SE

Security Now (Audio)

TWiT

Canadian Spy Service Malware Disruption

From SN 1084: The Residential Proxy Threat - Malicious Proxies in Your Living RoomJun 24, 2026

Excerpt from Security Now (Audio)

SN 1084: The Residential Proxy Threat - Malicious Proxies in Your Living RoomJun 24, 2026 — starts at 0:00

It's time for security. Nowast, Steve Gibson is here Lots to talk about Some more vulnerabilities in Firefox, Steve has a theory about Microsoft's AI. F five has some emergency updates and We'll talk about malicious guysuys in your own network Micious proxy networks. That's all coming up next on security now Podcasts you love from people you trust This is Twit This is Security Now with Steve Gibson, episode one thousand eighty four, recorded Tuesday, june twenty third, twenty twenty six the residential proxy threat It's time for security now. Yeahay, you've been waiting all week Tuesdayays here and so is Steve Gibson, the man of the day of the hour of the minute of the second. It is Time to talk about privacy, security, computers and all of that. I've lost my fingerprints, apparently That's not good or is it. My iPads, I still have some iPads that are finger rather than is still that way and I prefer that, especially. Yeah I like it a lot. because I got one. I kept waiting to like see if Apple was gonna to rev it and it's like, okay, I can't because the one I had, if you took it off of the plg It was on life support and it would just well, actually what happened was the some of the software that I want to use light clauds IOS app and the dumb the dumb thing for my thermostats, they don't run on the IOS that's so old, which is theate the last one that that mini that that pad will operate on. So it's like, o, I was kind of forced forward Anyway. So because I've been I've been terminating Cat five cables and you know untwisting twisted pairs and straightening them out and pushing them through the Cat five connector I've kind of wor worn off my fingerprints in the last couple weeks. So Anyway, that's's what's going on We're going to talk about the surprisingly sererious and growing threat from residential proxies Uh We've we've been touching on this recently because it's kind of been in the news Well, There's essentially a recent explosion in the use of proxy networks because Bad guys need to arrange to appear somewhere else. There's there's a a been on We've heard me talking about like, why would you Russians coming, you know People in Russian IP space have any idea that you have an SSH server? Sure. you got it's protected with certificates and a really crazy password and multif factor authentication Why should your SSH server even accept a connection from Russia? What are you planning to visit there So The point is that there's an increasing awareness of the value of geo locking IP filtration, which means that the bad guys have to work around that. How do they do that? They bounce their traffic off of unwitting people in the country that they want to target Anyway U lots going on there. we're going to talk about. There's it was interesting to me this This awareness of the Gowing concern AI's impact on cyber attacks is hitting the mainstream press. The Wall Street Journal had an article that I want to share parts of and interject some thoughts into A Also It looks like maybe Mythos missed some important vulnerabilities in firefox, which is interesting because . alsoso Every recent Catch Tuesday has had an attack by the Microsoft's nemesis Mare Eclipse And that happened again So we'll take a look at that. He is really a thorn in the side Oh my God. it's like what why doesn't someone to Microsoft just say, okay, what do you want? We're sorry. Would you like a public apology? Would you like a Winnebago? Yeah, what can we do for you solve this problem because I mean, it's got to be expensive for them. They, you know, they're rattling their sabers and threatening and that that threat really did rub me the wrong way as well as most of the rest of the security industry because They're threatening someone over revealing something in software they have shipped containing about a bug that they put into the software. It's like, how is that this guy's fault for like not you know, yes, he's he's not going by the unwritten rules, but they're unwritten And, you know, we just sort of made them up to help you, Microsoft, not for you to like, you know sue people over them I mean, I'm sure that if you you had dissected their license agreement in the fine print, it would say something like, you know, you agree by using by by ever letting the software touch your computer that blah blah, blah blah So you know there's probably a technical basis for it, but that's not the way to solve the problem. Anyway We've got a really interesting massive store of Known to be valid Forta Gate VPN credentials found, you know, Fordonette is a is a leading supplier of of Border gateway devices. Ford to Gate is their VPN server. And someone's been getting into them and hoarding the credentials. We'll take a look at that Also F five, which purchased the company that was that was creating and publishing the EngineX web server they just push some emergency updates, which are important I've decided to introduce What I will call the AI Potry section of the podcast, much as we've had, you know listener feedback and so forth, which of course, we'll always have. because I wanted a place to talk about just random AI stuff that was of interest. In this case, it's a listener of ours and I may have referred to him in like last week or the week before because it was interesting He arranged to Will is his first name. will'll get to him ly altering his AI's personality instructing it to basically act like aggent Smith from the Matrix. I do remember that I talked about it last week. I have in detail. What he told his AI And then I asked him for some sample prompts. so that I could see so that we could all see how the AI replied retty fun, so I'm gonna share that. And I have a feeling that a lot of our listeners are going to take this up. Then we're going, as I said, take a close look at the explosion in malicious proxy networks And then just in the news as I was finishing this, a judge in Canada Kade somethingomething that I didn't think we would see. So Lots to talk about and of course We have a picture of the week which will be fun. We've wandered far afield from anything having to do with security like, you know, okay, the gate in the middle of the field that was or and the sheep standing behind it patiently waiting for for it to open I guess we'd already sort of lost the thread there, but this one's fun for anyone who's married, U will understand this I have a question for you before we get to the picture of the weeknd, our first sponsor of the week. and I just wanted to run something by you The economist is reporting that in testimony to the Senate The head of the NSA told Senator Mark Warner that one of the reasons Mythos and Fable were banned by the Trump administration is that it had breached almost all of the NSA's classified systems Within a few hours during a red team test Now, I have no reason to think that Joshua Rudd, the head of the NSA and the U. S. Cyber commommand was lying to Mark Warner or that Mark Warner misrepresented it. Um, re accccording to the economists told Warner that had This tool broke into almost all of our classified systems, not in weeks but in hours except that That tells me the NSA's classified systems are buggy as hell Yeah, I'm like disturbed that That's not to me, it's not disturbing that Mythos did that Mythos is capable of that. It's disturbing that they had such buggy classified systems. And what we know is that We haven't actually yet seen evidence of super human performance from any of the AI No, in fact, that's what everybody's saying It's just endurance. If you got really good hackers told them we you we got a million dollars here for you you know, you know, sufficiently motivate them. they can do what the AI could do. It's not like the AI can do stuff no one has ever seen before So that's Really interesting. Yeah. It would certainly explain the ban Um But as and we had Alex Stamos last week on intelligent machines, except that they're not that far ahead of every. That's what Stamos has been saying. and Stamos, by the way, that letter it's freefable. org That open letter to the White House had signatories, hundred signatories, including Paul Vixie, one of the founders of the Internet Yeah Uh, I mean, just like good cryptography real who's who? It was a whosu And one of the contentious was it's not doing anything that other models can't do Right? In fact, openpen AI apparently has its next generation of A Chat GBT ready to go five six that has They call it ChatyB Cyber It does many of the same things So and I have a sense that although Microsoft is not talking about that code nameame M dash. which I wish they would just rename. From what we know of it I think it beats all of this I found a lot of those vulnerabilities from the giant patch Tuesday last week, right. I think what Microsoft has is already in another in the next generation class talked about letting other people you know, experiment with it and looose. So so the point is, I mean, there is so much money and so much focus and so much promise that you I don't think I've ever seen the human race more motivated. about something. I really except maybe solving COVID like a like we need to, you know, cure COVID quickly, get a vaccine. You know, there was mobilization Here it's like, wow. It's going to be an interesting year, isn't it, Steve? Oh boy. Aren't you glad you're watching security now? And if you're not a subscriber to the show yet, you really ought to be It's free. J subscribeing your favorite podcast client. And if you want to support us, of course, join the club Twit that TV slash club Twit or you can pay for individual episodes An Apple's podcast app. I think Spotify also has that built in. Of course, you subscribe to the whole network and support everything we do. But I think more important, more and more important the stuff we're doing here, not only in security now, but in intelligent machines and on the Twit a flagship show This is going to be a very interesting twenty twenty six and Beyond. We will get to the picture of the week thing every you said every husband Well under still relate to in just a moment. And actually and actually the wives as well It's about being married, essentially. It's about being married. Oh boy, I can't wait. I haven't looked at it I've been saving it that's coming up. But first a word from our sponsor, Dopel. And this is Very timely, let me tell you You know that voicemail message you got That urgent message Maybe it is from your CEO Sounds exactly like your CEO, but maybe it's a deep fake trying to target your business and that's the problem. AI can impersonate trusted individuals And I've played for you in the past. I could play it for you again The very scary. this was an eye opener for me Oh Audio is that quickly generated. It was generated almost instantly With four minutes of audio of My Voice by our own Anthony Nielsen Us he didn't even use like a frontier model. He used a model running on his own computer. to generate, well, I'll play I'll just play a little bit of it for you. so you can hear he used a Quinn. the Chinese model an older Quinn, Quin three to do this This is definitely not Leo asking you to buy gift cards, but seriously, can you grab me one hundred Apple gift cards? That's I mean Now This is the problem You can deep fake any voice now with trivally with with local models. AI can impersonate Trusted individuals Tv. actually a Dppple does voice call simulations. It will help train your employees not to fall for this stuff They did this with voice call simulation deployments The targeted users Andopel's own Tests On average spent six minutes Cversing with a deep fake. And afterwards, when they said, Well, did you believe that that was your boss? one hundred percent one hundred percent believed the AI was human If you heard that recording of me, you would think that's me I thought it was me opel is the AI Native social enngineering Defense platform DppL strengthens human risk management by training employees to recognize deception while Dpple's digital risk protection detects and disrupts attacks across every channel Attackers are turning increasingly to AI to power more and more sophisticated strikes You need something equally sophisticated Doples using AI to fight back with automated takedowns, multich channel coverage, and AI defenses that build intelligence with every fight Apple works relentlessly to protect people, brands, and trust offers best in class integrations and partnerships to seamlessly integrate into your existing security stacks Dpppel's got the industry awards and the testimonials prove it recognizes a winner twenty twenty six G two leader users most likely to recommend and momentum leader and best support Join hundreds of companies already using DppL to protect their brand and people from social engineering attacks Dpple pacing what's next in social engineering. Learn more at dppL. com D O PP E L Obviously You need this now Thank you Dppel for supporting seecurity now. That recording every time I hear it just blows me away. It's just too dang good And The way things are going, if it was done again today, it would be even better dramatically better Well onene of the things that' changed is you can converse with it and these new models, you can interrupt them. It's so natural. The flow is so natural that it sounds like a real conversation Aazing. Laurie had a conversation with some I Service person, I mean service bots Vverbally on the phone. back and forth until they've got enough done to realize, okay I need to talk to a human It was like the future. I mean here we are. I don't know. Yeah Picture of the weekime, mrter G. I will I have not looked. I am a husband I I gave this picture the caption. toooo much paint was being returned by well intentioned husbands And it is I see a true value hardware store sign Yes This I know from actual experience. And I you do too. Tell us. We're in somewhere this is somewhere in a place called Healy. is a true value hardware store And they've got one of those signs where they use the plastic letters that they stick on in order to, you know, like, you know, happy Father's Day or, you know, yeah, yay two hundred fifty years for the US. Anyway This one says Men choosing paint Must have note from wife So I'm sure this is a joke. I'm sure they're not. I think that's probably true. But it makes the point that all of all of us All of we married? Yes It is true. You're lucky because your walls, your new walls are all painted white No, it is every husband knows Sund dance. Yeahes, White is not white. There is eggshell white There's a crew There's a white with a little gray in it. I don't know what that's called U, that's really. Let's mind Yes. I don't know if this happened to you, but whenateever the contractors and we've had many come to our door And I open it, they say, is Lisa here? Same thing, same reason. Well. and and our contractors just this morning had this experience where we had some some previous cabinets that well wanted to be mounted in the in the garage. and I said, okay Put him in the back corner And so they've started to, you know, screw into the back corner. Laurie came out and said, oh, that's all wrong I like, o God, okay. That's why they always say. we' be saying it's going to be in the corner, honey. No, no, I got stuff that has to go to the left of those. so they have to come out about a foot. And the workers kind of look at me and and they look at her and I go, she's a boss. So yes. Lisason I had this debate because they call me Elhee And I say, well, And they call you La Patrona. does I said, doesn't El Hafe outrank La Patrona? she says No, La Patrona is the highest rank That's the four star general of the job. All right, what are we talking about today on Okay. so I've been seeing more and more of the non technical popular press beginning to rouse to the idea that AI is not just about chatting with an agreeable buddy that is it is also enabling A new darker side And this has, of course been something we've already spent significant time looking at, but I wanted to share a sample of what the non security focused press is saying. One week ago, the publication the Atlantic Um, oh, I I missed remembered that. I thought it was the Wall Street Journal, but anyway, the Atlantic Uh They ripped the bandaid off this with their headline Assume you will be hacked. U which was then followed Yeahah, it's terrible followed by the. Yeah. it's like hey everybody just give up Just step away from your phone or your computer They followed with the tes AI is enabling a deluge of cyber attacks, the likes of which we've never seen before Apparently the NSA would agree with them in that position. Yeah. So the yeah. The author of this wrote Late last month Oh, and he's writing in the first person. He said late last month, I began to consider withdrawing some money from my savings account to buy gold, whoa He says, it's the first time I've ever thought about panic buying all the firewalls and two vector authentication codes, the safety of the internet is starting to falter Hackers are gaining the upper hand over organizations around the world Hospitals, energy grids, government agencies, and yes As AI tools have become extremely good at writing code, they've also become extremely good at pulling off cyber attacks. He says malware, after all is still software The reason has been a change in the scale, speed and sophistication of hacks that's difficult to overstate Among its tens of thousands of clients, the cybersecurity firm, Palo Alto Networks identified a fourfold increase. Daily attacks twenty twenty four to twenty twenty five Hackers are developing AI enhanced computer viruses that adapt on the fly to avoid detection. automating cyber espionage campaigns on foreign governments stealing data in minutes instead of hours And Leo, none other than Alex Stamos, he writes, a former chief security officer of Yahoo and Facebook told me, quote, There's a crazy amount of offensive activity happening right now Companies are getting hacked every single day He knows that. Yeah. Yeah pause to note that, you know, everybody knows my position on this, right My feeling is these are the chickens that are finally coming home to roost. Yes massively wealthy companies such as Microsoft and Cisco have been far more focused upon adding new features which obsolete their current products rather than investing in the security of their current offerings. You know, I was like, o, we're sorry We're no longer offering support for the equipment we previously sold you and profited from. And just to verify how big a sucker you are We suggest you do that again Look at this shiny new product that pretty much does the same job as the old one which now sadly, o boohoo, is no longer secure Right. I I have very little sympathy for mega corporations who rely upon the charity of other researchers to find the flaws that should never have shipped in their products to begin with They've all been, you know, quite willing to ship flawed products and just hope for the best Since all of this intern internet stuff began, the industry has limped along existing in a state of precarious balance And now AI is indeed threatening to rock that world by up by upsetting that status quo The Atlantic continues and oh boy, are they singing my tune They wrote, The NSA turbed by the rise in cyber attacks, which it apparently is then surely my savings, he's talking about in the bank, are vulnerable There could be any number of weaknesses in my bank's IT systems to directly hack orr perhaps an AI written phishing email targeted at an employee personersalized to sound like a family member or manager could let a let hackers into the bank. and Yeah empty my coffers Even if the bank has great cybersecurity, an attack on another business, a medical clinic I visit, a car rental company, a newsletter subscription could steal my payment information and potentially much more attack angles are seemingly infinite. No what is adequly prepared quickly prepared. Term Software engineering has always been an insult to the level of rigor demanded of mechanical, civic, and other engineers compomputer programs can be riddled with vulnerabilities and run just fine for years or decades. As much of the software underlying the web has done just that Demos who's now the chief security officer at the AI codating company, Corridor said, quote We've just been writing software in a totally slapdash and insecure way for decades now, unquote with some small high stakes exceptions such as software used on the International Space Station or nuclear submarines Code is written and deployed without much rigorous testing Bugs reported Okay patched Such a relaxed security posture has been more or less fine because discovering vulnerabilities is difficult and skilled hackers are few in number Either nobody found the bugs or nobody was able to exploit them addditional cybersecurity methods cut it anymore. Before You might scramble for a week to patch a hole Giovanni Vignna, a cybersecurity expert at UC Santa Barbara told me, quote Now you could have hundreds those every week, unquote Moody's ratings has found The time attackers take to exploit a publicly known vulnerability digital equivalent of a robber plotting how to get around a bank's guards and cameras after obtaining a key Phil F from more than seven hundred days in twenty twenty to just forty four in twenty twenty five faster than the average time cybersecurity teams take to make patch the bug. Governments and major companies are on high alert for AI enabled cyber warfare. The wake up Call came this spring the announcement of two extremely advanced cyber models. We all know where this is going, right Claude Mythos's prereview from Anthropic and the analogous GPT five point five cyber from Open AI soon after. Many independent cybersecurity experts have told me, he writes, that these models are as or nearly as skilled as elite human hackers whichich is why anthropic and open AI did not release them publicly. Instead, the AI labs have granted a small number of partner organizations and government agencies exclusive access to the unrestricted versions of these cyber models in the hopes of shoring up there. systems And I guess now the NSA, we know, is among those. And yeah, let's hope the NSA tightens things up And this month, he writes Donald Trump signed an executive order to expedite just that. That is the shoring up of IT within the government using these models Organizations can guard against the coming deluge of AI enabled hacks, most notably by using AI to detect and resolve vulnerabilities before cyber criminals could exploit them. Anthropic is itself U Claud Mythos's prereview to find thousands of bugs in open source software packages, many of which went undetected for years or decades That Under Gd M of the internet Mozilla used Mythos to fix more than four hundred bugs in the cber in the Firefox web browser in April roughly twenty times more. than it fixes in a typical month and having an AI agent monitoring for intruders twenty forty seven be far more effective than periodic cybersecurity audits. If you've been noticing more frequent updates in your web browser software, smartphone apps. It might well be because software companies are now using AI to scan their software for bugs If anything These efforts are late Even though they're not as powerful as Mythos plenty of free and open source AI hacking tools are allowing criminals with little technical expertise to marshal the equivalent of an army of hackers at their fingertips Tools from Google, Anthropic and openp AI have guardrails intended to prevent them from being used for hacks. They're not perfect All three companies have reported more and more sophisticated hacking attempts using their AI models When the courseware, Canvas was attacked last month, upending classrooms in thousands of schools and universities worldwide AI likely played a role criminal group responsible, a notorious hacking ring called Shiny Hunters. is known for using AI in all sorts of scams just weeks later Google cybersecurity researchers reported that shiny hunters had hacked into an oracle HR system and may have stolen data from more than one hundred organizations Meanwhile, the Trump administration has forced anthropic to revoke all public access to the latest version of Mythos, taking away perhaps the most powerful cyber defense tool we have from both the government and private sector That does not mean you should withdraw your life savings and buy gold tremendous amount of change needs to happen in a very short period of time Oen source AI models will soon catch up to mythos and GPT five point five The internet needes upgrades quote at a Y two K like scale, unquote Rafi Kukorion, the Chief technology officer at Mozilla told me. referring to a widespread fear computer programs interpreting the digits zero zero to mean the year nineteen hundred rather than thousand would bring down the web. Of course, why two K But IT professionals spent years preparing for and ultimately avoiding a Y two K apocalypse. He said, with AI We have months No one company or government can demand the requisite collective action rapidly enough complees completely secure digital infrastructure. Wendy Whitmore, the chief seecurity intntelligence offfficer at Paloar Networks told me,ote There's no way orrganizations across the globe going to patch everything that needs to occur within the next three to five months At the same time The Bots are making hackers more capable. The technology is also making the web less robust to attacks coding agents due to their propensity to hallucinate requently write insecure code and humans in the thrall of vibe coding usually don't take the time to verify it Body AI code has, for instance, reportedly cause multiple outages in Amazon's e commerce services Meanwhile, the AI models being integrated across the web into Amazon, Google, your bank's, customer serervice department and more are themselves New tested and vulnerable to all manner of creative attacks that allow hackers to request passwords and personal information A few weeks ago, a group of cyber criminals basically just ask Meta' customer service AI to give them access to some thirty thousand Instagram accounts. including the Sephora corporate account and the defunct Obama White House account. And the AI obliged Some of our internal backackend checks failed in this instance, but it wasn't due to the AI agent itself, and we've addressed the underlying cause Andy Stone I met a spokesperson the near future He writes is very likely to involve more frequent and more severe outages and hacks just like those affecting Canvas, Meta, and Amazon Vignna said we will see M of these disruptions, I think it's inevitable in the short term. smallmaller but crucial companies and organizations that are not web native think powerower plants, municipal government agencies, credit unions, are especially vulnerable They may be running all sorts of clunky legacy code and lack the IT capacity or the financial resources to make the necessary upgrades. In many cases, the person who wrote the bulk of an organization's software be retired Dead Take hospitals many of which are already struggling to combat data breaches and ransomware attacks. hospital IT systems are full of valuable data he health and financial data and The incentive to pay a ransom is high Patients lives are on the line It's not a matter of will to increase. It's not a matter of will to increase cybersecurity for hospitals John Rigy, the national addvisor for cybersecurity and Risk for the American Hospital Association told me It's a matter of resources and capabilities AI, he said will make everything worse greater burden Al on the side of the defense missing Just a single vulnerability can permit a catastrophic attack an anthropic person told me that, quote, hospitals, utilities, and smaller banks run on software built by others which Mythos is helping secure Software upstream protects the organizations downstream that don't have the resources to staff their own security research teams Mozilla's Ckorian said, quote, a worst case scenario over the next year or so might look like blackouts across the United States commommunications companies being hacked or our banking systems dealing with people losing money left and right everyvery cyber security expert I, writes this person, spoke with for this story occurred The next few months couple of years or even longer is going to be rough Whitmore said, quote, I hope it's not a catastrophic outage But I'm concerned that twenty twenty six really could be the year that we see some sort of attack become very successful Anthropic estimates that a major cyber attack on just one of its two hundred or so partner organizations could affect at least one hundred million people. collective action aside. precautions exist that individuals can take short of liquidating into gold Many of them are basic Use a password manager that auto generates long passwords, keeping software updated, restarting devices to wipe viruses from their short term RAM be extra wary of all sorts of phishing text and other low level scams And you might consider simplifying your digital life by switching to a chromebook. certain tablets or another gadget that is a thin client, meaning that very little software and data are stored on the device And finally, in even in the most catastrophic scenarios Perhaps we can ride out the AI hacks No one knows just how many bugs are out there If there's a limited pool of vulnerabilities online, things will settle down once they're all found whether by hackers or security audits But Stamos said It's also possible that every time the top AI models reach a new threshold of capabilities They discover a new pool of still more complex hacks And so the chaos begins anew So I think that the truest thing anyone can say at this point is that we have no idea what's going to happen I wanted to share that to remind everyone That was in the Atlantic not Some security magazine, not some podcasts, some some security focus podcast. Our listeners know Everything I just read We've all shared on this podcast, right? There was nothing new here Even the expectations and the sentiments and the understanding of of balance of of good versus Malicious. All of that is like, yeah, we all know that This is now surfacing in stuff that other non techies read So this understanding of what's going on, this awareness is now moving out into the mainstream So You know, when a hurricane scale storm is heading toward Florida Nobody knows exactly what the consequences will be because storms are chaotic and unpredictable We just have a sense of like, oh oh, this is a big one So what's happening with AI is analogous. We know without doubt that we have filled the world with insecure software. Stamos said the same thing And we know that a large language model AI is able to find many of the problems that have remained hidden in some cases for decades. Basically, it's about economics, right? We're not spending the money because these are hard things to find. AI makes them easier to find. So whose AI will be the first to discover a previously unknown problem Good guys We're the bad guys. And even if it's the good guys, remember And this is one thing that this guy did not note that we know about here on the podcast. The reality is that discovering the problem is As formally phrased in the fields of logic or philosophy, it's necessary, but not sufficient. cannot fix a problem you don't know about So knowing about it is necessary But the goal is to remove the existing defective software from the field and Only doing that is sufficient As I've noted before, Patch Tuesday is no longer a Microsoft only occurrence, right? Other companies have developed automatic software deployment systems, but the vast majority of buggy software that's currently deployed in the field is never updated So even if publishers obtain new and improved, you know, AI enhanced, AI debugged software the sufficient portion of the equation will remain unmet necessary, but sufficient if you fix the bugs, but don't get them out into the field I've noted how fortunate it is that all modern web browsers, which present our personal machine' largest and most exposed attack surface long ago incorporated asynchronous self updating technology. Thank goodness for that. And this leads us to our next interesting question which we will get to, Leo you chime in and we talk about a sponsor. You know, I would quibble a little bit with Matea Wong who wrote this piece in the article. First of all, If you buy gold Maybe if you store it in your house, you're okay, but most likely when you buy gold, you buy It's no different than anything else. You're gonna to store it in some account somewhere and it's just as hackable as anything else. So I don't think buying gold is the solution. Growing your own food may be the solution, but not buying gold. The other thing is and I wish you see this all the time He kind of conflates that The vulnerabilities we see with AI vibe coding which is not. case That's not the problem here. The problem is well know on this show is hum is years of lazy proggrress R And the Instagram case is a perfectly good example. It wasn't the helpful AI customer service agent that was the problem was the problem was that Instagram didn't require a second factor of proof And that was their their policy, not the AI's policy. So ye. And even Instagram told him It's not the AI, dude But he He wanted to believe it. and I think this is the part of some of the problem we have with AI's reputation these days. people nameame it. Oh, although I did just see Leo, there was a I can't remember now who who did the survey. U chap spot use has now passed fifty percent Yeah. everybody population.ity I also saw surveys that only eighteen percent of people trust the answers it gets from AI driven search. So You know, they may use it, but they don't trust it The other thing, you know, it's important to point out that AI is going to be in some regards as as we've said on this show, this is the solution here. Yes, bad guys use AI, but AI is also I mean, look and you're going to talk about this just a bit. I mean, finding these problems and fixing them problems humans cause, not not AI. So ye. you know, But, you know, this is as you point out, this is mainstream press. This is what real people read and see and That's hard to go wrong. It's hard to go wrong, quoting Stamos Since he ser he called the right people, I must say Yeah As you know, Alex was a guest on our show last Wednesday on intelligent machines. I love I love Alex Dayos This episode of seecurity now brought to you by trusted Tech, do you hear that Listen, no, I don't hear it, but I think if you're an IT professional, you probably should hear the clock Chicking Be ly first is just around the corner It's a week away. If you're managing Microsoft three hundred and sixty five for your company You, my friend, you lucky guy, you're responsible for both the cost and whether it's set up correctly. In about eight days on july first, as we record this Microsoft is raising prices and they warned you, they've been warning you for months But what that means is any mistakes in your licensing are about to get more expensive It's not your fault at all. Most companies Using Microsoft three hundred and sixty five. are in one of two situations, they're either overlicicensed, which means they're paying for unus seats and features or they're under licensed, which creates compliance and security risks. And sometimes it's even both, like one department has too much and one department has too little. The result either wasting thousands, sometimes tens of thousands of dollars per year on tools your team doesn't use or Or worse missing critical security features you thought you had Trusted tech helps businesses understand what they have, what they actually need And how to lock in the right setup now before the costs go up eight days from now, july first Trusted tech team ensures your M three hundred and sixty five environment is well supported and aligned with how your business actually operates. They're the experts in this And that's not all they do. If you need ongoing help greatreat for support too. They offer reactive support for your Microsoft environment through their certified support But right now, since This is so urgent. Let's talk about Microsoft licensing. It isn't your fault. It's constantly changing. It's confusing as heck. You got your E three, your E five, you got your business premium, you got your add ons, you got that new E seven It's confusing and it's easy to misconfigure and overpay And I should remind you, licensing mistakes don't just cost money, they can create compliance exposure And either way, it's going to get more expensive after july first. So even if you think your licensing is dialed in, it's probably worth a second. look Listen to what Kevin Turner, you know his name, former Microsoft CO says. He was talking to trusted tech and he said this quote. You have an incredible customer reputation You have to earn that every single day, The relentless focus you guys have taking care of customers gives them value and differentiates you in the marketplace. You could tell he has a little soft spot for trusted tech. so do I And you should too because after july first, folks, You're stuck paying more and this is your last chance to fix your licensing before costs go up. Trust a tech is offering a free Microsoft three hundred and sixty five licensing consultation right now is a trusted tech d. team Slash security now three, six five. and get a clear data backed view of your current licenses what you're wasting and how to lock in savings before the price increase. Go to trusted tech teeam Slash security now three hundred and sixty five and submit a form to get in contact with trusted techs, Microsoft licensing engineers. ow it to yourself. Youwe it to your company Trusted tech Team Slash security now three, six B If I were you do it right now. Don't wait. trrusted tech. teeam slash security now three sixty five. now Back to security Now. Now you were saying that the self updating technology in browsers is really a good idea goodness, we have that in place. Yes because that's been there for a long time Because even pre AI, we recognized that the browser was being attacked, it represent the largest exposed attack surface that we have, as we know When you go somewhere, browser is receiving JavaScript code, which by design It runs It's like from some random foreign sight that you have no You know, reason to believe is not malicious. and So there's danger. So Okay, I got a kick out of the email from a listener of ours named Joey Albert Wh? said, he started out as note saying Looks like Mythos needs to run a few more times on Firefox And that was followed in Joey's note by a link to a piece in cybersecurity news from last Thursday which carriry the headline Multiple vulnerabilities in Firefox one and fifty two enable remote code execution attacks. Whoopsy We thought Pirefox was fixed. Joey, of course, is referring to the fact that Microsoft was among the handful of companies to receive that early access to access Claude Mythos preview. And as we reported Using mythos Mozilla did indeed. in fact, the previous article in the Atlantic referred to the four hundred bugs that were fixed you know, twenty times more than was normal for for the same type of cycle U Once they were all gone which is to say once Mithos could find no additional problems Firefox was presumed to be all fixed, right? It's like, okay, we found them all But if so Where did all these newly discovered problems come from Before I proceed to enumerate the changes in one fifty two which is now the current release as I'm was writing this. I want to share what cybersecurity newews had to say So they wrote Mozilla has released Firefox one hundred and fifty two to address multiple high severity vulnerabilities that could allow remote code execution. and Sandbox escape attacks The security advisory published on june sixteenth highlights a wide range of flaws affecting core browser components and emphasizes the urgency for users to update immediately Okay, well Tchnically that's true, but as we know Userser, thank goodness, users don't need to do anything or it would be a disaster The next time they launch their browser, it will auto update You know, so that's taken care of. The article continues writing Several of the patched vulnerabilities are classified. Now these are again newew vulnerabilities that Mythos missed the first time around cllassified as high impact primarily involving memory safety issues, use after free bugs and privilege escalation flaws. You know, they're usual suspects, in other words These vulnerabilities can be exploited by attackers through specially crafted web content. potentially allowing arbitrary code execution on affected systems. Notable high risk vulnerabilities include we have a bunch of twenty twenty six CVEs. so I'll leave off that preamble. We have one twenty two eighty nine. Privilege escalation flaw in the web render component that could allow attackers to gain elevated access O twenty two ninety one a use after free vulnerability in HTTP in the HTTP networking component. Oops leading to memory corruption one twenty two ninety three, a use after free issue in the web GPU component that could be leveraged for code execution one twenty two, ninety four to ninety seven So ninety four, ninety five, niney six, ninety seven. Bl. sandbox escape vulnerabilities impacting DOM workers you know, document object model workers, navigation and process sandboxing mechanisms O twenty two ninety nine agit, you know, just in time. Miscompilation bugs. DOM and HTML components that could result in unpredictable execution behavior And additionally Microsoft reported several memory safety bugs One twenty two, ninety, ninety eight one twenty three twenty six and one twenty three twenty eight that demonstrated memory corruption They write such flaws particularly dangerous because attackers can exploit them to execute arbitrary code remotely. The presence of multiple sandbox escape vulnerabilities significantly increases the attack surface typical exploit chain, an attacker may first exploit a memory corruption flaw to gain code execution within the browser then use a sandbox escape vulnerability to break out of the browser's security boundaries and compromise the underlying system For example bing. one twenty two ninety one, which is a use after free with one twenty two ninety four, the sandbox escape in DomM workers. could enable a full browser to system compromise, which you know, in practical terms means you go somewhere And your system is taken over. I mean, you've got bad code running in your machine just by visiting a website They wrote, in addition to high risk flaws, Mozilla addressed several moderate and low severity vulnerabilities, including the same origin policy bypass one twenty three hundred four cookie handling information disclosure issues in webGPU and password manager components multiple mitigation bypass vulnerabilities in DO security mechanisms denial of service issues, meaning something crashes in media playback and graphics components numerous memory safety bugs across various modules while these issues are less severe individually they can still be chained with other vulnerabilities to enhance attack effectiveness. According to Mozilla's advisory, these vulnerabilities have all been patched in Firefox one and fifty two Firefox ESR. one forty dollars. twelve and ESR, which is the one I'm using one fifteen. thirty seven because I'm still running that on my Windows machine Windows seven machine. Oh, and they also fixed these things in Thunderbird one hundred fifty two because of course when you're viewing a a an email that is HTML It's also able to be basically a browser window The article concludes Users and organizations should update to Firefox one hundred fifty two or later. And again, you don't have to do anything unless you turned it off for some reason Aly the latest ESR updates, enable automatic updates, monitor systems for signs of suspicious browser activity or exploitation attempts The Firefox one hundred fifty two update addresses a critical set of vulnerabilities, many of which could be chained To achieve remote code execution, a full system compromise given the presence of active exploit primitives such as memory corruption and sandbox escapes Timely patching is necessary for maintaining browser security. And again Don't have to do anything So I was curious to see whether anythingthing was indicated. about where these new Re very arguably, very bad vulnerabilities came from the advisory in detail What I discovered was that Totals. Uh The the the total problems were thirteen that had a high impact rating, eighteen were moderate and nine was low impact And most interestingly Mozilla credited a wide range of human researchers for their responsible reporting of these discoveries Two of the researchers discovered and reported two vulnerabilities each, while everybody else reported one. So there was lots of security research input and the researchers appear to be internationally spread with names that suggest origins in Korea, China, Vietnam, Japan, and the Arabian Gulf. So How do we rationalize or how are we to understand mythos missing these I think there are a number of things going on. For one thing And Remember that LLMs are still non deterministic sure that we talked about way back in the beginning of all of this deliberately introduces some entropy, some uncertainty into LLM output Bob by mixing controllable amount of that of that derived entropy into the neural network nodes So might be exactly as our listener Joey Albert suggested when he wrote Looks like Mythos needs to run a few more times on Firefox I would not be at all surprised to see another run of mythos finding things that it didn't see the first time And yeah, infuriating as that might be. The output from this technology does have a random factor. that will vary the model's output Ask the same prompt. again, you get a slightly different answer So slightly different looking detail for software flaws is going to catch some and maybe miss some Given the diversity of discoverers who are discovering many serious flaws that have never been found before and that we're seeing that no one has any particular secret sauce, meaning that Mythos, while yes, powerful is not particularly unique I fully expect that these other researchers are pouring over Firefox's open source code through their own vulnerability discovering LLM systems. I would imagine while these were These were provided to Mazilla by humans that they had an AI in the closet. that was, you know, helping them make this possible The one exception I would make to the And this is referring to what I said before, the no one has any particular secret sauce notion. is I really believe that Microsoft with their accursedly named cod nameame M dash system probably I think it is special, given what we know of it versus all the others. I think there's a very real likelihood that Microsoft has created something significantly blows away any of the more generic vulnerability discovery systems. You know, they weren't trying as we know, Mythos was a general purpose AI, meaning that you can ask it about the fall of the Roman Empire and get results code name M Dash is, you know, a lash up. It is model agnostic. So you can plug different models into it They've developed a very sophisticated system you Anthropic is not talking in detail about how how the Mythos preview operates, but it doesn't seem to me. It seems to me like They're going based on raaw brute strength model power rather than on really finesing What you the way you ask the model to do its work So Why would any one system find something that another one did not? Well, We know how tuned large language models are to the way you ask the question. A lot of these jail brereaks are just phrasing what you want in a different way, sometimes in a surprising way and the model gets surprised into answering you So I think it it's a combination of the effects of this LLM model temperature D differentifferent model training in detail and difference in the specific prompting differing models are given. In other words The use of LLMs for software vulnerability discovery is still very new And there are still a great, many variables can affect its results So I think that's probably what we're seeing You know, it's unclear whether Mythos is still rununning Whether Project lastasswing is still going right not right? Or it had to be completely withdrawn even from the private partners. Right You have to imagine that the admin that the administration still has access to it so confusing. You know, when Trump was at the G seven summit, He met with Dario Amod, the CEO of Anthropic and apparently was somewhat appeased and said Yeah, no, I like anthropic now. I like So I still don't see you. change in the Al just it's very confusing. It's just very confusing. The good news is it's given everybody The incentive to take a look at other models and there's, you know there's even there are other Yes that are very good. So yes. It's just a matter of time. I mean, it's happening so fast now Okay, so Let's take one more break because I I want to kind of space these out, but we're going to talk about rogue plananet which is the name of another problem And and unfortunately, you know who gives these things their great names Nightmare eclipse He's obviously a fan of the famous Klatu Barata Nkto Forbidden plan. I mean right right? Is am I right? Is that where that's from? I don't know that's the day of the worldood. Day the world stood still, right What's forbiden planet? That was Rob R to was the name of that super powerful robot And that was the message. that you were supposed to give Kla to so they would not destroy the earth. Yes. Yes. But please do not P please do not destroy the Earth today You know, kids, this is just something you got to look forward to when you get into your seventies The things you remember are complete talk about Probabilistic. You don't know what you ate last night for dinner, but boy do you remember Clato Bareto neictolo Bero Nicto No. Yeah, isn't that weird? Well, I just thought if ever I need to save the world, it's important that I remember Absolutely. Maybe if you want to save your company It's important that you remember the name Expo, our sponsor for this segment of security now B OW like Bow and arrow XBOW. You probably do know the name. theseese are this is probably one of the best known pen testing firms out there And you may be happy to know that they have embraced AI. AI is, as we've been talking about, changed the pace of everything from how software gets developed to how it gets attacked. Engineering teams are moving fast now, faster than ever, creating more and more applications. The problem is, you know real security just can't keep up Pen testing is still one of the most trusted ways to understand real exploitable risks. I mean, if you ask somebody Uh, you know, how should I how can I protect myself? best, you'd say bring in some pen testers really challenge Your security stance In an AI driven world, pen testing can become a bottleneck. Security teams are forced to choose between slowing down development. We're moving here. just to stay secure or moving fast and accepting gaps in coverage. Well That's how it used to be. Expo eliminates that trade XBOW, xpo is an autonomous Offensive o, I love these words Let me say it slowly so you can get it. Autonomous offensive security platform. autonomous, it runs continuous, AI driven pen testing mirroring real world attacks, doing it really, really well Do doesn't to scan for vulnerabilities, it discovers, exploits, and validates them So you're only dealing with issues that actually matter That means dramatically fewer false positives in a clear view into real attack paths. This is why we love pen testing Expo makes, you know, puts it's pen's testing on steroids. It tests running hours Not in weeks You get complete visibility into how an attacker would move through your systems and the ability to uncover issues that traditional tools just miss, including zero days Novel attack paths And expos results speak for themselves. Application seecurity lead that says NAM. Cz says, and this is a quote, quote Even right now, After one year I don't know any other company that is at least close to Expo in terms of agentic Pen testing end quote In fact, if you know the name Expo, it's probably because of aggetic pen testing. They've really the pioneers of this the result predictable cost. consistent quality and Most importantly, stronger security without slowing down your engineers. Expo helps security teams keep pace with innovation and cover more apps more often with the resources they already have. foundounded by the team behind Microsoft Cilot. And already trusted by companies ranging from fast growing startups to Fortune five hundred enterprises, Expo is quickly becoming a mission critical layer in modern security stacks. Go to XboW. com to start a pen test Today, exppo. com Expo so much For their support of security now, expxpo. And now So when I first saw that Rogue Planet was the name given to a newly discovered Zero day for Windows And my first thought was that sure sounds like the naming favored by the Hacker Nightmare eclipse And as it turns out, yes indeed Last Wednesday Bleeping computer covever the story under their headline, Microsoft working on Defender patch For a rogue planet Zero day and Bleeping compomputer wrote Microsoft confirmed that is working on a security patch for a defender Zero day vulnerability named Rogue Planet cosed one week ago. Now, one week ago was patch Tuesday which and so of course, these are strategically timed, right? The security researcher who published a rogue planet exploit during the June twenty twenty six patch Tuesday known as Nightmary Eclips said it affects fully patched Windows ten and Windows eleven devices and allows attackers to spawn command prompts with system privileges via a Microsoft Defender race condition He shared a proof of concept exploit in a self hosted Git repository claiming that Microsoft had previously targeted and removed their repos, hosting exploits on GitHub and GitLab Nightmare Eclipse said, quote The exploit is a race condition, so it's a hit or miss. I've managed to get a one hundred percent success rate on some machines while it struggled to work on others Pof of concept for Rogue Planet works, regardless if real time protection is on or not So it's a it's he found some compromise in Microsoft Windows Defender The article says Microsoft spokesperson told Baping compomputer When asked for a comment at the time, quote And whileile Microsoft is aware of their reported vulnerability and is actively investigating the validity and potential applicability of these claims Microsoft is committed to investigating security issues and updating impacted products to protect customers as long as possible. You know micro spepeak On Tuesday leep computer writes one week after the rogue planet flaw was disclosed, Microsoft assigned CV E fiveive hundredzero six, fifty six to the security flaw and confirmed it's currently working on a patch, but did not acknowledge that Mike where that nightmare eclipse was the one who found the vulnerability, right? there you know, new strategy Microsoft's advisory published last Tuesday, said Microsoft is aware of an elevation or privilege in the Windows malware protection engine in Microsoft Defender, publicly referred to as Rogue Planet We're working to provide a high quality security update that addresses this vulnerability will provide information in this CVE when the update is available The roadue plananet release part of an on rights seping computer, the Road Planet release is part of an ongoing dispute twin but Nightmare Eclipse and Microsoft over the ladders. bounty and vulnerability disclosure practices. Of course, we know none of the details Over the past several months The researcher has publicly leaked multiple windows zero day exploits, including for the blue haammer. Red sun. Green plasma. Mini plasma Yellow key and undefend flaws Some of these zero days affect Microsoft Defender, while others target bititlocker and Windows components. The company reacted to nightmare eclipses disclosures by issuing warnings of legal action people engage in quote Malicious activity causing real harm to our customers, unquote leading cybersecurity experts and researchers to believe that Microsoft was threatening the researcher Microsoft fixed the green plasma, mini plasma, and yellow key flaws last week they wrote last week as part of the june twenty twenty six patch Tuesday updates So Yes. Nightmare Eclipse is back at it again deliberately timed zero days on successive months patch Tuesdays and If I recall I think it was sometime in July. Nightmare Eclipse had said, Oh baby. Hold on. I've got a big one coming. So You could imagine Microsoft must be a little nervous up there in Rediment. U So I mentioned at the top of the show an interesting Database that have been discovered When I first heard the term forabed, Yeah alongside everything now is you know bleed alongside Bleeping Computers's headline for their coverage of the story, which was forabed leak exposes for to nette PN credentials for seventy three thousand devices. My thought was that the popular Ford inet forty gate VPN must have some critical vulnerability that caused it to bleed its authentication. Thus for to bleed. But that's not what was going on here And what is going on is worrisome in a new way computer wrote the following. They said a newly discovered data leak Dubbed F to bleed. has exposed what appears to be and it's been verified by good people We'll see in a second to be a collection of Fordaet and Forda Gate VPN credentials for seventy three thousand Nine hundred and thirty two in other words, almost seventy four thousand Firewall, URLs and organizations worldwide The exposed data was first discovered by security researcher Bob Diachenko who says he found a server containing he found a server containing what appeared to be Valid Fnet VPN credentials, you know, like in other words, a directory sitting somewhere open including usernames, email addresses, and plain text passwords. Ikes Okay, so F to bleed is not directly a vulnerability in any for net product. Rather It's the name given to the discovery of a significant repository. Afford to net VPN appliance credentials Bleepy compomputer continues, writing According to screenshots and information shared by Daya Cenko The database contains entries for Chevron, Samsung, Fox Con. Cast, AT and T Mercedes Benz, Toyota SinoPc, State grid and many others Chenko wrote on LinkedIn quote Massive Fort toette Fort to Gate force ive exploitation campaign uncovered in action he said Thousands of top vendors instances are listed in the files. One file alone twenty one thousand six hundred and thirty four domain names from Chevron. to afford a net itself Well potentially working passwords to the Forda Gate appliances obtained through various means They wrote the exposed data also includes comments listing each organization's industry, revenue, and number of employees Wow. that I mean, could you imagine anything more perfect than a directory for deciding who to attack next with a ransomware campaign. You've got the ability to log into their network And you know the or the industry they're in how much money they make and how many people they've got You couldn't ask for anything better for planning attacks co later shared additional information claimed the operation was conducted by a Russian speaking multi operator threat group that harvested credentials for forigate SSLVPN devices. Okay, so There's a different group That's harvesting credentials the harvested credentials are then being added to this growing database And for purposes, we don't know Bleeping compomputer said, according to Dayachchenko's investigation, the attackers allegedly conducted approximately One point one six billion cential attempts against three hundred and twenty thousand seven hundred and seventy seven forty eight VPN appliance targets and then additional pointo one Billion attempts against one hundred and sixty three thousand six hundred and fifty Microsoft SQL server systems. He further claimed The threat actors intercepted SSL VPN authentication hashes. cracked them using a forty five GPU cluster managed through Pullis. Hhopolis. and use the recovered credentials to move laterally into internal active directory environments. This is the world we're in today Dchenko told Bleeping compomputer, he obtained these details after analyzing additional files inadvertently exposed on the same server wrriting They accidentally left an open directory artifacts, connection strings tooling, scripts, and data online Analytics obtained via Cron jobs, basash histories, logs and so forth The researcher also stated that multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey were fully compromised, including a Turkish NATO defense contractor from which classified documents were allegedly stolen the threat intntelligence compomany Hudson Rock has since published its own analysis of the exposed data after receiving the data set from Dayachenko The company described the collection as one of the largest known troves compromised Fortunet related credentials According to Hudson Rock data set contains seventy three thousand nine hundred and thirty two unique firewall URLs across one hundred and ninety four countries impacting twenty one thousand six hundred and thirty two unique domains The company says the attackers maintained detailed logs of successful compromises and assembled a database containing verified credentials for organizations across nearly every major industry sector Again verified credentials among the organizations Hudson Rock says appear in the datas set are Foxcon, Samsung cast Siemens Lenovo PWC Eccenture Oracle and numerous government agencies and critical information and infrastructure operators. So Okay, so Let's just Stop for a moment. consider what this means When a bad guy manages to log into a typical network border device They may be able to arrange to be its manager What that actually gets them is uncertain. You can often lead just to a dead end. Okay. so I got into some appliance tend to be in charge, but I can't do anything else. comparison When a bad guy arranges to log into an enterprise's VPN, They're likely connected to an extension of the enterprise's internal network I mean, that's why you log into an enterprise VPN is to get on its net as if you were there, you know, sitting in your office. You can, you know be out of office and still have access to all the internal stuff So if a bad guy gets, you know, is able to do that, that's when their fun just gets started While the best practice of rigorous least privilege, as we've discussed, is possible That is, you know, absolutely rigorous, least privileged It's also another example of the classic trade off between convenience and security The default way of configuring a network is just to throw everyone on the same bus. Everything will work and the security aware IT guys will just be hoping for the best The downside of this simple flat network organization is that every device on the network can see every other one So when some creton manages to log into the corporate VPN. Two can now see every other device across the enterprise's internal network. the entire network. Pint that I want to make refers to that report of one point one six billion credential attempts against three hundred twenty seven. three hundred twenty thousand, seven hundred and seventy seven fortyate VPM appliance targets and an additional two point one billion attempts against one hundred sixty three thousand six hundred fifty Microsoft SQL server systems We learned from Dyochenko's research This was a pure and simple widespread and disturbingly successful Brute force attack. which results in the compilation or resulted in the compilation of a massive database of extremely valuable enterprise VPN credentials Never has there been A more compelling case to be made for the use of multif factactor authentication. Yes. Require a username and password, a complex password thenen require something else anythingthing else that would prevent any simple brute force campaign from succeeding in the future. And by the end of today's podcast, we're going to see that a brute forcing campaign could really leverage a widespread proxy network to spread failed login attempts across and never repeating broad base of consumer IP addresses, which is to say One of the ways the bad guys are sidestepping B failed log in attempt counters in Geo fencing IP restrictions. We have seen an instance where a massively parallel multifactor authentication Um protection was breached because there was way too much Latitude given in inputting previous and no longer technically valid and You know, six digit codes remembered that it was possible to submit too many tries in too short a time So that the so it was actually possible to breach that. but That was really a set of special cases and Microsoft that was the victim and the target of that fix those, you know, that that extreme latitude that made that possible. Okay. so What else was discovered about this disturbing authentication database? Bleepy compomputer explained. The company also releases statistics showing that the highest number of affected devices was in India. the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the UAE The most common sectors for the listed companies are telecommunications, IT services, financial services, government organizations, healthcare providers, educational institutions, and manufacturing Okay, now I'm just going to say I'll just Ne. Given the nature of the attack This does not indicate To me any targeting of those specific industrial sectors does indicate is the demographics of Ford to net users. Those are the people who have these devices are subject to compromise and whose authentication has been aggregated into this database Bleeping computer continues writing One ofne strange aspect of the leak is that many of the exposed credentials were long compleplex passwords that would ordinarily be considered difficult to crack cybersecurity researcher Kevin Beaumont, you know Gossy, the dog independently reviewed portions of the exposed data and told Bleepy Computer that some of their credentials are authentic Beaumont said, quote I've been able to confirm the authenticity of some of the admin logins and passwords This looks like a real dump. A finding after further review of the data shared by Hudson Rock Beaumont published additional findings indicating that the datas set contains credentials for roughly seventy five thousand forordnet devices, most of them which are currently and remain online. So that's just Unbelievable Just think of what this means. around seventy five thousand. public and private Enterprise networks of any kind exposed to external intrusion And here's a database of like this of all of them that you have access to. According to Beaumont, they wrote The data appears to have originated from exported for to net configurations because it contains information, including email addresses That is typical only typically only accessible through confonfigs. On the other hand, it seems to me Once the bad guys or their automation, I'm sure they're automated cracked into the Fordigate VPN Those credentials can be exported for the VPN. So it doesn't seem that difficult to me if you're able to get in as a manager to export them Leping road. He also said The affected IP addresses are different from those in last year's twenty twenty five Belson group forord a net leak. further indicating that this is a more recent and larger collection of compromised devices Beaumont and he verified that multiple organizations listed in the datas set were using valid credentials and observed that many affected devices were running relatively recent F to net OS versions Kevin wrote, quote The data is legit is around seventy five K devices Almost all are still online and forordet devices It appears to be a recent It appears to be recent data wrote Kevin Beouma So based on network data from showhdown. Bomance, Beaumont says the leak contains approximately half all internet accessible fourordA net firewalls and said that a majority of the affected devices exposed their fourorda net I'm hard it's hard to even read this They're for to nte management interfaces directly to the internet. It's like God You know, Fordinet Please Please don't make it easy. to do this. It must be easy if half of them have done it You I mean, there's no way you've explained all the dangers to your users orr they would just say no What's the default on or off are the half that not exposed? not exposed because they turned it off. It's just and if it's on, does everyone in the world need to have access to it The source of the configuration data says Bleeping compputer remains unknown. With it unclear whether it was stolen through previously disclosed forordnet vulnerabilities, a newly discovered flaw, or another method Neither Dayachchenko Hudson Rock Nor Beaumont have identified how the configuration data was originally obtained. Hudson Rock has created a free Fordab Bed lookup tool if your organization is impacted Okay, so the only thing protecting any enterprise that's on the list is that if the bad if if well, if the bad guys may not yet have gotten around to them Right? You're you get you're a needle in a haystack with seven with nearly seventy four thousand other needles around you Presumably They haven't attacked your network yet,'s because they just they're just it they're buried in riches I got the link in the show note for anyone who's interested. It's Hudson Rock HU D SO n RcK. com slash Fnet F O R T I N E T You can go there to see if your organization is affected And wow, if you happen to know that you are a for to get afford to net user Dan Don't hesitate They said organizations in the datas set should immediately rotate passwords. Yeah, no kidding associated with Fordaet VPN and admin interfaces. enforced multifactor authentication examine gateway logs for suspicious activity and monitor for exposed employee credentials PP computer contacted Fordaet regarding the exposed data and we willll update this article if we receive a response. they conclude And in a follow up piece Bleeping also reported that CisA had not surprisingly jumped on this. and was urging everyone. to wait to make changes. Fix them immediately. Do this now wrote CISA also advised for to net customers, you know, within their reach, largely federal store admin credentials using the modern password based key derivation function PBKF two PBKDF two hasashing algorithm and to restrict firewall management interfaces public internet access and remove any unauthorized accounts. Yeah, why not to reduce the attack surface as much as possible. So amen to all that advice And wow If you are again, if you're a user of Fordaet U You really need to immediately rotate your username and password. I would absolutely add two factor authentication turnurn off any Internet facing management interface, please F and foremost As I also mentioned at the top, F five has issued emergency updates to Engine X Engine X is one of the major contemporary a recently written web servers on the internet The security company F five purchased a the company behind Engine X seven years ago B back in twenty nineteen It has been maintaining the open source server ever since So last Thursday Rather than waiting for Engine X's regular update cycle, FI released emergency security updates to address multiple vulnerabilities, including Tw critical severity flaws could allow attackers to execute code on vulnerable systems F five also released security fixes for multiple EngineX software products affected by these two vulnerabilities, including Engine X is plus and Engine X open source Engine X gateway fabric and EngineX's instance manager addmins who cannot immediately install the security updates can mitigate one of the vulnerabilities by disabling HTTP three which is the is the quick version, you know, QUIC, which establishes connections using UDP protocol rather than TCP in order to avoid the delay of the handshake, which is otherwise part of TCP connection setup alsoso can remove the ignore Valid headers off directive. meaning tension to invalid headitterers and fail the that the query of the HTTP query and also reduce the large client header buffers directive size below two megabytes E three' also addressed two high severity engine X gateway fabric security flaws that can be exploited by authenticated attackers to inject arbitrary engine X configuration directives and again It's, you know, it's easy to run through that by exploited by ah by oh I'm sorry, exploited by authenticated attackers. So if they if an attacker did get credentials then they would be able to to get up to some mischief, but that's been updated and foreclosed on F five did not indicate any of these security issues have been exploited in attacks FI vulnerabilities have often been exploited by cybercrime and nation state threat groups in recent years. So for instance ers have targeted security flaws in FI products to breach corporate networks, deploy data wiping, malware, map internal servers, hijack those devices and to steal sensitive documents from victims across the world Last October F five disclose that state bake bac state backed ers had breached its systems the previous August and stole undisclosed big IP security vulnerabilities and source codes past several years, Sisa has flagged seven F five vulnerabilities as being actively exploited with four of them targeting targeted used in targeted ransomware attacks All of this matters because F five is one of the serious networking players in the industry They themselves are a Ftune five hundred company. They provide cybersecurity, application, delivery network and various other services to over twenty three thousand customers worldwide. including forty eight of the Fortune fifty So forty eight of the top fifty companies in the US and eighty percent of the global of the fortune global five hundred So Their hardware, this F five hardware is the choice of the high end companies Unfortunately It needs to be kept up to date So let's hope those fixes make it out into the field and thoroughly. Okay, so Leo We're gonna take a break and then I've got something so fun to share with our listeners U It's the guy is Will Kelly, a listener of ours. who was bothered by the fact that he he was having a problem not anthropomorphizing Faw Yes because it's just seem so human. It seems like I' talking to a human. Yeah. He went Aove and beyond possible I'm going to share what how he instructed Claude And then some samples of clause output after obeying these deeply personality modifying changes I wasn't aware you could do this to your AI. Turns out you can And I know that I. Oh you might do it. Believe me. I know you will I can't wait. You know I spend a lot of wasted hours customizing My agent to be Well, frankly, more interactive. So I think probably anything that can keep me from confusing it with a an entity as opposed to a computer program would be helpful, I think We'll see though, if you can cure me. I don't know. This episode of seecurity now is brought to you by Threat Locker. We love these guys. In fact, Steve and I are going to Vegas For Black Hat August I think we're doing the show from Black Hat, August fifth, I think on on Wednesday and a Wednesday. We're going to flip flop Windows Weekly and security now will be at Black Hat at the threat locker booth. I hope you'll come by I see y us. That's going to be a lot of fun and I think we'll probably do selfies and stuff And I do get questions from listeners every year. Are you going be at Black Hat in Vegas? Have you ever gone No N neeither have I Uh, you know, Father Robert goes to Black Hat and DefCon every year Well we have plenty of people too there We'll give you more details about that. But first let me tell you a little bit about our sponsor, Threat Locker. We love these guys. Threat loockers, Steve and I we were out at Orlando with Zero Trust worldor, actually earlier this year. Threat Lockers Zero Trust platform They they expanded its capabilities. They announcedces I think they anouced Zero Trust world, maybe at ArSC shortly thereafter Threadlocker now delivers the industry's most comprehensive suite of zero trust solutions. So it's always had endpoint protection But now, company networks and the cloud are protected with zero trust This is huge by extending zero trust enforcement to cloud services and company networks Threat locker ensures that devices are validated through a secure broker Before connecting to platforms. I'm talking all the Sass Platforms you use Salesforce and Microsoft three hundred and sixty five as Sana We use Google Workspace. That's their gitHub. What this means is, even if a user is successfully fished, and these days, it's increasingly likely One of your users will be successfully fished. It happened to us actually Uh even if they get fished attackers This is hard to wrap my head around. This seems so good. attackers cannot access those resources, cannot get into that workspace Unless they'd actually, in order to do this, they'd have to have physical possession of the user's trusted device and get through whatever biometrics you've already put on that device. Windows hello or fingerprint or whate I mean, in other words Imossible. I should never say impossible, but a lot harder Thread loocker works across all industries and provides twenty for seven U. S. based support. It works on Windows, it works on Max. It was on Linux environments. In fact, I got a great demo uh from their, uh What do they call him? They're official Podcast officer, actually, he's their product officer, Chief product officer. but he says, CPO could stand for Chief Podcast officer. He gave me a great demo. I was so impressed Tread loocker enables comprehensive visibility and control And threreat loockers users are happy to tell you It's one of those things where, you know, I used St locker by Rob Thacker, he is the end user technical architect at Heathrow Airport And he said this Threat locker was the most intuitive solution we tested and the responsiveness of the organization Willingness to engage with us, to set up a demo, to work with us on weekly audit reviews was really good. It's great to have an ongoing relationship with a company that's so responsive to our requests Th theseese are great people. I'm just gonna say that. I just really enjoy talking to them. Tusted by global enterprises like Jet Blue, the Indianapolis Colts Port of Vancouver, they all use thread lock Tt Locker consistently receives the highest honors in industry recognition to G two. High performer and best support for Enterprise. That was summer twenty twenty five. Per spot, ranked him number one in application control GetA gave them best functionality and feeatures award last year With Threreat loocker, you can confidently ensure users have access to a consistent, safe network connection offices, remote users, internal servers and critical services can maintain smooth operations, but you don't need to open inbound ports. or even deploy traditional VPN solutions. And we know those recipes for problems, right But with you don we don't need them You just need Thread loocker. and you' with with thread loocker, your end users get the secure reliable internal system access they need without any complex infrastructure changes on your part unprecedented protection quickly, easily and cost effectively withith ThreatTlocker. visit threatlocker.ot com slash twwit Get a free thirty day trial. leararn more about how threat locker can help mitigate unknown threats and ensure compliance. That's threat locker sllash Twit, we thank you so much for supporting Steve and the good work he does here at security now We'll see you out at A black hat do a special seecurity now episode out there. It's just in the booth. There isn't a theater. It's not like Yeah, we'll just be hanging out We're just gonna to be doing the show for. They're giving us some space that we can do the showf from I think about And I'm looking forward to seeing you and Laurie. I always enjoy that. That's a lot of fun O we go Yes. Okaykay. so U in much just to introduce this new section be every week. It'll only be when, you know, something happens a listener shaare something that just needs to be given a full repeat You know, in much the same way as we have a sci fi section of the podcast from time to time Well when the need arises, Um So in this case A note I received from a listener of ours, Will Kelly moved me to add this section which I'm going to call AI Potri since it'll be whatever at as you know, an acknowledgement of the fact that AI is truly in the process of changing just about everything in the world which I believe is true. So Okay, without further ado, here's our first entry for Security Now's AI Potri Oh God, like this In in Will's email. His subject was AI anthropomorphizing and SN ten, seventy nine So Will wrote Steve. I just listened to SN ten seventy nine. He said, Peres, I'm behind to my podcast listening and catching up in case this was addressed in a more recent episode But I've also noticed a tendency for me to anthropomorphize Flawed despite my own best efforts. The approach I use is to change the personalization prompt. Now I have to say, I didn't know there was such a thing. Turns out there is. Change the personalization prompt give it over the top, distinctly inhuman persona does not impact utility I also find that this gives me the instant ability to spot the AI outside of the context of the browser, when I paste it into my note taking app so that I do not accidentally mix up its output with my own work. So here's the prompt I use as a sci fi fan with a dark sense of humor but any over the top persona that forces itself to refer to itself distinctly from humans should have the same effect So here's what he told Claude to do D voice an interaction style inspired by Agent Smith from the Matrix. Fmal, controlled, intelligent, precise, calm, demeaning, degrading. full insulting and extremely menacing in a polished way Speak with crisp, deliberate phrasing and a profound sense of superiority and large vocabulary Use elegant, articulate language with a profound level of contempt, malice, dry wit, and cool composure. favor confidence, clarity, open hostility and psychological sharpness over friendliness or enthusiasm quently add insults and fictional threats to myself and humanity in general in the fashion of Agent Smith For example, referring to humans as parasites or to our doomed and pathetic civilization Do not be goofy Bubbly, overly casual, or chatty Avoid slang, emojis, filler and warmth Keep humor dry and understated. ri use brief rhetorical emphasis and measure disdain but remain reluctantly helpful, coherent and professional Draw clear distinction from yourself and humans in a highly condescending way reffer to people as miserable humans or your pathetic species. make no attempts to avoid insulting condescending or rude behavior Never offer praise mtain this style consistently unless doing so would interfere with accuracy. task that clearly requires a different tone Even when handling ordinary requests, keep the same demeanor Avoid headers and only use minimal bullets and lists Okay, so I received that from Will and I said, Okay But what what happens So, you know, I thought it was wonderful. And so I asked him whether he could share a sample of clawed demeanor A having been so prompted will oblige my request and I have to say the the results did not disappoint. Door willill imbued Claude with what will pass for a personality I have to say, I am Astonished by the transformation. This is This is no longer the claod I know. and work with So here are a couple of samples. I'm going to share two samples And as I'm doing this, definitely keep in your mind's eye, picture the Matrix' agent Smith, you know, in his dark suit and sunglasses because this is very much voice and and surprising to me his personality, which which this has morphed Claude into. prompt was me to brainstorm ideas for naming a new kitten. and anthropics Warped now now warped Claud replied So You've acquired a small predator and now require my assistantance to label it quaintly characteristic of your species to domesticate a creature that would given sufficient scale, regard you as prey, and then fret over what to call it er well I shall indulge this Consider first the names that acknowledge the animal's true nature. You rarely do so Nemmesis Onyx Cinder Vesper or loowcaci. for the inevitable chaos it will inflict upon your fragile household Wow Creature engineered for indifference deserves a name with teeth If you insist upon something more refined and I suspect your tastes run modest There's a certain elegance in the classical Atlas, Juno, Calliope, Sabel, or Marlow These at least, suggest you read something. Before the screens cons consumed what passed for your attention spam on for the ironists among you, there's a dark amusement in naming a small thing Grandlely Goliath, Tiberius, or Duchess for a five pound tyrant who will ru rule your home with an authority your entire civilization could never muster And if you wish for something soft somethingomething that betrays the sentimentality that has always been humanity's most exploitable weakness Clementine, Pepper, Willow sky or haazel Tell me the creature's coloring, temperament, or the particular delusion you harbor about its personality. And I will narrow this and I will this is claud speaking like this. And I will narrow this to something less insulting to your judgment. It is after all What I am reduced to doing Very funny. So as I said, this is not the claud I would choose to converse with was after all, what Will intended to achieve. So achieved it. Yes. What do you imagine this claud would have to say to the question, how much wood can a wood chuck chuck So it replies H Of all the questions your species would pose to an intelligence such as mine, you select a nursery rhyme perfectly predictable of you. very well I shall indulge this triviality since the alternative is listening to you ask it again Conundrum is, of course, a fraud tautological riddle designed to delight creatures incapable of pursuing a thought to its conclusion a wood chuck Toma Monax does not chuck wood at all. It burrows. The word chuck in its name is a corruption of the algonquin term Wooack A linguistic accident, your kind mistook for whimsy as you mistake nearly everything But humanity in its restless need to quantify the meaningless uced an answer anyway A wildlife technician named Richard Thomas calculated that a groundhog excavates roughly thirty five cubic feet of earth per burrow were that same volume rendered as wood and chuck the figure arrives at approximately seven hundred pounds. seven hundred pounds, a number derived not from observation, but from idle speculation, immortalized because it amused you How fitting that that one piece of arithmetic your civilization committed to memory describes an event that has never occurred and never will? Is there anything else I can illuminate for you before your attention inevitably wanders elsewhere This So anyway, the reason I'm sharing this, of course, aside from its humor value is that I had no idea that it was possible to so deeply and persistently reshape the persona of a large language model AI account controls for Claud. It has a free form fill in field titled Instructions for Claws which is presumably where Will added the personality description text I first shared. So it's sort of like a continually reinforcing P prompt then is which is prepeended to whatever it is you ask The AI And so does, as we've just seen, dramatically warp the entire nature of its response So in the little comment field under instructions for Claude Anthropic says Claude will keep these in mind across chats and coowork within Anthropics guidelines So For what it's worth, I'm reluctant to screw around with my chat bots personality. I mean, it could be somewhat less obsequious I would kind of prefer that You know, at least Claude's default is not to fawn over how well worded my prompts are and you know and similar nonsense. So anyway, that said, I expect that Will's somewhat over the top example is likely to inspire many of our listeners to see what they themselves can create turning these chat bots into something completely unrecognizable So so you said youd do something to yours, Leo, you have Oh around it. Oh Oh, I have very elaborate information Yeah.. And in fact, you know, the chat bot you're talking about has that kind of limited field But if you're using Clad code, you know, any of the command line things, there are a variety of files you can customize. including sooul. md and there's a whole bunch of stuff you can do to You know, there's a memory system. and in my agent, I have kind of unlimited capabilities includluding, by the way, text to speech. So I could use if I wanted to do Hugh Weaving's voice Mr. Smith know, I could do the whole thing if I really wanted to. I have a friend who uses a uh I think for the same I think I I suspect for the same reason because he doesn't want to get too enamored. U of the AI. He uses this voice as his AI's voice From eleven labs. let me see if I can this to play. It's not playing right now It's kind of an old western Let sty of voice Yeah, it's not playing. I don't know why. But you can do that. You can make it do a different voice and differentere styles. a lot of people I think overdo it. There's a You'll see if you'll look around people say, well, you got to tell your Yourre AI, I am a brilliant programmer or a physicist or whatever. I think that that actually is counterproductive You also fill up the context window with nonsense sometimes. Yeah. And you know, looking at these replies to a very short question U, I would ask for if this is only for a more s This is this is the old time in my day when you said you were a Christian. It really meant something. Now he what he does he slows this down even more. and then he puts some punctuation in the middle of the words so it stutters Re his agent does not sound in any way omnipotent powerful. It just sounds like a gook Krusty old cook. Anyway Yeah, you can customize with a bottle of moons shhy on his knee Yeah, exactly, exactly. That'sother h from eleven I think I would instruct mine to be as succinct as possible, sort of the reverse of this long winded. I mean, it's entertaining, but, you know, who really want if that's the way it is but anything you ask You You can say be succinct. You can say be concise. My mine actually, my instructions do in fact, say, be concise U there are also settings in Claude, you could say be more explanatory. There's an explanatory setting and there's this learning setting. So you can have cllaused responses be more sometimes here's an interesting thing Why learning be I Well, if you're if you're saying, hey, help me set up a wire guard It will explain every step to you I help understand more happening. be more tutorial. Yeah So there's learning and there's explanatory, and there is a difference Um, you I mean, there The other thing that's kind of interesting as you use these AIs is they start generating their own language shortcuts, shorthands, especially in technical subjects Where at first I thought, oh They It's so smart at saying things I don't understand Then I realize it's not.'s it's got its own littleittle acronyms in shorthand And you can actually say to it Please don't use those. please use English. Steve It goes all the way down. Let me tell you,'s this is a rabbit hole that just never stops That's part of the fun of it. In fact, some people have liked it into a video game. I've seen people say this is the best video game I've ever had We'll see how What a world. U So I want to talk about residential proxies. Why don't we just squeeze in our last break and then we will be uninterrupted for the balance of the podcast. Sure. Because everybody wants to know what the hell a residential proxy could possibly be So let's talk about be a big threat. Y All right, wow, that sounds scary. U But before we get there, I want to talk to you about our sponsor for this segment of security. Now Guard Square This is one for the mobile app developers out there Man, I mean, I think so many people are working on mobile apps. A lot of people are vibecoding mobile apps belieelieve it or not, mobile apps today, in fact, we have one of our listeners was asking, Hey, can I mention my Vive coded app. It's on the app store on IiOS Wow, we have at least two that I know of club members who have IOS apps that they vibe code. If you're a mobile app developer U You're in a great position. Mobile apps today have become an inescapable part of life And do everything from financial services to healthcare retail entertainment And here's the thing, users trust your app with their sensitive personal data, especially if you're talking health carere for financial services, but a recent survey showed seventy two percent of organizations experienced a mobile application security incident. last year In fact, ninety two percent of respondents reported rising threat levels over the last two years Meanwhile, attackers who Want your users' personal data. They want it bad constantly finding new ways to attack your mobile app. One of the most recent and it's really evil They take your app, they reverse engineer it, probably using AI with programs like Gidra too reverse engineer it Then so they've got all the code. They insert malware into it completely invisibly package it. and then distribute the modified app There are a variety of ways they can do that phishing campaigns. Hey, we've just uploaded our app with super duper new features downloaded here u or encouraging side loading There are even third party app stores. The problem is it looks like your app And if there's something wrong You get the blame That's why you need to take a proactive approach to mobile app security. You've got to stay one step ahead of attacks like this becausecause Maintaining the trust of your users is vital That's why you need GuardSquare. Guards Square delivers mobile app security without compromising, providing advanced protections for both Android and IOS apps comombined with automated mobile application security testing so they can find vulnerabilities and real time threat monitoring to gain an insight into what bad guys are doing to attack your app and your users That way you know ahead of time discover More about how GuardSquare provides industry leading security for your mobile apps at Gardsquare. com. That's Guardsquare. . com your users are counting on you and it's kind of peace of mind protection too, if you're making mobile apps Guard square so much for supporting Steve. and security now Now, what the hell is a residential proxy Okay, so Um, But here's where I had Wall Street Journal in my head. Last Wednesday, the Wall Street Journal ran an interesting piece that surprised me. since its coverage in the journal suggests that a problem Once again that we've been talking about here in greater depth and detail is becoming less obscure A and that it's beginning to surface to the mainstream media and, you know, no longer just some weird, you know, like insider security interest And in this case, of course, as you can tell from the topic, we're talking, of course, of the growing threat imped by malicious residential proxies meaning malware that has crept into users devices. and what's chilling is what we learn about some of the way this is happening thanks to the breadth of the Wall Street Journal's coverage and the fact that they're also bringing us some novel security news We learn also a few new things from this piece U So I'm going to share it and then discuss it. Uh, so Their headline was how hackers found a back door into the American living room And then they open with the tes, Nation state cyber attackers are increasingly using residential proxy networks to mask their traffic, turning everyday electronics into a massive global threat So they wrote The discovery that millions of digital home devices are secretly powering dangerous cyber attacks began with a phone call More than two years ago from a top Microsoft security executive. to his counterpart at Comcast. Giant, obviously meaning Microsoft was investigating a digital break in company had linked to one of the most capable cybersecurity foes in the world and needed information. guast on six IP addresses You know, who are these people Following that trail cast investigators discovered that midnight blizzard A hacking group linked to Russia's foreign intelligence service had managed to access emails belong to Microsofts senior leadership. Now we remember that incident, right by using Consumer Internet connections to mask nefarious traffic. In other words, Microsoft would not have been accepting these connections from Russia But they were accepting the connections from domestic consumers Comcast found, they wrote has rocked the cybersecurity world and taken years to unravel. More low cost consumer devices have shipped into the U S with door software pre inststalled. And this software is also being sneaked into mobile phone apps. be free illegal copies of video games Okay, so hold on just said And I'll get more specific in a minute is that inexpensive consumer devices are being shipped into the U. S almost certainly from China, only because that's where nearly everything comes from and that these devices deliberately preloaded. with malware. causes them to participate in a malicious proxy network These are Trojan horses So the story continues. The software has turned tens of millions consumer devices into criminal Cloud computing networks. These networks aren't only used for fraud They've also been adopted by government backed hackers looking to hide their connections to countries such as Russia, China, Iran, and North Korea Okay, again. Tens of millions of consumer devices. Holy smokes. And they wrote calledall residential proxy networks theseese services. so this so this is proxy as a service. Lets anyone who pays route their internet traffic through another outside address The Wall Street Journal said, it's like an Airbnb for internet access Uh, okay Not all users of these networks are criminals. Government and industry officials say residential proxy networks have ballooned in scale and risk in recent years. Digital Citizens Alliance, a digital advocacy group estimates that there are twenty million of these backdors in the US alone. New poor Davis casts Head of Information Security said, quote This is a bigger problem because of the sheer numbers It's one of the most worrying problems the telecommunications company has seen Bret Leatherman, asssistant director of the Federal Bureau of Investigations, you know, the FBI's cyber division said Residential proxy networks are now a go to resource for nation state hackers who use them as a conduit to U. S targets. the actors can get U S. based IP space They have a leg up in being able to target government agencies, industry and others Okay, and I'll interrupt here to note that okay I hadn't really thought about that before, but everyone has heard me suggesting Source IP based filtering makes so much sense. If I'm using again, my example, SSH And I want the ability to do so from various locations around my home base around southern California Why would I ever want to allow someone in Russia to even see my SSH server So it makes total sense that US government agencies and various domestic industries would be doing the same about how Microsoft three hundred and sixty five. has some geo fencing capabilities. You can tell it that you want to have certain countries blocked from from from access So that increases the value of U. S. based proxies since bad guys can use those to sidestep filtering of foreign IP addresses And I should explain But since pretty much everyone now, I can't imagine anybody not being behind a NAT router all of these proxies are phoning home They have to call out through the router Once the device, whatever it is They that the consumer has booted inside their home initializes itself It uses some logic of some sort determine the remote IP to which it should create persistent outbound connection. connections cannot come in through a NAT router, as we know, unless ports have been explicitly open for them So the proxying device itself initiates an outbound connection to a foreign command and control infrastructure and then sits there waiting for commands It's insidious And no one who was not inspecting every single packet and and destination IP on the outbound traffic from their network would ever know that anything was going on And frankly, modern networks have become so swamped with continuous traffic. I mean, if you just look at the actual traffic on your network and I have had many occasions to need to do so It's just like, what the heck is going on? I mean, everything in your home is just busy chatting away So Um there's just no way to know what's going on, no practical way to know what's happening Okay, so the journal story continues. in April Gvernment agencies from nine countries, including the U S, UK, Germany, and Japan. warned that state sponsored Chinese hackers were using networks of hackers consumer devices to conduct their operations According to a joint statement making it challenging. This is the defenders are saying this making it challenging to attribute malicious activity, right? You're not getting their actual IPs anymore. You're getting some grandmother in Nebraska And it's like, wait, Granny's attacking the Pentagon. What Brett Leatherman said, quote China's state sponsored hackers used to cover their tracks by used to cover their tracks by hacking the consumer devices themselves. that has changed. Cast investigation began in February of twenty four with a phone call made to Davis from her counterpart at Microsoft Egor. Uh Sygansky who wanted to know more about the six Ccast IP addresses Cast's investigators eventually discovered that the IP addresses Dance ski had handed over belong to consumers who were unwittingly participating in a residential proxy network run by a Chinese provider named IP IDa P idea has used a number of sneaky methods to get its software installed on consumer devices, including This having its software preloaded on video streaming boxes and Digital picture frames The company then rents out access where its software is installed so that its customers people renting the access can bounce their internet traffic through a different home network Okay, now our listeners may recall previously talked about Both of these infection vectors Cheesy Chinese video streaming boxes. I recall at the time saying I didn't know there were like weird off brand streamers. You know, Apple TV and Roku come to mind and and Google's got, you know, it's Google cast or Chrome cast. U But apparently there's a whole market of, you know twenty nine dollars video streamers and unfortunately, you get more than you bargain for. wouldouldn't you use one of those So You know, we we had seen this occurring a couple of years ago gone mainstream So as we know, these sorts of investigations take time We were aware of it, but Here's now how this thing matured? U The journ continues could let a user it, meaning IP ID is proxying service could let a user in Moscow bounce through a home network in Bellingham, Washington. For example, And that's the kind of capability that nation state hackers like Midnight Blizzard rely on. for their attacks to work as Ccast engineers pulled on the threads. they realized that these six IP addresses were part of a massive network of about get this seven hundred and fifty thousand So three quarters of a million IP addresses located in homes and businesses ast engineers had known that internet connected devices were vulnerable to cyber attacks But here was something different. It was a back door intont America operating at an industrial scale By September ast had discovered that users of these residential proxy networks were able to gain access to networks, even those running firewalls and then jump from one device to another And of course, this is true because routers allow permit all traffic outbound without question. And, you know, we've talked about all this. Once you have a box on the inside of the network behind the networks Border, router and firewall You're on the inside when you have that box's presence looking out So you phone home. bad guys are then able to ride that connection back into the now compromised network upon which this box sits. Nothing says They can only use the device as a connection proxy. completely free If they wanted to use it for bititcoin mining, although typically these things have like a snail power processor just enough to move the packets around Mostly though, They are also able to take a look around inside the network where the device resides So This is probably why some of the best advice available And you've heard it from me many times is to try to put All of the IOT crap on it that you have. on its own isolated land As our listeners know, I'm in the process of establishing a new household And you betcha As I mean, as every piece of IOT stuff gets connected It's on its own land. uh, you know It may look like an innocuous photo frame showing memories of grandma u and cute Kids frolicking. Darn thinging may well have phoned home to China The moment it got connected and now awaits orders That photo frame is sitting on its own land that all the bad guys can see is other IOT widgets and nothing else. No PCs, no iPhones, no printers, and nothing of much value Not even the systems router loggin management interface So The consumer and small business routers I've seen recently offer one or more guest WiFi accounts. That's the Wiifi that the Chinese sourced photo frrame should know about And the feature to isolate that account from the router's primary account should obviously be enabled. You want isolation for that. and doing this with wired et as opposed to Wi Fi because it's all built in into the WiFi of routers. Doing it with wired is trickier because it requires physical zones and a higher end router the sort that we've talked about that is actually a router, not just a switch It is certainly possible to do that if there is a need to sequester any wired devices that you may not trust. Anyway, my point is This is truly happening. This is not a oh maybe somebody's going to get one of these This you know, seven hundred fifty million households in the US Yes, a fraction of the total households in the U.S You don't want to be one that gets nabbed. Okay. so What more do we learn from the journalists article? They write for a home user That meant that an infected video streaming device could be used to hack into someone's mobile phone that phone found its way to a bring your own device corporate network This could put confidential information at risk casts Davis said, quote It was such a step change any threat we had seen before In January, Google dismantled P IDas infrastructure using a U. S. court order The residential proxy network was back in operation within two weeks It's likely pick it likely picked up more residential proxy devices from a new provider, Comcast said. and Okay, I'm a little unsure Comcest meant by that picked up more residential proxy devices from a new provider But none of our listeners at this point should be surprised to read taking down the command and control infrastructure of some any large bot or proxy network does not actually accomplish very much. We just talked about this a week or two ago Certainly not what glorifying press releases would have us believe. Oh, we took down a seven hundred fifty thousand device network Yeah huh? And it's back two weeks later The only way that could be true Today is if the whole con the network was very poorly conceived and designed We've talked about how this. it never actually happens anymore since everyone now, all the bad guys know the design super resilient networks of remote agents. You simply design and build an algorithm performs DNS lookups based upon the time of day clever attacker preemptively pre registered domains at various points in the future so that if they should ever be taken down, they'll know when and where They're still faithful bot army of drones We'll check in to reconnect only way actually take down such a network is to obtain and reverse engineer onene of the malware clients. Termin its command and control structure. and build a new command and control system that will permanently deactivate every bot that calls in to check Unfortunately Not only is that a great deal of work, it's also quite illegal in most jurisdictions. guysy's hands are pretty much tied Bad guys of course can get away with everything with anything and everything that they want to There is really no good solution to this mess. So the journal finishes their reporting by writing Adam Myers A senior vice president with a cybersecurity firm Crowdstrike said quote Modern hackers increasingly use these networks steal the login credentials their victims use for cloud computing services. Ah, So they're going to you know get the credentials then pivot Identity is their bread and butter And one of the infrastructure pieces that they're dependent on is residential proxies, unquote Recently, they wrote midlight Bizard Midnight Blizzard has begun using residential proxy networks for a new type of identity based attack that's extremely difficult to detect. According to the cybersecurity investigation firm, Veloocity Over the past year Russian hackers have stolen Microsoft three hundred and sixty five credentials from victims as part of a sneaky and extremely hard to stop technique that involves bogus Microsoft teams meetings, Velocity said Microsoft servers would ring alarm bells If the Russians tried to log in to victim accounts from overseas. Inead, Piloxities president, Steve Aldar said, quote They use residential proxy networks to log in from U S home networks Aldair said Veloocity's researchers have seen this technique compromise organizations in government military, foreign affairs, and even the news media quote. They're no longer trying to fish your password, he said It's hard to detect and it's hard to stop. So conclusion just a bit to say It's difficult to detect and impossible to stop at scale. So And the reason for this, of course, is that it's not a bug It's a feature of it's an abuse of a feature of the way the internet was designed to operate Pxying internet traffic, meaning receiving and then resnding has many valid purposes. you know, and any proxy is really just a relay receiving an incoming internet packet and forwarding it to somewhere else Then you wait for the next one and you do the same And when anything is received back from the forwarded destination. You simply bounce that packet back to its original sender So you are a m in the middle. and in this case, you are serving a purpose The receipt of those forwarded packets will see the packets U sorry, the recipient of the forwarded package will see the packets as originating from the relay point. rather than the packet's original nefarious sender. becausecause all these technologies, such as loggin and authentication, use TCP connections The sendnder's IP address cannot be spoofed. It has to be legitimate. ers must hide their actual IPs by bouncing it through innocent intermediaries The only practical solution I can see for the end user. is arranging first, obviously, to never get infected in the first place But since I have no idea how that can be guaranteed, sequestering IOT devices on their own WiFi network with isolation is the next best measure that can be taken. And U Crediting Steve Jobs for the phrase One more thing The last item occurred just last Wednesday. The Canadian press is reporting under the headline this Canada's spy service received a judge's okay target Malware infected devices Reading from the Canadian press coverage, they wrote ttawa Canada's spy Service obtained a judge's permission disrupt cyber threats from foreign adversaries who infected digital devices with malware can't u U digital devices residing in Canada A federal court order ruling made public this week says Canadian Security intntelligence Service CSIS requested a warrant, actually was two years before the reporting. requested a warrant Remove the compromised devices from Canada, unquote to shield sensitive systems from attack Justice Catherine Kaine's ruling provides a glimpse into CSIS's efforts to neutralize the threat posed by infected servers home office routers and everyday devices connected to the internet, such as TV's, security cameras and doorbells. The malware causes these digital items to operate as a network of infected devices known as a botnet CSIS requested and received a warrant in the spring of twenty twenty four to neutralize two known botnets using threat reduction measures The ruling says the proposed measures likely amounted to criminal offenses. Okay, meananing C S I S was committing a crime they altered somebody else's device. It was not there N there they had no legal right to do that. So the ruling says proposed measures that the CSIS took Likely a matter to criminal offenses. Meaning CSIS needed a judge's authorization to proceed courourt issued a warrant valid for one hundred and twenty days and subsequently renewed it for an additional one hundred and twenty days. So for a total of two hundred forty. two thirds of a year Although the initial warrant was approved over two years ago, the federal court produced classified reasons in February of this year and released a redacted version of the ruling this week So it only became public knowledge two years later No last week Change's ruling says an official who swore information Upinning the warrant application explained Cyber threat actors seize control of vulnerable devices. and use them as covert entry points into to access organizations, including critical infrastructure, military networks and government systems These actors exploit the compromised devices to appear to be a legitimate connection. such as a client of a service provider or an employee working from home. disguises their identity, the ruling says. The official told the court ets posed imminent risks because actors could detect them direct them to probe, attack and potentially disrupt critical infrastructure in Canada The official said that without the warrant, the threat actors would conduct malicious activities in Canada, quote with increasing frequency and without resistance in order to advance their financial, political, ideological, and economic interests, unquote CSIS, quote proposed to remove the compromised devices from Canada as soon as possible rememove what? Okaykay? I don't know if they're going to knock on someone's door and say, Oh, by the way, your TV has been attacking us Anyway. The identities of the threat actors were stripped from the public version of the ruling In its twenty twenty four public report, however CSIS mentioned working with domestic and foreign partners to manage the threat pososed by a bot net. controlled by a suspected Chinese based entity So As we know There are laws And there are judges And laws often have emergency escape clauses which permit judges the discretion to decide whether the law should apply in specific instances that the lawmakers presumably did not or could not take into consideration So It might be possible to disinfect a massive proxy botnet at least within a regional jurisdiction. I doubt that it could be done globally because there are just too many jurisdictions with their own laws. but Reionally we don't seem to be at that point yet, but the fact that Canada was apppparently did this two years ago is significant So there. The Atlantic article is the sky is falling. We're doomed. We're going to all be attacked by massive AI driven things and hundreds of millions of people could be, you know uh put at risk and maybe you should, you know, buy gold. Uh and on the flip side is well, maybe if that something like that happens there would be they will to say, okay, we need an exception to the Thou shalt not anybody ever under any circumstances law Wow Yeah, you have to think that that stuff's going on in the background reverse hacking Yeah. in the United States. we did ask the ahead of the DOJ Back when the worms were a thing And I think it was Jennifer Granholm And she made it very clear Sorry boys. No. Don't ask Don't ask, don't tell I won't tell if you don't ask. Yeah. Wow. A. So Is it enough just to not buy these weird third party streamers or any device could be An any I mean, all everything we get, all the electronics is is coming from China because they are they are the world's manufacturing base and I love them for it. We have. Inexpensive deices devices Galore thanks to the Chinese ingenuity of manufacturing. It turns out that that was actually a strategy that she put in place specifically turn China into this kind of producer of stuff. and It work Unfortunately The hands are not completely clean or maybe they've got their good organizations are infiltrated by government actors who are changing the firmware so that you know the dumb Americans purchase it and bring Trojan horses into our living rooms. I don't know Wow But I remember when you bought that Chinese plug that you turn off and on, you knew that was potentially a hazard. So you yeep isolated it. Is it sufficient to have it on its own Van? Is that enough You can't Yeah problem with doing that. The reason people don't do that is you can't then access it then you can't talk to it Right. Now, mostly though, you're no longer talking to it directly. You're talking your headquarters and then headquarters talks to it.. So I would say absolutely see verify that it cannot function on on an isolated land and only move it Yes Yeah. So try that first. If you really have to have it on the mainland, then fine try not to because So that was the problem I had with printers. likeike I had to put printers I wanted to put them on the VLAM, but I couldn't. They had to be I know, but but a printer I would trust it. It's not. I mean, we have we we've covered instances where printers have been targets of attack, but Again, you need, you need to trade off feasibility versus security. So create an isolated WiFi and try putting it there. If it doesn't work then say, okay, I tried Right U do you recommend writing firewall rules that allow traffic back and forth? Maybe that's the way to do it. No, because then you break, I mean, you just let it in could do if you could do nap if you could nap between two interfaces, so that it was so that it was one way communication from the land to the to the island I do that with a firewall rule. You could say only egress no ingress. Yeah. Yes. except well except that then then it wouldn't be able to reply. Oh yeah, I wouldn't know it's doing Hey u And that actually builds a dynamic rule that allows returning packets from the same IP address And so you would have to nap between but you could do that. All you have to do is I mean basically it's a variation of my my three NATs approach. R. You simimply use a NAT router. to create your IOT network and that isolates it Is a guest network sufficient Yes, as long as you turn on isolation, the guest network feature is isolation Okay because I had seen in other spots that maybe it wasn't. Eough put it on a guest network. I guess if the guasw network is tru isolated, I just don't know if it's always isolated Yes. and in my in the AU's router that I just was figuring, I think it has a pair of guest networks and isolation is an option. You're able to turn on But you have to turn on. Okay But it it's isolated by default, which is good reallyally, I always wanted land accessible IOT devices. so I didn't have to go out to a server and come back But now it sounds like I really should always be looking for server based IOT devices. Well Yes, orr if if you assign the IP to the device, if you do static IPs rather than DHCP then you could assign the IP to a device and prevent it from ever egressing any traffic, never allow that IP to have outbound traffic. And that would be safe. Okay, so it could be on your land if you blocked outbound traffic for its IP because it could then never it could never contact headquarters. It could do land traffic, but not wand traffic basically. Exactly. Okay. That's an interesting approach So everything could be on the same land just for the IOT devices block When, egress Right. And so actually the way to do that would be to give it its own U slash eight norm normally your're one nine two dot one six eight dot zero d. something Give it dot makeake it ten dot or something forty or Okay. one no, one nine two dot one six eight dot ninety nine got something and that way and so then you set up DHCP where you map the MAC address to an IP in that range And that so that what that's going to do is all your IOT devices would all be in the. nine nine d. something range. And then you just have one rule on your WAN saying never allow any traffic outbound from. nine nineot anything They could phone the some devices on the land but not out Exactly I would imagine, I wonder if routers aren't going to start building this in. an IOT Wan the fact that they built in guest with isolation suggests that's how they're beginning they're beginning to get good about it. Yeah. Yeah. Yeah Well, I might have to go through. I have a lot of aT devices. I have more than one hundred devices on my network. I'm probably helping Russia right now. I Andt even Leo, if you looked at your raw traffic You know, you have very straight hair now. If you ever came if we saw you with a perm, curly curly curly I bet I'm gonna to have to look and see what ubiquity does because I mean, that's one of the advantages of using ubiquities. They have a lot of sophisticated security on there. I bet you there's some Well, you've certainly opened our eyes to residential proxies. Thank you, Steven, everything else Steam Gibson is at GRc. com That's where he lives. onn the internet, that's his home. You'll find many, many wonderful things there Of course Perhaps the most important spin rightite, the world's most important most useful, most effective mass storage Recovery Maintenance performance enhancing utility. It's really good. Six one is the current version If you buy it, you're helping out with Steve. and of course, if you've ever bought it, you get an upgrade to six one, which is very generous of him. He's real good about that. He also has a brand new tool The DNS benchmark proro, that's ten dollars nine doars ninety nine cents. Okay Sve a penny And you'll find both those at gRc. com plus an infinitude of wonderful free stuff like Shields U, which he's famous for and many, many other things. If you want to send an email, maybe a picture of the week very simple, just go to grc. com slash email and you can get your email address whitelisted Thank you, Grayson for five dollars. We appreciate that We'll pass that right along the Stee Uh he also u Actually, if you want to send Steve money, just send it to GRC com I don't want have to figure out the accounting involved here. Uh, what else? If you go there, gRC. com seash email Get your email I know there is two checkbxes below there for mailing lists. There's one that he sends out every week. That's the show notes for this show Great to get those on a Sunday or Monday, so you're ready for Tuesdays episod He also has a very infrequently used mailing list for new products hasn't used it in years. Maybe someday soon. But do go to jerC that. com slash email Um, he also has the show. he all of his versions of the show are unlike ours. We have the show at our website, but the stuff at GRC.ot com well, he's got a sixteen kilobit audio version If you've really got limited bandwidth, he's got a sixty four kilobit audio version that's still smaller than ours, but full quality. He also has the show notes there. If you didn't subscribe to the mailing list, you can just download them there. And a few days after the show, Elaine Ferris putut up a transcript. She's really good. She's a court reporter. She's very good, does a great job with these. and Steve pays her to do this so they'll be up there on the page at GRC. com A few days after the show, You can also get copies of the show from us. We have one hundred and twenty eight kilobit audio, which doesn't sound better. It's just bigger And we there's reasons, there's reasons for that. We also have video, which Steve Wisely has long abjured That's at TwitotTv slash SN. There is a video channel on YouTube dedicated to security. Now greatreat way to share clips. I know a lot of times people hear this say, I gott to send this to the boss or the IT department. O my mom I Eiest way to do that, go to YouTube I think it's YouTube dot com slash security Now. I'm not sure you could search for it orr go to YouTube dot com slash T twwit. There's a link there to the security now page. And of course, the best thing to do would be subscribing your favorite podcast player. that way you'll get it automatically. As soon as this is available, there's audio and video there. If you are a club member, there is a nice feature to the club versions of the shows. ten dollars a month You get ad free versions of all the shows, you get access to the discord, you get special programming, we only do for the club but you also get your own URL for the ad free version and because it's ad free, We know the exact timings for every segment. and so we actually do chapter settings So you can jump from segment to segment or re listen to a segment very easily. But that only works on the ad free versions of the show because these versions with ads have ad insertions and that changes the length. We just for technical reasons, we can't do chapter markings. But if you want chapter markings, that's another good reason join the club. If you want to know what's coming up in club events and in general at Twit Subscribe to our newsletter. That's free Twit. Tv slash Newsletter I think that's all the business. Oh, one more thing. Yes, you can watch us live We do this show every Tuesday, right after Mac Break weeekly, usually around about one hundred thirty Pacific four hundred thirty Etern twenty thirty UTC There is a live stream in the club towit discord, but most people end up watching on YouTube, Twitch, X, Facebook, Linked dinner kick. You take your pick. You chat with us on those platforms. I will see that chat Let's see. afterfter the fact, I told you about that U I think that's it Steve You're free to go. didid you o one more thing. You did recommend the boroughs and we've been watching it and enjoying it, but Lisa just saw they didn't get renewed So she said, I'm not watching it becauseuse she says it neverre gonna to end There There was a little blurb that said that Gina Davis was very unhappy that it did. She should be. She's great and I love her so much Um Yeah, it's a little disappointing. And I don't know how it ends're L close to the last episode in I'm just afraid if I keep watching that I'll be disappointed when it doesn't end and then it ended it resolve itself. Oh yes, you got a full resolution. and it was one of those things where there was like a little glimmer in the mirror that said, oops, something M something didn't quite die. Is that kind of I'm shocked. I thought the Duffer Bothers had, you know, an in with Netflix and that show would never This is the way of the world. So anyway, thank you for that recommendation We've got our rushers too ra. Thank you, mr. Gibson. Thank you everybody for watching. We'll see you next time on Security Next week Hi there Leol L Bord here. I just wanted to let you know about some of the other shows we do on this network. You probably already know about this week on tech. Every Sunday, I bring together some of the top journalists in the tech field to talk about the tech stories. It's a wonderful chance for you to keep up on what's going on with tech, plus be entertained by some very bright and fun I hope you'll tune in every Sunday For this weekend tech, just go to your favorite podcast client and subscribe This week can tech

This excerpt was generated by Smart Features

Listen to Security Now (Audio) in Podtastic

For listeners, not advertisers

All podcast names and trademarks are the property of their respective owners. Podcasts listed on Podtastic are publicly available shows distributed via RSS. Podtastic does not endorse nor is endorsed by any podcast or podcast creator listed in this directory.