348: NEW Critical Microsoft Outlook Bug Is "Trivial" To Exploit!

Episode 348 February 22, 2024 01:05:32
Technado
Show Notes

On this week's Technado, Wi-Fi QR codes are coming to Windows 11, and older Windows 10 PCs might have to migrate to ChromeOS. In other news, Linux is now a CVE numbering authority, joining ranks with the likes of Curl and Python. In the world of cybersecurity, it's all flaws, all the time: there's a new critical Microsoft Outlook RCE bug that's "trivial" to exploit. ConnectWise ScreenConnect also fell victim to some critical flaws. And finally, WordPress got pwned: a critical flaw impacted over 25k sites using the "Bricks" theme.


Episode Transcript

[00:00:04] Speaker A: You're listening to Technado. Welcome and thanks for joining us for another episode of Technado. I'm one of your hosts for the show, Sophie Goodwin. Of course, as always, we want to thank our sponsor, ACI Learning. Those are the folks behind ITPro, and that's what we do in our day jobs. We teach these courses about audit, cyber, and IT. And it's a lot of fun. If you haven't checked it out already, head over to the ACI Learning website and you can see us do what we do. But as I said, I'm not your only host for the show. I'm not alone. As always, I've got Don Pezet to my left. Don, how are you doing this morning?
[00:00:32] Speaker B: I am doing great. Last week, we forgot to report on some very important news, which was that the groundhog did not see his shadow. We totally failed at Groundhog Day reporting.
[00:00:44] Speaker C: Did you watch Groundhog Day on Groundhog Day?
[00:00:46] Speaker B: I did.
[00:00:46] Speaker C: I did as well.
[00:00:49] Speaker B: So we have an early spring predicted for this year, which means the hackers can get out of their houses where they're staying warm and out and about, back out to the parks and stuff.
[00:00:58] Speaker C: Does that mean there'll be less hacking because they'll be outside?
[00:01:01] Speaker B: I think the groundhog actively predicts how significant our cybersecurity threats are going to be each year.
[00:01:07] Speaker A: That's really the whole reason we do Groundhog Day. If you look at the history of it, it's a real holiday, not a made-up holiday like Valentine's Day. It's real. Daniel, did you watch the broadcast live? I'm assuming, since you asked, of Groundhog Day. Did you catch.
[00:01:20] Speaker C: I did not watch that. I watched the movie Groundhog Day.
[00:01:23] Speaker B: With Bill Murray.
[00:01:24] Speaker C: With Bill Murray. Because it's amazing.
[00:01:26] Speaker A: Okay.
[00:01:26] Speaker C: And I see that's what I do every Groundhog Day.
[00:01:29] Speaker A: Oh, it's a tradition for you.
[00:01:30] Speaker C: It's a tradition.
[00:01:31] Speaker A: I caught a little bit of the broadcast where they bring that poor little groundhog out, and you can tell he's just like, they're holding him up. It's like a rock concert, but with top hats. It's weird.
[00:01:46] Speaker B: It's very weird. I watched it recorded. And those people take their job way too seriously considering what they're doing. Like, way too serious.
[00:01:55] Speaker C: I believe he just smiled at me.
[00:01:58] Speaker A: If my job was to sponsor a groundhog, yeah, I would take that very seriously. That's got to be the most fun job in the world. But not to short our jobs. Our jobs are pretty fun, too, because we get to talk about everything that's going right and wrong in the world of IT and cybersecurity, et cetera. We'll go ahead and jump in. We've got some good stuff today. Like you said, there's a lot that's been going on this past week. I know Daniel was talking before the show about how Microsoft has had a little bit of a rough week, so we'll get to that. But this article comes to us from Tom's Hardware: "Impending Windows 11 update will let you set up Wi-Fi connections with the camera app and QR codes." And this does seem like it'd be, hey, that's pretty convenient. All I got to do is pull out my phone and scan it. But I've also heard rumors that QR codes can sometimes present a little bit of a security issue. Am I right or wrong on that?
[00:02:41] Speaker B: You are right. And this is technology that's already available in a lot of mobile devices. So if you have a cell phone, Android, iOS, the odds are you can already take a picture. You don't even have to take a picture. You just turn your camera on, point it at a QR code, and if it's got a Wi-Fi ID and SSID and password in there, then you can pull it up on your camera, tap a little link, and you automatically connect to the Wi-Fi. Super convenient.
I've been to a number of conference rooms where they just have a little placard sitting on the conference table. You scan it and off you go. Well, what's interesting here is that they're bringing it into the desktop OS. So into the Windows 11 operating system, if you're on a laptop or even a desktop, that functionality will be there. Now, on a desktop, not particularly useful. But on a laptop, most laptops have a camera. They usually only have a front-facing camera, so it'll be awkward as fun if you grab a placard off the table and hold it up, and then you can kind of scan it and get it that way. So I appreciate the convenience of this. But Sophie, you're exactly right is that visually, there's no way for you to verify what a QR code is going to do. And some of the apps that are available, when you hold your camera up and you look at the QR code, it'll show you the URL you're about to click on. But thanks to URL shorteners and things, it's not always meaningful. It's tough to trust what's in a QR code. And I feel like this system needs an extra safety layer on it. Like you see the QR code, you go to tap on it and then it gives you some kind of summary of what's about to happen before it actually does it. And that doesn't happen on a lot of devices.
[00:04:16] Speaker C: No. Plus, if it is the SSID and the password and everything, the password is in there, right? If I did have a QR code verifying app and it would show me a preview of what is actually in the QR code, would I not then also have the password? So if I were doing like a physical walkthrough of your environment and there were sensitive areas of your Wi-Fi, I was just to find those QR codes and walk by and scan them, possibly pull. And nobody reuses passwords for any other thing. Sure, it's not a problem, but just in case.
[00:04:51] Speaker B: But I think that's a risk you're going to have no matter what.
Because you go to these conference rooms today and the wireless password is just written right on a white.
[00:05:00] Speaker C: That's also stupid.
[00:05:01] Speaker B: Hey, if you have a guest network that's specifically designed for that, like a visitor network, then the risk is if it's a guest.
[00:05:08] Speaker C: I'm not talking about guest networks that are designed to be connected to by randoms. Right. I'm talking about the sensitive.
[00:05:15] Speaker B: Then you're in trouble.
[00:05:16] Speaker C: Yeah.
[00:05:17] Speaker B: And people do.
[00:05:17] Speaker C: I mean, it's not like we find passwords under keyboards anymore, right? That's a long-gone era that does not exist anymore. I'm kidding. People still do that. Other than that, are we really that lazy now that we can't just type in a username and password?
[00:05:34] Speaker B: Well, thanks to password complexity. And one problem this does solve is people don't like to rotate wireless passwords. That's true. And we know that we could do, like with WPA3 or WPA2 for that matter, you can do WPA2 Enterprise and use certificates for authentication. Every person gets their own certificate, or even better, every device gets its own certificate. So you can turn them on, turn them off whenever you want. But it's a pain in the butt to set up. So most companies don't do it. They just do a single pre-shared key. Everybody gets this key, everybody gets their devices set. And if you rotate, everybody has to change their key, which is a pain. Well, if all they had to do is come in and scan this little sign the next time they're in, it's not such a big deal. But if they have to type in a 16-character string with asterisks and exclamation points and lowercase, that's frustrating.
[00:06:25] Speaker C: It is. But, I mean.
[00:06:30] Speaker B: We've broken. Daniel, what's happening here?
[00:06:32] Speaker C: It just seems like it's not that bad. I remember being on a help desk, right?
I remember back in the day when an old Danny boy answering phones, people calling up with their problems, and you got a lot of problems, like, hey, there's this weird P-looking character in my Outlook email that I'm creating. How do you make that go away? I'm like, you Google it and you figure, or I have double spaces. All my stuff is double-spaced. I mean, does it cause a problem? I just don't like the way it looks. Okay. This is generating a help desk ticket. For real. We had a lot of stuff that was very similar. Let's not go down that road. I really hate the fact that we have become so dependent on automation for everything. So I'm a huge fan of cars with stick shifts. I think that every person should learn how to drive with a manual clutch in a clutch because it makes you more attentive to the vehicle. You can't just hit the gas and go, just hit the brakes and stop. You have to downshift. You have to upshift, you have to put it in neutral at certain times. You have to rev the engine at a certain speed. You have to pay attention to the flow of traffic, and you're more connected to your vehicle and what's going on on the road because you have to by default. And if that's what we're building with drivers, then automation comes and it's nice, but you still have that ingrained sense of how to work with the device itself.
[00:08:09] Speaker A: It's like understanding how to use your backup mirrors to back up in the car as opposed to just relying on a key.
[00:08:13] Speaker C: There's a lot of good that comes out of going through that little bit of struggle in your formative time of dealing with a thing, so that as you get into nice things that allow you to be able to scan a QR code, you don't just take it for granted and things become unsafe.
[00:08:27] Speaker B: Although I will say, if I'm having to shift the car, how am I supposed to send text messages?
[00:08:33] Speaker C: It is very difficult. I will concede the point, sir. Absolutely.
[00:08:39] Speaker B: It's already bad enough that I have to look up every 30 seconds or so.
[00:08:43] Speaker C: We literally have self-driving cars. Don's climbing in the back and reading his warm piece.
[00:08:52] Speaker B: And just for the record, I do not have a self-driving. But for me, I'm not so worried about sharing the wireless password, because there's so many easy ways to fix that. I used to work for a bank, and we only had a public Wi-Fi. We didn't have a private Wi-Fi.
[00:09:09] Speaker C: Right. You don't have to worry about it.
[00:09:10] Speaker B: It was a public Wi-Fi that had its own Internet connection, and if an employee needed to use it, they had to VPN in to get to the private stuff, just like they were at home or anywhere else. We treated it the same.
[00:09:19] Speaker C: Nice.
[00:09:19] Speaker B: So it gave us one attack surface, you VPN in, and that was protected, and that was the way that we solved that problem.
[00:09:25] Speaker C: There's no QR code for that, but.
[00:09:27] Speaker B: So for me, it's not the wireless password that's a problem. It's that you don't know what the QR code is going to do, because some QR codes have a wireless ID in them. Some of them just have a URL. Some of them actually can contain binary data. You don't know what a QR code contains. You recognize the complex ones, like the ones that are four squares instead of one. And so, you know, those do something more. And maybe you're a little more cautious there, but I don't think most people even consider that.
[00:09:52] Speaker C: I've just been so glowless. We're leery of QR codes for so long now that I just ignore them. They do not exist in this dojo. I don't scan them. I don't do anything with them. Like, you give me a QR code, I'm like, yeah, cool, send me a link.
[00:10:08] Speaker A: When I was on campus over at the university, it was, like, about a year or two into me being there. Every single flyer that I saw, because they're everywhere.
They're all over, every single polar campus. They're all over the walls, the billboards. But every single one had, instead of having the little things you tear off that, oh, check out this website. Call this number or whatever it was. Every single one was just a QR code. Just scan it because it's easier. And some of it was like, check out my mixtape. Because people still do that. Some of it was like, hey, check out the website for this club that we're going to put together of the Mr.
[00:10:35] Speaker C: Robot episode where the guy's out on the street going, hey, I got my CD, man. Buy my CD, check out my beats. And it's just malware. As soon as you plug the CD in, it's malware. If he had it on a USB drive, it was malware. And he was, like, doing sex rotation or whatever.
[00:10:50] Speaker A: I think especially because I know you had talked about how in conference rooms they'll just have the password written on a whiteboard or whatever. And I think for something like this, it says seamless connection to public hotspots. So I think, like Starbucks, Panera Bread.
[00:11:02] Speaker B: You can, the airport. Personally, why are.
[00:11:07] Speaker C: We connecting to public Wi-Fi when we have 5G Internet just about every dang.
[00:11:12] Speaker B: Where.
[00:11:12] Speaker A: Yeah, that's a fair point. But then it's like, okay, then what's the point of the QR codes in the first place if you shouldn't be connecting to the Wi-Fi at all? Okay. This just makes it easier to do something you shouldn't be doing.
[00:11:21] Speaker C: This is what I'm saying.
[00:11:22] Speaker A: And it seems like this is just, it solves a problem, but it creates.
[00:11:27] Speaker C: Hammer looking for a nail. Right. And to me, it's like I'm willing to give up and have a little bit of frustration for a little bit more security. Right. And that's cool.
I don't mind that I can be responsible for myself, but when you're a security admin or something like that, you're going to have to deal with people that do not take security any kind of serious. And we're trying to help me help you. Right. It's help me help you. Let's stop doing these things that just. It's pennies in a penny jar. They just continue to add up to a more insecure environment. And we want to create more secure environments, not insecure ones. And if you get people used to this type of thing and they're more open and they go, that's not my fault. You gave me the system to abuse, and they will abuse it. So we have to help them by building more secure systems.
[00:12:23] Speaker A: I feel like you need like a TED Talk microphone and like my time, ladies and gentlemen, an American flag waving behind you. Or know, there should have been some music playing.
[00:12:32] Speaker B: I think Daniel teaches cybersecurity through analogy. Hammer, looking for a nail. A jar full of pennies. That's right. Sock and a bar of soap.
[00:12:43] Speaker C: It's Darmok and Jalad.
[00:12:45] Speaker B: That's inaugural. Best episode.
[00:12:49] Speaker C: It really is good. If you guys haven't seen that. It's Star Trek: The Next Generation.
[00:12:53] Speaker B: Yeah.
[00:12:54] Speaker A: I don't know why you're looking at me.
[00:12:56] Speaker C: Because I know you haven't.
[00:12:59] Speaker A: Well, I was going to wrap up this article by taking a look at some of the comments, but there are none. This has been up a few days now and nobody has said anything about it, at least on this particular website.
[00:13:10] Speaker B: I need to respond. My comment will be duh, you got to respond with Darmok and Jalad.
[00:13:18] Speaker C: That's it. When the walls fell.
[00:13:22] Speaker A: I'm so glad this has tickled you.
[00:13:24] Speaker C: That's just such a random reference.
[00:13:29] Speaker A: Well, this next article does have some comments on us, so maybe we'll get to those in a little bit. This one also comes to us from Tom's Hardware. It says, "Google proposes users of older Windows 10 PCs to migrate to Chrome OS Flex, 600 devices certified." So you can keep an old PC but use a new operating system. Sounds convenient, but I feel like that also means it's probably not. There's a way that it could go wrong.
[00:13:49] Speaker B: Yes. So last week, if you listen to Technado, we talked about a couple of things. And one thing that came up was a weird ancient processor, a CPU instruction that Windows 11 is going to start requiring. And so one of the things Daniel asked was like, what happens to these computers that can't upgrade? I said they can just stay on Windows 10.
[00:14:11] Speaker C: By the way, when we asked people to tell us how old, what's their oldest computer, we got a lot of comments on that. That was great. It was a really cool interaction.
[00:14:18] Speaker B: People hang on to stuff, right?
[00:14:19] Speaker C: Yeah, they do.
[00:14:20] Speaker B: And so I made the comment of they can just stay on Windows 10. And you asked when does Windows 10 end? And I didn't remember. So I was looking for that. And it was just kind of timely that Google had made an announcement saying, oh, by the way, remember October 14, 2025. So a year and a half from now is when Windows 10 support ends. And Microsoft is doing a thing where you can do paid support for a couple of years after, but people don't do that, right? That's just not a real thing. If you're in government or enterprise, yes, but regular people don't. So in October of 2025, so in a year and a half, that's when Windows 10 support ends. And that's when if you've got a system that doesn't have a TPM or is missing the population counter instruction set, then you won't be able to upgrade to Windows 11. And what do you do?
You can stay on Windows 10 that's not supported, not getting security updates, or you can do something else. And usually what I tell people is install Linux. You'll be pleasantly surprised, right? Because it runs really well on just about any hardware.
[00:15:19] Speaker C: There's a lot of good Linux distros out there that really give you some really good look and feel of something you're used to and comfortable with and all the horsepower that goes along with it.
[00:15:28] Speaker B: But many people are either intimidated by Linux or don't want to deal with the process, aren't used to installing an OS. And so Google is trying to streamline things a bit with Chrome OS Flex. And we talked about Chrome OS Flex, I don't know, probably six or eight months ago. It was a long time ago, and it's basically just Chrome OS, but that you can install on any device. In the past, you couldn't do that. If you wanted to run Chrome OS, you had to go and buy a Chromebook or one of the very, very few Chrome PCs.
[00:15:54] Speaker C: And Flex is free, right?
[00:15:55] Speaker B: Yeah, it is. You know what's free when it comes to Google, right? Remember, did you have an analogy of price to pay, a fox in the henhouse or something?
[00:16:06] Speaker C: That's right. There's something when the camel comes and his nose is wide. I'm making things up, looking at me like, where the hell analogy did this go? Just trying to connect.
[00:16:19] Speaker A: It's another thing I don't get. It's another reference I don't get.
[00:16:23] Speaker B: What you can do here is install Chrome OS, which is effectively Linux deep down under the hood, but it just boots up and drops you in an environment that mostly just runs Chrome. And for many people, that's fine. A web-based experience is what they want. But there's some challenges. Know you won't be able to run Windows apps, although there is CrossOver for Chrome OS that you can try. I've used it.
It doesn't work very well, but you really just get kind of tied down to a single browser environment, and Google effectively gets to pick through all your stuff. So I don't think that's necessarily a trade-off most people want to take, especially when you could just buy a Chromebook for $100. They're cheap.
[00:16:59] Speaker C: Yeah. I feel like the people that do install, they don't care. They don't care at all. They're like, yeah, Google, take all my stuff. I don't give a crap. A, they probably don't even realize that that's happening. B, if they did, the obligatory boilerplate response of, well, I'm not doing anything that I cared that anyone knows about anyway.
[00:17:21] Speaker A: I got nothing to hide.
[00:17:22] Speaker C: Yeah. Because the abuse of private and personal information has never happened before, so I'm sure it won't happen now.
[00:17:30] Speaker B: If you can't trust Mark Zuckerberg and Sergey Brin, if you can't trust those guys, I mean, they're just regular people, right?
[00:17:38] Speaker C: Average, everyday Joe like you or myself.
[00:17:40] Speaker B: I'm just a regular person. My butler puts my pants on one.
[00:17:43] Speaker C: Leg at a time, just like everybody know. Do I not feel the cold of the gold-plated toilet when I sit on it?
[00:17:51] Speaker B: People don't realize the trials.
[00:17:55] Speaker A: I know you had kind of mentioned that most people that would do this probably don't care about those potential negatives in the first place, and I think that's. I think it's pretty accurate. There was somebody in the comments that had said, they were referencing a part of the article that said Chrome OS currently holds a modest 1.78% share of the global PC OS market. And this person, Geef or Jeef, I'm sorry if that's supposed to be a soft G, I don't want to mispronounce the name. That number would probably be so much lower if so many low-end laptops didn't come with Chrome OS.
You're feeding on the not-so-smart people of the world who don't check the OS before buying a laptop. Now, I resent that. I think there are a lot of people that are decently smart, that this is maybe an area that they're not super well versed in. Doesn't make them dumb people.
[00:18:34] Speaker C: PhD in astrophysics probably doesn't. Really.
[00:18:37] Speaker A: Well, yeah. I mean, you can be a perfectly intelligent person and this is maybe just something that you're not super well versed in. Or you don't care. You don't particularly care. Maybe you're not ignorant to it. Or maybe you are, but you're willfully ignorant. Right? I don't know that it's an issue of, like, oh, these dumb people in the world don't check their OS before buying. I don't think that's necessarily fair. That's just my opinion.
[00:18:55] Speaker C: I get where you're going with that. That makes sense.
[00:18:57] Speaker B: So I'm thinking of other areas. I'm thinking of cell phones.
[00:19:02] Speaker C: Yeah.
[00:19:02] Speaker B: Right. So if you don't know phones very well, and you go into the store and there's an iPhone sitting next to a Samsung Galaxy phone.
[00:19:10] Speaker C: Right.
[00:19:11] Speaker B: For somebody who doesn't really know systems, they practically look the same. There's very little visually different in them. Even the operating systems, icons laid out on a grid, they don't really look very different. And if you were to buy one versus the other, they both do the same thing. So does it really matter? Right. Even though we know here on Technado that iOS and Android are wildly different, and there's plenty of apps that only run on one versus the other. And it's two different companies to get to pick through your stuff. Yeah.
[00:19:41] Speaker C: And the philosophical things that they do internally for the OS is completely different. I mean, yeah, they look a lot of the same, and they do a lot of the same things, but how they do it is different.
And you ask anybody that's over 50, that is a different ballgame, because they look at an Android phone and go, this is crazy. This is just completely unintuitive. Whereas I go, that stupid iPhone is junk. I cannot believe they do things the way they do things. Yes, it does it, but where's the damn back button on the.
[00:20:15] Speaker B: Of. I see Sophia thinking of what Sophie was saying, though. If it's preying on people, right, the one where I think they're preying on people, and it's not necessarily intentional, it's just incompetence. Remember when Microsoft first rolled out the ARM tablets so that you had Windows 8? They had the Surface. Right. But then there was the Surface X. I think there still is. Right. Surface X. So if you get a regular Surface, it has an Intel processor, it's running Windows, you can run all your apps, all the stuff you're used to. It's just a Windows laptop, basically, just expensive and fancy. But if you got the X version, it had an ARM processor on it. And I can't tell you how many people went out and bought those and then were like, wait a minute, I can't install this app, or I can't install that app, because they weren't compiled for ARM. That was one where somebody could be walking down the aisle in Best Buy and see two Windows machines next to each other and not know that one was ARM and what that means. And that's a big deal.
[00:21:10] Speaker C: I mean, that's kind of true with Apple silicon as well. Right? There are some things that do not run on those because they just haven't been developed to do that quite yet. And they're working on it because we love the performance of the new Apple silicon. It's amazing. So now all the software vendors have to kind of catch up. But if you don't know that going in, you could be caught going, why doesn't this work? This is a $3,000 laptop, and I can't run Candy Crush.
[00:21:40] Speaker B: Well, either way, I do not think that Google is.
Well, I do think Google's preying on customers, but not with these Chromebooks. And I do think that the low-cost Chromebooks have allowed a lot of people to gain access to computers and the Internet that wouldn't have normally had that kind of access. Right. The idea of schools issuing a MacBook to every student. Right. There's plenty of schools that do that, and it takes a lot of money to do that. And when you're in an underfunded, like, inner-city school where you don't have those kind of resources, you don't want to just tell the kids, hey, you get nothing. So if you can get Chromebooks or something like that, it's putting technology in front of people, which I think is a good thing.
[00:22:18] Speaker A: Yeah, absolutely. I think there's a lot of people that, even if this is something that would only be useful if you're only ever running a bunch of stuff in a web browser and you're not ever going beyond that, there's a lot of people that do that, I would argue. A lot of people that I know, probably a lot of people you guys know. I know that for this audience and even in this office, maybe that's not true, but I think the general public, yeah, I go in a browser, I check the email. I don't go into my desktop apps a lot. This is where I exist on my machine.
[00:22:43] Speaker C: Yeah, everything's cloud-based at this point.
[00:22:45] Speaker A: Yeah. I don't know. Every time I go in the comments, I regret it because there's always something that I'm like, I don't know about that one.
[00:22:52] Speaker B: But anyway, I remember reading one comment that made me laugh because it was somebody saying they would never use a Chromebook. They're like, I don't trust Google. I don't want them getting at my information. And I should be able to fire up my laptop and go to Facebook and not have to worry about Google getting at my data. And it just made me laugh out, Facebook is fine.
[00:23:09] Speaker C: That's super funny. I think you understand how this works, son.
[00:23:15] Speaker B: I mean, it's okay to hate Google if you want to, but don't pretend like doing you any favors.
[00:23:20] Speaker A: Don't lie to yourself. Well, we'll move on to this next article. This one, maybe we'll have a little more fun with this one. Or maybe I won't get as irritated. This one comes to us, we're pulling this from slash. "Linux becomes a CVE numbering authority, like Curl and Python. Is this a turning point?" Question mark. I feel like there should be a thumbnail here. Somebody going like this. This is very much a YouTube title, so you guys probably would know better than I would. If this is truly a turning point, Linux being a CVE numbering authority, what would be the point of making this happen?
[00:23:47] Speaker B: All right, so a couple of things here. So first off, I forget what it's called. There's a named phenomenon where anytime you see a headline that has a question mark at the end of it, it can be answered with no. And so you look at a headline, is this a turning point? You just say no and then you don't even have to read the article. That's that, right? That's the madness. Anytime you see a headline that has a question mark, it's effectively an editorial, right? So that's where you have to take it with a grain of salt. Yeah, but in this case, I thought this was really neat because I try and learn something new every day, right? I try and make myself a better person each and every day. And technology lets me do that, right? I can learn a lot of new stuff. And this was one of those cases where I learned something new. The headline was "Linux becomes a CVE numbering authority." And I was like, wait a minute, MITRE does CVE numbers? They are the numbering authority. And then it says like Curl and Python. I'm like, wait a minute. How many of these numbering authorities are there? And I wish I had an answer. I don't have an answer to that. But apparently MITRE doesn't have the lockdown on CVE numbers like I thought they did.
Normally I would go to mitre.org. Mitre.org. And that's where you pull up the CVEs and they issue numbers and so on. But it turns out that they're not running the show alone. There are trusted providers that are out there, or trusted authorities that are able to connect into MITRE and actually generate the CVEs and log them in there.
[00:25:13] Speaker C: Quite a few.
[00:25:14] Speaker B: And. Oh, you found a list.
[00:25:15] Speaker C: Well, I mean, I guess these are partners by country. And in the United States alone there's 193.
[00:25:20] Speaker B: All right.
[00:25:22] Speaker C: Everybody else is like way less.
[00:25:25] Speaker B: Apparently just about anybody can issue CVE numbers.
[00:25:28] Speaker C: It's like China's number two with 20, right?
[00:25:31] Speaker A: Wow.
[00:25:32] Speaker C: And we've got.
[00:25:33] Speaker B: You think Israel would be up there, right, because of all the cybersecurity stuff?
[00:25:36] Speaker C: Germany's got 14, Japan's got 11. Let me see here. Israel's got nine, Ireland one, India seven. Lithuania has one.
[00:25:46] Speaker B: I think India would have more of.
[00:25:47] Speaker C: I mean, yeah, no country affiliation has one. That seems weird. Weird.
[00:25:52] Speaker B: Or maybe that's MITRE. No, it can't be MITRE.
[00:25:55] Speaker C: Maybe it's like a province.
[00:25:57] Speaker B: Or.
[00:26:00] Speaker C: Like I was thinking, like, I guess Puerto Rico is technically part of the United States of America, right? But it's like a territory. Yeah, it's a.
[00:26:10] Speaker B: So anyhow, so I learned something new, which is MITRE doesn't operate in a bubble where they're the ones who determine what gets a CVE and what doesn't. They've got a number of other organizations they work with that do that. And the Linux kernel team has now joined that group. Now we have to be careful because the headline says Linux, and the word Linux itself can mean a lot of things.
This doesn't mean Canonical and Ubuntu or Slackware or whatever. [00:26:36] Speaker C: This is like the Linux Foundation. Right? Like the Linux kernel, the kernel team. Yeah. [00:26:40] Speaker B: Which is actually different than the foundation as well. Political barrier here, by the way. [00:26:46] Speaker C: 363 total partners. Wow, that's a lot. [00:26:48] Speaker B: Yeah, that is a lot. Which, I mean, if you issue a lot of CVEs, which they do thousands a year, so I guess it comes. [00:26:58] Speaker C: In from someone's got to do all. [00:26:59] Speaker B: That work for a nonprofit. Yeah. So, yeah, so I learned something new. It's exciting. And hopefully you guys learn something too. I don't know, that makes us do anything different. [00:27:10] Speaker C: Adobe Systems is one of them. [00:27:13] Speaker B: This program is devoid of value. [00:27:17] Speaker C: Just disregard CVE. [00:27:19] Speaker B: Ladies and gentlemen, who would know more about CVE than Adobe? [00:27:26] Speaker C: Right? They have had a torrid history of issues with their software suites. [00:27:33] Speaker B: Oh, man. [00:27:33] Speaker A: I guess maybe I misunderstood how this CVE numbering works because Mitre is the name that I think of when I think of that. Because when I was first learning about this stuff, that's what came up a lot. Oh, we'll go to Mitre.org. We'll take a look at this. It's org, right. Not, so I guess it makes sense that they're talking about how this process went, how they were able to get accepted as a numbering authority. And, oh, we'd like to thank the cve.org group and board. So there's this whole other website that's cve.org. So I guess it just didn't register with me that Mitre is just one of apparently hundreds of organizations and it's not who's competing to number something first. It's a collaborative thing. [00:28:11] Speaker C: Right. Well, Mitre is like the organization that's kind of like the governing body. [00:28:15] Speaker A: Okay. 
[00:28:15] Speaker C: Right. And these are partners that would be able to issue their own CVEs based off of that it is connected with our software or our suite of software. Right. So they're saying there's so many CVEs that we have to deal with and you're such a large company and you have quite a few of them are yours. Why don't you go ahead and handle the workload and we'll just kind of govern and oversee. So that seems to be what's going on here. [00:28:40] Speaker A: Okay. Gotcha. Yeah. [00:28:41] Speaker C: Okay. [00:28:42] Speaker A: I didn't realize it was like this big collaborative effort with all these organizations. [00:28:45] Speaker C: I didn't either. I thought it was all just Mitre until today. Don, you've shattered my. [00:28:49] Speaker B: I mean, it does make sense, especially with responsible disclosure. [00:28:53] Speaker C: Right? [00:28:53] Speaker B: So let's say I figure out some vulnerability in the kernel, the Linux kernel. I'm not going to go to Mitre. I'm going to go to the Linux kernel team and I'm going to tell them about it and give them 90 days or whatever to fix it. Well, in the meantime, it does need to get a CVE number, right? And somebody else could discover the same vulnerability in that time. So somebody's got to make the decision on who gets credit and what number gets assigned. So it does make sense to have a system like that in place. I just hadn't heard anything about it prior to this week. It just seems surprising that it's kind of flown under the radar like that. For me, at least, it is surprising. [00:29:30] Speaker C: Like you said, how often have we talked about CVEs and Mitre itself? And it just never came up or got into my vision that there were partners that were doing it for them. [00:29:42] Speaker B: And we probably have some listeners right now who are like, what's up with. [00:29:44] Speaker C: These idiots sleeping on this? [00:29:46] Speaker A: Welcome to my world. [00:29:50] Speaker C: With you. 
That's a reason. [00:29:51] Speaker A: Oh, there's some legitimacy to the claims. Right. Well, speaking of, I was going to ask a question, but I know that maybe it ends up being an obvious question and it's just something that I'm only a couple of years into this. There's still a lot that I'm learning. So I was under the impression that even if there's a vulnerability security issue that exists that doesn't have a fix yet, it doesn't mean that it can be assigned a CVE, is that correct? Or does it have to have a fix available? [00:30:15] Speaker B: No, they issue CVEs for things that aren't fixed all the time. [00:30:17] Speaker A: That's what I thought. [00:30:18] Speaker C: Yeah. [00:30:18] Speaker A: So there's a section in here that talks about how no CVEs will be assigned for unfixed security issues in the Linux kernel. Does that sound legitimate or does that sound. [00:30:28] Speaker C: CVEs will be assigned for unfixed issues in the kernel? [00:30:31] Speaker A: Assignment will only happen after a fix is available, as it can be properly tracked that way. [00:30:35] Speaker B: Yeah. So if I were a security researcher and I reported a vulnerability to the Linux kernel team and they were working on a fix and the 90 days ran out and they still didn't have a fix and they didn't want to generate a CVE for it or a notice. [00:30:49] Speaker C: They don't want to disclose that that's there yet. [00:30:50] Speaker B: Then at that point I imagine that research would need to go to Mitre and say these guys aren't disclosing it's time. Or they could just go on Twitter or X or whatever and throw it out there. That's the process. But we'll have to see if that happens. To have a high risk vulnerability go unreported. I don't think a security researcher would allow that to happen. [00:31:13] Speaker A: Okay. [00:31:13] Speaker C: They tend to not like that. So if I'm just some random. 
A lot of organizations will have their own internal security testing team that are looking for security bugs and fixing them. And once they do find an issue they will track it themselves and the whole nine yards. So that's pretty straightforward. They'll just not disclose that until they have a patch ready because they don't want to disclose that. And since nobody knows about it yet because they haven't been informed by other people, what's the harm? At least that's their mindset. Then you have independent vulnerability researchers who find these things disclose, look for any kind of contact other than thank you for the disclosure. Like, hey, you working on this? We're waiting to hear. I'd really like to disclose my information. I'd like to get it out there. We got to get a patch. When's the patch coming? And they just won't hear anything back and then they won't hear anything back and then it just kind of becomes a, is this dangerous enough that I think that the public should know? Maybe I should apply some pressure by publicly disclosing this. [00:32:17] Speaker A: Okay. [00:32:18] Speaker C: And that's a judgment call that everybody's got to make. And of course there's ethical, moral, philosophical arguments to be made for one way or the other and you got to fall on one side or the other on where you're going to go with that. And of course it's very individualistic and circumstantial. It's a lot of things that go into play of whether or not you're going to publicly disclose something that you have told them about and they have yet to fix. So that's what's up. Mitre might just redirect them to. So if they found something in the Linux kernel, they might just redirect them. Hey, Linux takes care of that, not us. And they'd be like, yeah, I went to Linux and we're like, they're the authority over know. That's what's up. [00:32:58] Speaker B: Then you get public disclosure and there. [00:33:00] Speaker C: Are people that do it. 
There are people that are like, hey, it's been six months, when are you doing something about this? And they get crickets. Okay, cool. Let's see what happens. [00:33:08] Speaker A: Yeah, you had your chance. [00:33:09] Speaker C: Yeah. [00:33:10] Speaker B: And then suddenly a fix comes out in days. [00:33:11] Speaker C: Weird. [00:33:12] Speaker A: Yeah, we were working on it. We were almost there. Just give us a second. [00:33:15] Speaker C: It's like when your dad tells you, I told you to clean this room. [00:33:18] Speaker B: I was going to clean it today, I swear it. [00:33:20] Speaker C: Right? And you did. You were like, I'm going to clean, this is a nightmare. [00:33:25] Speaker A: I was just curious because sometimes I read stuff like that and it's a little like, I didn't think that's how it worked. But I guess that makes sense if that's the way the process goes. But I'm curious to see what y'all out there listening or watching have to say about what we've covered thus far. We love to hear your comments. Like Daniel said, we did get quite a bit of interaction last know telling us what your oldest device currently in use is. And that was pretty cool to hear from all of you guys what you're using out there right now. We're not using it for like, we're not going to come and hack you or anything. Oh, he's using a 20 year old laptop. What's he doing? [00:33:52] Speaker C: I'm going to say if you haven't disclosed something yet, because you're waiting for verification from whatever organization. Tell us what that is. Let us know. [00:34:02] Speaker A: Send us a private message. Actually, don't put it in the comments. Just let us know directly. [00:34:05] Speaker C: I was just kidding because what am I going to do? [00:34:08] Speaker B: We could actually do a really long tail phishing campaign through our questions. What month were you born in? Just throw it in the comments. We're trying to find out what months are the most popular. 
Then later on it's like, well, what year were you born in? After two or three years we've acquired information. [00:34:28] Speaker C: You can log in as anyone that's in the comments. [00:34:30] Speaker A: Legal Disclaimer please do not leave your full name, date of birth or Social Security number in the comments of this podcast. [00:34:36] Speaker C: Security number won't show up in the comments if you type it in. Try that. [00:34:40] Speaker A: Do not do that. By the way, before we get ourselves in legal trouble, we'll go ahead and take a quick break, but don't worry, we will be right back with some security news here on Technato. Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI learning. With live online training, we provide our top in person courses in private online instructor led formats. You get to provide professional development in a manner that fits today's expectations, entertaining, convenient, and effective. Our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI learning for more info. Welcome and thanks for sticking with us through that break here on Technato. We're going to move into our security news here in just a second, but just want to remind you whether you're listening on Spotify, Apple Podcasts, watching from YouTube, wherever you're joining us from. We appreciate you coming in and joining us for our conversation every week. Feel free to leave a comment down below. Let us know what you think of this episode. If you're enjoying it, leave a like and maybe even subscribe so you never miss an episode of Technato in the future because we wouldn't want that. 
We'll go ahead and jump into I know I got real serious there for a second. Daniel couldn't take it seriously, staring the camera down. Listen, be a mom. Eventually I got to get that stare down. We wouldn't want that. Clean your room. This comes to us from BleepingComputer and this is part of a lovely segment. It's one of my favorites. See if I can do it. I got a physical reaction from both of them. So that made my day. Again. This comes to us from BleepingComputer: new critical Microsoft Outlook RCE bug is trivial to exploit. It's just that easy apparently. And looking at this, and there were some people tweeting about it and everything, so I was going through and looking at those or Xing, I don't know what the posting about it on X Twix and it seemed like it was pretty easy to discover. It was a matter of like a punctuation mark that people were putting. So maybe you could break this down. [00:36:42] Speaker B: All right, so this one's trivial to pull off, which means a regular person can do it. You don't even have to be super advanced on this one. Outlook, Microsoft Outlook, the email client, for years and years has had a number of safety mechanisms in it and there's things like file extensions that are blocked. If you try and email somebody a VBS file, it won't let you do it. So there's simple protections like that that are in there. And what this security researcher found was that they could link to a file, a malicious file, right, something that would normally be banned or whatever, and as long as they stuck an exclamation point in the file string somewhere or after the file name, then Outlook would just ignore the whole thing. It wouldn't recognize it as something. [00:37:23] Speaker C: Does it also need the random text after it? I think there's like an exclamation point plus a string of random. [00:37:29] Speaker B: But did it have to have the text? [00:37:30] Speaker C: I'm not sure if it per se needed it, but it is there and they mentioned it. 
[00:37:34] Speaker B: Okay, the example I saw, they just stuck like a word at the end. [00:37:37] Speaker C: Something in that works. [00:37:40] Speaker B: So anybody could take a file URL and put an exclamation point on the end of it and add some stuff, right? So that's not a hard thing to pull off. That's why they say this is trivial. And remote code execution. Well yeah, I mean what that file links to could be a malicious file and Outlook is not going to protect you. And now we still have to entice somebody to click on it, right, but we know that's not very hard and somebody clicks on it and then now we're executing code on their system and we've compromised that. [00:38:07] Speaker C: It's funny, it's like this is the opposite of what I was talking about earlier where we are trying to build more secure systems so that the end user doesn't have to worry about stuff. And that's our job, right. The onus is on us as the security professionals and the administrators that are out there to make that safe environment as much as we possibly can because this takes that safety mechanisms, that seatbelt that we put on them and it just goes, I'm just going to unclick that for you right there and don't worry about that. So if we get something through an email and we click on it, it goes, well yeah, I want you to be able to open it, but I don't want you to be able to execute code. So we're going to put you in a protected system, right? So it's read only mode. No one's going to be able to do anything, there's not going to be any macros that fire off. So we'll put you in this protected way. And what's interesting to me about this is that you can make a link. So like a URL link, you click on the blue letters and a little finger shows up and you click on it. It takes you somewhere, is that it doesn't have to be a URL or it is a URL, but it's in the file link format, which is just so odd to me, which is probably why it got overlooked. 
So if you type the word file and that's the first part of your link instead of HTTP, if you do file, it will go, okay, you want a file on your system and then you put the IP address and the link actually after that and it goes, oh, cool, it's a file on your system that's not on your system. It's this link and it kind of follows it along. But even if that was happening, it would still protect you with the Microsoft protection. This totally says we're going to shit all over that. And what'd you have to do? Some super serious, like, crazy hack. Oh, yeah. I put an exclamation point in random text after that file and it went, what is this? I don't know, but it's not what I think it is. And that kind of comes down to showing you how fragile security systems can be because we don't see everything, we don't think of everything. And it's a constant revamping, a constant looking and finding and fixing cat and mouse game of going through these things and discovering we have overlooked something. And this is definitely one of those times. And it can lead to some severe bad things. [00:40:27] Speaker B: You know what I equate this to? [00:40:28] Speaker C: What's that? [00:40:29] Speaker B: Superman's glasses. He puts the glasses on Clark Kent. [00:40:32] Speaker C: Clark Kent. [00:40:33] Speaker B: Nobody, nobody knows takes glasses off Superman. Just like that. Right? Just an exclamation point. Throw that exclamation point on there. Not a biling. [00:40:40] Speaker C: Yes. Not Superman anymore. Yep. It's Clark. Can't let him buy. [00:40:43] Speaker B: So as, as ridiculous as Superman's disguise. [00:40:46] Speaker C: Is, I've got you into analogy. [00:40:49] Speaker B: It's like a hammer looking for a penny or something in a jar. A jar of hammers. You throw it at a penny and. [00:40:58] Speaker C: Superman comes by and he throws it at Lex Luthor, liquefying his body. 
Imagine Superman, I guess there are some storylines where he did kind of go off the rails, but you imagine he just walks to Lex Luthor and melts. [00:41:13] Speaker B: You. [00:41:14] Speaker C: You have been an issue, sir. What are you going to do, put me in jail? Good luck. [00:41:21] Speaker A: Quick fix. I don't know enough of the Superman lore, I guess, to know if that would be legitimate. [00:41:25] Speaker B: Nobody does. [00:41:26] Speaker A: Okay, well, maybe we've got some comic book experts in the. [00:41:29] Speaker C: I could tell you some stuff about Superman. That dude, he used to be able to invent his own powers. Like, in early Superman. [00:41:35] Speaker A: Like, he'd just be like, just go. [00:41:36] Speaker C: I need to be able to do this. And he would generate it within himself to be able to do that. Yeah. [00:41:43] Speaker A: Crazy. He's a self made man, is what you're saying. [00:41:44] Speaker C: He was literally a god. [00:41:48] Speaker B: If you think about it, and I know we're. Superman should be the coolest of all the superheroes, and yet he is the lamest. And I blame part of that on his stupid costume. Right? Like, he needs a better costume. But he has literally every power. He's invulnerable. With the exception of kryptonite. He can do anything. [00:42:10] Speaker C: I think they had to invent kryptonite because that was the case. Was he was so invulnerable, they were like, oh. Kind of made this guy unstoppable. [00:42:20] Speaker A: Maybe that's why. Because people don't like a superhero that doesn't have some kind of a flaw or weakness. [00:42:24] Speaker C: Well, you have to have a weakness, otherwise Superman's here. Don't worry. [00:42:28] Speaker B: Yeah, but you take all the other superheroes that are out there. I shouldn't say all of them, right? Because there's. Was it Captain Marvel where she's kind of like that, right? She's practically Superman. 
But you take Wolverine or somebody, they have superpowers, but they're not ungodly. Like, they can die a number of ways. They still get hurt. [00:42:47] Speaker C: Do you know that the adamantium is poisonous to Wolverine, is constantly poisoning his body, so his healing factor is reduced because it's constantly having to keep him alive due to all the adamantium in his body. [00:43:00] Speaker B: Yeah, that was in Old Man Logan whole thing. [00:43:03] Speaker C: And eventually killed him. Made him weak enough to be killed. [00:43:08] Speaker A: I like my superheroes with a flaw. It makes them more relatable. If they can't die and they never do any wrong, well, okay, then you're nothing like me. I think people like to see a hero. They can see themselves in a little bit. [00:43:18] Speaker C: That's probably gave rise to the anti hero. I mean, do you know Jason Momoa wanted to play Lobo? He thought when DC contacted him that that was what was going to be. He was going to be awesome. We're doing. Come on, DC. I know this has turned into a comic book rant, but while we got your ear, if anybody out there knows people in DC. Tell them, let's make that Lobo movie and make it good. [00:43:38] Speaker B: Hey, and they'll make Deadpool money on it. [00:43:40] Speaker C: They sure as hell will work. And you will be swimming in cash. [00:43:49] Speaker B: Yeah, story is already written. Just take the last Czarnian, right, and run with that one. Or go. I would pay good money for Lobo's paramilitary Christmas special. [00:43:57] Speaker C: Oh, any day of the week. If you made it $40 a ticket. I'm doing it. [00:44:03] Speaker B: Preorder. I'd break all the rules. [00:44:08] Speaker C: Yeah, where's the gift, then? [00:44:09] Speaker B: Go on. That one. [00:44:11] Speaker A: Well, as much as I do like flaws in my superheroes, I do not like them in the context of cybersecurity. And speaking of which. Oh, crazy how we loop back around. 
Towards the end of this article, as a reminder, we were talking about an RCE bug that was trivial to exploit. Towards the end of this article, they talk about how it's an attack vector on the latest Windows 10/11, Microsoft 365, but also other Office editions and versions are likely affected. In fact, we believe this is an overlooked issue, which existed for decades in this ecosystem because it lies in the core of APIs. So that's fun and interesting. So cool. So we strongly recommend all users apply the official patch as soon as possible. [00:44:50] Speaker C: You got to love it when they find bugs like this. It reminds me of, like, Shellshock, right? Oh, holy crap. And how long has this been here? Since we made bash. Oh, that seems like a long time. So everything's vulnerable to this, is what you're saying? You're like, yep, you better fix it. [00:45:07] Speaker A: Well, maybe since we have that little. That side street about superheroes and Superman, maybe that'll produce a new segment for. And, well, speaking of segments that were just born out of thin air here on this podcast, this next segment is an old favorite. This is pork chop sandwiches. [00:45:23] Speaker B: Pork chop sandwiches. Yeah. [00:45:38] Speaker A: So this article comes to us from The Hacker News. Critical flaws found in ConnectWise ScreenConnect software, patch now. Every time we cover one of these, it's always like, patch as soon as possible. Is there ever a case where you wouldn't patch as soon as possible? [00:45:51] Speaker B: So, I think there's times where, and I've mentioned this a few times over the years, where the software is, like, non critical software, or the attacker would need physical access to the machine to take advantage of it or whatever, then it's like, you need to patch it. But it doesn't have to be, like, right this moment, but with this one, if this is the first time you're hearing about it. If you run a ConnectWise ScreenConnect server yourself, right? 
If you're using their cloud service, then they're taking care of it for you. But if you run your own server, you literally need to pause the podcast and go deal with that, because this is bad. This is really bad. So think like SolarWinds. With the SolarWinds attack, when they got compromised, it was a supply chain style compromise that SolarWinds software was installed on numerous government agencies on their management networks. And so attackers were able to leapfrog in and get to those. Well, ConnectWise is centralized management software that's used by a number of MSPs. And so this is deployed in hospitals, schools, enterprise, government. It's all over the place. [00:46:53] Speaker C: Scariest environment, say, that's all you have to say. [00:46:57] Speaker B: So ScreenConnect is software that works as part of the ConnectWise suite that allows, well, in theory it allows your IT help desk to remotely view the screens of employees, to be able to help them and walk them through troubleshooting tickets and things like that. And they can remote execute code and so on as a part of ScreenConnect. So this is pretty critical stuff. And if it's rolled out through your environment and attackers have a way to exploit it, that's a problem. And so there are two CVEs attached to this one, and the main one is the authentication bypass. That's the big concern. It's rated at a cool 10.0, the worst or the highest impact possible. Right? This is really bad. Attackers can gain access to the system and then they've effectively got access to your entire environment. Worst case scenario. I mean, it's bad. [00:47:46] Speaker C: This is it, right? This is the bunker moment you've been waiting for. So pull out your prep meals and go down into the silo because that is where we're at when it comes to ConnectWise. 
So John Hammond, who is one of Huntress's major and a friend of mine, principal security people over at Huntress, they actually develop a proof of concept code for this and released it out to show you that this is. And John actually put out, I think he says something to the effect of, for the love of God, patch now, because this is really bad. This is the Huntress found more than 8800 servers running a vulnerable version of ScreenConnect. Yeah, that is a lot. And if, like Don said, you start thinking about who are the customers that could be running this, this is where we start going, wow, that is a lot of fire in the sky you got going on here. We should probably do something about that. So there is a patch you need to go out there and get, like you said, if you have not paused yet and you have one of these servers running, you better do it right now because it's just a matter of time if it's not already happened. [00:48:59] Speaker B: So at our day job we do use ConnectWise ScreenConnect across all of our systems but we use a cloud deployment so it was patched before the disclosure happens. We don't have to worry about it. You want to trust but verify, you need to verify it's updated. We've done that. But Daniel, you might not know this but our buddy Greg, he runs an MSP and they use ConnectWise and they run their own server. And so they are their servers, but they're the great example of they're an MSP. They're managing services and security for a number of organizations that are out there. [00:49:32] Speaker C: Some of them being law enforcement. [00:49:34] Speaker B: Yeah, certainly a big law enforcement presence there. And so their software was vulnerable and so they had to run in and patch it. And not only do you patch the servers, the server is where the critical vulnerability is. So patching the server is enough, but then you've got to make sure that all your clients stay up to date. 
And that's where it gets tricky because clients, they come online, they go offline. It can be hard to make sure you get them all. But they had to scramble to put this in place. [00:49:58] Speaker C: I didn't see. Did they say that there was any known exploitation in the wild on this? [00:50:02] Speaker A: I went to John Hammond's Twitter or I'm sorry just to see because he had said he'd been tweeting about it. For the love of God go back to this. And he did say they were shared about 6 hours ago. As of the time that we're releasing this, other firms have publicly shared their proof of concept in the wild. Exploitation is already happening. So this is when they shared their analysis because they felt like we're not adding any risk by doing this. [00:50:22] Speaker C: So you might have to be doing some threat hunting as well. If you find that you have a vulnerable server, might be a good idea to look for those IOCs, some IP addresses, some network. [00:50:31] Speaker B: The. I think what John was saying and I guess we could ask is that exploitation in the wild is happening now that the proof of concepts are. Now I don't know that there was evidence of it beforehand but even if. [00:50:45] Speaker C: That's so like you know how people are with patching. [00:50:48] Speaker B: Yeah, we'll get to that. [00:50:49] Speaker C: Right. Any moment between the time that it was discovered and the time it was released until the time you patch. That's a window of opportunity and it's just ounce of prevention is worth a pound of cure, right? You don't want to pull in the incident response team if you don't have to. So even if maybe you're coming late to the game and you just saw that this is a problem and you went and patched, you still had a moniker of time, a modicum of time before this could have occurred or that this could have occurred. So you might want to just start looking for if there's any IOCs published. [00:51:23] Speaker A: Or anything it looks like on February 20. 
So it would have been Tuesday morning of this week. ConnectWise shared publicly there are users affected by the recent vulnerabilities confirming in the wild exploitation. So as of Tuesday of this week, awesome this was going on. [00:51:35] Speaker B: There we go. [00:51:36] Speaker C: I wonder who's got some honeypots set up right now looking and gathering those IOCs, those Sigma rules. [00:51:44] Speaker A: The awesome is the word I would use to describe it. [00:51:46] Speaker C: But yeah, with honeypots it is awesome. [00:51:49] Speaker B: Sure. [00:51:49] Speaker C: Because then we learn it's a safe environment to allow these hackers to do their business and have us. Huh. I see what you did there. Now let me gather all those little pieces of information and then disseminate that to the security community through YARA and Sigma and other updates that we can use for detecting that. And now I just have to spin up my engines to go look for these. And it goes, you don't have to manually hunt that down. You can do it automatically and figure out whether or not you got an issue. [00:52:19] Speaker A: Absolutely. It's neat to see Huntress and John Hammond featured in an article like this. [00:52:24] Speaker C: Just because they do a lot. [00:52:25] Speaker A: Well, no, absolutely. But it's just, I don't know, it's neat to see that crossover because we do shows with him and stuff and so I don't know, it's just cool. Shouts out to John, Johnny boy is a smart. Yeah, well, yeah, that's the understatement of the year. I feel like we'll go ahead and we'll jump to this next article. This one is part of another favorite segment called who got pwned? Looks like you're about to get. That's my favorite little audio clip that we have. This one comes to us once again from The Hacker News. They got a lot of good stuff happening this week. Well, good is probably not the best. [00:52:55] Speaker C: Way to describe it. [00:52:56] Speaker A: A lot of important news happening this week. 
WordPress Bricks theme under. I'm sorry, that's not a verb. WordPress Bricks theme under active attack: critical flaw impacts 25,000 plus sites. When I first read this I thought I read it wrong, like it's bricking your operating. It's a theme, you shouldn't be using it. We're going to go ahead and brick it. So you can't use it. No, it is a theme called Bricks. Called Bricks. It is actively being exploited to run arbitrary PHP code on susceptible installations. Oh, that sounds fun. [00:53:21] Speaker C: Should they give it a name like brick bricks or bricks brick, like hacky hack. Something fun. [00:53:29] Speaker B: Yeah. WordPress is such an important platform, right? At one point there was some 40% of Internet sites were being run from WordPress hosted systems. So it is a substantial platform that is used wildly across the Internet. And I'll tell you, if you're about to launch a new website, WordPress makes it easy. You have a whole content management system and everything's nice and structured. Creating pages are really easy. But where WordPress runs into challenges are with all the things that you add to know. A lot of people put plugins into WordPress to make it do extra things and some of those plugins have vulnerabilities. Where WordPress is, I kind of feel unique is that their themes can have vulnerabilities. And normally when you think of a theme, you think of what is it? It's like some CSS, like cascading style sheets or some graphics color codes. How vulnerable can that be? But in WordPress, themes can do a lot more than just that. They can create forms and additional modules. You have widgets and all sorts of stuff that can be part of the theme. And the people that create these themes are oftentimes web designers and graphic designers that are not cybersecurity minded. And you might think, I've got a WordPress site, I'm going to throw this theme on there to make it look pretty. 
When you go to do security updates and stuff, you probably don't think of, oh, I need to update my theme. It's just colors and styles and fonts, right? But because of how complex WordPress is, there's vulnerabilities in it, and this is a great example of it. You might have a fully secured and locked down server, you might have WordPress properly installed, permissions are all set right. But then it's your theme that allows the attacker to gain access. And that's exactly what's happening with the Bricks theme. It's actively being exploited in the wild right now. They have released an update, but it is hard to trust. I do not trust third-party WordPress themes.
[00:55:22] Speaker C: And you have to do your due diligence. I mean, this just goes to show you, historically, themes and plugins have been the major bane of running a WordPress site, for the very reason it's almost like IoT, right? It's third parties out there, they're trying to make a cool product, and then as soon as it works, ship it. We'll worry about security later, we'll come back, because we'll just let our clients basically beta test these for us after they paid for it and find, oh, there seems to be a security issue because I got hacked. Oh, well, let me know about that. And I'm not saying they're not doing any security. I would like to think that at least some security is being done, but maybe not to the extent that we would like to see it. But that's not their fault. They don't have to sell you on, yeah, we're totally secure. They don't have to make any security. It's up to you, if someone wants to bolt that into their WordPress platform, to do your due diligence and say, are there any security issues around this organization? Historically, have they been security flawed? And how quickly do they come out with patches? And then you have to basically asset manage the fact that you have third-party applications, plugins, themes, and not just go, hey, I did my due diligence with WordPress itself.
Every software platform you run, you have to asset manage that and also schedule updates. And if there's critical vulnerabilities, you have to be on top of that. You have to curate all of those things. And that's what makes security really hard, especially in a modular environment where you're pulling in a bunch of third-party stuff. You're heaping on complexity to yourself when it comes to your security, and it makes it very difficult. So just be aware that that's what's going to happen if you decide to go down that route. Don't be ignorant of the fact and think, oh, I'm good because I patched WordPress.
[00:57:12] Speaker B: And if you talk to anybody who administers a WordPress site, they'll tell you the catch-22. You end up in, like, an update will come out to WordPress, but their theme hasn't been updated yet for that update. And so they hold off on updating WordPress until the theme gets updated. Chicken and the egg it is.
[00:57:29] Speaker C: Yeah.
[00:57:29] Speaker B: And so you can end up in situations where there's an update that you know you need, you need to get in place, but you don't want to do it because it's going to break the site. And so just, if you support or use WordPress, I want to be clear, it's a great platform and really powerful. It can do a lot of different stuff. I don't trust WordPress for security, and so if you do support it, if you're responsible for maintaining it in a production environment, I encourage you to use a web application firewall, a WAF. I know Sucuri is the one that I use. There's a couple of them that are out there. Sucuri is S-U-C-U-R-I. I've used them for years, I've met their CEO. Well, actually they got bought by GoDaddy now, so I don't know if he's still active in it. But yeah, they got acquired, but what they do is they sit in between the Internet and your WordPress site. And so when a vulnerability comes out like this, they block it on the WAF.
So it doesn't matter if you've patched on the backend or not. You still need to patch it, right? But you can now have some time pass before you get to it. It gives you that extra safety net. And to me, if I ever deploy WordPress, I've done way more deployments than I would have thought possible. Actually, I think I have two WordPress sites in production right now. Like, our old blog was all run from WordPress and that's still online, and I just put it behind a WAF and that gives it that protection. And I also don't use complex themes. Like, hire a web designer and tell them to create a theme for you with no widgets and bells and whistles. Like, it just needs to be colors and style sheets and all that. These themes that are out there that come with site builders and WYSIWYG editors and stuff, those are just so overly complex. That's what leads to these vulnerabilities.
[00:59:10] Speaker C: That's right. And make sure you're using all your standard security as well around your WordPress site. Make sure that you are using complex passwords, 2FA for login, that kind of thing. Because if I can gain access to your WordPress, I could also upload my own custom themes that would allow me to have access into them as well. It might be the way that I execute code is through WordPress access. So there's, like I said, a lot of complexity to dealing with this type of system. You just need to be aware of it. You have to really strategize on how your security is going to work and stay on top of that. Otherwise you're going to find yourself vulnerable.
[00:59:47] Speaker A: One term that was brought up that I didn't recognize in this article: it says this concerns the use of security tokens called nonces. And that was something that wasn't familiar to me. Well, okay, so I've heard the word before, but it was in a wildly different context, which I'll explain in a second. But apparently a cryptographic nonce is an arbitrary number used only once in a cryptographic communication.
So, okay, makes sense. Used only once. But apparently the security tokens called nonces, this is a big part of this issue. My understanding of the word nonce: it is British slang for somebody that committed a crime. That's quite disturbing, and I won't tell you what crime, but you can Google it.
[01:00:25] Speaker C: Okay, Don goes to Google.
[01:00:28] Speaker A: I read this and I was like, well, hang on a second. Where is this? What came first, what term came first, or whatever? So obviously the nonce has been around for a while. Yes, the slang came after, obviously, but it caused alarm in me for a moment. I was like, what's going on here? So in this case, the security tokens called nonces. Does the, I guess, etymology or the connotation of the word translate over, where this is something, a security token, that's only intended to be used once? Or do you know why these security tokens are called nonces?
[01:00:54] Speaker B: I thought it was number once.
[01:00:55] Speaker C: Number only once. Yeah.
[01:00:57] Speaker A: Okay. That's the whole reason why. That's the name that's been given to them.
[01:01:00] Speaker C: Yeah, a lot of times we'll use nonces as kind of that randomization, which is why it's a number that's used only once. It's randomly generated, and that is used to create the randomness necessary for your cryptographic algorithm.
[01:01:16] Speaker A: Okay.
[01:01:17] Speaker C: And if that is the key to how your cryptography works, and that is available to an unauthorized user, then they can use that to bypass things that are secure.
[01:01:28] Speaker A: There's this whole disclaimer: you should never rely on nonces for authentication, authorization, access control. Given the context, that makes a lot of sense. Of course you shouldn't. Yeah. So, yeah, that's interesting.
[01:01:38] Speaker C: They're never meant to be exposed or utilized in any way, shape, or form.
It's literally just for a specific function, and then you're done with it.
[01:01:46] Speaker A: Yeah, well, that makes sense. And like we said at the beginning of this article, Bricks is estimated to have around 25,000 currently active installations. So clearly pretty popular theme. So, yeah. Users recommended to apply the latest patches, mitigate potential threats. That's really all you can do, I guess, at this point. Wow. We definitely covered quite a bit on CVEs and stuff today. I feel like four out of our six articles we talked about CVEs, high-rated CVEs and stuff. So we love those episodes. What's going on this week? Was there anything we didn't talk about? I know sometimes there will be news articles that come up that we can't cover at all. Was there anything that came out this week? Any stories that broke? That the Chinese...
[01:02:24] Speaker C: Data leak from their state-sponsored APT, I thought was a pretty interesting story. I didn't see that... The Chinese, there's a Chinese government APT that got hacked or leaked by someone and put it all on GitHub, and they talk about how they have zero days for iOS and companies that they have targeted, and there's like links, and they found all these GitHub repositories, all these links in it, to information from the Chinese government and who they're hacking and how they're hacking and information that they have stolen.
[01:02:55] Speaker B: Wow.
[01:02:55] Speaker C: So, yeah, it was a pretty big deal.
[01:02:57] Speaker A: Sounds like it, yeah. Oh, thank you for informing us.
[01:03:01] Speaker C: Remember the Shadow Brokers? And they did the whole NSA leak, and that's where we got EternalBlue from and all that other stuff. Kind of reminds me of that. Except now the shoe's on the other foot.
[01:03:10] Speaker B: Yeah. There's been a lot on the international front. The whole Julian Assange thing is heating up again. He's got his final, his final extradition trial is coming up.
Oh, is... You know, they're still trying to get him over here to the States. Who knows how that'll end.
[01:03:26] Speaker A: Lot of...
[01:03:26] Speaker B: A lot of crazy stuff, but nothing really exciting. If it was exciting, it would have made it on the show. Right?
[01:03:32] Speaker C: Malware variants, LockBit. That was another good one. LockBit got taken down by multiple government organizations. Mostly US, though, I think.
[01:03:42] Speaker B: Yeah, I didn't pick that one. Just because they've been taken down before and then they come back.
[01:03:47] Speaker C: It's a fun game they play.
[01:03:48] Speaker A: It would be déjà news every week if we covered that. Okay, I see what you mean. Well, maybe some of that stuff will, like the Julian Assange thing, maybe if there's more developments on that, maybe that's something that will come up in the coming weeks of Technado. Who knows?
[01:03:58] Speaker B: We shall see.
[01:03:59] Speaker A: I guess we shall. If there is anything that you would like us to cover here that you look forward to hearing here on Technado, let us know in the comments if you are watching on YouTube. Once again, all of the older episodes of Technado do live on this channel, so if you're new here, feel free to go and check those out. There's also webinars and giveaways we've done in the past that live here on this channel. We'll do live events here sometimes through ACI Learning, so feel free to stick around, maybe subscribe so you never miss any of that fun stuff. I believe we've got another one coming up, another All Things Cybersecurity webinar coming up here in a few weeks. Remind me who our guest is. Do you happen to remember?
[01:04:28] Speaker C: I think it's Joe Helle.
[01:04:29] Speaker A: Joe Helly. That's going to be a lot of fun. And he's, I think, a new guest for us, so I'm looking forward to it. Keep an eye on the channel for things like that that will come up. And once again, we are sponsored by ACI Learning.
The folks behind ITPro. Love those guys, because that's what we do in our day jobs. And if you're watching from the Technado website or listening from the Technado website, you can click on that "sponsored by" button that'll take you to the ITPro website. Once again, sponsored by ACI Learning. And you can use the code Technato 30 to get a discount on your ITPro membership. And if you're not getting enough of us here, you can see even more of us there. I think that's pretty much going to do it. I'm losing my voice a little bit, so I'm sorry if I sound a little bit like... Yeah, it's been 20 years.
[01:05:06] Speaker C: Listen here, Miley Cyrus.
[01:05:09] Speaker A: Not deep enough, not low enough. Yeah, no, but unless there's anything I'm forgetting, I think that's going to do it for this episode.
[01:05:14] Speaker B: All right.
[01:05:15] Speaker A: The half nod of approval. That's what I like to see. Well, thank you for joining us for this episode of Technado, as always, and we will see you next week. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.