DOUG. SIM swapping, zero-days, the [dramatic voice] P-i-n-g of D-E-A-T-H, and LastPass… once again.
All that, and more, on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everybody.
I’m Doug Aamoth.
With me, as always, is Paul Ducklin.
Paul, how do you do?
DUCK. Very well, Doug.
You put some high-drama sound into that intro, I’m pleased to see!
DOUG. Well, how do you say “Ping of Death” without saying [doom metal growl] “P-i-n-g of D-E-A-T-H”?
You can’t just say [gentle voice] “Ping of Death”.
You’ve got to punch it up a little bit…
DUCK. I suppose so.
It’s different in writing – what have you got?
Bold and italics.
I just went with regular text, but I did use capital letters, which helps.
DOUG. Yes, I think I’d bold and italicise the word “death”, so [doom metal again] “The Ping of D-E-A-T-H”.
DUCK. And use multiple colours!
I’ll do that next time, Doug.
DOUG. Break out the old <blink> tag in HTML, make it blink a little bit? [LAUGHS]
DUCK. Doug, for a moment, I was worried you were going to use the word [LAUGHS] <marquee>.
DOUG. [LAUGHS] We love old stuff here!
And that dovetails nicely with our This Week in Tech History segment – I’m excited about this one because I hadn’t heard about it, but stumbled across it.
This week, on 04 December 2001, the Goner worm ransacked the internet at a pace second only to that of the Love Bug virus.
Goner spread via Microsoft Outlook, and promised unsuspecting victims a fun screen saver when executed.
DUCK. Goner…
I think it got that name because there was a popup at the end, wasn’t there, that talked about the Pentagon?
But it was meant to be a pun – it was “Penta/Gone”.
That was really the worm that reminded people that, in fact, Windows screensavers are just executable programs.
So, if you were looking specifically for .EXE files, well, they could be wrapped up in .SCR (screensaver) files as well.
If you were only relying on filenames, you could easily be tricked.
And many people were, sadly.
DOUG. Alright, we’ll go from the old-school to the new-school.
We’re talking about LastPass: there was a breach; the breach itself wasn’t terrible; but that breach has now led to another breach.
Or maybe this is just a continuation of the original breach?
LastPass admits to customer data breach caused by previous breach
DUCK. Yes, LastPass has written about it essentially as a follow-up to the previous breach, which I think was August 2022, wasn’t it?
And as we said at the time, it was a very embarrassing look for LastPass.
But as breaches go, it was probably worse for their PR, marketing and (I guess) for their intellectual property departments, because it seems the main thing the crooks made away with was source code from their development system.
And LastPass was quick to reassure people…
Firstly, their investigations suggested that, whilst they were in there, the crooks weren’t able to make any unauthorised changes that might later percolate into the real code.
Secondly, access to the development system doesn’t give you access to the production system, where the actual code is built.
And thirdly, they were able to say it seemed that no encrypted password vaults had been stolen, so the cloud storage of your encrypted passwords was not accessed.
And even if it had been accessed, then only you’d know the password, because the decryption (what you called the “heavy lifting” when we spoke about it on the podcast) is actually done in memory on your devices – LastPass never sees your password.
And then, fourthly, they said, as far as we can tell, as a result of that breach, some of the stuff that was in the development environment has now given either the same… or possibly a completely different load of crooks who bought the stolen data off the previous lot, who knows?
That did allow them to get into some cloud service where some as-yet apparently unknown set of customer data was stolen.
I don’t think they quite know yet, because it can take a while to work out what actually did get accessed after a breach happened.
So I think it’s fair to say this is sort of the B-side of the original breach.
DOUG. All right, we advise that if you’re a LastPass customer, keep an eye on the company’s security incident report.
We will keep an eye on this story as it’s still developing.
And if you, like Paul and I, fight cybercrime for a living, there are some excellent lessons to be learned from the Uber breach.
So that’s a podcast episode – a “minisode” – with Chester Wisniewski that Paul has embedded at the bottom of the LastPass article:
S3 Ep100.5: Uber breach – an expert speaks [Audio + Text]
Lots to learn on that front!
DUCK. As you say, that’s a great listen, because it’s, I believe, what is known in America as “actionable advice”, or “news you can use”.
DOUG. [LAUGHS] Wonderful.
Speaking of news-you-can’t-really-use, Apple is generally tight-lipped about its security updates… and there was a security update:
Apple pushes out iOS security update that’s more tight-lipped than ever
DUCK. Oh, Doug, that’s one of your best… I like that segue.
DOUG. [LAUGHS] Thank you; thank you very much.
DUCK. Yes, this surprised me.
I thought, “Well, I’ll grab the update because it sounds serious.”
And I gave myself the reason, “Let me do it for Naked Security readers.”
Because if I do it and there aren’t any side-effects, then I can at least say to other people, “Look, I just blindly did it and no harm came to me. So maybe you can do it as well.”
I just suddenly noticed that there was an iOS 16.1.2 update available, even though I had had no security advisory email from Apple.
No email?!
That’s weird… so I went to the HT201222 portal page that Apple has for its security bulletins, and there it was: iOS 16.1.2.
And what does it say, Doug, “Details will follow soon”?
DOUG. And did they follow soon?
DUCK. Well, that was more than a week ago, and they’re not there yet.
So are we talking “soon” meaning hours, days, weeks, or months?
At the moment, it’s looking like weeks.
And, as always with Apple, there’s no indication of anything to do with any other operating systems.
Have they been forgotten?
Do they not need the update?
Did they also need the update, but it’s just not ready yet?
Have they been dropped out of support?
But it did seem, as I said in the headline, even more tight-lipped than usual for Apple, and not necessarily the most helpful thing in the world.
DOUG. OK, very good… still some questions, which leads us to our next story.
A very interesting question!
Sometimes, when you sign up for a service and it enforces two-factor authentication, it says, “Do you want to get notified via text message, or do you want to use an authentication app?”
And this story is a cautionary tale not to use your phone – use an authentication app, even if it’s a little bit more cumbersome.
This is a very interesting story:
SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m
DUCK. It is, Doug!
If you’ve ever lost a mobile phone, or locked yourself out of your SIM card by putting in the PIN incorrectly too many times, you’ll know that you can go into the mobile phone shop…
…and usually they’ll ask for ID or something, and you say, “Hey, I need a new SIM card.”
And they’ll generate one for you.
When you put it into your phone, bingo!… it’s got your old number on it.
So what that means is that if a crook can go through the same exercise that you would to convince the mobile phone company that they’ve “lost” or “broken” their SIM card (i.e. *your SIM card*), and they can get that card either handed to, or sent to, or given to them somehow…
…then, when they plug it into their phone, they start getting your SMS two-factor authentication codes, *and* your phone stops working.
That’s the bad news.
The good news in this article is that this was a case of a chap who got busted for it.
He’s been sent to prison in the US for 18 months.
He, with a bunch of accomplices – or, in the words of the Department of Justice, the Scheme Participants… [LAUGHS]
…they made off with one particular victim’s cryptocurrency, apparently to the tune of $20 million, if you don’t mind.
DOUG. Oof!
DUCK. So he agreed to plead guilty, take a prison sentence, and immediately forfeit… the amount was [reading carefully] $983,010.72… just to forfeit that immediately.
So, presumably, he had that lying around.
And he apparently also has some sort of legal obligation to refund over $20 million.
DOUG. Good luck with that, everybody! Good luck.
His other [vocal italics] Scheme Participants might cause some issues there! [LAUGHS]
DUCK. Yes, I don’t know what happens if they refuse to cooperate as well.
Like, if they just hang him out to dry, what happens?
But we’ve got some tips, and some advice on how to beef up security (in more ways than just the 2FA you use) in the article.
So go and read that… every little bit helps.
DOUG. OK, speaking of “little bits”…
…this was another interesting story, how the lowly ping can be used to trigger remote code execution:
Ping of death! FreeBSD fixes crashtastic bug in network tool
DUCK. [Liking the segue again] I think you’ve bettered yourself, Doug!
DOUG. [LAUGHS] I’m on a roll today…
DUCK. From Apple to the [weak attempt at doom vocals] Ping of D-E-A-T-H!
Yes, this was an intriguing bug.
I don’t think it will really cause many people much harm, and it *is* patched, so fixing it is easy.
But there’s a great writeup in the FreeBSD security advisory…
…and it makes for an entertaining, and, if I say so myself, a very informative tale for the current generation of programmers who may have relied on, “Third-party libraries will just do it for me. Dealing with low-level network packets? I never have to think about it…”
There are some great lessons to be learned here.
The ping utility, which is the one network tool that pretty much everybody knows about, gets its name from SONAR.
You go [makes movie submarine noise] ping, and then the echo comes back from the server at the other end.
And this is a feature that’s built into the Internet Protocol, IP, using a thing called ICMP, which is Internet Control Message Protocol.
It’s a special, low-level protocol, much lower than UDP or TCP that people are probably used to, that’s pretty much designed for exactly this kind of thing: “Are you actually even alive at the other end, before I go worrying about why your web server isn’t working?”
There’s a special kind of packet you can send out called “ICMP Echo”.
So, you send this tiny little packet with a short message in it (the message can be anything you like), and it simply sends that exact same message back to you.
It’s just a basic way of saying, “If that message doesn’t come back, either the network or the entire server is down”, rather than that there’s some software problem on the computer.
By analogy with SONAR, the program that sends out these echo requests is called… [pause] I’m going to do the sound effect, Doug… [fake submarine movie noise again] ping. [LAUGHTER]
And the idea is, you go, say, ping -c3 (that means check three times) nakedsecurity.sophos.com.
You can do that right now, and you should get three replies, each of them one second apart, from the WordPress servers that host our site.
And it’s saying the site is alive.
It’s not telling you that the web server is up; it’s not telling you that WordPress is up; it’s not telling you that Naked Security is actually available to read.
But at least it confirms that you can see the server, and the server can reach you.
And who would have thought that that lowly little ping reply could trip up the FreeBSD ping program in such a way that a rogue server could send back a booby-trapped “Yes, I am alive” message that could, in theory (in theory only; I don’t think anybody has done this in practice) trigger remote code execution on your computer.
DOUG. Yes, that’s amazing; that’s the amazing part.
Even if it’s a proof-of-concept, it’s such a small little thing!
DUCK. The ping program itself gets the whole IP packet back, and it’s supposed to divide it into two parts.
Normally, the kernel would deal with this for you, so you’d just see the data part.
But when you’re dealing with what are called raw sockets, what you get back is the Internet Protocol header, which just says, “Hey, these bytes came from such and such a server.”
And then you get a thing called the “ICMP Echo Reply”, which is the second half of the packet you get back.
Now, these packets, they’re typically just 100 bytes or so, and if it’s IPv4, the first 20 bytes are the IP header and the rest, whatever it is, is the Echo Reply.
That has a few bytes to say, “This is an Echo Reply,” and then the original message that went out coming back.
And so the obvious thing to do, Doug, when you get it, is you split it into…
…the IP header, which is 20 bytes long, and the rest.
Guess where the problem lies?
DOUG. Do tell!
DUCK. The problem is that IP headers are *almost always* 20 bytes long – in fact, I don’t think I’ve ever seen one that wasn’t.
And you can tell they’re 20 bytes long because the first byte will be hexadecimal 0x45.
The “4” means IPv4, and the “5”… “Oh, we’ll use that to say how long the header is.”
You take that number 5 and you multiply it by 4 (for 32-bit values), and you get 20 bytes…
…and that’s the size of probably six sigma’s worth of IP headers that you’ll ever see in the whole world, Doug. [LAUGHTER]
But they *can* go up to 60 bytes.
If you put 0x4F instead of 0x45, that says there are 0xF (or 15 in decimal) × 4 = 60 bytes in the header.
And the FreeBSD code simply took that header and copied it into a buffer on the stack that was 20 bytes in size.
A simple, old-school stack buffer overflow.
It’s a case of a venerable network troubleshooting tool with a venerable type of bug in it. (Well, not any more.)
So, when you are programming and you have to deal with low-level stuff that nobody’s really thought about for ages, don’t just go with the received wisdom that says, “Oh, it’ll always be 20 bytes; you’ll never see anything bigger.”
Because one day you might.
And when that day comes, it might be there deliberately because a crook made it so on purpose.
So the devil, as always, is in the programming details, Doug.
DOUG. OK, very interesting; great story.
And we’ll stick with the subject of code with this final story about Chrome.
Another zero-day, which brings the 2022 total to nine times:
Number Nine! Chrome fixes another 2022 zero-day, Edge patched too
DUCK. [Formal voice, sounding like a recording] “Number 9. Number 9. Number 9, number 9,” Douglas.
DOUG. [LAUGHS] Is this Yoko Ono?
DUCK. That’s Revolution 9 off the Beatles “White Album”.
Yoko can be heard riffing away in that song – that soundscape, I believe they call it – but apparently the bit at the beginning where there’s somebody saying “Number 9, number 9” over and over again, it was, in fact, a test tape they found lying around.
DOUG. Ah, very cool.
DUCK. An EMI engineer saying something like, “This is EMI test tape number 9” [LAUGHTER], and apparently I don’t even think anybody knows whose voice it was.
That has *nothing* to do with Chrome, Doug.
But given that somebody commented on Facebook the other day, “That Paul guy is starting to look like a Beatle”… [quizzical] which I found slightly odd.
DOUG. [LAUGHS] Yes, how are you supposed to take that?
DUCK. …I figured I could dine out on “Number 9”.
It is the ninth zero-day of the year so far, it seems, Doug.
And it’s a one-bug fix, with the bug identified as CVE-2022-4282.
Because Microsoft Edge uses the Chromium open-source core, it too was vulnerable, and a few days later, Microsoft followed up with an update for Edge.
So this is both a Chrome and an Edge issue.
Although these browsers should update themselves, I recommend going to check anyway – we show you how to do that in the article – just in case.
I won’t read out the version numbers here because they’re different for Mac, Linux and Windows on Chrome, and they’re different again for Edge.
Like Apple, Google’s being a bit tight-lipped about this one.
It was found by one of their threat hunting team, I do believe.
So I imagine they found it while investigating an incident that happened in the wild, and therefore they probably want to keep it under their hat, even though Google usually has a lot to say about “openness” when it comes to bug-fixing.
You can see why, in a case like this, you might want a little bit of time to dig a little bit deeper before you tell everybody exactly how it works.
DOUG. Excellent… and we do have a reader question that’s probably a question a lot of people are thinking.
Cassandra asks, “Are the bug finders just getting lucky at finding bugs? Or have they struck a ‘seam’ full of bugs? Or is Chromium issuing new code that is more buggy than normal? Or is something else going on?”
DUCK. Yes, that’s a great question, actually, and I’m afraid that I could only answer it in a slightly facetious sort of way, Doug.
Because Cassandra had given choices A), B) and C), I said, “Well, maybe it’s D) All of the above.”
We do know that when a bug of one particular sort shows up in code, then it’s reasonable to assume that the same programmer may have made similar bugs elsewhere in the software.
Or other programmers at the same company may have been using what was considered received wisdom or standard practice at the time, and may have followed suit.
And a great example is, if you look back at Log4J… there was a fix to patch the problem.
And then, when they went looking, “Oh, actually, there are other places where similar mistakes have been made.”
So there was a fix for the fix, and then there was a fix for the fix for the fix, if I remember.
There is, of course, also the issue that when you add new code, you may get bugs that are unique to that new code and come about because of adding features.
And that’s why many browsers, Chrome included, have an if-you-like “slightly older” version that you can stick with.
And the idea is that those “older” releases… they have none of the new features, but all the relevant security fixes.
So, if you want to be conservative about new features, you can be.
But we certainly know that, in general, when you shovel new features into a product, new bugs come with the new features.
And you can tell that, for example, when there’s an update, say, to your iPhone, and you get updates, say, for iOS 15 and iOS 16.
Then, when you look at the bug lists, there are a few bugs that only apply to iOS 16.
And you think, “Hello, those must be bugs in the code that weren’t there before.”
So, yes, that’s a possibility.
And I think the other things that are happening can be considered good.
The first is that I think that, particularly for things like browsers, the browser makers are getting much better at pushing out full rebuilds really, really quickly.
DOUG. Interesting.
DUCK. And I think the other thing that’s changed is that, in the past, you could argue that for many vendors… it was quite difficult to get people to apply patches at all, even when they came out only on a monthly schedule, and even if they had multiple zero-day fixes in them.
I think, maybe it’s also a response to the fact that more and more of us are more and more likely not just to accept, but actually to *expect* automated updating that’s really prompt.
So, I think you can read some good things into this.
The fact not only that Google can push out a single zero-day fix almost instantaneously, but also that people are willing to accept that and even to demand it.
So I like to see that issue of, “Wow, nine zero-days in the year fixed individually!”…
…I like to think of that more as “glass half full and filling up” than “glass half empty and draining through a small hole in the bottom”. [LAUGHTER]
That is my opinion.
DOUG. Alright, very good.
Thank you for the question, Cassandra.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @NakedSecurity.
That’s our show for today; thank you very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you: Until next time…
BOTH. Stay safe!
[MUSICAL MODEM]