, uh,
content resource management. Yeah, it's, like, I think, like WordPress.
Speaker 2 (23:48):
Sitecore is going to sue you for comparing them.
Speaker 3 (23:53):
WordPressy. They were exploitable, so they're exactly like WordPress. No. Anyways,
I go to the website, I get this
ViewState. I can then, as I grab the machine keys,
I can decrypt this ViewState. I can add an object.
What object do we add? In this particular case, what
they did is they injected what's called the WeepSteel,
(24:14):
W-E-E-P-S-T-E-E-L, which
is an object.
Speaker 1 (24:19):
It's a Baskin-Robbins ice cream flavor.
Speaker 3 (24:21):
Come on, load fifty razors. You know, I expected, I'm gonna
be honest, when my kids started trick-or-treating, I expected
more razor blades in the game.
Speaker 1 (24:31):
I know, I know where where are all the razor blades.
Speaker 3 (24:34):
A man's gotta get a shave, right? We, like,
we all checked every piece of candy like there was
going to be a razor blade in everything.
Speaker 1 (24:40):
It's like candy.
Speaker 3 (24:44):
Cut it off. So what this would do is when
it deserialized on the server, then it would take
over the server. And from there they started doing reconnaissance
with things like SharpHound and that sort of thing to
enumerate the environment, gain access to, regain control over the web server,
all sorts of crazy stuff. Yeah, yep.
Speaker 1 (25:05):
So if you've got Sitecore, patch.
Speaker 3 (25:07):
Right, yeah, yeah, or switch to another, yeah, or upgrade
to Blazor. Yeah, or upgrade to Blazor, call our buddy Carl.
Speaker 1 (25:13):
In which case, carl at appvnext.com, we'll take
care of you.
Speaker 3 (25:17):
Yeah, Carl can absolutely help you with them.
Speaker 2 (25:19):
This is an inherently risky thing to do,
is give people the ability to edit over the Internet.
Speaker 3 (25:25):
Oh. Absolutely.
Speaker 2 (25:26):
So it's nice to make fun of the companies, and
I feel bad sometimes, but, you know, they picked it.
It's kind of like, you know, if you made fun
of Siegfried and Roy because they got eaten by
a lion. It's an inherent job risk.
Speaker 3 (25:40):
Yeah, eaten by a lion one of the Wow, not
too soon, it's years, It's okay.
Speaker 1 (25:46):
Too soon. Yeah, it's been years. Most people listening to
this don't even know who Siegfried and Roy are. All right,
so what do we want to say? Are we done
with the ViewState? I think we are.
Speaker 2 (25:59):
Is there a patch? Did they say that?
Speaker 3 (26:01):
Yeah? I believe that Sitecore has actually fixed the issue.
So you should be good if you're using Sitecore. The
problem is, if you were using Sitecore, you may
want to just go through logs and make sure that
there's nobody doing weird stuff on your server that you
don't expect.
Speaker 1 (26:16):
Okay, and speaking of logs: do security blogs enable vibe-coded cybercrime?
Security companies routinely publish detailed analysis of security incidents, making
attacker tactics, techniques, and procedures widely known and visible. These
reports often provide comprehensive insights into specific vulnerabilities that are
(26:39):
or could be exploited, malware delivery mechanisms, and evasion techniques.
Speaker 2 (26:45):
Yes, let's talk about a few aspects of this.
Speaker 3 (26:48):
So the first is, well, vibe coding. Before you start,
this is not a new question right now.
We've been answering this question for twenty-two years.
Speaker 2 (26:58):
Yeah, but continue. So in the question, and let's answer
that first, the question is, are we safer by divulging
this stuff or by keeping it secret? And, I mean, honestly,
the community that supports open source should be all over
the, yeah, we're safer if we disclose this stuff. By
disclosing it, we can come up with better tools, we
(27:19):
can do lessons learned. Some people might say that
we shouldn't be talking about this stuff on our podcast,
when we try to give people advice about how this
stuff works, but understanding how
Speaker 3 (27:29):
it works, the criminal career advice.
Speaker 2 (27:31):
helps you, one, understand when it's safe, when it's secure.
I think we should err on the side of information.
That said, there's a big difference between explaining how an
attack works and providing sample code. What Microsoft did
recently was cut off some companies in China's ability to
get early warnings before there was a patch available, and
(27:53):
it included how to recreate the problem, and as a result,
some Chinese actors went and used that sample code to
go hack a bunch of defense organizations and US companies.
That's too far. We're not talking about that. We're
talking about, oh, there's enough information that I can vibe
code a reproduction of that proof of concept. I would say
(28:16):
that's possible, but it's narrow. And the reason I say
it's narrow is my, is our experience. So if I
have a group, if I have a team of six developers,
if I take the best developer in that team and
I give them vibe coding tools like Cursor AI, Windsurf,
those kinds of tools, I can get the productivity of
that team of six typically out of that one if
(28:37):
they're really good. But I can't get rid of that one.
And so I can't take a thirteen-year-old who
doesn't understand WebSockets and TCP/IP and ports and things
like that and have them vibe code their way to
an exploit because of the blogosphere. If they're
a technical hacker programmer, they
(28:59):
may be able to vibe code their way to a
point where they can write something they normally wouldn't be
able to write themselves. So it's a combat multiplier, it's
not a gross enabler.
Speaker 3 (29:08):
Yeah, and I would go even a little bit further.
They may be able to write something that eventually they
could write, but, like, you still have to have the
technical knowledge to know if the thing that the AI
is writing is in the right realm of possibility, if it
is doing the right things and that sort. So you
still need to be an expert, but I think what
happens is you're going to bring the time in, right?
(29:31):
So, like, if it's going to take me a month
to build an exploit, I might be able to do
it in a week if I'm vibe coding and understand everything.
But eventually I would have been able to write it
by myself anyway.
Speaker 2 (29:40):
Yeah. So let's talk about something that most people don't
know about. So there's a tool. There's a tool called Metasploit,
and there's a tool called Exploit DB, yep, that
most people are horrified to find out about.
Speaker 1 (29:51):
Is this where we play the theme song Patrick.
Speaker 2 (29:54):
Yes, you definitely would.
Speaker 3 (29:56):
Yeah. Exploit DB's awesome, all right.
Speaker 1 (29:58):
Roll it, roll it. Yeah, yeah, it's screamin'.
Speaker 2 (30:05):
So Exploit DB is a database of exploits against known systems.
So if you find out after doing a scan that
somebody's using qte FTP versions one, two, three, four, five,
whatever it is, you can look it up in Exploit DB and
you might be able to find an exploit that might
work against it. Also, if you're running Metasploit, you can
go and look in their tables and find an exploit
(30:27):
that they've built, so you can target that and it'll
work sometimes but not always. And the trick is,
if you don't know what you're doing and it doesn't work,
you're screwed. Yeah, if it doesn't work and you know
what you're doing, you can go in and look and question.
Maybe they installed it to a different path other than
the default path. Maybe they're on a different port than
(30:49):
the default port. Maybe there's a... In other words, you
can figure out why it didn't work and
fix it. That's not possible if you're not technically savvy enough,
so you've got to be ninety percent of the way
there or else you can't do what this
article is talking about. Okay, so it helps you with
that last mile, it's not gonna help you with the
first nine.
Speaker 3 (31:09):
Yeah, agree, all right.
Speaker 1 (31:11):
That brings us to our clickbait story, which, you know,
it's kind of important. This... it's not us. We're not
just baiting you. Like The Register: FBI cyber cop: Salt
Typhoon pwned nearly every American. Yeah, plus millions of other
people across eighty countries. Salt Typhoon.
Speaker 2 (31:32):
It's basically China. China's hoovered up. You gotta love that
as a verb. They hoovered up information.
Speaker 3 (31:38):
And no, right, hoovered. So this is like Jaeger, this
is exposure. This is, he got phone logs too. So yeah,
if you, if you.
Speaker 2 (31:47):
Gave up on privacy a decade ago, this is no
big deal. If if you're worried about China's hacking, it's
a big deal. But it also shows they did get caught.
Speaker 3 (31:57):
Yeah, but they got caught six years later.
Speaker 2 (31:59):
Yeah, that's true.
Speaker 3 (32:00):
The campaign started in twenty nineteen. Wow. So in twenty
nineteen hackers broke into telco companies, right, yeah, your Verizons
and AT&Ts and that sort of stuff, and started
pulling information like who you're calling and recording calls and
seeing SMS messages and watching what you're browsing for
on your phone. Yes, kids, someone can see what you're
(32:21):
browsing for on your phone sometimes, so you know, this
could be pretty damaging depending on what they pulled.
Speaker 2 (32:27):
That's true, although I'm pretty sure it's not ending up
on the dark web, because China will keep it for
themselves like they did the Marriott hack.
Speaker 3 (32:33):
Oh, absolutely right, and they'll use it to leverage assets
in the United States, I'm sure.
Speaker 1 (32:38):
And yeah, I don't think China cares. If you know,
every American is going to porn sites on their phones.
Speaker 3 (32:45):
Well it depends if it depends if you're if you're
a senator saying how those sites are terrible and you
should never view them.
Speaker 1 (32:52):
Oh yeah, well okay, yeah.
Speaker 3 (32:54):
Then China comes up and says, hey, here's a list
of all the ones you go to. How about you
vote our way.
Speaker 2 (32:58):
When they find out Mike Johnson's browsing habits, he's in trouble, right?
What did they tell his son? Oh, I almost got a
Duyna spit-take.
Speaker 3 (33:07):
Yeah, I almost... coffee almost came all over.
Speaker 2 (33:10):
Yeah, yeah, I timed it wrong.
Speaker 3 (33:13):
I didn't time it right.
Speaker 1 (33:13):
All right. So the blackmail factor is high, is what
you're saying?
Speaker 3 (33:18):
Or present?
Speaker 2 (33:18):
I don't know. If it's high, it's present.
Speaker 1 (33:20):
Yeah, well, it's present for people who are doing things
they shouldn't do.
Speaker 3 (33:24):
Are doing things they shouldn't. I mean, listen, I'm sure
there's one or two Americans who are cheating on their
spouse and it's in an SMS message somewhere. So, dude.
Speaker 2 (33:32):
Here's the thing though, if China came and said Carl
is doing this, who would believe them? Well, there is
that. And if they said, well, we know because we
hacked your telcos. Okay, well, what the hell are you
doing hacking my telco? It's.
Speaker 3 (33:45):
Right, And you did just plant that information exactly.
Speaker 2 (33:47):
Yeah, you made that up. You made that up because.
Speaker 1 (33:49):
Carl Franklin dyes his hair silver.
Speaker 2 (33:55):
I always wondered about that, now you know. So this,
this is a big, far ranging thing. That said,
there's nothing here that I don't assume our government is
doing with warrants or without warrants.
Speaker 3 (34:10):
Oh, isn't doing, yes, yeah, absolutely, or FISA court
orders or whatever. Yeah, absolutely, yep.
Speaker 1 (34:18):
Okay, well there's no there's no really call to action
about this. It's just you know the usual.
Speaker 2 (34:24):
Well, just accept the fact that there's no there's no privacy.
Speaker 3 (34:28):
Well, or listen, if you're going to be talking, like
we use communications platforms expecting that if it needs to
be secret, we need to know that that data is
being encrypted end to end. We need to know that
that data is being burnt at a particular time. And
that's one of the reasons for things like Signal.
And even then, yeah, we're not putting anything super sensitive
(34:48):
in those chat lands.
Speaker 2 (34:49):
We have code words for customers when we're talking in person.
Speaker 3 (34:52):
Right yeah, just so that we're not be like, hey,
there's this customer by name, right.
Speaker 2 (34:56):
Yeah, so we don't throw names around frivolously.
Speaker 3 (34:59):
Be paranoid, always paranoid.
Speaker 1 (35:00):
Well, just because you're paranoid doesn't mean they're not out
to get you, right? Okay. Well, on that happy note
and notes, let's wrap it up and we'll say thank
you for listening, and we'll see you next week on
Security This Week. Thank you. Bye bye, guys.