August 16, 2025 44 mins
BitUnlocker – Multiple 0-days to Bypass BitLocker and Extract All Protected Data
Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hey, you guys hear about that hitchhiker the other day?
He got a ride and he decided to be a little,
you know, sarcastic, and he said, "What makes you think
I'm not a serial killer?" And the driver said, "There'd
never be two of us in the same

Speaker 2 (00:13):
car, what are the odds?" And Dwayne was driving. So for
those who are watching on YouTube, this is our first
YouTube video.

Speaker 3 (00:32):
Uh.

Speaker 2 (00:33):
For those who are listening to the podcast, check out
the links on our show notes and we should have
a link to the YouTube video in there.

Speaker 1 (00:41):
I don't know.

Speaker 2 (00:41):
We haven't made it yet, so we're just
testing the waters here to see if people actually want
to see our faces that are otherwise radio.

Speaker 1 (00:51):
And to those who are listening, congratulations on making the
right choice.

Speaker 2 (00:56):
So there's probably gonna be some jump cuts in here.
Apologize for that, but you know we have to edit
for audio first. So yeah, all right, guys, let's look
at these stories. The first one is WinRAR. You
know what RAR is if you've been around for a while.
WinRAR is a Windows version of RAR, which is
like ZIP. It's a compression thing. So WinRAR zero

(01:18):
day exploited to plant malware on archive extraction.

Speaker 1 (01:23):
I mean we haven't been trusting
archival ZIPs or RARs or anything like that for a
long time. Yeah, so this just adds to
that legacy.

Speaker 2 (01:33):
I'm more likely to trust Windows' built-in zip compression
than I am, you know, 7-Zip or any
of those external products. What do you think?

Speaker 4 (01:44):
Yeah, yeah, I mean I use 7-Zip only because
it supports formats sometimes that WinZip, Windows native zip, doesn't.
So if you've done, you know, a gunzip, a tarball,
you know, right, what, a gunzip, yeah, you're
probably not finding that in the normal native game. It

(02:06):
is, it is the gunzip tarball. That's my, uh,
that's my fighting name, Gunzipball or something.

Speaker 2 (02:14):
We play in the woods with Patrick with the tarball
guns, right? All right, so.

Speaker 4 (02:19):
It can be useful to have other tools. I don't
particularly use WinRAR, but it's been around forever.

Speaker 2 (02:26):
Yeah.

Speaker 4 (02:27):
So a lot of this is a directory traversal vulnerability. Right,
so CVE eighty-eighty-eight, a directory traversal vulnerability
affecting WinRAR versions, blah blah blah. What a directory
traversal exploit can be: there was another one that was
very similar called Zip Slip, where when you zip a

(02:49):
file up into an archive, it actually keeps track of
the path that the file was zipped up from, and
sometimes it's a relative path. It's like, oh, well, you know,
I took all of the Security This Week episodes, and
I threw them in a directory called STW, and I zipped
up the STW directory. So when I unzip it, it
will create the STW directory.

Speaker 2 (03:11):
Well, usually you unzip it to an existing directory
and then it will create STW underneath that, exactly.

Speaker 4 (03:18):
So now what if I go into the metadata in
the zip and I say, oh, it's not, you know,
./STW/episode1.mp4,
it's ../../../../Windows/System32/, you
know, whatever, right, path. So that's directory traversal. I'm actually

(03:42):
moving outside of the directory you told it to unzip
in and then deploying other things, whether it's executables or
files or overwriting configs or whatever.

Speaker 1 (03:51):
And it would be foiled if the user unzipping it
doesn't have access to that directory, but that never happens.

Speaker 2 (03:57):
Right, or if the unzip software noticed that it was
a traversal and said, no, this is.

Speaker 1 (04:03):
None less than what I just said, right exactly.

Speaker 4 (04:07):
He's looking for that.

Speaker 2 (04:09):
So can you do this with zip files too?

Speaker 4 (04:11):
You used to be able to. Yeah, and a lot
of this has been fixed in different archival tools. I know
we've seen it with 7-Zip, we've seen it with
Windows Zip. We've seen it, actually, pretty much every archiving
tool has had some form of Zip Slip issue.

Speaker 2 (04:26):
Director, I remember us talking about some of these things
that were patched.

Speaker 4 (04:29):
Yep.

Speaker 2 (04:30):
But I guess WinRAR is just the latest to
be vulnerable to that.

Speaker 4 (04:34):
Yeah. And sometimes it's, you know, an attacker finds an
innovative way to re-implement, you know, something that's already
been patched. So it is what it is. But if
you are running WinRAR, I believe, let's take a
look at the versions, if you're running anything prior to
7.12 or earlier, so 7.12 or earlier,
you need to go patch because if somebody, I mean,

(04:57):
here's the risk, right. It's not like, oh my god,
I have 7.12 on my computer and now
it's compromised. Somebody still has to send you an archive.
Somebody has to send you a ZIP and.

Speaker 1 (05:06):
They definitely will. Yeah, and nobody will at some point.

Speaker 4 (05:09):
Hold on, you still need to open it. It's not
like a zero-click. Like somebody's going to send you
an email with a ZIP that says it's, uh, your
invoice for your Best Buy extended warranty or something stupid
like that, and you're gonna unzip it and it's going
to unzip to the wrong location.

Speaker 1 (05:27):
Yeah, and they're going to send you a RAR. They're
not going to send you a ZIP. Yeah, you're using
ZIP like the word Kleenex.

Speaker 4 (05:33):
Exactly right, just in the generic. They're going to send
you a compression archive format that's supported by WinRAR.

Speaker 2 (05:39):
I would think that if you're downloading a RAR file
from a website that it's in that website's interest to
understand that the RAR is secure.

Speaker 4 (05:50):
Sure.

Speaker 1 (05:51):
Yeah, but that's no protection because it's also in their
interest to make sure there's no cross site scripting, and
because it affects the client not the web hoster, it's
a very low priority thing.

Speaker 2 (06:03):
Okay, all right, if.

Speaker 1 (06:04):
You found out that your car might cause someone to
slip and fall, it's not going to affect you. You
might if you're a really good person, you'll fix it.
But if you're busy, you might never get around to it.

Speaker 4 (06:18):
You know.

Speaker 2 (06:19):
Usually I love your analogies. Today a little I'm not.

Speaker 1 (06:22):
So sure that's the rough one.

Speaker 4 (06:25):
All right?

Speaker 2 (06:26):
Moving on from WinWar, WinRock. I can't even say
it, Win.

Speaker 1 (06:32):
And we're from New England, I know, right? We've been
saving "RAR, RAR," we've been saving the Rs up just
for that sentence. All right.

Speaker 2 (06:42):
So this one. AOL will end dial-up internet service
in September, thirty-four years after its debut. AOL Shield
browser and AOL Dialer software will be shuttered the same day.

Speaker 4 (06:52):
What I know, why?

Speaker 3 (06:54):
Why?

Speaker 2 (06:54):
Now I've been I thought that was gone long.

Speaker 1 (06:58):
This is like an announcement that the mammoth has gone next.

Speaker 2 (07:00):
Thing. So I guess, to be fair, there are places
in the world that don't have internet service, Wi-Fi,
and dial-up is their only option. There are, there, yeah,
satellite, I don't know, man, like, all right, but the
poorer places, sub-Saharan Africa for example.

Speaker 3 (07:23):
First, is there really an ISP down there? Is
there a dial-up? It's hard to get satellites. Good question.

Speaker 4 (07:34):
I don't even know what to do with this. This
is, I don't know, all of us on this, on
this podcast are old enough to remember, well, hold on,
are old enough to remember pre-Internet, yes, before we
were all boarded, which is horrifying. But we're also old
enough to remember that when your primary connection to

(07:55):
the outside world was, you took your computer.

Speaker 1 (08:00):
Yeah, yeah, you can.

Speaker 2 (08:01):
We we'll find that audio clip.

Speaker 4 (08:03):
And you connected your computer to the phone line. Whether
it was you plugged it in the back of your
computer for fancy people, or you took literally the phone
and put it on these cups and got.

Speaker 2 (08:14):
I remember my friend, an old friend who ran a
BBS in Norwich, Connecticut, I'm sorry, a bulletin board system, ran,
ran, and then he moved it to, uh, an ISP,
changed to an ISP because he had
all the modems. He had racks of US Robotics modems

(08:34):
and he became the dial-up service for our
local area.

Speaker 4 (08:39):
Hey, do you guys, do you guys, alternatively, do you
guys remember, like, the holy war between US Robotics
and Hayes back in the day? Like Hayes were
the big boys in the market and USR, they
were the, they were the new people on the block.

Speaker 1 (08:53):
I jumped in the game when it was three hundred modems.

Speaker 2 (08:57):
Yeah, all right, it was amazing. So back to this story.
It says, but there remain a few options to plug
in your 56K or slower screeching modem into. So,
so apparently there are other options. But this somehow,
you know, waited all this time. AOL waited all

(09:19):
this time to get rid of it. But if anybody
out there knows of somebody who is going to be,
I don't know, upset about this, please let us know.

Speaker 1 (09:33):
We doubt they're watching video on YouTube if they have
a modem.

Speaker 4 (09:36):
Yeah, they probably won't get this podcast for a while.

Speaker 2 (09:38):
Now, if you know of somebody who's going to be upset,
like you know, if your grandmother or whatever, your elderly.

Speaker 1 (09:45):
Parents shout on the discord, give us.

Speaker 2 (09:46):
A shout on discord. Let us know. I'm just really
curious to know, all right.

Speaker 4 (09:52):
Oh, AOL. Okay, we used to, I know, right? AOL,
that was, that was, that was the service. "You've got mail," right?

Speaker 1 (10:03):
Yeah, yeah, that's right, Yeah, it was AOL.

Speaker 4 (10:06):
You're right, that was AOL. I actually knew the lady.
I was in a training class, I think with you, Patrick,
and there was a lady taking the class whose
husband is the one who voiced that, way, way, a
long, long time ago. Yeah.

Speaker 1 (10:20):
Wow.

Speaker 4 (10:20):
I was like, oh that's neat, it's.

Speaker 1 (10:22):
Fame, and he bought bought two cups of coffee with
the money. Yeah, all right.

Speaker 2 (10:28):
So the next one is from Security Week, not Security
This Week. Flaws exposed one hundred Dell laptop models to
implants, Windows login bypass.

Speaker 1 (10:41):
So this does require physical access, which is a theme
this week.

Speaker 2 (10:45):
Yeah, it's a recurring theme, and.

Speaker 1 (10:48):
So it's a big deal, but it's
not a crushing deal. It's not like, you know,
suddenly you're vulnerable at an internet cafe. But
if you're going through a security checkpoint in a dicey country,
if somebody does steal a laptop and you find it,
it adds some risk.

Speaker 2 (11:06):
I didn't know Dell had one hundred models of laptop.
That seems crazy.

Speaker 4 (11:12):
Probably. I mean, if you look at the ones that
are under support, that's probably true. Like there's probably some
that they just don't, like older Dell model laptops that
still have support but that aren't sold on their
website and.

Speaker 1 (11:24):
They've bought, they've acquired companies yeah, you do.

Speaker 4 (11:27):
Well, and that's true. You have the Alienware series too,
which is also Dell, just sold under Alienware.

Speaker 1 (11:33):
Maybe, but just what they say is one hundred Dell
laptop models. Does that mean there's any laptop models that
aren't affected by this? I would say no, probably not,
maybe maybe super discontinued ones.

Speaker 2 (11:45):
Yeah, yeah.

Speaker 4 (11:46):
So according to this, according to Talos, an attacker
that does not have administrative privileges could interact with ControlVault
via the associated APIs and execute arbitrary code on
the firmware, leaking sensitive information affecting the security of the device,
which could allow them to modify the firmware. So there's

(12:07):
actually, there's several CVEs associated with this one. This
is twenty twenty five, twenty four to three one one,
twenty five, twenty one five, twenty four nine to two two,
twenty fifty fifty, and twenty twenty four nine to one nine.
So there's several issues with this. It's not just,
oh, there's one thing we forgot to look at. It's,

(12:28):
we see in here, there's an out-of-bounds read
and write, there's stack buffer overflows. There's all sorts
of different issues with different parts of this. Yeah.

Speaker 1 (12:36):
And when they're talking about models, they're talking about, like,
a Latitude. I don't even know if these are real numbers,
but like a 5520 and a
5530. Those are two different.

Speaker 2 (12:43):
Models, right, Oh, I see, so they're different.

Speaker 4 (12:45):
Yeah, yep, they're.

Speaker 2 (12:46):
Different configurations of the same model, probably. We have different,
same family, I'd say. Yeah, same family, different model.

Speaker 4 (12:52):
Yeah, yep.

Speaker 2 (12:53):
Okay, all right, well that makes sense.

Speaker 1 (12:55):
Now, so this again, the risk here is if you
lose physical control of the laptop, which you shouldn't, but if
you did, then somebody, and it's a pretty high-tech,
it's not the average thing. A script kiddie is not
going to be able to do this. The average, the
average, you know, person who's just dealing with networking and
stuff like that isn't going to be doing this.

(13:15):
This is, this is custom, the eye controls.

Speaker 4 (13:18):
Yeah, and it's definitely, it's custom firmware as well, which,
there are people who know how to do this type
of thing. But you're absolutely right, the barrier to entry
is higher. But if you, you know, continue looking at
some of these CVEs, it says another interesting consequence of
this scenario is that the system affected, let's say it
was able to be unlocked by a user's fingerprint, it's
actually possible to tamper with the firmware so that it

(13:40):
will accept any fingerprint and say it's a legitimate user.

Speaker 1 (13:45):
So you know this.

Speaker 4 (13:46):
This then means you could boot up a laptop without
BitLocker or with BitLocker, who knows, we'll talk about that later,
and then be able to log in just using your fingerprint.

Speaker 1 (13:58):
I think the biggest risk here is you're traveling
with a laptop, it leaves your custody and goes into
a special room, a room, as we say, from England.
And, you know, they execute this because of, you
know, who you are, what your job is.

Speaker 4 (14:14):
But I wonder too, you see a lot of
the, hey, I can't, you know, my fingerprint scanner's not
working on my laptop. What should I do? Right? You
search Google, and the first site that comes up is
some random, you know, joesawesomepatches.com and
he's like, oh, just apply this patch and it'll fix
your, you know.

Speaker 2 (14:31):
Yeah, reader, I never do that. I always go to
the source.

Speaker 4 (14:34):
So it's possible that might be a vector as well,
where it's like, oh, we'll just, you know, give
you this firmware that's going to update and it's going
to allow any fingerprint, and it'll look like it works
for you, but it'll work for everybody else too.

Speaker 1 (14:46):
Yeah, but if you've got that level of control, you
could just steal everything.

Speaker 4 (14:48):
Well that's true too, right on the computer.

Speaker 2 (14:50):
Why well, speaking of updates, Dell has issued patches for
these laptops.

Speaker 1 (14:56):
Are all of them Windows patches? They're firmware, right? So you've
got to go into the firmware and update the firmware,
which most people never do.

Speaker 4 (15:05):
No, no. The only time you do it is usually
when that device stops working and you go, gosh, maybe
I'll go find the firmware. But that's pretty much it.

Speaker 2 (15:12):
I do that by logging onto Dell. And, you know,
if you've already got an account, right, if you don't, you
can look it up by the model and they will
be listed there for downloads, firmware, yeah, patches. So go
do that. If you had a Dell laptop, dude, dude,
you got hacked.

Speaker 1 (15:28):
Yeah, but I just want to make clear, and I'm
being a stickler here, was baked all the time, yeah,
I'm being a stickler here, is this isn't Windows Update. Correct, right,
you're right. You have to go into the BIOS and patch
the firmware, and that is not a process that is like, oh,
I'm just going to do Windows Update. You've got to
actually go through the process that you've probably never done before.

Speaker 2 (15:47):
Probably. Yeah. And also make sure you're at Dell.com, like,
don't, don't go to Bob's, you know, discountsharkcages.com.
All right, so Fortinet, oh my god, we can't
get rid of these guys. Fortinet warns of FortiSIEM
pre-auth RCE flaw with exploit in the wild.

(16:11):
So it seems like this was in the news last week.

Speaker 1 (16:14):
So first thing is, this is a SIEM, and
we don't say the E. Security Information and Event Management.

Speaker 4 (16:21):
Even though we want to pronounce the E.

Speaker 2 (16:23):
Yeah, I pronounce it SIEM because how we.

Speaker 1 (16:25):
Tell, hey, we tell the outsiders, yeah, it's, how's your
SEAM? And you're like, no, sorry, SIEM, SIEM. So for
SIEM, basically this is where you'd gather up information
and logs and things like that to see, to catch
the hacker. Threat hunting kind of thing.

Speaker 4 (16:41):
Okay, here's what I want to say. Though Fortinet, what happened?

Speaker 1 (16:45):
Yeah, honestly, you've been We're really good.

Speaker 4 (16:47):
You were really good. It's funny. I was, there's actually
a couple of listeners of the podcast from Germany I
was talking to this week, and we were
lamenting. We were like, you know what, Fortinet
used to be good, right? We used to, meet me
over a camera throw, right, exactly. So it's, you know,
it's okay, exactly. Do we need an intervention at this point?

Speaker 1 (17:10):
Ye know, we do.

Speaker 4 (17:12):
Do I need to bring my buddies Ubiquiti? Yeah, no,
it's amazing how far they've fallen. They were
the cutting edge of, you know, firewalls and protection and whatnot.
I think they grew too fast, possibly. In this particular case,
if we dig into this, so this is,

(17:33):
like Patrick and Carl had said, this is the
FortiSIEM, right? So this is gathering logs and
understanding what's going on in your network. So generally something
you want up and running to know if somebody is
attacking your network. But the exploit here is an improper
neutralization of special elements used in an OS command injection.

(17:54):
Vulnerability may allow attackers, blah blah blah, whatever. So what does
that mean? What's an OS command injection vulnerability? Most of
these tools have the ability to say, oh, I want
to, let's say I want to write my logs out
to Splunk, right? And you go to the Splunk
configuration screen and you say, what's the name of the

(18:15):
host, the IP address where Splunk is, and you type
it in, and I don't know if it can
talk to that server. So I click test and
it goes out and it pings it and it comes
back and says, yes, that host is alive. I can
see it. Okay, then type in the username and
password or whatever. A host injection or OS command injection
is where I might type in, okay, I'm going to
type in the name of the Splunk server, and then

(18:37):
I'm going to use the ampersand symbol, whoami, right?
And what happens is when you click test, not only
does it run an OS command, ping name, because that
ampersand is in there, it goes, oh, by the way,
I want to run another command, which is whoami,
right? So not sanitizing that input means that I

(18:58):
can stack my commands. It's like SQL injection exactly, and
in some cases sometimes easier than SQL injection because
it's literally, I just need to put another command there,
and then put another command in there, and then tell
it to reach back out to me with the shell
so that I can do things.

Speaker 1 (19:13):
The words that make it the most unsettling are remote, unauthenticated. Yes,
I think that means it's a much bigger deal
if this thing is connected to the Internet, which I
assume in many cases it is.

Speaker 2 (19:27):
And here's a warning, kids. If you put in that
Splunk URL and you get back a picture of a cave,
you probably misspelled.

Speaker 4 (19:34):
Splunk wrong. Wrong. Spelunking.

Speaker 2 (19:38):
That would be spelunk. There's an extra E in
there. Just that, that'll give you. You're not going to
get a 404. You're just going to get
a picture of a cave. All right.

Speaker 1 (19:47):
So patch, patches. It's got a 9.8 rating, and I think the words remote, unauthenticated, yeah,
merit that it's up in that range, because a lot
of times, for those who are new to the show,
we take a little bit of a reality check
on those numbers from the CVE to see whether we
think it really measures. I think it's definitely above a

(20:10):
nine because of that.

Speaker 2 (20:11):
Yes, but is there a patch?

Speaker 4 (20:13):
Let me check. I think, yes, yes, there's a
bit of an update to the latest version, 6.7.10,
7.0.1, 7.1.8, 7.2.6,
7.3.2. Right now, we'll put the link, we'll
put the link in the notes. But yeah, there is
a patch. So if you're running 7.3
or 6.6 or earlier, you're in trouble.

Speaker 1 (20:32):
The shame about these things is this: these are people
who are using this product, who are trying to do the
right thing by trying to use a SIEM to find
the bad stuff, and the thing that they
were using to find the bad stuff opened them up
to worse stuff.

Speaker 2 (20:44):
Right. Well, this is about the time when we need
to take a break, so we'll be right back after
these very important messages. Don't you go away. And we're back.
It's Security This Week. I'm Carl Franklin. That's Patrick Kyin
and Dwayne Laflott, here for your terrifying and realgy jocularity. Okay,

(21:10):
next story. Seventeen thousand plus VMware, how do you say this?

Speaker 4 (21:16):
ESXi. ESXi's. Sexy.

Speaker 1 (21:20):
That's how, ESXi, should, yeah, I'm running, now, sexy.

Speaker 2 (21:29):
Hey you heard it here first, that's.

Speaker 4 (21:32):
Gonna be right. Makes some very awkward conversations with customers.
Are you running... You're gonna be like, what did you
just say?

Speaker 2 (21:40):
Seventeen thousand plus VMware ESXi servers vulnerable to critical integer
overflow vulnerability. Yikes. Yeah, what happened?

Speaker 4 (21:50):
So this is an interesting one. Now, this vulnerability
can allow all sorts of takeover and control, and it
is rated pretty high. If I remember correctly, this is 9.3.
Yeah, this is a 9.3. Security
researchers warn it's been around for a little while. The
biggest problem right now is the Shadowserver Foundation has
found that seventeen and thirty-eight of these ESXi boxes

(22:12):
are sitting on the internet. And, oh, right, so that's
a fair surface of attack to be able to hit. Honestly,
I'm not entirely sure why you'd put an ESXi box on
the internet, but, yeah, it is what it is.

Speaker 1 (22:28):
I mean, I can see hosting a VM on the internet,
but it's kind of, that's kind of reckless, I.

Speaker 4 (22:33):
Think, right, And at this point it says it permits
unauthenticated remote attackers to execute arbitrary code, escalate privileges, or
deliver ransomware to the virtual environment.

Speaker 2 (22:46):
So VMware ESXi obviously is, like, what, on something that
sits on top of VMware, is a brand of view.

Speaker 1 (22:55):
It's a hypervisor that lets you run vms.

Speaker 4 (22:58):
Yeah, okay, yeah. So you would install this usually bare metal,
you know, instead of installing Windows or Linux on your computer,
you would install ESXi as an operating system. I see.
And then it allows you, as a
hypervisor, to use all of the hardware on that bare
metal to spin up virtual machines. So I could spin

(23:19):
up a Windows server, I could spin up three Windows servers,
I could spin up a Linux server, all on the
same hardware.

Speaker 2 (23:25):
So get this. This critical vulnerability, first flagged in July,
has prompted urgent calls for patching, but the latest scan
results suggest progress remains slow, with thousands of systems still unpatched.

Speaker 1 (23:38):
Because this is like the firmware on a laptop or
computer system. This is under the covers of what
most people deal with. And, you know, it's
closer to hardware than it is to software in
most people's minds.

Speaker 4 (23:52):
Yeah, so July nineteenth, there were 17,238 vulnerable hosts on the internet. As
of August tenth, there's 16,300, so less than
a hundred have been, or less than a thousand have
been patched.

Speaker 2 (24:07):
So is this something where you have to create a
USB stick or a portable hard drive and boot from
that to update?

Speaker 4 (24:13):
Generally this is something where you need to go into,
you can go in and click update, but usually you
have to have a keyboard and monitor on the ESXi box.
You can do it through an administrative interface as well,
so there's a couple of ways to do the update.
It's not super painful, but, to Patrick's point, it's
not as easy as Windows Update.

Speaker 1 (24:30):
It's not like just go click on somewhere. We
have no inside information on this, but it's possible that
this is very localized to, like, one large web cloud
provider who decided their default configuration was on the web
and they've only gotten ten percent or eight percent of
their servers done. Yeah, it could certainly be that. I'd
want to look at the Shodan or the Shadowserver Foundation results

(24:53):
to know, but I don't think we can get that detail.

Speaker 2 (24:55):
But you said this is just for the box, not
for each individual VM. The VMs themselves don't need
to be patched, or do they?

Speaker 1 (25:01):
No, they don't. Good, No, but they might have to
be offline.

Speaker 2 (25:06):
Yeah.

Speaker 1 (25:06):
Sure. So if they're mission critical, you might
need to migrate them, and there are software solutions like Veeam
that will allow you to move a VM while it's
running to another system. So that's not a great
excuse unless you don't have those solutions in place.

Speaker 2 (25:20):
Well, yeah, you should have a backup anyway.

Speaker 1 (25:23):
Well, imagine a provider with this scenario and you've got
a server with, like, twenty VMs from different clients, from
twenty different clients. You're gonna have to notify all those
clients and give them enough time to understand the outage window.
And if it's high enough priority, you're going to have
to get them to agree to the outage window.

Speaker 2 (25:41):
Yeah, and that, Carl, like you said, you could use
Veeam if you have another server standing by as a backup.
Use Veeam after you have installed the latest version of
ESXi, exactly, and then use Veeam and then switch
it over.

Speaker 1 (25:55):
Yeah, but that that would kind of speak to why
it's a slower process, or just maybe that this message
isn't getting out and people aren't checking.

Speaker 2 (26:02):
Yeah, could be that they're not listening to security this week.

Speaker 4 (26:06):
Uncool.

Speaker 2 (26:07):
Uncool.

Speaker 1 (26:08):
I didn't think that was possible.

Speaker 2 (26:09):
Right. Okay. As we get closer and closer to our
top story: new Windows zero-click NTLM credential leakage
vulnerability bypasses Microsoft's patch. That can't be good.

Speaker 1 (26:25):
Well, so this is part of the whole arms
race that we're seeing. So there's a term
called a one-day. So a zero-day, most people understand,
is a vulnerability that's not known to the general
public that a hacking group or the NSA could use
to infiltrate organizations and do what they want until it
becomes public knowledge. Then it's no longer a zero-day once

(26:46):
it gets patched. What's happening now is the hackers, and
organizations like us, are going and reverse engineering the
patch to figure out what the vulnerability was so that
they can then exploit it before people get a chance
to patch. So this is, I don't, it's not the
same thing, but it's part and parcel, I think, because
Microsoft put out a patch and someone looked at the patch, reverse

(27:09):
engineered it and said, oh, they missed a trick. I can
get around this patch. So even a patched system I
can get around.

Speaker 4 (27:17):
Yeah. And so backing up a little bit, though, people
might be like, well, why does it matter, right? What's
going on here? Like we threw out a lot
of acronyms: new Windows zero-click NTLM credential
leaking vulnerability bypasses Microsoft's patch. Like, there's a
lot going on there we can unpack. So credential stealing.

(27:38):
Right, when we break into a network, the first thing
we're looking to do, especially if we don't have a
user account, there's plenty of times we're working with customers
where we'll send them an implant, like, you know, just
a device that they plug into the network. We don't
have any user accounts, so our first goal is go
find user accounts.

Speaker 2 (27:54):
Right. Now, I thought it was to find the
ATM network and spit out a bunch of.

Speaker 4 (27:58):
I mean, yeah, you've got to do that first. But
then the second goal is, step three, make money.
So we need a user account to do anything. Well,
an easy way for us to get user accounts is to
compromise lower-end devices, whether that's, like, a printer that
may have a user account on it, and then we
can grab credentials there. But another way for us to

(28:19):
do that is for us to take a link file,
an LNK file in Windows, and put it somewhere that's
publicly accessible by everyone. So we found shares that everybody
can write to, right? So what do I do in
everyone's share? I can't put an executable, an EXE, in
because nobody's going to run it, right? But I can
put an LNK file. And if I put an LNK file,
what a link file does is it's a shortcut

(28:42):
to another file. So we've all done this before, right?
You have your documents. You might have an Excel document
in there and you want a link to it on
your desktop so you can always double-click on it.
So you would drag it to your desktop and it
would say, do you want to make a copy here
or do you just want a shortcut, a link? Right?
And we'd say, oh, shortcut. And now it's a link file.
If you dissect that file, inside it's going to be

(29:04):
the path to the original file. Well, what if I
change that path? Instead of saying, you know, C:\,
you know, Users\dlaflott\Documents\
my Excel document, what if I change it to \\somecomputername\someshare\somefakefile?
When you double-click on that link file, it will

(29:27):
try to go out to the network and authenticate against
that share with your user account, which you're logged into
your computer with, automatically. Okay, so that's not a big deal.
You go, who cares, now, because somebody had
to double-click, right? They had to do something. So how
do you make this zero-click? Well, Windows Explorer has

(29:48):
a really interesting feature. When you open up Windows Explorer,
which is the My Computer, and you're surfing your hard drive,
you'll notice all the files have icons on them. Right, oh,
this is Word, and you can identify it by
the fact that it's a Word document.

Speaker 1 (30:02):
Yeah.

Speaker 4 (30:02):
What Windows Explorer does is it interrogates the file to
see what the icon should be. When it does that,
it has to reach out to the original file to
do it.

Speaker 1 (30:14):
Of course, it's okay.

Speaker 4 (30:15):
You put a link file out there and you reference
a remote Word doc that's not really a Word doc,
and when a user opens that share up Windows Explorer
automatically reaches out to us and gives us credentials for
the user. And they're not credentials, they're hashes. We could
go into a lot of how you replay them and
all the other good stuff, but moral of the story

(30:35):
is some form of credential comes back out to us,
and that's really cool. But Microsoft has tried to stop it.
In this particular case. What they're doing is they're taking
that link file. They're referencing an executable that's on a
remote location, and in that executable is the icon for
the executable. So they're like, oh, well, what I need
to do. This is what Microsoft is saying is I

(30:56):
need to take that executable from the remote location. I
need to pull it down to the local computer. I
need to open it up and find the icon so
I can display it. Well, now what I've done is
that executable is now local to the Windows computer. It's
already there. So it's a zero click deploy of executable.

Speaker 2 (31:15):
So it's in some cache files.

Speaker 4 (31:17):
You've got to use it to do, yeah, and you didn't,
and they didn't even notice it. All they were doing
was surfing a hard drive or opening up the public
share, looking at their home drive. Right, they didn't click
on anything, they didn't do anything other than just open
up that Explorer. So it's important. But we're going to,
because this system of how, you know, NTLM works and
Windows sharing and that sort of stuff has been around

(31:38):
for thirty five, forty years, we're going to see a
lot of these sort of bypasses. It's an interesting one. Actually, well,
I'm sure we'll use it on all of our attacks. We
love the link file. Honestly, we do use link
files all the time on our attacks because it's just
super easy for us to grab credentials that way.

Speaker 1 (31:54):
And for those who haven't heard it, convenience is the
enemy of security, right and link files are hell convenient.

Speaker 2 (32:00):
Oh yeah, all right, so we know this is a vulnerability.
Is there a patch?

Speaker 4 (32:04):
Not particularly, no. Works as designed, I think, is what we're
doing right now. It's works as designed. I could see
Microsoft going out and being more stringent in how they
reach out and look for icons and files and saying, well,
if it's a remote executable, maybe we won't do this anymore,
or maybe we'll pull down the executable, pull out the

(32:24):
you know, the icon, and then delete the executable or whatever.
But currently there's a, hey, this is kind of how
it was designed.

Speaker 1 (32:31):
Well, there was a patch.

Speaker 4 (32:33):
There was a patch that attempted to fix a lot
of this stuff, so I could see Microsoft adding more
logic to that patch. But it's a rabbit hole exactly.
It's an arms race that you always talk

Speaker 1 (32:44):
about, they're able to break as much as they fix.

Speaker 2 (32:46):
Yeah, well, the document says, the Microsoft website says, Microsoft is
expected to release a comprehensive security update to address the
bypass technique completely. So is that still true?

Speaker 4 (32:58):
Yeah, absolutely. But there again, it's an arms race. The
last time they released a patch, it was a comprehensive
update to stop the bypass entirely.

Speaker 1 (33:06):
Pass the hash. It's not the same attack, but it's
in the same family, I would say, and they
said that was, you know, absolutely designed.

Speaker 4 (33:14):
Right, and I think it's like, shoot, almost ten years
ago now, maybe seven years ago now. Microsoft's like, pass
the hash is dead. And we saw tons of pen
testing articles out there saying pass the hash is dead.
Long live pass the hash, because you could still
do it, right, even though Microsoft had patched and tried
to catch it. It's this arms race of, oh.

Speaker 1 (33:33):
Yeah, but they told people not to. So I mean,
that's all you have to do, That's all you really
have to do.

Speaker 4 (33:38):
Just let them know. I mean, like, this isn't cool.
The scouts are my bad. I'm bad. So I think
this will be the same thing, Carl. This
will be an arms race. We're going to see attackers
find a way around this comprehensive patch and it's just
going to keep going and.

Speaker 1 (33:51):
An ongoing good news for Microsoft.

Speaker 2 (33:54):
Yeah, so we're ready for the big one here in
cybersecurity news. BitUnlocker, multiple zero days to bypass BitLocker
and extract all protected data. So we've talked about BitLocker
in the past, the feature of Windows, and when you
turn it on for a particular folder or hard drive,
it encrypts everything in that folder or hard drive, encryption

(34:18):
at rest, so that if you make a copy of
it and copy it somewhere, you cannot access it unless
you've got the key, which is online and you can
find those keys. And we talked about this because I
had this issue where I had some music that I
had recorded on one PC and apparently BitLocker was on

(34:39):
it and realize it and I went to copy that
off and give it to the artists that I recorded
it for, and they couldn't open it, and so I
had to go get the key and turn it all off.

Speaker 1 (34:53):
But encryption at rest is very important because it means
that if somebody steals the laptop or the computer, or
just gets the hard drive because you threw it away
without effectively wiping it, which is a big no no,
they can read the data. And we have people, I
won't mention names, who will just go to a pawn

(35:13):
shop and buy old hard drives for fun and see
what's on them. Yeah, you know, and they're mostly people
in our industry and they're, you know, for a laugh,
and they'll take a look at what's on there, more
so that they can tell war stories when they speak
at conferences, not so that they can steal data. But
there could be somebody, you know, you could buy a
hard drive, probably an old terabyte hard drive nowadays, where

(35:36):
three hundred and fifty gigabyte hard drive you probably get
for three to five bucks, and it could be, hell,
your old bitcoin could be on there that you
were looking at.

Speaker 2 (35:46):
So Staples, in case you don't know, the big chain
will recycle all sorts of electronic equipment, and in my
town there's just an empty cart right inside the door,
and you just put stuff in there. I had over
one hundred hard drives that I had amassed over the years,
and after cleaning them all off and getting rid of

(36:08):
everything that I needed, I drilled holes through them, two
holes all the way through. Usually took those. What
do you mean usually?

Speaker 4 (36:17):
So can you still recover from those drives? You can,
but it does require some very specialized tools.

Speaker 1 (36:23):
Which we have, so you can do it.

Speaker 4 (36:25):
What, Yeah, you can do so?

Speaker 2 (36:26):
I mean they're still what if I bang it with
a hammer, so it's completely misa.

Speaker 1 (36:29):
You'll break something badly, but you won't. So we have
a partnership with a hardware destruction company that
shreds drives and gives us a certificate of destruction.

Speaker 2 (36:40):
Right, I guess to get a big enough magnet like
Richard Campbell's, it's true.

Speaker 1 (36:44):
Yeah, if you get, I think it's
one sixteenth of an inch of disk platter, you
can read something off it.

Speaker 2 (36:51):
Now?

Speaker 1 (36:52):
It might be just random bits, but it could be
a Social Security number, which I can
also get off the internet. So just understand that
it's not the way, like, wiper programs don't just
erase the data. They erase the data and write new data,
and erase that data and write it again dozens of
times to make sure there's no residuals so that they

(37:13):
can't unread it all.

Speaker 2 (37:14):
Right, back to the story. Researchers have disclosed a series
of critical zero day vulnerabilities that completely
bypass Windows BitLocker encryption, allowing attackers with physical access to
extract all protected data. There's four critical attack vectors discovered.
So you want to talk about these?

Speaker 4 (37:33):
Yeah, absolutely. So they all distilled down to, so like
you talked about, a BitLocker drive is encrypted, right, all the
data is encrypted at rest. So for those of you
who have a BitLockered drive, like, you may be like, oh,
I don't know if I have a BitLocker drive. Shut
your computer off, and when you turn it back on,
if it asks you for a really long password, then

(37:53):
you probably have BitLocker on. So there are ways. Let's
say we're recovering our PC, right, to go into
Windows, and the last patch caused all sorts of issues
and that sort of stuff, and I say, I want
to recover to a different recovery point or something along
those lines. You're using WinRE, which is the Windows Recovery Environment.
When you do that, that process has to be able

(38:15):
to register applications to be able to be used prior
to your drive booting, so that it can restore the
operating system and do all sorts of stuff. What this
is doing is exploiting that recovery volume, right, that boot.sdi
file that allows you to do these types of
recoveries and registering new applications and that sort of stuff.

(38:37):
So it's a way of bypassing the BitLocker key. Now
it's not like, huzzah, it just shuts it off. You do
get read access so you can pull certain files off
the drive if you want to. This has been patched, however.
So this has been patched if you, I believe it
was in the July twenty five patch. But firmware or

(38:59):
Windows Update? No, this is just Windows Update. This is
fixing the way that setupplatform.exe
works.

Speaker 1 (39:07):
So, just as a clarification, when you boot
Windows that has BitLocker, you're not prompted if you're booting
from the installation of Windows that has BitLocker.
If you try to install another operating system that accesses
that disk, that's when you'd get prompted for the
BitLocker, exactly, because it's encrypted at rest, so it's transparent

(39:28):
to most.

Speaker 4 (39:29):
Right, and that's what an attacker is going to do.
Like, I'm not going to know your username or password.
So if I stole your laptop, I
would want to boot to it, boot to a USB
and access the drive, and at that point that
would require, right.

Speaker 1 (39:41):
And also if you take that drive out or
you throw that drive in the Staples shopping cart and I
grab it out, because they guard that really well, right, yeah,
they're looking guard. So if I grab that drive out
and I bring it home, if it
was on a partition with BitLocker, it will
be encrypted and it will be a much higher standard

(40:03):
for me because it's a heavy encryption BitLocker.

Speaker 4 (40:05):
Oh yeah, sure, I mean the key is huge. And consequently,
if you've ever tried, like, run into an operating system
issue, had to reinstall, and it asked you for that
BitLocker key, and you go, oh my gosh, I didn't
write it down. It's associated with your Windows account. So
you can actually now log into the Microsoft Windows site with
your username and password, find all the BitLocker keys

(40:27):
associated with your computers, so that you can type it in.
So there's a way to get back your keys. It used
to not be that way. It used to be if
you didn't write it down, oh, well, you were in trouble.

Speaker 2 (40:37):
Well do most people just encrypt their data drives? Because
I imagine most people can.

Speaker 1 (40:44):
Have one drive, yeah, and they wrap it or they don't.

Speaker 4 (40:48):
Yeah. Even most laptops you're going to buy from Dell
would have one drive in it, right. It doesn't have
multiple drives typically unless you like order with multiple drives
and add.

Speaker 1 (40:57):
Gamers and musicians, which, pretty much, all
of us are one of those. Guess who's who? Yeah?

Speaker 2 (41:05):
So but okay, so you mentioned I asked you before
the show. Who uses BitLocker. So, government, military.

Speaker 1 (41:12):
A lot of people depend on it if they require,
if their standards require encryption at rest, which the military
definitely does. Government definitely does. You know, some non
disclosure agreements, if they're extensive enough, will say you're only
going to store our data on devices that have at
rest encryption, uh, and you know, encryption in transit. Those

(41:33):
are the keys. So yeah, we're starting to
become dependent on it and just assume it's there, uh,
and BitLocker's kind of the gold standard right now because
it's easy, it's.

Speaker 4 (41:44):
It's included, it's not hard to use. Yeah.

Speaker 2 (41:47):
Right. So, as I mentioned, there's four, right. So there's the
boot.sdi parsing vulnerability, there's the ReAgent.xml exploitation, that's
WinRE's offline scanning feature.

Speaker 1 (42:00):
Yep.

Speaker 2 (42:00):
There's trusted app manipulation, so that targets setupplatform.exe,
a trusted app. And then there's B.

Speaker 4 (42:09):
CD, you know, the push button reset configuration. Yeah, yeah,
and all of them pretty much, you're targeting the same thing.
They're targeting the ability to do either restores or low
level, uh, you know, point checks and that sort of
stuff in your operating system. So, although there's different ways
to do it, whether it's, you know, manipulating the boot.sdi

(42:31):
or, you know, changing an XML file that's configuration in
ReAgent as to which, you know, offline program can run,
either way, you're manipulating setupplatform
to run cmd.exe or whatever it is. It's
that recovery piece that you're exploiting to then run the
program of your choice past the BitLocker protection.

Speaker 1 (42:53):
And again, the risk here is you go to a
country that wants to read your laptop and knows about
this hack, and you haven't done patching on that system.
Somebody, you know, you throw away your drive and somebody
wants to get into it after the fact, whether they
know you or not. The fact that it's on Windows Update,
there's a much easier path to getting it patched. So

(43:14):
everybody should be patching this.

Speaker 2 (43:16):
Oh we don't wait for patch Tuesday, do it now.

Speaker 4 (43:18):
By the way, this was just publicly spoken at Black
Hat last week. There was a session called BitUnlocker:
Leveraging Windows Recovery to Extract BitLocker Secrets, and
there was a team there that actually showed how to
do it.

Speaker 1 (43:34):
So they made prime time.

Speaker 4 (43:35):
They did.

Speaker 2 (43:36):
They said, BitLocker keys? We don't need no stinking BitLocker keys.

Speaker 4 (43:42):
They did, and they were right.

Speaker 1 (43:44):
They were right.

Speaker 2 (43:46):
Wow, another awesome show has elapsed. Thank you very much.
You wasted at least forty five minutes watching us on
YouTube and listening to us on the podcast, and for
that we thank you. We'll see you next week on
Security this week.

Speaker 1 (44:02):
Thanks, bye.