Radio waves so mysterious they’re known only as X-Rays. Were there six 0-days or only four? The cops who found $3 billion in a popcorn tin. Blue badge confusion. When URL scanning goes wrong. Tracking down every last unpatched file. Why even unlikely exploits can earn “high” severity ratings.
DOUG. Twitter scams, Patch Tuesday, and criminals hacking criminals.
All that and more on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everyone.
I’m Doug.
He is Paul Ducklin.
Paul, how do you do today?
DUCK. Very well, Doug.
We didn’t have the lunar eclipse here in England, but I did get a brief glimpse of the *full* full moon through a tiny gap in the clouds that emerged as the only hole in the whole cloud layer the moment I went outside to take a look!
But we didn’t have that orange moon like you guys did in Massachusetts.
DOUG. Let us start the show with This Week in Tech History… this goes way back.
This week, on 08 November 1895, German physics professor Wilhelm Röntgen stumbled upon a yet undiscovered type of radiation which prompted him to refer to said radiation simply as “X”.
As in X-ray.
How about that… the accidental discovery of X-rays?
DUCK. Quite amazing.
I remember my mum telling me: in the 1950s (must have been the same in the States), apparently, in shoe shops…
DOUG. [KNOWS WHAT’S COMING] Yes! [LAUGHS]
DUCK. People would take their kids in… you’d stand on this machine, put on the shoes and instead of just saying, “Walk around, are they tight? Do they pinch?”, you stood in an X-ray machine, which just basically bathed you in X-ray radiation and took a live photo and said, “Oh yes, they’re the right size.”
DOUG. Yes, simpler times. A little dangerous, but…
DUCK. A LITTLE DANGEROUS?
Can you imagine the people who worked in the shoe shops?
They must have been bathing in X-rays all the time.
DOUG. Absolutely… well, we’re a little safer today.
And speaking of safety, the first Tuesday of the month is Microsoft’s Patch Tuesday.
So what did we learn this Patch Tuesday here in November 2022?
Exchange 0-days fixed (at last) – plus 4 brand new Patch Tuesday 0-days!
DUCK. Well, the super-exciting thing, Doug, is that technically Patch Tuesday fixed not one, not two, not three… but *four* zero-days.
But actually the patches you could get for Microsoft products on Tuesday fixed *six* zero-days.
Remember those Exchange zero-days that were notoriously not patched last Patch Tuesday: CVE-2022-41040 and CVE-2022-41082, what became known as ProxyNotShell?
S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]
Well, those did get fixed, but in essentially a separate “sideline” to Patch Tuesday: the Exchange November 2022 SU, or Software Update, that just says:
The November 2022 Exchange Software Updates contain fixes for the zero-day vulnerabilities reported publicly on 29 September 2022.
All you have to do is upgrade Exchange.
Gee, thanks Microsoft… I think we knew that that’s what we were going to have to do when the patches finally came out!
So, they *are* out and there are two zero-days fixed, but they’re not new ones, and they’re not technically in the “Patch Tuesday” part.
There, we have four other zero-days fixed.
And if you believe in prioritising patches, then obviously those are the ones you want to deal with first, because somebody already knows how to do bad things with them.
Those range from a security bypass, to two elevations-of-privilege, and one remote code execution.
But there are more than 60 patches in total, and if you look at the overall list of products and Windows components affected, there’s an enormous list, as usual, that takes in every Windows component/product you’ve heard of, and many you probably haven’t.
So, as always: Don’t delay/Do it today, Douglas!
DOUG. Very good.
Let us now talk about quite a delay…
You have a very interesting story about the Silk Road drug market, and a reminder that criminals stealing from criminals is still a crime, even if it’s some ten years later that you actually get caught for it.
Silk Road drugs market hacker pleads guilty, faces 20 years inside
DUCK. Yes, even people who are quite new to cybersecurity or to going online will probably have heard of “Silk Road”, perhaps the first well-known, bigtime, widespread, widely-used dark web market where basically anything goes.
So, that all went up in flames in 2013.
Because the founder, initially known only as Dread Pirate Roberts, but eventually revealed to be Ross Ulbricht… his poor operational security was enough to tie the activities to him.
Silk Road founder Ross Ulbricht gets life without parole
Not only was his operational security not perfect, it seems that in late 2012, they had (can you believe it, Doug?) a cryptocurrency payment processing blunder…
DOUG. [GASPS IN MOCK HORROR]
DUCK. …of the sort that we have seen repeated many times since, that went around not quite doing proper double entry accounting, where for every debit, there’s a corresponding credit and vice versa.
And this attacker found, if you put some money into your account and then very quickly paid it out to other accounts, that you could actually pay out five times (or even more) the same bitcoins before the system realised that the first debit had gone through.
So you could basically put in some money and then just withdraw it over and over again, and get a bigger stash…
…and then you could go back into what you might call a “cryptocurrency milking loop”.
And it’s estimated… the investigators weren’t sure, that he started off with between 200 and 2000 bitcoins of his own (whether he bought them or mined them, we don’t know), and he very, very quickly turned them into, wait for it, Doug: 50,000 bitcoins!
DOUG. Wow!
DUCK. More than 50,000 bitcoins, just like that.
And then, obviously figuring that somebody was going to notice, he cut-and-ran while he was ahead with 50,000 bitcoins…
…each worth an amazing $12, up from fractions of a cent just a few years before. [LAUGHS]
So he made off with $600,000, just like that, Doug.
[DRAMATIC PAUSE]
Nine years later…
[LAUGHTER]
…almost *exactly* nine years later, when he was busted and his home was raided under a warrant, the cops went searching and found a pile of blankets in his closet, under which was hidden a popcorn tin.
Strange place to keep your popcorn.
Inside which was a sort-of computerised cold wallet.
Inside which were a large proportion of said bitcoins!
At the time he was busted, bitcoins were something north of $65,535 (or 2^16 - 1) each.
They’d gone up well over a thousand fold in the interim.
So, at the time, it was the biggest cryptocoin bust ever!
Nine years later, having apparently been unable to get rid of his ill-gotten gains, maybe afraid that even if he tried to shove them through a tumbler, all fingers would point back to him…
…he’s had all this $3 billion worth of bitcoins that have been sitting in a popcorn tin for nine years!
DOUG. My goodness.
DUCK. So, having sat on this scary treasure for all these years, wondering if he was going to get caught, now he’s left wondering, “How long will I go to prison for?”
And the maximum sentence for the charge that he faces?
20 years, Doug.
DOUG. Another interesting story going on right now. If you’ve been on Twitter lately, you’ll know that there’s a lot of activity, to say it diplomatically…
DUCK. [LOW-TO-MEDIUM QUALITY BOB DYLAN IMPERSONATION] Well, the occasions, they’re a-changing.
DOUG. …including at one point the idea of charging $20 for a verified blue check, which, of course, almost immediately prompted some scams.
DUCK. It’s just a reminder, Doug, that whenever there’s something that has attracted a lot of interest, the crooks will surely follow.
And the premise of this was, “Hey, why not get in early? If you’ve already got a blue mark, guess what? You won’t have to pay the $19.99 a month if you preregister. We’ll let you keep it.”
We know that that wasn’t Elon Musk’s idea, as he stated it, but it’s the kind of thing that many businesses do, don’t they?
Lots of companies will give you some kind of benefit if you stick with the service.
So it’s not completely unbelievable.
As you say… what did you give it?
B-minus, was it?
DOUG. I give the initial email a B-minus… you could perhaps be fooled if you read it quickly, but there are some grammar issues; stuff doesn’t feel right.
And then once you click through, I’d give the landing pages C-minus.
That gets even dicier.
DUCK. That’s somewhere between 5/10 and 6/10?
DOUG. Yes, let’s say that.
And we do have some advice, so that even if it is an A-plus scam, it won’t matter because you’ll be able to thwart it anyway!
Starting with my personal favourite: Use a password manager.
A password manager solves a lot of problems when it comes to scams.
DUCK. It does.
A password manager doesn’t have any human-like intelligence that can be misled by the fact that the beautiful picture is right, or the logo is perfect, or the web form is in exactly the right place on the screen with exactly the same font, so that you recognise it.
All it knows is: “Never heard of this site before.”
DOUG. And of course, turn on 2FA if you can.
Always add a second factor of authentication, if possible.
DUCK. Of course, that doesn’t necessarily protect you from yourself.
If you go to a fake site and you’ve decided, “Hey, it’s pixel-perfect, it must be the real deal”, and you are determined to log in, and you’ve already put in your username and your password, and then it asks you to go through the 2FA process…
…you’re very likely to do that.
However, it gives you that little bit of time to do the “Stop. Think. Connect.” thing, and say to yourself, “Hang on, what am I doing here?”
So, in a way, the little bit of delay that 2FA introduces can actually be not only very little hassle, but also a way of actually improving your cybersecurity workflow… by introducing just enough of a speed bump that you’re inclined to take cybersecurity that little bit more seriously.
So I don’t see what the downside is, really.
DOUG. And of course, another strategy that’s tough for a lot of people to abide by, but is very effective, is to avoid login links and action buttons in email.
So if you get an email, don’t just click the button… go to the site itself and you’ll be able to tell pretty quickly whether that email was legit or not.
DUCK. Basically, if you can’t absolutely trust the initial correspondence, then you can’t rely on any details in it, whether that’s the link you’re going to click, the phone number you’re going to call, the email address you’re going to contact them on, the Instagram account you’re going to send DMs to, whatever it is.
Don’t use what’s in the email… find your own way there, and you’ll short circuit a lot of scams of this sort.
DOUG. And finally, last but not least… this should be common sense, but it’s not: Never ask the sender of an uncertain message if they’re legitimate.
Don’t reply and say, “Hey, are you really Twitter?”
DUCK. Yes, you’re quite right.
Because my earlier advice, “Don’t rely on the information in the email”, such as don’t phone their phone number… some people are tempted to go, “Well, I’ll call the phone number and see if it really is them. [IRONIC] Because, obviously, if the crooks answer, they’re going to give their real names.”
DOUG. As we always say: If in doubt/Don’t give it out.
And this is a good cautionary tale, this next story: when security scans, which are legitimate security tools, reveal more than they should, what happens then?
Public URL scanning tools – when security leads to insecurity
DUCK. This is a well-known researcher by the name of Fabian Bräunlein in Germany… we’ve featured him a couple of times before.
He’s back with a detailed report entitled urlscan.io’s SOAR spot: chatty security tools leaking private data.
And in this case, it’s urlscan.io, a website that you can use for free (or as a paid service) where you can submit a URL, or a domain name, or an IP number, or whatever it is, and you can look up, “What does the community know about this?”
And it will reveal the full URL that other people asked about.
And this isn’t just things that people copy-and-paste of their own choice.
Sometimes, their email, for example, may be going through a third-party filtering tool that itself extracts URLs, calls home to urlscan.io, does the lookup, gets the result and uses that to decide whether to junk, spam-block, or pass through the message.
And that means that sometimes, if the URL included secret or semi-secret data, personally identifiable information, then other people who just happened to search for the right domain name within a short period afterwards would see all the URLs that had been searched for, including things that might be in the URL.
You know, like blahblah?username=doug&passwordresetcode= followed by a long string of hexadecimal characters, and so on.
And Bräunlein came up with a fascinating list of the sort of URLs, particularly ones that would appear in emails, that would routinely get sent off to a third party for filtering and then get indexed for searching.
The sort of emails that he figured were definitely exploitable included, but weren’t limited to: account creation links; Amazon gift delivery links; API keys; DocuSign signing requests; Dropbox file transfers; package tracking; password resets; PayPal invoices; Google Drive document sharing; SharePoint invitations; and newsletter unsubscribe links.
Not pointing fingers there at SharePoint, Google Drive, PayPal, etc.
Those were just examples of URLs that he came across which were potentially exploitable in this way.
DOUG. We’ve got some advice at the end of that article, which boils down to: read Bräunlein’s report; read urlscan.io’s blog post; do a code review of your own, if you have code that does online security lookups; learn what privacy features exist for online submissions; and, importantly, learn how to report rogue data to an online service if you see it.
I noticed there are three… sort-of limericks?
Very creative mini-poems at the end of this article…
DUCK. [MOCK HORROR] No, they’re not limericks! Limericks have a very formal five-line structure…
DOUG. [LAUGHING] I’m so sorry. That’s true!
DUCK. …for both meter and rhyme.
Very structured, Doug!
DOUG. I’m so sorry, so true. [LAUGHS]
DUCK. This is just doggerel. [LAUGHTER]
Once again: If in doubt/Don’t give it out.
And if you’re collecting data: If it shouldn’t be in/Stick it straight in the bin.
And if you’re writing code that calls public APIs that could reveal customer data: Never make your users cry/By how you call the API.
DOUG. [LAUGHS] That’s a new one for me, and I like that one very much!
And last, but certainly not least on our list here, we’ve been talking week after week about this OpenSSL security bug.
The big question now is, “How can you tell what needs fixing?”
The OpenSSL security update story – how can you tell what needs fixing?
DUCK. Indeed, Doug, how do we know what version of OpenSSL we’ve got?
And obviously, on Linux, you just open a command prompt and type openssl version, and it tells you the version you’ve got.
But OpenSSL is a programming library, and there’s no rule that says that software can’t have its own version.
Your distro might use OpenSSL 3.0, and yet there’s an app that says, “Oh, no, we haven’t upgraded to the new version. We prefer OpenSSL 1.1.1, because that’s still supported, and in case you don’t have it, we’re bringing our own version.”
And so, unfortunately, just like in that infamous Log4Shell case, you had to go looking for the three? 12? 154? who-knows-how-many places on your network where you might have an outdated Log4J program.
Same for OpenSSL.
In theory, XDR or EDR tools might be able to tell you, but some won’t support this and many will discourage it: actually running the program to find out what version it is.
Because, after all, if it’s the buggy or the flawed one, and you actually have to run the program to get it to report its own version…
…that seems like putting the cart before the horse, doesn’t it?
So we published an article for those special cases where you actually have to load the DLL, or the shared library, and you actually have to call its own TellMeThyVersion() software code.
In other words, you trust the program enough that you’ll load it into memory, execute it, and run some component of it.
We show you how to do that so you can make absolutely sure that any outlying OpenSSL files that you have on your network are up to date.
Because although this was downgraded from CRITICAL to HIGH, it’s still a bug that you need to and want to fix!
DOUG. On the subject of the severity of this bug, we got a fascinating question from Naked Security reader Svet, who writes, in part:
How is it that a bug that’s enormously complex for exploitation, and can only be used for denial of service attacks, continues being classified as HIGH?
DUCK. Yes, I think he said something about, “Oh, hasn’t the OpenSSL team heard of CVSS?”, which is a US government standard, if you like, for encoding the risk and complexity level of bugs in a way that can be automatically filtered by scripts.
So if it’s got a low CVSS score (which is the Common Vulnerability Scoring System), why are people getting excited about it?
Why should it be HIGH?
And so my answer was, “Why *shouldn’t* it be HIGH?”
It’s a bug in a cryptographic engine; it could crash a program, say, that’s trying to get an update… so it will crash over and over again, which is a little bit more than just a denial of service, because it’s actually preventing you from doing your security properly.
There is an element of security bypass.
And I think the other part of the answer is, when it comes to vulnerabilities being turned into exploits: “Never say never!”
When you’ve got something like a stack buffer overflow, where you can manipulate other variables on the stack, potentially including memory addresses, there is always going to be the chance that somebody might figure out a workable exploit.
And the problem, Doug, is once they’ve figured it out, it doesn’t matter how difficult it was to figure out…
…once you know how to exploit it, *anyone* can do it, because you can sell them the code to do so.
I think that’s what I’m going to say: “Not that I feel strongly about it.”
[LAUGHTER]
It is, once again, one of those “damned if they do, damned if they don’t” things.
DOUG. Very good. Thank you very much, Svet, for writing that comment and sending it in.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.
That’s our show for today; thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…
BOTH. Stay secure!