Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
This just in, a truck carrying a full load of
potato chips was involved in a multi vehicle accident on
the mass Pike. Expect delays so bad. Delays are everywhere,
(00:23):
all right, guys. Before we get started with security this week,
by the way, I'm Carl Franklin, that's Duane Laflotte
and Patrick Hynes, we want to announce that we created
a video of last week's show episode. And the first
link on our website for this show is why not Yeah,
And the first link on the podcast page for this
(00:46):
show is a link to that video. So it's on
your video channel, Pulsar Security. Yep. Yeah.
Speaker 2 (00:52):
So we release an audio as well.
Speaker 1 (00:53):
Yeah, we released an audio as well, But we also
said in the audio that we were doing a video,
so I just want to make sure people knew where
it was and how to get there. Are we committing
to one a month?
Speaker 2 (01:04):
I think that's our goal. Yeah, our goal is one
a month, Okay, And depending on that.
Speaker 3 (01:09):
I don't know. Well, I guess it depends on how
well they received.
Speaker 1 (01:11):
That's what I was just going to say.
Speaker 3 (01:12):
If everybody hates them, then maybe no, all right, maybe
nobody wants to see this no more than hiring his.
Speaker 1 (01:20):
Face with his hand. Yeah, okay, let's jump into it. Then.
The first story this week, Cisco warns of max severity
flaw in Firewall Management Center.
Speaker 2 (01:30):
Wow.
Speaker 1 (01:30):
Wow, that's not a good place to have a max
severity flaw.
Speaker 2 (01:34):
I mean, it's house of cards at that point. It's
an RCE in the RADIUS subsystem of their Secure Firewall
Management Center or FMC software. I'm assuming this is something
that you would put outside the firewall, which sounds like
it shouldn't be, and it's it's it's a go patch.
We got to go patch this stuff. If you haven't, right,
(01:54):
then you might want to challenge your life choices.
Speaker 1 (01:57):
Yeah, our listeners should know that RCE stands
for Remote Code Execution.
Speaker 3 (02:03):
That's right, and RADIUS stands for Remote Authentication Dial-In
User Service. Dial in. I don't know. I was just
I figured we were right.
Speaker 2 (02:11):
I figured that was obvious.
Speaker 3 (02:12):
So I figured that was obvious. Everybody remembers dial in,
don't you.
Speaker 1 (02:16):
Well a call back to last week's show with AOL
finally throwing in the towel.
Speaker 3 (02:21):
No, we're dial in needed. Yeah. No, So although RADIUS
does have dial in in the name, it's still used
as an authentication protocol for you know, VPNs and that
sort of stuff, wireless all sorts of things.
Speaker 1 (02:35):
All right, So that's a go patch, go patch. This
one's interesting. This is in Securelist.com: code
highlighting with Cursor AI for five hundred thousand dollars. I
don't really understand from the headline what happened, but apparently
some AI did some bad things.
Speaker 2 (02:52):
So someone had crypto assets in a wallet on a
system they were using Cursor. Cursor's a vibe coding platform.
It's actually quite good from from all reports, and it
helps with you know, writing code from scratch, but also
for editing code upgrading. I know somebody who upgraded a
(03:13):
an Angular system four versions in less than a week, which
would normally take a lot longer than that. Wow, so
it's got some value. Unfortunately, the highlight it says code
highlighting with Cursor AI for only five hundred thousand dollars.
What happened is the the AI grabbed a package that
had a crypto stealer and the guy happened to have
(03:33):
crypto on that computer and it stole half a million dollars. Wow,
actually stole all of it?
Speaker 3 (03:39):
I'm sure, Yeah, yeah, it doesn't leave any crypto stealers. Yeah,
they're not like, let's let's leave a tip.
Speaker 1 (03:45):
Yeah.
Speaker 3 (03:47):
Yeah, it's tough. You got to you got to know.
And we've seen this happen with Python packages, right. We've
talked a lot about you know, pip installing Python packages
and pulling them down, and some of them might be
malicious and you really need to look through the code
and know what those packages do. Right, So, I think
we're starting to see the advent of attackers moving into
(04:08):
that vibe coding space. So for those of you who
don't know what vibe coding is, if you are a
developer and you're creating an application and you maybe know
nothing about code or computers at all, you can now
create an app. You can talk to your computer, whether
it's typing or literally chatting, and it will create an
(04:28):
application for you. The problem is you're beholden to understanding
none of it. So it could be malicious, it could
be you know, rife with security holes and that sort
of stuff. And that's what we're seeing here is you know,
you have this people who are using vibe coding. The
assumption is they don't understand code well enough in some cases,
which is not always the case, which is not always
(04:50):
the case. So but you hit that one person who
doesn't understand the libraries or doesn't take the time to
read through them, and sure enough, yeah, you're gonna well,
that's some things into your code that you really didn't
want there.
Speaker 1 (05:01):
So if you're a real developer out there and worried
about you know, is my job over? No, it's not over.
It's just changing. Yeah. Where whereas people would call on
you to build software, now they're going to call on
you to I'm going to say, on f software. Yeah,
there you go, right, yep, go through this, figure out
what's good, what's not good, and fix what's not good,
(05:24):
and give us a report of what you did.
Speaker 2 (05:25):
But we often will take a look at an application
and test it without looking at the source code, and
we often some we often look at the source code too.
So this is nothing new to us. It's just that
normally you can assess by talking to the developer what
there do they know about SQL injection? Have they protected
against it or they think they protected and it just
it helps us understand. But with with with AI written code,
(05:49):
the assumptions are dangerous.
Speaker 1 (05:50):
Yeah, when you ask it, Hey, what did you do here?
And it says, oh, I raised unicorns from babies and
them yellow.
Speaker 3 (05:58):
Okaya, mm hmmm, all.
Speaker 1 (06:01):
Right, cautionary tale there. Let's get to this one. Microsoft
Defender AI to uncover plain text credentials within Active Directory.
This sounds like a feel good story.
Speaker 2 (06:11):
Well it's it's more than that, because what is it
talking about. So you can't save your password in Active
Directory as clear text, but you can do other things
in clear text, right.
Speaker 3 (06:21):
Duane, Yeah, we do to see it. So Active Directory
is it's literally it's a directory. So like think like
phone book kids, for those of you who don't know
what a phone book is, turn to your parents and
ask what a phone book is.
Speaker 2 (06:35):
But it's like Facebook, the Facebook original, what's the social network?
Speaker 3 (06:43):
It's like a dictionary. Wait, no, if that's not going
to help either. No, So a directory is you can
look up any object in that directory. And for Active Directory,
it might be computers, it might be servers, or it
might be user accounts, and there's all sorts of other
objects with those objects, there's properties, right, and one of
those properties might be the password or the last time
the user logged in or how many times they've unsuccessfully
(07:05):
logged in that sort of stuff. Right, All of these
are properties around that object generally we see in pen tests,
And we were just talking about this beforehand, like is
this kind of an important thing. There were a lot
of times when we're doing pen tests, greater than fifty
percent of the time where we will attack a large
organization and we'll go through their active directory and there's
(07:25):
an open field on users, a notes field, and we'll
see passwords just typed in there. And a lot of
times that's because the help desk will receive a call
from a valid user and say I need to reset
my password, and they'll take that password and they'll paste
it into that notes field. But what they don't realize
is that is a open text field that anybody can read.
(07:48):
So when we pull down that open text field having no
privileges whatsoever, we can actually see those passwords because any user,
normal user account would have access to it. We find
it a lot with like service accounts, right, like, oh,
I'm running a SQL Server over here. It needs an account,
needs a password for that account. While I'm not going
to keep it, you know, on a notepad on my desktop,
(08:10):
I'll just put it in the notes field next to
that SQL account user, so everybody knows what it is
who has access to AD, but unfortunately that's every user.
So Microsoft has done and said, and this actually
just sounds like a text search, not really a defender
AI thing, but whatever, you know, Microsoft has said, hey, listen,
we've unleashed the AI to take a look at you know,
(08:31):
open free text fields, right fields associated with objects, and
just see, hey, could this be a password? And they
found forty thousand plus credentials exposed in two and a
half thousand tenants. So that is a whole lot of
passwords sitting out in the clear.
Speaker 1 (08:51):
And if AI knew the cat names of the people
that had their passwords, they probably could make much more
accurate guesses right exactly that name one through three exclamation marks.
Speaker 3 (09:03):
I'm going to be honest. You know, Summer twenty twenty
five has been really popular, but I think fall twenty
twenty five as a password. COM's coming. You need a
long password.
Speaker 2 (09:13):
If they're well educated, they might be autumn.
Speaker 1 (09:20):
Yeah, all right, so it's a good thing. Yeah, I
think it's a good thing.
Speaker 3 (09:24):
Yeah, this is a good thing.
Speaker 1 (09:25):
Yep. Absolutely, But also the cautionary tale. There is watch
out where you put those freaking passes files.
Speaker 3 (09:31):
Exactly have a password manager, and I know a couple
of stories from now we're going to talk about issues
with password managers. But yeah, exactly, we're still got there.
Speaker 1 (09:42):
All right, one more here before the break. DARPA touts
value of AI powered vulnerability detection as it announces competition winners.
Speaker 2 (09:51):
So, for those who don't know, DARPA is the organization
that helps the military realize it's decade forward goal. So
the Internet sprang from a DARPA project to help the
military communicate nationwide after nukes had destroyed some of our cities.
They're the ones that started the autonomous vehicle revolution. They
(10:14):
created drones, they created GPS. Now they don't build that
stuff directly, they fund it.
Speaker 1 (10:18):
It's a research organization.
Speaker 2 (10:20):
Well, they direct funding. And so now the eye of
Sauron has turned to AI powered vulnerability detection, which
is great, and it's a project that they probably are
just getting ahead of now, but it's already taken off.
Speaker 1 (10:35):
We like it. Yeah, but like everything that AI tells you,
it found, you need to validate.
Speaker 2 (10:40):
Well, so we had a story about this not too
long ago where it talked about a lot of slop here.
So like when we do it a vulnerability assessment, we
look at potential vulnerabilities, but we don't know if they're
real or not unless we actually try to exploit them.
And that's when we find out, oh no, that this
just looked like it would be open, it's not. I
don't think that's happening here. So you're going to get
(11:02):
a lot of oh yeah, there's a vulnerability here, vulnerability here,
and then it's like, oh no, that's really not one.
And I don't know if AI is good at figuring
out the ones that are real versus the ones that
are just appearing to be right there.
Speaker 1 (11:15):
Yep.
Speaker 3 (11:16):
Yeah. So in this particular case, this was a competition
at DEF CON forty two. So what DARPA did is said, hey, listen,
we've taken an open source project, we've forked it, we've
created our own sort of copy of it, and we've
injected synthetic vulnerabilities. Right, so we've made up vulnerabilities in here,
and we want to see how many of them you find,
(11:38):
and using a.
Speaker 2 (11:39):
They injected one hundred and one hundred and twenty were found.
Speaker 3 (11:44):
That would be awesome. So the results thoroughly impressed DARPA.
Of the seventy synthetic vulnerabilities the agency created, the finalists
discovered fifty four of them seventy seven percent success rate,
and patched that. The winning team had to not only
discover these vulnerabilities, but but remediate automatically remediate them by AI.
(12:09):
So discovered fifty four of the vulnerabilities and patched forty
three of them sixty one percent. In the process.
Speaker 2 (12:15):
I would just delete all the code and say I
remediated it.
Speaker 1 (12:20):
Patrick Hines, Tomahawk Policy.
Speaker 3 (12:23):
You know, it's funny you say that, because AI will
do that. When you're working within in vibe coding, you'd
be like, oh, there's an issue with this particular function,
can you fix it? And we'll just delete it. All
these like done, it's not an issue anymore. You're like,
wait is dude, No, Dave, I can't do that.
Speaker 1 (12:39):
Yeah, you just deleted all my code.
Speaker 3 (12:42):
Yeah, it's brutal. So this is I think this is
a good news story. In uh, we're going to start
seeing I actually start seeing We've already have AI in
pretty much everything we're using right now. If you're using
Microsoft Office, there's AI in there. If you're using Visual Studio,
there's AI in there. If you're using VS Code, there's
AI in there. So we're we're seeing this really integrated
(13:07):
part of AI into development, into our day to day lives.
And it's good that it know, we can know that
maybe soon we could rely on it to actually kind
of help in the security world.
Speaker 2 (13:17):
We're not there yet, so it's let's talk about this
for a second, because a lot of people perceive and
we're starting to see the realization starting to come across
Silicon Valley. AI is a fantastic tool that can do
a lot, but it can't do it alone. We really
don't know. We're in the agentic era, but we're not
in the independent era, right and I don't know that
(13:38):
we're going to get to the independent era in my
lifetime and I'm not ninety three yet. So it's you
still need a good developer, you still need a good
security engineer, you still need a good business person to
make sense of the ideas because there's still a lot
of slop that comes through these And notice it didn't
find all of the errors. Yeah, it didn't find all
(13:58):
of the things, so it's not on nip, but yet
it's really good it's really useful, but we need to
understand there's still a role for people who understand how
to use it, and we need more of those people.
So don't get fatalistic and say, well, you know, that's it.
AI's taken my job. It's going to be more competitive
in the future. But we already had a shortage of
people who understood security, so this will help us catch.
Speaker 1 (14:20):
Up, right, and it's those that can take advantage of AI.
It make sense of it that we'll have the jobs. Yeah,
seems like we say the same thing over and over
again every week.
Speaker 2 (14:30):
Yeah, history repeats itself.
Speaker 1 (14:31):
Yeah, all right, Well, I guess this is the time
where we're going to take a little break, So pay
attention to these very important messages and we'll be right
back after the break, and we're back. It's security this week.
I'm Carl Franklin, Duane Laflotte and Patrick Hynes.
Speaker 2 (14:48):
We haven't said this since before the break, but go patch.
Oh no, that I'm supposed to say that at the
end of this story.
Speaker 3 (14:52):
Yeah, yeah, you gotta wait till the end of the story.
Speaker 2 (14:54):
Okay, all right, all wait.
Speaker 1 (14:55):
All right, the next story. Hundreds of N-able N-central
instances affected by exploited vulnerabilities.
Speaker 2 (15:04):
N-dash sounds like you're stuttering. N-able, N-able, N-central.
Speaker 1 (15:09):
N-dash-able, N-dash-able and N-dash-central.
Why do they have to name their products
such incredibly stupid names that are different out and.
Speaker 3 (15:22):
N-able is the name of the company, and N-central is
their product, of.
Speaker 1 (15:27):
Course it is. And I could tell by just the headline, right,
what's the matter with me?
Speaker 3 (15:33):
This is? Uh, this is more a tool. This is
what's called an RMM, which is a remote management
and monitoring tool. So this is something that your IT staff,
especially if you have outsourced it, would be using to
monitor your system. So this is a smaller, medium business
medium sized businesses that are working with what we call
the manage a managed service provider an MSP. So you
(15:55):
may not have your own IT department, You may just
outsource it to a company and they would put these
servers in place and they would be able to remotely
monitor and manage all your servers and computers and workstations.
Speaker 2 (16:07):
And sounds amazingly convenient.
Speaker 3 (16:09):
You know, antivirus and backups and that sort of stuff. Right,
A central management for all of your computers with godlike privileges,
which is one to them all right, Now, we've seen
these style of tools get compromised in the past, Kaseya, Yeah,
I think Kaseya, think SolarWinds, think right, this very
similar style product. So in this particular case, although both
(16:30):
of these CVEs, CVE-2025-8875
and CVE-2025-8876,
both of them do require being authenticated to the device,
so you do need a username and password of some sort.
But they are pretty pretty damning. We're looking at execution
of remote code that sort of stuff. So what what
(16:52):
do you do and how do you know if you're affected, Well,
if you're affected if you have an implemented on premise,
which means on I had to explain on prem recently.
I don't I don't realize how many these terms we
just throw around, like on premise too many.
Speaker 1 (17:06):
I think it's on premises, Yeah, on premises, on the premises.
Speaker 3 (17:11):
If you have a server sitting at a building of
your your own work place, yeah, but I have it
on premise. And if you're running one on premises, it's.
Speaker 2 (17:24):
Either in the cloud or it's on premises. Yeah.
Speaker 3 (17:27):
Yeah, So if you're running one on premises, then you
want to, but.
Speaker 1 (17:29):
It is not it is not on premise.
Speaker 3 (17:32):
Though it is not on premise. On premise is entirely
different that is on the on the premise, that on
premise of yes, yeah, yeah, So if you're running one
that's 2025.3.1, then you want
to go patch that. There is an update for it. Honestly,
if you are running any of the N-able devices on site,
(17:53):
then what you want to do is just go talk
to your MSP, get them to come in and do
the do the right patching.
Speaker 1 (17:58):
All right, So it's really a go patch.
Speaker 3 (18:00):
Yep, I thought I said that, yeah, but this one
you might not be able to. You may have to,
I know you said it in the you may have
to go talk to your your manager provider and get
them to go patch. But that's a good idea, all right.
Speaker 1 (18:09):
Next story, zero-day clickjacking vulnerabilities found in major
password managers like 1Password, LastPass and others.
Speaker 3 (18:19):
So yeah, and it's funny because they actually go through
I love this. We're going to post the link to this,
but they go through this chart, if you will, this
table of all of the different password managers: 1Password,
Bitwarden, Dashlane, Enpass, iCloud Passwords, Keeper,
LastPass, LogMeIn, NordPass, Proton Pass, and RoboForm. Right,
(18:43):
all of the different password managers that you may have,
and you see there's all these little red skulls like
in every every field saying are they vulnerable, and there's
a red skull in every one of them. Yeah, they're
all vulnerable.
Speaker 2 (18:55):
And there's three that are checkboxes and not red skulls.
Speaker 1 (18:59):
Yeah. For the exit, well, those are extension elements.
Speaker 3 (19:02):
Yeah, so that's like, okay, there's a small portion of
the thing that you were protected, but for the most part,
every single one of these is vulnerable. This is a
zero click So this means you go to the web page,
you don't do anything, and they steal your password from
your password manager, which sounds pretty scary.
Speaker 1 (19:20):
Yeah, here's what.
Speaker 3 (19:21):
Typically happens with a password manager, especially that's an extension on
your browser. When I go to a website, there are
two ways for the password manager to work. I can
either click on the username field, click a drop down
for my password manager, and then physically click on the
user I want to use right or the account, or
I can allow the password manager to auto fill those fields.
Speaker 1 (19:44):
That's what you don't want to do.
Speaker 3 (19:45):
So the moment I go to the page, it auto
fills the username and the password and automatically clicks submit.
By default, a lot of these password managers have auto
fill because it's easier, it's convenient. I go to the page,
it just logs me in and it clicks next. I'm done.
Problem being is in here. This is what's called a
DOM based attack, which is a document object model attack.
Speaker 1 (20:07):
That's basically the metadata about what is you're looking at
in your browser exactly.
Speaker 3 (20:13):
So I can take a let's say, and just to
sort of make this a little bit simpler, let's say
on the screen I have two, I have a password
field a username and password, and it says user name
and password. But behind the scenes, I don't call those
username and password. I call those like username one and
password one, which the password manager is not going to
fill in. But then I have another field that I'm
(20:35):
able to inject your JavaScript or whatever that's hidden that
is a username and password. Well, you're you're a manager.
Your password manager doesn't know that. You can't see that field.
That just fills it in, right, and now I, as
an attacker, have those passwords. So this is a dom
attack where you're hiding those particular you know fill ins,
and your password manager just automatically fills it in. The
(20:56):
damaging thing here is a you don't see it be.
It also has the ability to do things like what
we call TOTP or the time based one time passwords.
So those little ticky, obnoxious numbers that you may also
have in your password manager, they also can auto fill in.
And if they do that, then I can steal that
as well and bypass that. So moral of this story,
(21:19):
anything that's convenient is probably not something you want turned on.
I've heard that, so I would say, yeah, I know, right,
So in this particular case, turn off autofill on password
managers and a lot of this goes away, but it's
still good to know it's an informat.
Speaker 2 (21:34):
Now the password that gets stolen. So let's say I
go to my cornerhardware store dot com and I have
an account there. Yep, if it's if autofill is on,
it's going to fill in the username and password
for that domain. Correct, not my master password, no, exactly
for bitwarden correct. So that site has to be breached.
Speaker 3 (21:56):
Exactly, or I have to be able to inject JavaScript
into the browser at the time, So it could be
like a phishing attack or something along those lines.
Speaker 2 (22:03):
If I go to my other corner hardware store dot
com where I have no account, then it's not going
to it's not going to fill in. Kay, That's what
I thought, yep, because the.
Speaker 3 (22:11):
Password managers are really good about verifying the URL,
where you are right on the internet, and
not filling in the wrong password. But I can trick
you into sending you an email from you know, my
cornerhardware store dot com saying hey, there's an issue with your
account whatever, and when you click on it, it brings
you to their actual site so that the password manager
will give the actual username and password. But I've injected
(22:32):
a piece of JavaScript in the page.
Speaker 2 (22:35):
Could you do that by putting it in a frame?
Speaker 3 (22:37):
You could do it by well, so yes, you can
in some cases do it by putting in a frame,
depending on how depends on the browsers and the safeties
that are put in place.
Speaker 2 (22:45):
So this is like finding out that you know there
are knives in the world and people can use them
to stabby stabby you, right, But it's not that you
know you're going to be you know, breathing air kills
you immediately.
Speaker 1 (22:56):
You're so happy when you say stabby.
Speaker 2 (22:58):
Right, how come be happy about the internet burning? And
I can't be happy about murdering people? Why is that wrong?
Speaker 3 (23:05):
You know what I feel? You Patrick on there with you.
Speaker 2 (23:07):
But it's a nice knife right here, that's.
Speaker 3 (23:09):
A good one, good one.
Speaker 2 (23:10):
Yeah, all right, So some people need to be taken out.
Speaker 1 (23:17):
You're right, You're right about that. I have a list,
So I guess what we're saying here is like everything
else to these hacks compound, like these vulnerabilities are compounded.
Use one to get into another one. And once you
get to that, you know.
Speaker 2 (23:33):
It's like getting sick in the real world. If you're
if you're weakened immune system and and exposure to a
pathogen one or the other, you're probably not going to
get sick. But when both happen, you get sick. You
didn't get enough sleep. Yeah, not having the right So
it's the same kind of you want to live in
a healthy environment technologically right, and that means so convenience
has to go out the window.
Speaker 1 (23:54):
Yeah, So disable autofill in your in your and I've
done that in mine, I never do autofill.
Speaker 3 (24:01):
Nop, noop.
Speaker 1 (24:02):
Okay, we moved on.
Speaker 2 (24:04):
But password managers, let's just say password managers are still
de rigueur. You need to do password management because people
do not remember the passwords. Now, there's a couple of
passwords in my life that are not written anywhere, that
will never be written anywhere because they're so important.
Speaker 1 (24:19):
Same here.
Speaker 2 (24:21):
You need a varied strategy defense in depth with passwords.
But password managers are definitely a big part of that.
Speaker 1 (24:26):
Yeah, all right, So this is an interesting story. I
remember we talked about the UK that demanded access to
Apple user data a while ago.
Speaker 3 (24:33):
Yeah, one of the back door.
Speaker 1 (24:35):
Yeah, well they dropped that demand.
Speaker 3 (24:38):
Honestly, Okay, this is either one or two things. It's
either yes, this is all on the up and up
and they did drop that demand, or Apple said, sure,
we'll give you a way to do it. Just announce
to the world that you've dropped the demand exactly. My
guess is it's the former, not the latter.
Speaker 2 (24:55):
I agree because it's definitely possible.
Speaker 3 (24:57):
But only because it's Apple. Like if if it were
any other like entity that has some flavor of encryption,
they might go, yes, you're okay, we'll give you a
back door just you know, why did Gabbard cave in?
Speaker 2 (25:09):
I don't think it's that, because the other thing is
the US is against it because the citizens of the
United States's data would also be exposed. And that was
one of my concerns as well.
Speaker 1 (25:18):
Yeah, and I think that the US government had something
to do with it because they were posting on X about it.
Speaker 3 (25:26):
They don't want people knowing about their backdoor that's already there. Yeah,
of course, I mean that makes sense. Why add two?
Speaker 1 (25:31):
Yeah, you know, what are the chances we're both any
actual information?
Speaker 2 (25:39):
We have? Really non disclosure here?
Speaker 1 (25:44):
All right? Next story, why you need to update your
PLEX server asap?
Speaker 3 (25:49):
Okay, So I love PLEX. Plex is awesome. For those
of you who don't know what PLEX is, don't worry
about it. But for those of you know, you know
and you want to patch it if you know, you
know fast forward word. So, PLEX is a media server
for you to only serve out movies that you own
and media like you take home videos. You could throw
(26:12):
them up there and you know, you go on your TV,
you could throw the app for PLEX and you can
just watch them right stream them off of a computer server.
Speaker 2 (26:20):
Basically your own private Netflix.
Speaker 3 (26:21):
Yeah, yeah, exactly, yep. And if you open a port
to that server, you could do it anywhere in the world.
I could open up the app on my phone and
I could watch home movies anywhere, right, which is.
Speaker 2 (26:33):
Awesome because no one uses this for anything.
Speaker 3 (26:36):
Movies. It is just literally, hey, kids, just don't pirate things.
Speaker 1 (26:41):
What but are you talking about pirate things?
Speaker 3 (26:44):
Metallical pirates are so needless to say. Because the server
is opened to the Internet, there is a manipulation that
can be done on that particular port that can cause issues.
So if you are running a Plex media server, you want
to go patch because somebody could take over your server,
(27:04):
so be careful there.
Speaker 2 (27:05):
They referenced the last Pass data breach from twenty twenty
two in this article. Remote Code Execution vulnerability labeled CVE-2020-5741
allowed attackers access
to the Plex account of a last Pass engineer who
hadn't updated their software with appropriate patch. So that that's
(27:27):
the gift that keeps on giving. Yeah, oh, last Pass
two stories in a row, okay, oh three, No, not really,
we skipped on.
Speaker 1 (27:34):
Should we get to our top story?
Speaker 3 (27:37):
Let's do it?
Speaker 2 (27:37):
It is Yeah, I'm getting hungry.
Speaker 1 (27:38):
Yeah, well this is just a little nugget of a story.
So we'll leave a couple of nuggets around for you. Wow. Wow,
security researcher driven by free nuggets? Which is that true
or not? But unearths McDonald's security flaw changing quote login
to quote register in URL prompted site to issue plain
(28:01):
text password for a new account.
Speaker 3 (28:04):
I don't even understand how this happens.
Speaker 2 (28:06):
It seems like it's a privileged account too.
Speaker 3 (28:08):
Yeah yeah, wow, yeah, it doesn't make any sense to me.
Why and all right, are a little rant as a developer,
As a security developer, I would never pass a clear
text password in the URL almost anywhere, Yeah, right anywhere,
because there should be in the back end databases. There
should be hash and salt, or there should be just partials,
(28:31):
or it should go to OAuth, you should have
tokens or whatever. Yeah, you shouldn't have clear text passwords,
just throwing that out there.
Speaker 2 (28:37):
You also shouldn't be able to create an account
just by changing a word in the URL.
Speaker 1 (28:40):
Maybe they ported it from Access.
Speaker 3 (28:42):
Well there's that too.
Speaker 2 (28:43):
Yeah, So what I bet happened, and I haven't looked
at this code, is that there's a check during the
registration process that you get beyond once you do the
log in process, and they're using a similar state management
at that point, and therefore if you change flow
at the same time. Like if I walk
(29:04):
into a car dealer and I said, hey, I'd like
to borrow a car, and they put
plates on it and they do all the things, and
you say, yeah, I'm buying this car, and then you
just drive it away and they're like, oh, okay, well
here's the title, and you know it's your car. It's
basically you got through that first door and then you
changed the script on them and there were no checks.
That's how I envision this working.
Speaker 3 (29:26):
Yeah, And some of these, like the password they say
here in that case, a platform with access to private
information was secured with the password one two three four
five six, which oh my god.
Speaker 1 (29:41):
There's two dumb things right there.
Speaker 2 (29:44):
Well, I mean it's very much more secure than one
two three four, I mean it's two more.
Speaker 1 (29:50):
And if you put an exclamation mark at the end,
it's all.
Speaker 2 (29:52):
Right, which no one would ever get now it's special.
Speaker 3 (29:57):
But coming back to passwords, like, as a developer, you
never pass passwords around. But the other thing I would
say to you, I, uh, yeah, I can talk about this.
Speaker 1 (30:11):
Edit they think about whether this is classified.
Speaker 2 (30:17):
I'm dialing the lawyer's number.
Speaker 3 (30:22):
On speed dial above his wife, like it's the lawyers
and then his wife. I may have been on a website
where, when I logged in, you could apply permissions to users.
Let's just say, and uh, the developer was passing down
what they thought were secure passwords. I'm not entirely sure why,
but every user in the database came down to your browser. Yeah,
(30:45):
but hidden with the password, Yeah, with the password MD
five hashed, no salt, no nothing. You literally
just take that MD five. The website I'm telling you is www.
Speaker 2 (30:57):
Dot Carlfranklin dot com.
Speaker 1 (31:00):
Yeah done, I have both actually.
Speaker 2 (31:05):
Nay and the OK.
Speaker 3 (31:08):
That would get me in trouble. So, needless to say,
we do see it today. It's not like, oh my god,
how egregious is, you know, McDonald's here. We see it
all the time, where developers pass around secret information.
Speaker 2 (31:20):
What I mean, we still see SQL injection, we still
see all sorts of crazy things.
Speaker 1 (31:24):
What I thought was funny is the site is called
the McDonald's Feel Good Design Hub, their central platform for
brand assets and marketing materials used by teams and agencies
across the franchises. Yeah, across one hundred and twenty countries.
It used to be protected, quote unquote, by a client
(31:46):
side password. Yes, client side. Bobd Hacker said, it's the
guy who just got in love.
Speaker 3 (31:53):
I love how they say Ronald would be disappointed.
Speaker 2 (31:56):
Yeah, thank god he's dead.
Speaker 3 (31:58):
Does anybody know who Ronald McDonald is anymore?
Speaker 1 (32:01):
He used to smile a lot, and now he turned
that smile upside down.
Speaker 2 (32:06):
I always thought he was a clown.
Speaker 3 (32:08):
On that note, you.
Speaker 1 (32:11):
Ever walked into McDonald's and say, all right, you clowns,
give me some nuggets.
Speaker 2 (32:17):
That's a good way to get some spit.
Speaker 3 (32:19):
Yeah, a little floor washing with your nuggets.
Speaker 1 (32:22):
Oh my god, you get a slap with the mop?
Speaker 2 (32:28):
How low can you go? Pretty bad stuff. Well, I
mean, I can understand it though, because McDonald's, they just
don't have any.
Speaker 3 (32:34):
Money, right, Yeah.
Speaker 1 (32:39):
All right, Well that was just kind of a funny story.
I think that probably the most, if we were going
to point to a clickbait story, it would probably be
the one about the, you know, the LastPass
and the Warden and all that stuff.
Speaker 3 (32:52):
Yeah, that makes sense, all right, that makes sense.
Speaker 1 (32:57):
All right. On that happy note, we'll call it a show
and we'll see you next week. And make sure you
drop by our Discord channel and say hi, and send
us some email, and check out that YouTube video from
last week if you really want to see what we
look like when we record. And that's it, Bye bye,