Radio waves so mysterious they're known only as X-Rays. Were there six 0-days or only 4? The cops who found $3 billion in a popcorn tin. Blue badge confusion. When URL scanning goes wrong. Tracking down every last unpatched file. Why even unlikely exploits can earn "high" severity levels.
DOUG. Twitter scams, Patch Tuesday, and criminals hacking criminals.
All that and more on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everyone.
I’m Doug.
He's Paul Ducklin.
Paul, how do you do today?
DUCK. Very well, Doug.
We didn't have the lunar eclipse here in England, but I did get a brief glimpse of the *full* full moon through a tiny hole in the clouds that emerged as the only gap in the whole cloud layer the moment I went outside to take a look!
But we didn't have that orange moon like you guys did in Massachusetts.
DOUG. Let us start the show with This Week in Tech History… this goes way back.
This week, on 08 November 1895, German physics professor Wilhelm Röntgen stumbled upon a yet undiscovered form of radiation, which prompted him to refer to said radiation simply as "X".
As in X-ray.
How about that… the accidental discovery of X-rays?
DUCK. Quite amazing.
I remember my mum telling me: in the 1950s (must have been the same in the States), apparently, in shoe shops…
DOUG. [KNOWS WHAT’S COMING] Sure! [LAUGHS]
DUCK. People would take their kids in… you'd stand in this machine, put on the shoes, and instead of just saying, "Walk around, are they tight? Do they pinch?", you stood in an X-ray machine, which basically bathed you in X-ray radiation and took a live image and said, "Oh yes, they're the right size."
DOUG. Yes, simpler times. A little dangerous, but…
DUCK. A LITTLE DANGEROUS?
Can you imagine the people who worked in the shoe shops?
They must have been bathing in X-rays all the time.
DOUG. Absolutely… well, we're a little safer today.
And on the subject of safety, the first Tuesday of the month is Microsoft's Patch Tuesday.
So what did we learn this Patch Tuesday here in November 2022?
Exchange 0-days fixed (at last) – plus 4 brand new Patch Tuesday 0-days!
DUCK. Well, the super-exciting thing, Doug, is that technically Patch Tuesday fixed not one, not two, not three… but *four* zero-days.
But actually the patches you could get for Microsoft products on Tuesday fixed *six* zero-days.
Remember those Exchange zero-days that were notoriously not patched last Patch Tuesday: CVE-2022-41040 and CVE-2022-41082, what became known as ProxyNotShell?
S3 Ep102.5: "ProxyNotShell" Exchange bugs – an expert speaks [Audio + Text]
Well, those did get fixed, but in essentially a separate "sideline" to Patch Tuesday: the Exchange November 2022 SU, or Software Update, that just says:
The November 2022 Exchange Software Updates contain fixes for the zero-day vulnerabilities reported publicly on 29 September 2022.
All you have to do is upgrade Exchange.
Gee, thanks Microsoft… I think we knew that that's what we were going to have to do when the patches finally came out!
So, they *are* out and there are two zero-days fixed, but they're not new ones, and they're not technically in the "Patch Tuesday" part.
There, we have four other zero-days fixed.
And if you believe in prioritising patches, then obviously those are the ones you want to deal with first, because somebody already knows how to do bad things with them.
Those range from a security bypass, to two elevations-of-privilege, and one remote code execution.
But there are more than 60 patches in total, and if you look at the overall list of products and Windows components affected, there's an enormous list, as usual, that takes in every Windows component/product you've heard of, and many you probably haven't.
Microsoft patches 62 vulnerabilities, including Kerberos, and Mark of the Web, and Exchange… sort of
So, as always: Don't delay/Do it today, Douglas!
DOUG. Very good.
Let us now talk about quite a delay…
You have a very interesting story about the Silk Road drug market, and a reminder that criminals stealing from criminals is still a crime, even if it's some ten years later that you actually get caught for it.
Silk Road drugs market hacker pleads guilty, faces 20 years inside
DUCK. Yes, even people who are quite new to cybersecurity or to going online will probably have heard of "Silk Road", perhaps the first well-known, bigtime, popular, widely-used dark web market where basically anything goes.
So, that all went up in flames in 2013.
Because the founder, initially known only as Dread Pirate Roberts, but eventually revealed to be Ross Ulbricht… his poor operational security was enough to tie the activities to him.
Silk Road founder Ross Ulbricht gets life without parole
Not only was his operational security not very good, it seems that in late 2012, they had (can you believe it, Doug?) a cryptocurrency payment processing blunder…
DOUG. [GASPS IN MOCK HORROR]
DUCK. …of the sort that we have seen repeated many times since, that went around not quite doing proper double-entry accounting, where for every debit there's a corresponding credit, and vice versa.
And this attacker discovered, if you put some money into your account and then very quickly paid it out to other accounts, that you could actually pay out five times (or even more) the same bitcoins before the system realised that the first debit had gone through.
So you could basically put in some money and then just withdraw it over and over again, and get a bigger stash…
…and then you could go back into what you might call a "cryptocurrency milking loop".
And it's estimated… the investigators weren't sure, that he started off with between 200 and 2000 bitcoins of his own (whether he bought them or mined them, we don't know), and he very, very quickly turned them into, wait for it, Doug: 50,000 bitcoins!
DOUG. Wow!
DUCK. More than 50,000 bitcoins, just like that.
And then, obviously figuring that someone was going to notice, he cut-and-run while he was ahead with 50,000 bitcoins…
…each worth an amazing $12, up from fractions of a cent just a few years before. [LAUGHS]
So he made off with $600,000, just like that, Doug.
[DRAMATIC PAUSE]
Nine years later…
[LAUGHTER]
…almost *exactly* nine years later, when he was busted and his home was raided under a warrant, the cops went searching and found a pile of blankets in his closet, under which was hidden a popcorn tin.
Strange place to keep your popcorn.
Inside which was a sort-of computerised cold wallet.
Inside which were a large proportion of said bitcoins!
At the time he was busted, bitcoins were something north of $65,535 (or 2^16 - 1) each.
They'd gone up well over a thousandfold in the interim.
So, at the time, it was the biggest cryptocoin bust ever!
Nine years later, having apparently been unable to dispose of his ill-gotten gains, perhaps afraid that even if he tried to shove them in a tumbler, all fingers would point back to him…
…he's had all this $3 billion worth of bitcoins that have been sitting in a popcorn tin for nine years!
DOUG. My goodness.
DUCK. So, having sat on this scary treasure for all those years, wondering if he was going to get caught, now he's left wondering, "How long will I go to prison for?"
And the maximum sentence for the charge that he faces?
20 years, Doug.
DOUG. Another interesting story going on right now. If you've been on Twitter lately, you'll know that there's a lot of activity, to say it diplomatically…
DUCK. [LOW-TO-MEDIUM QUALITY BOB DYLAN IMPERSONATION] Well, the times, they're a-changing.
DOUG. …including at one point the idea of charging $20 for a verified blue check, which, of course, almost immediately prompted some scams.
Twitter Blue Badge email scams – Don't fall for them!
DUCK. It's just a reminder, Doug, that whenever there's something that has attracted a lot of interest, the crooks will surely follow.
And the premise of this was, "Hey, why not get in early? If you've already got a blue tick, guess what? You won't have to pay the $19.99 a month if you preregister. We'll let you keep it."
We know that that wasn't Elon Musk's idea, as he stated it, but it's the kind of thing that many businesses do, don't they?
Lots of companies will give you some kind of benefit if you stick with the service.
So it's not entirely unbelievable.
As you say… what did you give it?
B-minus, was it?
DOUG. I give the initial email a B-minus… you could perhaps be tricked if you read it quickly, but there are some grammar issues; stuff doesn't feel right.
And then once you click through, I'd give the landing pages C-minus.
That gets even dicier.
DUCK. That's somewhere between 5/10 and 6/10?
DOUG. Yes, let's say that.
And we do have some advice, so that even if it is an A-plus scam, it won't matter because you'll be able to thwart it anyway!
Starting with my personal favourite: Use a password manager.
A password manager solves a lot of problems when it comes to scams.
DUCK. It does.
A password manager doesn't have any human-like intelligence that can be misled by the fact that the beautiful picture is right, or the logo is perfect, or the web form is in exactly the right place on the screen with exactly the same font, so that you recognise it.
All it knows is: "Never heard of this website before."
DOUG. And of course, turn on 2FA if you can.
Always add a second factor of authentication, if possible.
DUCK. Of course, that doesn't necessarily protect you from yourself.
If you go to a fake site and you've decided, "Hey, it's pixel-perfect, it must be the real deal", and you are determined to log in, and you've already put in your username and your password, and then it asks you to go through the 2FA process…
…you're very likely to do that.
However, it gives you that little bit of time to do the "Stop. Think. Connect." thing, and say to yourself, "Hang on, what am I doing here?"
So, in a way, the little bit of delay that 2FA introduces can actually be not only very little hassle, but also a way of actually improving your cybersecurity workflow… by introducing just enough of a speed bump that you're inclined to take cybersecurity that little bit more seriously.
So I don't see what the downside is, really.
DOUG. And of course, another strategy that's tough for a lot of people to abide by, but is very effective, is to avoid login links and action buttons in email.
So if you get an email, don't just click the button… go to the site itself and you'll be able to tell pretty quickly whether that email was legit or not.
DUCK. Basically, if you can't completely trust the initial correspondence, then you can't rely on any details in it, whether that's the link you're going to click, the phone number you're going to call, the email address you're going to contact them on, the Instagram account you're going to send DMs to, whatever it is.
Don't use what's in the email… find your own way there, and you'll short-circuit a lot of scams of this sort.
DOUG. And finally, last but not least… this should be common sense, but it's not: Never ask the sender of an uncertain message if they're legitimate.
Don't reply and say, "Hey, are you really Twitter?"
DUCK. Yes, you're quite right.
Because my previous advice, "Don't rely on the information in the email", like don't phone their phone number… some people are tempted to go, "Well, I'll call the phone number and see if it really is them. [IRONIC] Because, obviously, if the crooks answer, they're going to give their real names."
DOUG. As we always say: If in doubt/Don't give it out.
And this is a good cautionary tale, this next story: when security scans, which are legitimate security tools, reveal more than they should, what happens then?
Public URL scanning tools – when security leads to insecurity
DUCK. This is a well-known researcher by the name of Fabian Bräunlein in Germany… we've featured him a couple of times before.
He's back with a detailed report entitled urlscan.io's SOAR spot: chatty security tools leaking private data.
And in this case, it's urlscan.io, a website that you can use for free (or as a paid service) where you can submit a URL, or a domain name, or an IP number, or whatever it is, and you can look up, "What does the community know about this?"
And it will reveal the full URL that other people asked about.
And this isn't just things that people copy-and-paste of their own choice.
Sometimes, their email, for example, may be going through a third-party filtering tool that itself extracts URLs, calls home to urlscan.io, does the lookup, gets the result and uses that to decide whether to junk, spam-block, or pass through the message.
And that means that sometimes, if the URL included secret or semi-secret data, personally identifiable information, then other people who just happened to search for the right domain name within a short period afterwards would see all the URLs that were searched for, including things that might be in the URL, like blahblah?username=doug&passwordresetcode= followed by a long string of hexadecimal characters, and so on.
And Bräunlein came up with a fascinating list of the kind of URLs, particularly ones that would appear in emails, that would routinely get sent off to a third party for filtering and then get indexed for searching.
The kind of emails that he figured were definitely exploitable included, but weren't limited to: account creation links; Amazon gift delivery links; API keys; DocuSign signing requests; Dropbox file transfers; package tracking; password resets; PayPal invoices; Google Drive document sharing; SharePoint invitations; and newsletter unsubscribe links.
Not pointing fingers there at SharePoint, Google Drive, PayPal, etc.
Those were just examples of URLs that he came across which were potentially exploitable in this way.
DOUG. We've got some advice at the end of that article, which boils down to: read Bräunlein's report; read urlscan.io's blog post; do a code review of your own, if you've got code that does online security lookups; learn what privacy features exist for online submissions; and, importantly, learn how to report rogue data to an online service if you see it.
I noticed there are three… sort-of limericks?
Very creative mini-poems at the end of this article…
DUCK. [MOCK HORROR] No, they're not limericks! Limericks have a very formal five-line structure…
DOUG. [LAUGHING] I'm so sorry. That's true!
DUCK. …for both meter and rhyme.
Very structured, Doug!
DOUG. I'm so sorry, so true. [LAUGHS]
DUCK. This is just doggerel. [LAUGHTER]
Once again: If in doubt/Don't give it out.
And if you're collecting data: If it shouldn't be in/Stick it straight in the bin.
And if you're writing code that calls public APIs that might reveal customer data: Never make your users cry/By the way you call the API.
DOUG. [LAUGHS] That's a new one for me, and I like that one very much!
And last, but certainly not least on our list here, we've been talking week after week about this OpenSSL security bug.
The big question now is, "How can you tell what needs fixing?"
The OpenSSL security update story – how can you tell what needs fixing?
DUCK. Indeed, Doug, how do we know what version of OpenSSL we've got?
And obviously, on Linux, you just open a command prompt and type openssl version, and it tells you the version you've got.
But OpenSSL is a programming library, and there's no rule that says that software can't have its own version.
Your distro might use OpenSSL 3.0, and yet there's an app that says, "Oh, no, we haven't upgraded to the new version. We prefer OpenSSL 1.1.1, because that's still supported, and in case you don't have it, we're bringing our own version."
And so, unfortunately, just like in that infamous Log4Shell case, you had to go searching for the three? 12? 154? who-knows-how-many places on your network where you might have an outdated Log4J program.
Same for OpenSSL.
In theory, XDR or EDR tools might be able to tell you, but some won't support this and many will discourage it: actually running the program to find out what version it is.
Because, after all, if it's the buggy or the wrong one, and you actually have to run the program to get it to report its own version…
…that seems like putting the cart before the horse, doesn't it?
So we published an article for those special cases where you actually want to load the DLL, or the shared library, and you actually want to call its own TellMeThyVersion() software code.
In other words, you trust the program enough that you'll load it into memory, execute it, and run some component of it.
We show you how to do that so you can make absolutely sure that any outlying OpenSSL files that you've got on your network are up to date.
Because although this was downgraded from CRITICAL to HIGH, it's still a bug that you need to and want to fix!
DOUG. When it comes to the severity of this bug, we got an interesting question from Naked Security reader Svet, who writes, in part:
How is it that a bug that's enormously complex for exploitation, and can only be used for denial of service attacks, continues being classified as HIGH?
DUCK. Yes, I think he said something about, "Oh, hasn't the OpenSSL team heard of CVSS?", which is a US government standard, if you like, for encoding the risk and complexity level of bugs in a way that can be automatically filtered by scripts.
So if it's got a low CVSS score (which is the Common Vulnerability Scoring System), why are people getting excited about it?
Why should it be HIGH?
And so my answer was, "Why *shouldn't* it be HIGH?"
It's a bug in a cryptographic engine; it could crash a program, say, that's trying to get an update… so it will crash over and over again, which is a little bit more than just a denial of service, because it's actually stopping you from doing your security properly.
There's an element of security bypass.
And I think the other part of the answer is, when it comes to vulnerabilities being turned into exploits: "Never say never!"
When you've got something like a stack buffer overflow, where you can manipulate other variables on the stack, possibly including memory addresses, there's always going to be the chance that somebody might figure out a workable exploit.
And the problem, Doug, is once they've figured it out, it doesn't matter how complicated it was to figure out…
…once you know how to exploit it, *anyone* can do it, because you can sell them the code to do so.
I think what I'm going to say: "Not that I feel strongly about it."
[LAUGHTER]
It's, once again, one of those "damned if they do, damned if they don't" things.
DOUG. Very good. Thanks very much, Svet, for writing that comment and sending it in.
If you have an interesting story, comment or question you'd like to submit, we'd love to read it on the podcast.
You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.
That's our show for today; thanks very much for listening.
For Paul Ducklin, I'm Doug Aamoth, reminding you until next time to…
BOTH. Stay secure!