345: Dangerous Bug Plagues Popular File Transfer Service!

Episode 345 February 01, 2024 01:07:45
Technado
Show Notes

This week, ICANN is preparing to introduce a new TLD: .INTERNAL. Overseas, a German railway is still running on Windows 3.11 - an operating system that's older than Sophie. And in hardware news, we break down the pros and cons of Framework's Laptop 16 (and whether it's any good for gaming).


In security news, look out for a dangerous bug in a popular file transfer software. Then, HPE falls victim to a Midnight Blizzard attack. And finally, we revisit a recent story about an overprivileged MS test account: new developments are unfolding.


Episode Transcript

[00:00:04] Speaker A: You're listening to Technato. Welcome to another episode of Technato. I'm Sophie Goodwin, one of your hosts here on the show. Just a quick reminder before we jump in, I want to thank the sponsor of Technato, ACI Learning, the folks behind ITPro. If you want to see more of Don, Dan and myself, check out those courses. You can learn a lot, and you can have fun while you do it. Once again, I'm Sophie, and of course, I'm not alone here. I have the experts themselves here alongside me. Don, how are you doing today?

[00:00:30] Speaker B: I am doing great, and we got some good stuff lined up today. We talked last week on the podcast. I don't want to get too far off in the intros here, but about how the new SEC ruling with companies having to disclose breaches was going to have interesting effects. We're going to see more of that today because now we're starting to see these breaches and actually getting information about them in a timely manner. So definitely stay tuned for the second half of the show.

[00:00:54] Speaker A: Oh, what a teaser trailer. Daniel, will you be joining us for the second half of the show?

[00:00:57] Speaker C: I mean, I guess I'll stick around. Sounds good.

[00:01:00] Speaker A: We chain him to the desk. He doesn't have a choice.

[00:01:02] Speaker B: In fact, why even film the first half of the show?

[00:01:05] Speaker A: Why don't we just jump ahead?

[00:01:07] Speaker C: Yeah, we can do whatever we want, Don.

[00:01:10] Speaker B: We make the rules here.

[00:01:12] Speaker A: Well, unfortunately, we can't jump ahead to the second half of the show because I have questions about these articles in the first half and a lot of questions, and they need answers stat. I'm not a doctor. I can't say that word. Okay, we'll go ahead and jump in, though. We've got some good news this week in the world of IT. So this first one has to do with some stuff going on in the cloud.
ICANN proposes creating .internal domain, and this domain would do the same job as the 192.168.such-and-such IP. And this is from The Register, and I kind of read through this. And if it's doing the same job as this IP address, what would be the point of creating a domain?

[00:01:48] Speaker B: So this is actually a. I can't help but think like an extremely delayed response to something that happened a couple of years ago. So this would have been before you were on the show, Sophie, before you.

[00:02:00] Speaker A: Were born.

[00:02:03] Speaker B: But before she was on the show. Daniel, you probably remember, though, a couple of years back, we covered when they started adding all the new top level domains. Remember when they added, like .museum and all these other whatever. Vaguely that they chose to add .corp, C-O-R-P. Yes. Right. And there was a big amount of concern there because in the early days of Microsoft Active Directory you had to pick a domain name, right. And some companies didn't have domain names back then or they just didn't care. And then Microsoft said, yeah, you know what you can do is you can just use something, something .corp as your internal because it's not a real TLD, it's a fake TLD, whatever, just use it. And then you fast forward 20 years and all of a sudden they're making it a real TLD. And you got these companies that have internal private domains that now an attacker could buy the .corp version of it and do a, they're kind of hosed.

[00:02:57] Speaker C: At that point, right?

[00:02:58] Speaker B: They are, yeah. There were a lot of people at the time saying like don't make .corp, it's going to be a big problem. But ICANN doesn't care. It's just, well Microsoft shouldn't have told people to use fake domains. So anyhow, that was years ago.

[00:03:12] Speaker C: So the megalomaniacs over at ICANN decided.
[00:03:15] Speaker B: You fast forward to today, and they're saying, hey, how do we prevent that kind of stuff in the, well you know, it's really a problem in the past. And so what they proposed is doing .internal, so you can use whatever you want .internal and your computer will know not to go to external DNS servers for those lookups. And DNS servers will not do it recursively. They'll either have the answer or they won't and that'll be that. Useful for a couple of things.

[00:03:44] Speaker C: Seems like a good solution to their problem.

[00:03:46] Speaker B: Yeah, I know a lot of systems use .local. Yeah, you'll see that one a lot. Or my little system that I have at home uses .lan, but those aren't reserved. And in theory those could become real top level domains one day, .local and .lan, and then I'd be in the.

[00:04:05] Speaker C: Same situation, say we are putting our stamp of approval on this is what's going to be done and this is how the protocol is going to interpret a .internal domain, whereas you're just kind of throwing something on the end there to keep it available. Like you said, there's nothing to stop an attacker from trying to discover those and buy those and use those.

[00:04:22] Speaker B: Right. And I hate that The Register said it does the same job as 192.168.x.x because it doesn't, it's not the same thing. And it's not just that one IP range because you could use 172.16 through 31, you could use 10.whatever. Those would all be considered internal, non. I like to say non-routable, Lance, they're totally routable inside of your network. They're not routable across the Internet. Right. They're local only networks. They're private IP ranges and then in IPv6, you have the same thing, right? And so this would apply to IPv6. Really? Any network that uses the domain naming system, this would apply to. So I think it's a good idea.
I do kind of wish they would have done .local, but I guess they wanted to pick something that was a little more meaningful in other languages or that people would look at it. There were some other proposed names that were pretty dumb. So this is the one. It's a proposal right now, but it's got a lot of support behind it. So I would expect to see this become a thing.

[00:05:21] Speaker C: Yeah, I totally would expect that. I mean, like you said, we've got a legitimate issue. We need a legitimate solution to that. This seems like it's going to do a fairly good job of it, actually.

[00:05:31] Speaker B: Yeah. One of the ones that the Reg called out was .private was a suggestion.

[00:05:36] Speaker C: Interesting.

[00:05:39] Speaker B: I didn't like that one so much, but not for the reason they had.

[00:05:42] Speaker C: Don wanted .peaches.

[00:05:44] Speaker B: Well, .private. Honestly, maybe you just think it was like triple X or whatever.

[00:05:50] Speaker C: That would be private. It's getting weird out there on the Internet again.

[00:05:59] Speaker B: But they were saying that people might see it and assume that it meant it was a secure connection.

[00:06:03] Speaker C: Right.

[00:06:04] Speaker B: Like, oh, this must have TLS. It's private.

[00:06:06] Speaker C: Private. Right.

[00:06:07] Speaker B: Yeah. When in actuality, that extension doesn't.

[00:06:09] Speaker C: Your grandma's like, is this how I get on that Tor network?

[00:06:13] Speaker B: It's that dark web.

[00:06:15] Speaker C: I want to buy something.

[00:06:16] Speaker B: Give me some creds. Yeah.

[00:06:18] Speaker C: Where's those marketplaces you keep talking about?

[00:06:22] Speaker B: Always wanted to shop on the Silk Road. Here's my chance. Grandma's buying grade A heroin, so they.

[00:06:31] Speaker C: Press it into like a DVD and send it to you right in the mail.

[00:06:36] Speaker A: My grandma's going to have some questions after this episode. What is Tor? Explain it to me.
[00:06:41] Speaker C: Grandma Goodwin's got some real twisters up there.

[00:06:46] Speaker A: So I went into the comments just to see what other people thought about this, because I can't just have my own opinion. And somebody made some joke about using a song lyric, but it looks like it's in German, so I don't understand the joke, maybe song lyric? Yeah, it's like this super, super long. I think they were kidding. Oh, this is what I use for my top level domain and it looks like maybe it's German or something. Googled it. I couldn't find anything. But anyway.

[00:07:07] Speaker C: Interesting.

[00:07:07] Speaker A: Yeah, maybe it'll be familiar to you. But somebody commented under it and talked about the 64 character limit for top level domains. I didn't realize that the character limit was that large. I understand it's like for passwords and stuff, you don't want to put a tiny character limit. But for something like this, realistically, who's going to use a top level domain that's 64 characters?

[00:07:25] Speaker B: Yeah, and that's just the top level domain though. So the actual domain name could be much longer. I think it's 256 or something. It's a much higher number. Yeah. And I know the original reason for it was that the top level domain servers, the servers that are responsible for the root hint servers, in the early days there were only like 13 of them and now they're clusters and there's a lot more. But it's a shared infrastructure and so they needed to be resource sensitive on it.

[00:07:51] Speaker C: One time you had a notepad with every Internet IP written on it.

[00:07:56] Speaker B: In the early days you could do that.

[00:07:58] Speaker C: There wasn't an actual lot of stuff on the Internet at one time.
[00:08:02] Speaker B: Yeah, before Google and when Yahoo was still a manual operation where Yahoo was like manually curating results, even before that you just had to learn like oh yeah, I can go to this IP and there's a site that has information on Linux.

[00:08:16] Speaker C: What were your favorite search engines that came out through the years before Google became like.

[00:08:20] Speaker B: Know the search engine? I used Lycos for a long time and they're long gone.

[00:08:25] Speaker C: Ask Jeeves was a popular one for a while. I used AltaVista was probably my favorite for quite some time.

[00:08:32] Speaker B: Do you remember AstalaVista?

[00:08:34] Speaker C: Maybe that's what it was.

[00:08:36] Speaker B: So AltaVista was the one that was on the up and up?

[00:08:39] Speaker C: No, AstalaVista, that's what it was. You're right.

[00:08:43] Speaker B: If you were in the early cybersecurity career or if you wanted to bootleg stuff, that was the search engine or.

[00:08:49] Speaker C: You were just interested in things.

[00:08:51] Speaker B: Don, if you wanted that copy of The Anarchist Cookbook that was totally had that. Sophie.

[00:09:01] Speaker A: I don't even know what I did wrong.

[00:09:04] Speaker C: That's what makes it worse.

[00:09:07] Speaker A: Most of the time I'm at least a little bit lost in all things, but I find my way as I go, so it's fine.

[00:09:13] Speaker B: Do you know The Anarchist Cookbook?

[00:09:15] Speaker A: I don't believe I'm familiar with their work.

[00:09:16] Speaker B: No.

[00:09:17] Speaker C: The Poor Man's James Bond books, those were the.

[00:09:20] Speaker A: You say that like it's going to shed light on anything.

[00:09:23] Speaker B: For me. The Anarchist Cookbook, I forget when it was written, it was like created in the believe. Yeah.

[00:09:29] Speaker C: Started making its rounds on like IRC and stuff.

[00:09:32] Speaker B: And what it was was a book of basically like forbidden instructions.
So it had napalm and how to build pipe bombs.

[00:09:40] Speaker A: I see that now.

[00:09:41] Speaker B: How to pick.

[00:09:41] Speaker C: She's over here looking it up.

[00:09:43] Speaker B: How to watch list now. Well, it had how to pick locks. It had other things, too. And the idea was that this was information that should be protected under free speech, but that the government didn't like people sharing. And so in the early days of the Internet, it was a perfect vehicle for sharing information. Like that was, hey, this is free speech and we want to get it out there. And so you could find it all over the place. It is not illegal. Some people, I think you go on Amazon and buy it now. Although it's got stuff in there that, yeah, could probably get you on a watch list.

[00:10:17] Speaker C: And as a preteen, boy, when that thing, stuff came out, or at least I was able to get my hands on it because the Internet was kind of a thing, or not preteen. I guess I was a teenager when that happened, but it was just fascinating. Me and my friends just wanted to learn, and we were like, oh, let's make some of this stuff. Good news is we didn't hurt ourselves much.

[00:10:37] Speaker B: Hey. Sitting there with your Slayer shirt on, listening to some Nine Inch Nails, reading The Anarchist Cookbook.

[00:10:46] Speaker C: Reached back in time, and it was a Metallica shirt.

[00:10:52] Speaker A: Wow. All right, this is new to me. I don't know what I was expecting, but it was not that. So thank you for teaching me, and hopefully I don't get in trouble for that.

[00:11:01] Speaker B: Yeah, hopefully I don't. Sophie has a few left fingers next.

[00:11:04] Speaker C: Week, so I got the styrofoam and the gasoline. Right.

[00:11:12] Speaker A: Luckily, everybody in charge of me is in this room, so if I'm going to get in trouble, it'll happen pretty fast. Going back to the article.

[00:11:20] Speaker C: Article?

[00:11:21] Speaker B: That's dumb.
[00:11:28] Speaker A: Like Don had said, the .internal domain is still the creation of. It has not been signed off on yet. But it doesn't mean, I guess you can still use it. It's just. What is it? An ad hoc TLD is what they call it. Yeah, you can still use it. It's just not like official.

[00:11:45] Speaker B: Yeah, if you use it, you could potentially end up in that situation where maybe they don't create the TLD. And then down the road, it becomes a commercially available TLD. And now you're hosed.

[00:11:55] Speaker A: Okay, so maybe don't take the chance. See, I don't know. I can't provide advice on this stuff.

[00:11:58] Speaker B: No.

[00:11:59] Speaker A: But I'd be curious to know what you all think about that.

[00:12:02] Speaker B: We can't provide advice on it either. Nobody knows exactly what's going to happen there.

[00:12:06] Speaker A: Oh, good. We're on the same page here. Awesome. That doesn't happen a lot, so I'm glad. Well, I'm curious to see. We love hearing your comments and questions about these things. So if you think that you'll be using the .internal domain, let us know. Let us know exactly what you're going to be using it for and where.

[00:12:19] Speaker C: We can find it, just so we can buy it.

[00:12:22] Speaker B: Just browse to technato.local. No, .internal.

[00:12:26] Speaker A: Not technato.private. That's a different thing. Yeah, it's not real.

[00:12:30] Speaker C: It's weird.

[00:12:31] Speaker A: There. We'll move on. This next article comes to us from Tom's Hardware. MS-DOS and Windows 3.11 still run train dashboards at German railway. Now, this is something that it says, the company listed an admin job for a 30 year old operating system, and people with the requisite experience might already have retired. But I feel like this is something that I know, Daniel, you and I have talked about it before in courses and stuff, that if you have systems that are like.
People are relying on them quite a bit, and it's difficult to take them offline to upgrade them. They just won't upgrade or update them. They'll just leave them the way they are. Do you think that's what happened here?

[00:13:05] Speaker C: I would assume that's exactly what has happened here. It's not broke. It's working. Leave it alone. It's probably air gapped. And all the standard security measures that were common for the time that this system was implemented, most likely. And again, they don't see any issue, so just keep letting it run. Now, this is a train station. I don't know how much traffic goes through this train station, how big of a disruption it would be for them to try to shut it down. And how would you even in place, rebuild something like that? You would have to build an entire test network with test trains and make sure everything works before you were able to flip over from one operating system to another. So it would be a big, massive undertaking to get it switched, which is probably why it's still happening. I don't know what they're going to do with this kind of stuff. And how eventually, because I know there's like power plants and water systems that are running on old operating systems to this day, and eventually that stuff is going to fail.

[00:14:09] Speaker B: Yeah, this one's a little stranger to me though, because normally when you hear about it, they've got some old COBOL application, right? And in order for you to like, let's say you came in one day and said, hey, it's time to modernize, you'd have to rewrite that from scratch. You couldn't reuse that COBOL code. You'd have to choose a new language, which means all new libraries.

[00:14:29] Speaker C: You're going from being on a database like a mainframe and now into servers. And it's like, it's just a completely different architecture. It doesn't do the same stuff.

[00:14:38] Speaker B: Right.
But in this case, because it's Windows 3.11 and obviously we can't see the source code, we don't know. It's likely just a 16 bit application, either a DOS or a Windows application. And hey, in Windows 95 you could still run 16 bit.

[00:14:54] Speaker C: I wonder if they could virtualize the environment inside of a. I'm sure they.

[00:14:58] Speaker B: Could, but you mentioned like SCADA systems, and usually it's hardware drivers that are the challenge, right? So if there's a hardware driver written for some kind of Unix based system, getting that working under a modern OS can be challenging here. If it's a hardware driver for Windows 3.11 or DOS, those usually aren't that hard to port over to newer systems. And so here, to me, I mean, it highlights just a lack of investment. They just don't care. I think so. Could be that's how it was with ATM machines. And it might not be like this today, but I worked for a bank back in 2008 or so. So 15 years ago up until they.

[00:15:37] Speaker C: Looked at this bank account. Where's all this money coming from?

[00:15:40] Speaker B: It was just a fraction of a percent. They shouldn't have noticed you got the decimal place in the wrong spot. But the ATM machines ran OS/2.

[00:15:52] Speaker C: Oh yeah.

[00:15:52] Speaker B: And OS/2 had long since not been supported. But because it was these isolated machines that didn't have network access per se. So it was like completely isolated that there really wasn't an attack vector somebody could use to get into it. Well, I mean there's always an attack vector, but they're relatively safe and so they just didn't care to upgrade them. It's OS/2, but it's fine.

[00:16:13] Speaker C: It's working.

[00:16:14] Speaker B: It's working.

[00:16:14] Speaker C: Leave it alone. It ain't broke. Don't fix it.

[00:16:16] Speaker B: And I think that's what's happening here, is it's probably an isolated system.

[00:16:21] Speaker C: Yeah. That was my first guess.
We agree.

[00:16:26] Speaker B: If I were to take that job, I'll tell you one thing I would appreciate, and that is the ability to run SkiFree on the systems that I work on. Do you remember that game?

[00:16:35] Speaker C: I did not play that game. No. I never had a 3.1 system.

[00:16:38] Speaker B: You missed out.

[00:16:39] Speaker C: I missed out.

[00:16:39] Speaker B: Yeah, you missed.

[00:16:40] Speaker A: That's okay. I didn't have one either. You and me, we're just alike.

[00:16:43] Speaker C: I remember my grandfather, his computer had it, and I was like, oh, this is like Windows 95, except weirder.

[00:16:50] Speaker B: Yeah.

[00:16:51] Speaker C: Why do you have all this text? What's the text? Why don't you just run the Windows part? Because you could fire up a Windows graphic. Graphic.

[00:17:00] Speaker B: That was new for a lot of people back then. Yeah, but SkiFree was a little game where you were skiing down a mountain and you could jump these little ramps and dodge rocks and trees. But the programmer who created it didn't really know how to manage memory very well. And so at a certain point, it would run out of memory. So his solution was, once you get to a certain point, a little yeti would just come out and eat you. There's no, like winning the game. There's no winning the game. You get to the yeti or you don't.

[00:17:28] Speaker C: Being eaten by a yeti was the win.

[00:17:32] Speaker B: That's the end game.

[00:17:33] Speaker A: Death is the ultimate victory.

[00:17:35] Speaker B: What that means, death is but a doorway.

[00:17:37] Speaker C: Time is but a window.

[00:17:39] Speaker B: I'll be back.

[00:17:41] Speaker A: Okay. I see. All right.

[00:17:42] Speaker C: Yeah, it's a guy behind you.

[00:17:43] Speaker A: Takes me a little bit to get it, but okay. All right.
I look at these comment sections, and a lot of times they look like our conversations here, where if you skipped ahead a minute in Technato, you'd be like, how the hell did they get to where they are right now? What they're talking. Talking about? Because initially it's, oh, as long as this isn't connected to the Internet, right. No, it's no problem.

[00:18:00] Speaker C: The Carpathian, right?

[00:18:02] Speaker A: You skip to the next page, and it's like, well, if you're going to talk about RollerCoaster Tycoon, it's like, how. Where did you get that? This is not the same thing.

[00:18:11] Speaker B: Yeah, good times.

[00:18:13] Speaker A: That's always fun to jump in the comments and look around there. But, yeah, I mean, like you guys had said, if it's just kind of isolated, then it's probably not really an issue. But it is a neat thing to read about. It's a novel thing to read about, I guess.

[00:18:23] Speaker C: Yeah, it's just kind of interesting to hear that those systems are still kicking around and being useful. Right. It's not like, oh, this is just a novel thing. They're actually doing something to make people's lives better. And it's, what, 40 year old tech? At least 30 something year old tech.

[00:18:40] Speaker A: Yeah.

[00:18:41] Speaker C: Crazy.

[00:18:41] Speaker A: Somebody said they think it's because Germans just like old stuff. Germans and Brits, they just like old castles and old houses and old operating systems. So they think that's why. Yeah, that's an interesting theory, but something tells me there's more to it than that.

[00:18:53] Speaker B: Generally, this is kind of off the topic, but generally in Europe, their technology infrastructure is newer than ours and they have, like, broadband access and stuff is far superior in Europe than it is here in the US because of after World War II, when all the infrastructure was destroyed, they rebuilt it. Versus us. In the US, where our infrastructure was still around from the early 1900s.
And so that's like a 40 year gap where they got to jump ahead.

[00:19:18] Speaker C: Like Japan is that way. Right. Because of the bombings that we did, we destroyed a lot of their major cities and infrastructure, and they got to rebuild from the ground up.

[00:19:29] Speaker B: And just to be clear, I'm not saying that's a fair trade. No, that's what happened.

[00:19:33] Speaker C: That's an observation.

[00:19:36] Speaker A: Next week on Don Gets Canceled.

[00:19:39] Speaker B: Oh, duh.

[00:19:41] Speaker A: That's our thumbnail. It's just you doing that.

[00:19:44] Speaker B: There's better ways to upgrade your infrastructure.

[00:19:46] Speaker C: Way better. I mean, ultimately, they probably just have to start building new things and then eventually sundown the old stuff, right? Yeah.

[00:19:58] Speaker A: Well, speaking of upgrades, this next article comes to us from Ars Technica, and this is a review of a relatively new laptop. Framework's Laptop 16 is unique, laudable, fascinating, and flawed. Says it's got great ideas, but yeah, wamp, wamp. Awkward limitations in Framework's 16-inch sequel. Now, I'm curious if this is something that, sometimes I look at these reviews and I'm like, oh, interesting. I read. I'm like, oh, maybe it's really not that good. Or maybe this is the next big thing. And then you guys talk about it and you're like, this is crap, or this is great. So I'm curious what you all's opinion is on this.

[00:20:27] Speaker B: So basically, Framework. We've talked about Framework a number of.

[00:20:31] Speaker C: Times on the show because I didn't read this article.

[00:20:33] Speaker B: Okay. I like Framework. I like the company. I like what they stand behind it. All modular components, you can replace anything. They sell spare parts on their site. When you buy it. It comes with a screwdriver, so they don't void your warranty if you open it up and it's really easy to work with.

[00:20:49] Speaker A: Kind of sounds fun.
[00:20:50] Speaker B: I had one for a little while. Ultimately, I didn't keep it because of the non-standard screen resolution. I shouldn't say it's non-standard. Plenty of people use that resolution.

[00:20:58] Speaker C: 4 x 3. What was it?

[00:20:59] Speaker B: It was 16 x 10.

[00:21:02] Speaker C: Oh, 16 x 10.

[00:21:02] Speaker B: Like Microsoft Surface. It was super annoying. Annoying for us. If you create video content like we do, it needs to be 16 by 9. And so it's nice to have a laptop that's in that same resolution. And the Framework wasn't. That was the number one thing that got me to steer away from it. My favorite feature on it was that the ports along the side of the laptop were removable and you could pick and choose what you wanted. So the regular Framework laptop had four of these modules. If you wanted four USB-C, you could have it. If you wanted two USB-C, two USB-A, if you wanted four HDMI, you could do it. Like you had that flexibility to go display.

[00:21:38] Speaker C: Crazy.

[00:21:38] Speaker B: Yeah, go nuts. Why not? I don't know. The CPU could really handle that because it had a pretty crappy graphics card. But anyhow, so it was neat, right? And I've been wondering, as the years go by, when they're going to release a new version. Now, Technato is not the reporting powerhouse that you might think we are, and so companies don't send us stuff ever. So I had no idea that Framework was launching a new laptop. And all the reviews and things were under embargo that just lifted. And so a ton of reviews are dumping onto the market. And the reviews are a mix. Some people like it, some people don't. But I think it's important to acknowledge what they did right and what they did wrong. And on the positive side, they've gone bigger. So it's a 16 inch screen now, the previous one was 13, so it's a bigger screen, which means a bigger laptop. And that's allowing them to do some extra stuff. Instead of four removable modules, now it has six.
Yeah, like three on each side. It's pretty cool. Like, total flexibility. The keyboard, I think, is really neat. So when you look at the keyboard, there's these spacers on the left and right side of it that you can pick colors and be like Apple or something, but these are spacers. You can take the spacers out and slide the keyboard to the left or right and add a numerical keypad in the gap. So if you want a full size keyboard with a number key, whatever, ten key, whatever they call it, you can drop that in there. If you don't want it, you can take it out. And the keyboard is held in by magnets, so you can actually do it on the fly.

[00:23:12] Speaker C: That's cool.

[00:23:13] Speaker B: And move back and forth. Yeah. I get annoyed when my keyboard is off centered. So here, you could have it centered most of the time when you needed the ten key.

[00:23:20] Speaker C: Right?

[00:23:21] Speaker B: Yeah.

[00:23:21] Speaker C: Super annoying.

[00:23:22] Speaker B: That. And when they move the touchpad off center. I don't know why they do that. I'm looking at our laptops.

[00:23:28] Speaker C: I have one of those as well. And it's like, why is this over here? Why is it not right here?

[00:23:33] Speaker B: I don't know why they do that.

[00:23:34] Speaker C: Yeah, because they hate us. That's why.

[00:23:36] Speaker B: If you out there, screw you to the customer. If you know why they do that, let us know. Because it is weird. Sophie, your keyboard. Oh, you've got a full ten key on yours.

[00:23:47] Speaker A: I do. The trackpad is a little off to the left, which is weird because I'm not left handed. It's a little awkward to.

[00:23:52] Speaker B: The touchpad on yours is centered up with the keyboard. If you pretend the ten key wasn't there.

[00:23:58] Speaker A: I see.

[00:24:00] Speaker C: But it is there.

[00:24:02] Speaker B: Why do they not center the effing.

[00:24:06] Speaker C: The touchpad in the middle? It will drive you crazy. Because you go to.
And you're like. And then you're, like, doing this. And if you're on a web call or whatever, you're kind of off center.

[00:24:21] Speaker A: Because you're trying to center diagonal on the webcam.

[00:24:23] Speaker C: It's so dumb.

[00:24:25] Speaker B: All right, let's keep going on the positive things.

[00:24:27] Speaker C: Okay.

[00:24:27] Speaker B: I mentioned that the graphic adapter was pretty mediocre in the 13 inch and the 16 inch it is as well. But they also have where you can get a full blown. I think it's like a Radeon 6600 or something. I forget what the model is. That's a module that slides into the back, and it increases the weight and size of the laptop.

[00:24:45] Speaker C: But it gives you power, too.

[00:24:47] Speaker B: Yes. It gives you a full blown graphics adapter. Oh, it's a Radeon 7700, a whole generation higher than what I said a second ago. So that's neat. If you want it.

[00:24:56] Speaker C: Great, though, because how often do you need a powerhouse graphics card if you're sitting there doing spreadsheets, surfing the web, doing whatever, that kind of stuff? You don't need that stuff. So having the ability, like, okay, I'm going to be doing something much more graphically intense or intensive. I can now plug in my graphics card, get much more power out of it, and do what I need to do and then pull it off and I don't need it. I like that.

[00:25:19] Speaker B: The reporter over at The Verge, he did a thing where he was saying when he went to CES, he, he left the graphics card at home, just take it out, make the laptop lighter, and he goes out there and does his reporting. When he gets back home, pop the graphic card on there, do all his.

[00:25:34] Speaker C: Editing, do all the stuff he needs to do.

[00:25:35] Speaker B: Yeah. And you can't do that hot. You got to shut it down, change it out, boot it back up. But it still needs.
So I'd say that stuff they're doing right on the stuff they're doing wrong side, it's still made out of pretty cheap plastic. The Framework laptops feel cheap when you feel them.

[00:25:50] Speaker C: So do Lenovos.

[00:25:52] Speaker B: Some of them do that one right there.

[00:25:54] Speaker C: I have that same model, and it's very plasticky feeling, like cheapy feeling, and it was much less expensive. I got it internally phenomenal. 40 gigs of RAM. At the time I bought it, it was the top of the line Intel processor. A lot of great internal stuff, but the outside is kind of chintzy.

[00:26:16] Speaker B: Yeah, that is something Apple does a good job with, with the aluminum case or whatever. ASUS is a good. Yeah, yeah. The number one problem, though, and I saw this in pretty much every review that I read. I've not had a chance to get my hands.

[00:26:31] Speaker C: Causes cancer. Well, it might, but that's unfounded. I'm just making a joke.

[00:26:37] Speaker B: This is the same complaint I have with System76 laptops, and I have owned several of those.

[00:26:43] Speaker C: Do they like Harrier jump jets?

[00:26:45] Speaker B: Fan noise. Fan noise is ridiculously loud. And to me, that's a showstopper. I'm sitting here. Daniel, you've got a MacBook. I'm on an ASUS ExpertBook. Sophie, you're on a Lenovo ThinkPad. I don't hear a fan running at all.

[00:27:00] Speaker C: No.

[00:27:00] Speaker B: Right. And we've all got our browsers open. You've got Teams open. We're doing normal workloads. Now, if you're gaming right, if you're throwing up, you expect it. You expect it. But on those System76 laptops, bro, I could be looking at my desktop.

[00:27:14] Speaker C: I had one too, right? I had the Galago and that joker. You were just like, I'm going to make a note on Notepad or whatever. What is going on? Why is this thing ramping up? Ran super hot.

[00:27:28] Speaker B: I had a Galago, and I had a Lemur. I had two Lemurs, and all three of them loud fans.
The Framework 13, the fans were tolerable, which is not exactly a positive statement device, but it sounds like on the Framework 16, be ready for it. It's like somebody running a leaf blower outside your window. Not pleasant. [00:27:50] Speaker C: Man, we got to figure this out, right? We can put a man on the moon, but we can't get a laptop to stop trying to take off from the desk. [00:27:56] Speaker B: There are companies like Noctua where they specialize in making quiet fans. So I don't know why these companies don't do. I mean, what they need to do is, one, use quieter fans, and then two, have fan profiles that better measure the temperature of the processor so they can respond like, they don't have to be zero or 100%. Yeah, they could run at 10%, but they don't, and you get this crazy. [00:28:21] Speaker C: I've also got, like, a newer MacBook Air has no fans. Zero fans in it. And it will get hot, but only under certain circumstances does it usually get, like, that, warm. But for the most part, it runs fairly cool. It's all aluminum body, so the body is part of the cooling system. Yeah, I like not having fan ramp. [00:28:44] Speaker B: Yeah, I have, actually, it's running right now. A Raspberry Pi at home, where the fan was kind of noisy on it, and I started looking at the temperature on the processor, and I'm like, wait a minute. This is within tolerance. I just took the fan out, and so now it runs, like, ten degrees Celsius hotter, but it's still within its tolerance. So I'm like, what do I care? I'm not licking it. [00:29:05] Speaker C: It doesn't sit in my lap. [00:29:09] Speaker A: Well, I mean, this is something that I was actually not familiar with. Framework too much. So it sounds like a cool idea to be able to kind of customize it the way that you want it and have. The fact that it comes with a screwdriver, I think is great. Just shows that they expect you to take this thing apart and adjust it to your needs. 
But specifically for this new one, the Framework Laptop 16, I'm looking at the price, and it says pre built. It's about $2,500. [00:29:31] Speaker B: It's expensive. [00:29:32] Speaker A: It's a lot. And I'm looking down at the pros and cons, right? And towards the end, they talk about gaming, so they ran Cyberpunk 2077 on it. And the FPS was not great. And it basically said it's not bad for gaming, but you have to set your expectations accordingly. So what I'm getting at here is the price of this laptop. I would imagine it's only worth it if you're doing certain things on your laptop. If you're looking to do something like gaming, you might as well just go buy a laptop specifically designed for that, because it's going to be way better quality and maybe even a little bit cheaper. [00:30:00] Speaker C: So someone who is not a modern gamer, I don't really play modern games at all. I don't have a system. My PC isn't built up, so I can do that kind of thing. I've noticed that FPS is a very important piece of the puzzle for most modern gamers. Why is that? [00:30:17] Speaker A: Well, I mean, especially if you're playing a game that requires quick reaction time. I don't game a lot on my PC. [00:30:22] Speaker C: Give me an example. [00:30:23] Speaker A: Okay, so I don't know. Let's just say like Call of Duty. If you're playing Call of Duty and you want to be able to move fast and turn and see people and whatever got you. Most of the time when I'm playing, it's on a console. But the few games that I have played on a PC is my old PC at home, and it's not super fast, so it's annoying because it glitches a little bit or it lags. [00:30:40] Speaker C: Got you. [00:30:40] Speaker A: That's a big thing. It's like you don't want your game to lag. So I would imagine that that's probably a big part of it. And correct me if I'm wrong if you're a serious gamer, because I'm a casual enjoyer, but something like a laptop like this. 
Christian, our director, just said low frames are ugly. So there you go. [00:30:59] Speaker B: So you mentioned Cyberpunk 2077. I don't know if you guys have played it or not, but it is a visually beautiful game. It is really amazing. [00:31:06] Speaker C: Make now are insane. [00:31:08] Speaker B: When you have ray tracing turned on, the way that light is rendered, it's beautiful. So you're downtown in this futuristic city. All the buildings have crazy neon signs. There's skyscrapers everywhere, right? So as you pan your camera around, if there's a skyscraper in the background, it's got to be rendering light all the way up to the top of that skyscraper to make it show. Because in the old games, they just put fog there. Screw it. You can't see. But in the new ones, they want you to be able to see all the way through that and the rendering effort there. If it starts dedicating gpu resources to it, it starts dropping frames. [00:31:42] Speaker C: It's a jittery and glitchy. [00:31:43] Speaker B: If you get below 60 frames, you can see it with your eye and it's choppy movement, right? But when it's over 60 frames per second, you get this nice glide. Now there are people who want to be at like 200 frames per second, and I forget at what point, but there is a point where the human eye can't perceive it anymore, and I think that's dumb. So for me, I'm happy at 60 frames. I'm happy at 30 frames. To be honest with you, I grew. [00:32:07] Speaker C: Up on a 30 frame per second. I'm like, yeah, everything looks fine, let's just go. I just want to play the game. If the game is fun, then I'm happy. But if it's causing glitches where you're missing shots or whatever the case is, and I totally get that, right? [00:32:19] Speaker A: Yeah, if you're just chilling, if you're playing Animal Crossing, it doesn't matter as much. But yeah, for a game like that, or a game where, yeah, you're wanting to experience, it's a beautiful game visually. 
And if you're going to pay for the game, you want to experience it the way it's supposed to be experienced. So anyway, my point in bringing any of that up, I know this is not off topic shocker gaming, but my point in bringing that up is like, for me personally, if I was more into that kind of stuff, and I'm going to drop that kind of money on a laptop, I'm just going to go get one that's specially built for that. So I guess for a laptop of this price, who's going to be buying this? Who is it worth it for? [00:32:51] Speaker B: So in my opinion, it's still a bit of a hobbyist or somebody who just wants to support the cause kind of thing. I feel the same is true about System76. System76. This is going to sound harsh, but they don't make a good product, right? And they don't make most of their product. They're just rebranding stuff they buy from China anyway. But they've gone through the effort of making sure that it's compatible with Linux so that you don't have to worry about anything. You install Ubuntu on there, or their Pop!_OS and all the drivers work, everything works out of the box and so on. That's what they do. And so people buy those devices because they want to support that. They want to encourage that kind of development. And in the future, down the road, eventually we'll get that product. That is what we all want. [00:33:38] Speaker C: Then they're planting the seeds for trees that they'll never sit under the shade. [00:33:42] Speaker B: Yes. Or probably, maybe. [00:33:46] Speaker C: Technology tends to work a little faster. So yeah, it's still possible. [00:33:50] Speaker B: So I think that a lot of what Framework is doing is the right thing. And you are seeing Dell and some of the other manufacturers starting to copy some of the things that Framework is doing. I just hope that Framework gets to benefit from it and not Dell. Right, but we'll see. [00:34:05] Speaker C: Well, Dell will just purchase Framework. That's what will happen. 
We can't compete with this. We'll just buy it. [00:34:12] Speaker A: Wow, I love these optimistic future viewpoints. Well, I know we went down a couple of rabbit trails in the first half of the show, so we'll give you some time to think about it. Leave your comments, let us know what you think. If you're watching on YouTube, if you're watching or if you're listening on Spotify or Apple Podcasts, maybe jump over to our channel, leave us a comment. And like this episode, if you're enjoying it so far, we'll give you some time to do that. We're going to take a quick break and collect ourselves, and we'll be back with some security news here on Technato. Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI Learning. With live online training, we provide our top in person courses in private online instructor led formats. You get to provide professional development in a manner that fits today's expectations, entertaining, convenient and effective, our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI Learning for more info. Welcome back. Thanks for sticking around with us through the break. And if you are enjoying this episode and you haven't already, feel free to subscribe to the channel so you never miss an episode of Technato in the future. You can check out all of the old episodes that live here on the channel, as well as lots of other cool stuff. And you might see our faces in some of these other videos, so I recommend you check them out. But I know why you're here: you're waiting for those security articles that Don gave us a little teaser on earlier. So we'll go ahead and jump right in. We won't dilly dally. 
This first one is part of one of my favorite segments. One of the better. Okay. I should do a compilation of all of them. [00:35:49] Speaker C: Kristen, that's on you, bro. You got to go back through every single episode. That has dough in it. [00:35:53] Speaker A: New YouTube short. [00:35:53] Speaker C: Just make a dough compilation. [00:35:57] Speaker A: I'm sorry. I said I wasn't going to get off. [00:35:58] Speaker B: We can auto tune it and set it to a song like Jingle Bells or something, right? [00:36:04] Speaker A: Okay. Personal project. Yeah. This article comes to us from TechRadar. Popular file transfer software has a seriously dangerous change in the mood security bug that gives anyone free administrator rights. Patch it now to avoid another MOVEit-like debacle. So it is a popular file transfer software called GoAnywhere Managed File Transfer. How popular is this? Do you guys use this? [00:36:25] Speaker B: So I don't use it. And actually, this might not be the first time you've heard about it because we reported on a GoAnywhere MFT breach. Not breach, but vulnerability, probably six or eight months ago, a while back. This is an all new one, so don't let yourself be outdone by your past cybersecurity track record. But it's like in the last six months or so, eight months, that the malicious threat actors have started targeting these applications that transfer files. Now, when you hear about transferring files, I think of SFTP, rsync, FTP, SCP. [00:37:04] Speaker C: Right? [00:37:04] Speaker B: We have all these different protocols for moving files, but those require, like, you know, you got to set up a server, you got to create user accounts, you got to get certificates and all that. [00:37:16] Speaker C: It's effort, but effort bad, Don. [00:37:19] Speaker B: If you're an enterprise or a government, like, say, the US government, you don't want to exert that effort. 
Instead, you want to exert dollars and pay for enterprise grade file transfer services. And that's where MOVEit comes in. That's where GoAnywhere MFT comes in. It's not targeted at regular people like you and me for transferring files. It's targeted towards large businesses that need to securely move data from one location to another. And there's countless examples where that's a thing that's necessary. Well, unfortunately, just because their software is enterprise grade, which, by the way, doesn't mean anything, it doesn't ensure that they have proper security protections in place. [00:38:00] Speaker C: Enterprise grade just means enterprises use this. [00:38:03] Speaker B: Yeah, I would say it's like the word tactical. Have you noticed? Now, if you go on Amazon or whatever. You can buy a sweater and a sweater is $15 or a tactical sweater and it's $50 and it's the same sweater, but the one's tactical. [00:38:16] Speaker C: It's got like a little like Punisher skull on it. [00:38:19] Speaker B: Yeah, there's a whole store, the 5.11 store, where it's the same old crap you can buy anywhere else but twice the price because it's tactical. [00:38:27] Speaker C: Listen, all the operators use those. [00:38:30] Speaker B: So many operators. So that's how this enterprise grade software is. It's just regular software. It's stuff that, like Dropbox and so on. Nothing special about it, but it really should be. It should have a higher investment in the technology to make sure that it is more secure than the other things that are out there. And this is a pretty bad one. Right. So there's an all new CVE, it's a 9.8 severity score on it and that's just based on the software vulnerability. But when you couple that with the types of data that are being transferred by this. Right. If you go to their website, what they advertise is, are you a hospital and you need to transfer medical records and make sure you meet HIPAA compliance. GoAnywhere MFT is for you. Right. 
That's the type of data we're talking about here. This is highly sensitive data, so it's a 9.8 on the severity. But when you couple it with the type of data it's transferring, this is really significant. I know that doesn't factor into the CVSS score, but I think maybe it ends up being subjective. Launch codes. [00:39:35] Speaker C: Wouldn't we think that's more severe than whether or not it's your credit card? [00:39:38] Speaker B: Yeah. Well, who knows? Maybe they do use this for nuclear launch codes. We don't know. This one's bad. And an attacker who gains access to the system is able to create new users. And not just regular users, admin users. That means they blow the lid open once they gain access. [00:39:54] Speaker C: Well, what's the problem there? Don't cook up a couple of new admins, help them out. Right. You're in there while you're in there, clean some things up. No, it's actually a really interesting way that. So it was Horizon3.ai which discovered the vulnerability and they actually released a proof of concept code out on GitHub. So it's just a Python script. It's fairly straightforward. You have an endpoints for the system. So it's all web based UI. Right. So you go into a web, you log in, you can access certain things. There's clickable links and it takes you to administrative areas, or if you're just a standard user, you get access to those areas they discovered that they could access. So, you know, when you install software, a lot of times, especially if you're standing up something like a web based service, a lot of times they don't give you default creds, which is good, right? Because default creds are, they tend to stick around. So instead of doing that, what do we do? We make you create a new user. Once you first instantiate the system, you say, hey, cool, system's up and running. We need an admin user. What do you want to name it? What do you want the password to be? And you go through that. 
And once you get past that, now you have an admin user, it's completely custom to you and your environment. Nobody else is out there. So that you're not going to go to some website and find, here's the default creds for GoAnywhere, right. Cool. What they found was they were able to access, if they were trying to create a new user, they wanted to run that new setup again so they could create that user. They found that they could access that area using a specifically crafted directory traversal attack. So they could access that certain thing and then cut that off. Say, don't go all the way. And look at the actual XML file that lets you know we have an admin user already created. Go before that. Stop there. Well, I don't see the file, and since I don't see the file to read, you must be starting this for the first time. You need to create a new user. And they go, yes, we do. And they would create their new admin user and now they're able to log in. Now the file is still good, it's still there. But now they have their own administrative user and they're able to do anything they want. So really a simple mechanism for attack. It just took some digging to find and getting creative with the attack mechanism for getting to what they needed it to do. But once they figure out the magic incantation, it was like cool. New users and their administrators. I like this game. It's fun. We need to contact GoAnywhere. Let's let them know that there's a problem. And then once that was, I think they do have a patch for this though. [00:42:30] Speaker B: Yeah, and just a clarification, not for what we just said, everything's fine. But when we reported on this like eight months ago or whatever, I wasn't familiar with GoAnywhere at the time and I thought that it was part of the various GoTo solutions that were out there. Like GoToMeeting and all those not related completely separate. The GoTo products are all owned by Cisco. This GoAnywhere? [00:42:57] Speaker C: Fortra. 
[00:42:58] Speaker B: Fortra. [00:42:58] Speaker C: Fortra. [00:42:59] Speaker B: Unfortunate name. We're a fortress. But we got this extra door over here. We don't watch that one. Yeah, put Smitty on that. [00:43:11] Speaker A: Well, I know you had mentioned that there was another vulnerability in GoAnywhere I think last year. And I looked and it looks like it was a lower severity. So it was like seven point something. And this one's obviously 9.8. [00:43:22] Speaker B: So they've gotten better. Wait, that's how it works. [00:43:26] Speaker A: The vulnerabilities have gotten more severe. [00:43:29] Speaker C: You know what the IOC for this is? You look at the admins group and see if there's new admins. That's bad. I don't recognize that admin. [00:43:40] Speaker A: There's no evidence of the vulnerability being exploited in the wild yet, but because, I mean, there's a patch, so might as well. [00:43:45] Speaker B: Patch might as well. [00:43:47] Speaker A: Why take the chance? You don't want to take that risk? And I was poking around at The Hacker News, had an article on this as well. So if you want more information on the specifics, they have more stuff on like the numbers and stuff, you can check that article out as well. But we'll go ahead and move on. We have another segment. It's another one of my favorites. This one is who got pwned? Looks like you're about to get. And I don't have a voice for this one. It's not like go where I can't do that voice. I don't think. I can't really do that. So we'll jump into this next article. Comes to us from ITPro. Different, not. Don't get it twisted. Midnight Blizzard claims another big tech scalp with HPE hack just days after Microsoft breach. And more victims could be coming. Yeah, I was going to say they always got to put a little thing on there to scare you a little bit. Is this as scary as it know it's bad. [00:44:41] Speaker B: Midnight Blizzard is making the rounds right now. 
They are compromising systems, getting into some of these organizations, and surprisingly they're able to hang about in a couple of cases for an entire month before they're being caught, which means this is a very effective threat campaign and it is something we need to be concerned with. HP kind of split in half. So you had the regular HP, which makes terrible printers and terrible laptops, and then you have HPE, which is HPE Enterprise, which makes networking gear, firewalls and so on. So whenever you hear about a company that's making enterprise hardware that has a compromise like this, it goes back to what I was saying in the last article, is the value of the data that's compromised is much, much higher. But this seems to be another state sponsored attack. They got into the system and what they're alluding to, and we haven't seen this yet, but could this be setting the stage for another supply chain style attack where imagine if you get a HPE switch to install on your network and the switch's firmware is already compromised right before you even plug a power cable into it, like it's coming from the factory compromised, and you bring that up in a secure air gap network or whatever. That's the risk that we have with something like this. [00:46:06] Speaker C: What was interesting about this article on how we see Midnight Blizzard, also known as APT29, also known as Cozy Bear, also known as continue, continue, is that they're targeting these big tech companies, these tech giants, Microsoft. Here we are, HPE, they are a state sponsored group. I don't see like what's the end game, right? You talk about supply chain attack. I think that's probably right on target, supply chain attack. But what are they really after? What are they trying to get at? And a lot of these companies are utilized by the government, right? Microsoft obviously is going to be used because they're used by everybody. 
But if you're enterprise hardware that could be inside of government, they keep talking about the companies being attacked and not necessarily what could the end game be? Now I know that would be all speculative, but at least starting to have that conversation, I just don't see that in these articles. It's just more focused on the fact that big tech was breached and it was through this APT. They are a state sponsored group. They are an enemy of this country. If you're in America, United States, that is, then that is their main enemy. I wonder if Russian news, like did their tech news go, American threat, know Diamond Sun or whatever has attacked us yet again. Obviously we're doing the same thing. [00:47:33] Speaker B: Yeah, I wonder. Let me. [00:47:34] Speaker C: I just never hear about it. [00:47:35] Speaker B: I'll have to look up. I know some of their sites that definitely are what we would label as propaganda, but they would label as just news or do they just hide that? Now I will say on the supply chain side, supply chain hardware attacks, I only know of one effective campaign. [00:47:53] Speaker C: That was the NSA and it was. [00:47:55] Speaker B: Us that did it. [00:47:56] Speaker C: Yeah. [00:47:56] Speaker B: Where the NSA was intercepting Cisco gear as it was leaving the country and adding, that was us. [00:48:04] Speaker C: Like I said, I know we're doing stuff. I never hear about that. [00:48:07] Speaker B: Do you remember a couple of years back, Supermicro? There was an article that was released that said, Supermicro is bringing in, and if you're not familiar with Supermicro, they make low cost server motherboards and things. I love them. I use their stuff for all sorts of things. [00:48:21] Speaker C: Vaguely remember this. [00:48:22] Speaker B: They were saying that the boards were coming from China already with back to. There was hardware that was on the motherboard that wasn't in any of the documentation. And they're like, what's up with this? 
Well, it was a big news thing. It made a big splash. It went around the circle, and then a lot of people, myself included, we started looking at it and saying, how does this make any sense? Because it was tapped into, like, a network adapter. And I'm like, if it's tapped into a network adapter, you'd see traffic on the network, but they weren't seeing anything. How is it getting data? It just didn't make a lot of sense. And over the next week or two, a lot of people called it into question, and then the whole news story just disappeared. It disappeared. Like, nobody ever apologized to Supermicro. Supermicro never sued anybody for libel or slander. It just disappeared. It was super weird. Yeah, that is super weird. It should be a tinfoil hat segment now, but it just went away. And so with some of these, I kind of wonder, would HPE have even told us about this breach in the past if it wasn't for that SEC rule that says you've got to disclose it? I don't know. And then what were they able to do once they were in the system? We might not ever find that out. [00:49:37] Speaker C: Yeah, crazy. [00:49:38] Speaker A: I got down a rabbit hole because you guys started talking about American hacker groups, and I was like, I wonder. I cannot find anything on American state sponsored hacker groups. Things like Midnight Blizzard and stuff, which, of course, if you can't find it online, that means it doesn't exist. So I'll just leave that where it lies. [00:49:54] Speaker C: Pictures didn't happen, right? [00:49:55] Speaker A: Yeah, right, exactly. [00:49:57] Speaker C: Pictures of the NSA people putting chips on the Cisco boards. [00:50:00] Speaker A: Yeah, but that was a long time ago. There's no way that that's still going on. Yeah, no way that bad things are still happening. [00:50:06] Speaker B: There's no way something we've done in the past, we would ever do that again in the future. 
[00:50:09] Speaker C: Now the question becomes, is Russia and China and all the others are they know because they got a little more control over their media than what goes on here? Are they just shoveling that, sweeping it under the rug? Or are we just so good at hiding it that they're not detecting it? [00:50:29] Speaker B: I can't imagine. I can't imagine that being maybe we do have, Space Force has a whole cybersecurity division. We certainly have our own state sponsored stuff. [00:50:39] Speaker C: I have heard that when it comes to hacking we are definitely tip of the spear. We have advanced groups that don't get talked about and you're not catching them. That we have the most advanced out there. And the reason that we keep hearing about people like Fancy Bear, obviously, or Cozy Bear, I think they are Fancy Bear as well. Obviously they're very good at what they do, but they're not good enough to not. [00:51:05] Speaker B: But they're pretty damn good. They're pretty good because we can't even say for certain that it was Midnight Buzzard or whatever. Midnight Blizzard is APT29 and we can say they're state sponsored. We can't say for certain what state it is. And so I would say it's still effective. [00:51:22] Speaker C: No, I'm not saying they're not absolutely good at their jobs. [00:51:25] Speaker A: I think if Midnight Blizzard was an American state sponsored group, we'd already have a Dairy Queen treat named after it. So we can. It's just a dark chocolate Blizzard. [00:51:33] Speaker C: They're double agents. Right. [00:51:36] Speaker B: I do know that hardware supply chain attacks are hard to pull off. Software is far easier. Just look at the SolarWinds breach, right. And imagine if you were a Russian citizen in the Russian government and you had a machine running Microsoft Windows, right? Millions of lines of code. That's all compiled. You can't see it, you can't review it, you don't know what's in there. 
How could you possibly trust software like that? Even if we were friends, which we sort of were at one point, but aren't and I haven't been in a while, but even if you're friends with another country, like if we get software from the UK, how can you trust something like that when you can't? [00:52:16] Speaker C: Isn't it kind of like a wink and a nod and a nudge that we're friends but we're still looking at you? [00:52:24] Speaker B: Yeah. [00:52:24] Speaker C: And then they have the whole, like, what was it, Five Eyes? [00:52:26] Speaker B: I was going to say Five Eyes. [00:52:28] Speaker C: Hey, I know you can't spy on your people because that's illegal. But nothing says we can't. And then me to just go, hey, did you drop this? Is this information yours? I found it. And then they go, well, let me look at it and say, oh, my word, this is all about our own people. We'll review it and make sure. [00:52:44] Speaker B: And we don't usually do the privacy stuff here on the show. And there was an article I passed on. There's a whole new story about how some of our agencies here in the US, they're not able to get subpoenas to gather data on US citizens, so instead they're just going and buying it from private companies to gather the data. Which is the same thing. Which is the same thing. Yeah. So there's some unfortunate stuff going on there. [00:53:08] Speaker A: I want a one man stage play put on by Daniel of that whole, like, well, you can't spy on your people. But nothing says I can. And I want it to just be Dan. I want it written and directed and produced by Will. I will pay money to see that. That can be a new segment on Technato. Yeah, well, it's probably not the. I'm sure it's not the first time we've talked about Midnight Blizzard and probably not the last. And speaking of news that just keeps coming up, this next segment is called Deja News. [00:53:32] Speaker B: Deja News. [00:53:38] Speaker A: This is a fun one. It's got a little nice little song. 
[00:53:41] Speaker C: I'm looking at the comment section, and one of the users who I was telling you that comment earlier, the username was Frodo Douchebaggins. [00:53:55] Speaker A: Well, if that's not a good lead in, I don't know what is. Ars Technica comment section. This article says in a major gaffe, hacked Microsoft test account was assigned admin privileges. All kinds of admin troubles this week. Now, before we get the Frodo Douchebaggins comment, let's talk about the meat of the article. [00:54:14] Speaker B: That is the article, just a vehicle. [00:54:18] Speaker A: For us to talk about trolling from the Shire. So what's going on here? Before we get out to all that? [00:54:26] Speaker B: All right, so this is probably one of the fastest Deja News turnarounds we've had because we just reported on this last week that Microsoft had a breach. And it was pretty embarrassing for them because the attackers were able to gain access to a test system. And once they were in that test system, they were able to use it to create accounts with administrative credentials in the not test system and start to spread throughout the network. And Microsoft was able to stop it and clean up the mess. But talk about embarrassing. And at the time, we didn't have a ton of details to go on. In fact, when we covered the story originally, it was me saying, look, here's what these SEC disclosures are going to result in. We're going to learn more about when these breaches happen. [00:55:07] Speaker C: Microsoft does not like that. [00:55:08] Speaker B: No, they don't, but they're doing it. [00:55:10] Speaker C: Because they have to. [00:55:11] Speaker B: So this is a case of, and you guys know me probably better than the listeners, but I'm not a fan of government regulation and government overreach. But in this case, it certainly seems to be working in a very positive manner. And so this week we've gotten more details from Microsoft on what happened. 
And it does not paint a picture of confidence in Microsoft managing their internal security because what happened was the way they were able to pull this attack off is that the attackers got into the test server and the test server had the ability to sign testing applications, but it was also just able to sign applications in general to be able to execute inside of the network, not just test applications. And so they created an application that was able to be signed using an OAuth credential to make it an administrative account. And from there they were able to make that leap and go crazy. And that's a mistake that was made by a person. Right. Some human said, here's a test server. It needs app signing credentials. I'm going to give it app signing credentials with a way bigger scope than it should have. In fact, an unlimited scope as opposed to limiting it to only applications that would run in the test environment. And that's a big mistake. And that's the kind of thing that Microsoft will blame us for as users, where they'll say, oh, you got hacked. We gave you the tools to protect yourself. You just didn't use them. Well, turns out Microsoft didn't use them either. [00:56:42] Speaker C: Yeah. This necessarily was not a hack per se or a vulnerability. It was a vulnerability, but not like traditionally where there was some issue with the software and they were able to exploit that. This was just like, hey, you got some weak creds. That is a vulnerability. We got to log in and now, oh, I see what's going on here. You've got this nice little application and it has full reign over your entire system. I wonder if we could use that. That would be fun. And it was for them, not for us so much, or Microsoft in that case. So really interesting. And I do like how it kind of comes off the way that Microsoft quotes. Can I quote Microsoft a little bit here? [00:57:23] Speaker B: Sure. 
[00:57:24] Speaker C: Says threat actors like Midnight Blizzard compromise user accounts to create, modify and grant high permissions to OAuth applications that they can misuse to hide malicious activity. Right. The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft Corp environment the actor created. And what do they say? They basically say this wasn't, we didn't do anything. Our software is still good. Our software is amazing. Nothing's wrong with the software. Just some yahoo over here put too many permissions on the thing. I mean, how is this my fault?
[00:58:12] Speaker B: Anybody can do it, right?
[00:58:13] Speaker C: You can still trust Microsoft in their software, which technically is true, but to be able to continue to frame and push the idea that there's nothing to see here, it was just a misstep by an administrator and now he's been taken care of. Don't worry about that guy, right? He's got a banker's box under his arm.
[00:58:36] Speaker B: Yeah, I do wonder about that. And they'll never disclose information on an individual employee. We do have employee protections in the United States where they're not allowed to do that. But I do think that it's frustrating that there's times where these vendors, these software vendors will tell you like we've given you all the tools to protect yourself, but they're not enabled by default or you need to configure them and you really need to understand that configuration. It's not a matter of I'm going to stumble through and hit these radio buttons and see what happens. As an IT guy, I get it. I hate reading manuals and if I can launch some new software and stumble my way through it, I'll try it.
[00:59:11] Speaker C: Have you read that app? It's horrible.
[00:59:13] Speaker B: But if it's going to be in production then you need to really spend some time on it. But in here, this is a case of being able to jump from test to production. So shortcuts in test become a risky thing, especially for a large target of value like Microsoft.
[00:59:31] Speaker C: It's so interesting and I understand the impetus, the desire to like we just need to make sure all this stuff is going to work. Well, what's the easy button on making that work? We'll just give it the admin creds and now it won't be a permissions issue if something breaks. We just want to see if the software is working in all its intended areas. So they give it some admin creds so they never bump up to a permissions because invariably, if you just give it some standard user permissions, it's going to fail due to being under permissioned for whatever. And you got to kind of run that down. And I'm sure some developer at Microsoft or developers or group or whatever the case is has somebody breathing over their necks going, when is that going to be done? When is that going to be done? We need to ship that. It's got to go. We got a deadline. And they have no idea what it takes to make that actually happen. They just came down and said, here's your deadline.
[01:00:23] Speaker B: Yeah.
[01:00:24] Speaker C: You didn't consult me on whether or not that's a good deadline. I don't care. I told the board this is the deadline. So now you got to eat it, make it happen. That's what goes down.
[01:00:33] Speaker B: Are you intentionally quoting me?
[01:00:38] Speaker C: All right, that was too funny.
[01:00:40] Speaker B: What's our takeaway here? Yeah, I say these things. What's our takeaway here? Our takeaway is unless your test environment is truly isolated, you've got to secure it the same as your production environment.
And in today's world of cloud based and connected software, where your test environment likely needs Internet access, you just can't isolate it like you used to. And so you need to spend time securing your test networks.
[01:01:06] Speaker C: Amen, brother.
[01:01:07] Speaker A: Yeah, real quick, before we move on from this article, Frodo Douchebaggins. Yeah, Frodo. Well, sure, him. But I kept going. It was somebody named Crying Croc, which isn't quite as fun, but E for effort, had raised the point that when I first saw this, I thought that, okay, why would you give a test account admin privileges like that? And like you had been talking about, I'm sure there's reasons for it, but this person raised the question, maybe this is something they do routinely. They assign admin stuff to grunts at the bottom of the pay scale. Their words, not mine, routinely. And so it wasn't like, oh, we needed to give it admin privileges, like for the reason you said. It's just, well, of course we did, because everybody has those privileges. Do you think that's likely or like a worthy theory, I guess, of something that they could be doing?
[01:01:51] Speaker B: So maybe back, I'll use the bank that I worked at years ago where we had developers, and the developers were all given test environments and they had full blown admin credentials in their test environments, but their test environments ran, they would each get like a cluster of four virtual machines that ran from a centralized VMware vSphere environment. And so they had admin credentials within that little realm that they were given the test world and every night it would get blown away and rebuilt. So every morning they came into a fresh and clean test build that they would then run with. So even the lowest, we hired a brand new developer right out of college and stuck them in there the next day. They had a small environment, they had admin creds to it.
[01:02:34] Speaker C: But Microsoft said, here is our actual production environment credentials to you. Developers use that and that's what they used instead of something much more controlled, right. Much more secure because it didn't have as much access. And I think I get it. Like, you got deadlines, you got everything that that's going down. But the benefit to struggling through running up against, oh, that didn't work. We did not think about that. And now, because we butted up against it and everything broke, we now have to rethink that, make sure that those avenues work and everything is doing as what we expect it to do. And now that we jump that hurdle, let's hit the next one and go, okay, now I fixed that, but now this is broken, okay, because it's hard to think your way through all the possible little edge cases and scenarios that can happen. Anybody, that's. And if you think, oh, you just got to be diligent, go out and build a small application, something tiny that does something simple, you will find out real quick that your assumptions on what you can do and how it gets done are going to get broken real quick.
[01:03:49] Speaker A: Easier said than done, really?
[01:03:51] Speaker C: Very much so. And having to fight around that and go, well, it doesn't work that way. I didn't know it didn't work that way. I thought it was going to be something simple like this. Well, it's simple in your mind because a human brain can do it easily, but the computer has to be told you have to do it this way and in that way. And if that doesn't work, then this, and if that doesn't work, then this. And you got to think of every little possibility and make account for it. That gets really difficult to do, and that's why security vulnerabilities work. So a lot of times they just go, well, let's just hit the easy button and make sure everything works. And I don't want permissions to be the thing that stops me because permissions is usually the thing that stops you.
[01:04:26] Speaker A: Yeah, you're telling me. Sometimes people are smarter than computers in.
[01:04:30] Speaker C: The way our brains work. Yeah, crazy. We take for granted things like time. It's really easy for us to go, oh, that's in a month. And we all go, oh, yeah, we understand what a month is. And we also understand, well, if you mean next month or this month, which is, are we in February or is today the last day of January? So, yeah, we're in February. February has got 28 days instead of 39 this year, but 29 this year. Your brain does that like that. A computer goes, what's a year? What's a month? Define a month for me. Explain to me the idea and concept of time. I have a time library, but how does that work within the context of what you're building? And things get weird and you have to figure it out. So that's what happens.
[01:05:17] Speaker A: Wow, I love hearing you guys break stuff. It's so fun. I feel like I'm watching one of those baby sensory videos, and I'm just like, yeah, what's the next thing? So it's always so entertaining for me. And I know you mentioned that we had obviously talked about this story a little bit last week, hence Deja news. So if you missed last week's episode and you want to know what the heck we talked about, feel free to go back and watch that. It lives here on the channel as well as anywhere that you can listen to podcasts. And if you haven't already, feel free to subscribe. So you never miss an episode like that in the future. I have a frog in my throat and I'm sure you can hear it. And if you enjoyed this episode, we would love it. If you would leave a comment, let us know what you liked, what you want to see in the future. You can also check out other videos on this channel. We've got ACI Learning live webinars and live on social events. We actually have one this week. The day this episode is released, it's going to be another All Things Cyber show with myself and Daniel and Mr. Zach Hill, who now works for Black Hills Information Security, which is super exciting. Are you excited, Daniel?
[01:06:11] Speaker C: I'm excited because we love the Black Hills.
[01:06:13] Speaker A: We do. We love the Black Hills.
[01:06:14] Speaker B: Both the actual Black Hills and Black Hills Infosec. Right?
[01:06:17] Speaker A: The people, the organization, the location. It's all great.
[01:06:20] Speaker C: It is phenomenal.
[01:06:21] Speaker A: And Zach's been on the show with us before, so it'll be nice to have him back and catch up with him a little bit and bring your questions, because those two really have a wealth of knowledge and I have a.
[01:06:29] Speaker C: Wealth of questions, subpar jokes.
[01:06:32] Speaker A: You won't want to miss it. And then I believe we have an IT webinar next week as well. So there's just so much going on. Know you really don't want to miss it. And of course, want to thank our sponsor once again, ACI Learning, the people behind ITPro. If you are watching from the or listening from the Technato website, you can click on that orange sponsored by button and that will take you to the ITPro website. Like I said before, that's what we do in our day job. If you want to see more of Don, Dan and myself, check out those episodes. Check out those courses. We do have a lot of fun, and I'm not just saying that to be nice, it is genuinely super fun and you learn a lot. If I'm learning things, I know you can learn some things. So drop a comment, let us know what you thought about this episode. Let us know if you're going to go check out ITPro's courses, what you think about those. And I think that's pretty much it from me. I got to get this frog out of my throat. So anything from you guys?
[01:07:14] Speaker C: Ribbit, ribbit.
[01:07:16] Speaker A: Wow. Croak, I feel like, is a more accurate noise. No lizards this week in the studio, just frogs.
[01:07:22] Speaker C: The turtle in here.
[01:07:23] Speaker A: Next time it's just me being slow on the uptake. That's all that is. Well, thank you so much, guys, for walking us through this week's security and IT news. And thank you for joining us. And we will see you next week for more Technato. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.
