¶ Intro and Weekly Security News
It's time for Security Now. Steve Gibson is here. Apple denies it, but there's clearly an exploited iOS iMessage vulnerability; a good reason not to use Telegram, ever, ever, ever; and Steve's evolving opinion of Microsoft security. I think you can guess which direction it's headed. All that and more coming up next on Security Now. Podcasts you love. From people you trust. This is TWiT.
This is Security Now with Steve Gibson, episode 1030, recorded Tuesday, June 17th, 2025. Internet foreground radiation.
¶ Star Wars Holochess Banter
It's time for Security Now. I know you wait all week for Tuesday to come around. Steve Gibson is here, the man in charge of Security Now, our expert. I shall give you the Klingon salute. Oh, that's good. Yesterday I went to our wonderful little coffee shop in town, which has really become a community center. A good friend of mine runs it, and it has a game night
on Monday nights, and I brought my chess set down. I thought, oh, this will be fun, maybe somebody will play chess with me. I set it all up, put the clock there. Nobody was playing, but there was a guy across from me setting up his Star Trek 3D holochess that plugs in, and the things light up and stuff. And I came over and said, hey, I gotta play some. He said, well, I don't know the rules,
and I seem to have lost the booklet. So I asked ChatGPT. ChatGPT knew the rules. Fortunately, the proprietor had also saved the booklet. What ChatGPT said is, since there are no canonical Star Trek rules for holochess, you people have made them up over time. I was gonna ask whether, you know, did I miss that episode? Because, you know, they always were moving them around. Yeah, you knew they were playing. Yeah, but
here's the photo of Chris and Peggy and me playing Star Trek holochess. And it has sound effects, and then the pieces light up and stuff, and the rules are so complicated that you get a card that you hold, so you know there's a piece called the, I guess that's how you pronounce it, G-H-H-H-K. Anyway, it was a lot of fun. We played to a draw.
I think Klingon was actually a fully realized language, wasn't it? I think there's some Klingon names in this thing. Yeah, you can actually speak Klingon. Oh, yeah, there's people who... Yeah, apparently Shakespeare has been translated. Fully realized language. So, yeah. Yes, because before computers, we didn't have enough to keep us busy. Anyway, it was a lot of fun. And there's a name for it too, which I can't remember off the top.
No, it's something almost equally silly, like Kajit or something. But anyway. And as an accomplished chess player, Leo, was it actually a useful game, or just...? No, no. Chess is so much better. If I could have just gotten anybody to play chess with me, I would have been... It's called Dejarik. Did I say Star Trek? It's Star Wars. Oh, and that does look like the board. Yes, this is the one they were playing on the Millennium Falcon. I apologize. Yeah, okay.
I get them confused. No, no, you don't. I do, and that's not good. You can't do podcasts if you confuse Star Trek and Star Wars. I'm going to take away my geek credentials. I'm sorry. That's not okay. What's coming up on Security Now? So we're going to talk about... I had fun with the title, because for 20 years I've been talking about a term that I coined, Internet background radiation. Yes.
Today's podcast is titled Internet Foreground Radiation. And we're going to find out what that's all about. But we're also going to look at an exploited iOS iMessage vulnerability, which Apple is denying. Do we trust them? Are they saving face? We don't know. The NPM repository is under siege with no apparent end in sight. Two pieces of news there. Not good. Were Comcast and Digital Realty
compromised? Don't ask them. They say, no, not here. But evidence, and even some serious agencies, suggest otherwise. Matthew Green
has agreed that XChat does not offer true security. We touched on that last week. I said I might dig deeper into it. I don't have to, because Matthew did for us. We may know how Russia is convicting users of Telegram, and it's not by decrypting their messages, interestingly enough. Microsoft finally decides to block two insane Outlook file types, and I'm going to deliberately control my language, because we have young listeners of this podcast.
Good boy. Wow. I know you want to. It turns out, just as we were doing the podcast last week, Leo, you ran across the news that 40,000 video cameras were online on the internet. I've got the details to follow that up. Interestingly enough, where they are and who owns them. Also, there was a question about running SpinRite on encrypted drives that I'm going to cover briefly. Oh, a listener also sent the result of their dumping all of Elaine's transcripts into an LLM and then asking it
how my opinion of Microsoft security has evolved over time. Oh, boy. And what do we know about the bots that are scanning the internet
¶ Picture of the Week: AI Refactoring
to create internet foreground radiation? So, and oh, a Picture of the Week that is... I sent the show notes out about 24 hours ago, yesterday afternoon. This one generated more LOLs than is common. I am going to have to describe, before we explain this, what it means to refactor code, because I know that... well, I know you do, and I also have had to do so from time to time. Yes. But anyway, we have a great Picture of the Week. Can't wait. I have not looked at it. We will
see it together in just a minute or two on this episode of Security Now. Can't wait. Always look forward to this. Go ahead. Have a little sip of Java. There's a lot of work ahead of you, Steve.
¶ Protect Privacy with Delete Me
Our sponsor for this segment is DeleteMe. And if ever you thought you needed to delete your data from data brokers, there is a real reason to do it now. I know. People have been watching the news about what happened in Minnesota. They recovered the suspect's notebooks. And he had a list in the notebooks of all the places you can go online to get personal information about people, including their home addresses, from those data brokers.
If you've ever gone online and done a search for your name, you know you see these people. They call them people searches, but they're data brokers. They're online sites, companies that collect your personal information and then sell it to anybody who comes along: your name, your contact info. I was stunned to know it's legal to sell my Social Security number and your home address.
Even information about your family members, all being compiled completely legally. There's no law against it. There really needs to be. By data brokers, and sold online. Anyone on the web can buy your private details. This can lead to identity theft, phishing attempts, doxing, harassment, and now we know much worse. But now you can protect your privacy with DeleteMe. Look, I live in the public.
I share my opinions online. I make people mad because I confuse Star Wars and Star Trek. Obviously, obviously, I'm in trouble, right? It's really important to everybody, though, to keep your personal information private. That's why we use it at TWiT for our management, our managers, and we recommend DeleteMe.
We did it when Lisa started getting... there were phishing texts being sent to our employees, to Lisa's direct reports, impersonating Lisa. And how did they know what her phone number was and who her direct reports were? Those darn data brokers. We immediately went to DeleteMe. It's a subscription service that removes your personal info from data brokers, hundreds of them.
You sign up, you give DeleteMe the details about what information you want deleted, because you fully control that, and their experts take it from there. Now, here's the neat thing. Just the other day, Lisa got an email from DeleteMe about what the status is, about where her name is showing up and what they've done to delete it. DeleteMe will continually do this. They'll send you regular personalized privacy reports showing what info they found, where they found it, and what they removed.
It's not just a one-time service. It's always working for you, constantly monitoring and removing the personal information you don't want on the internet. You know, you need this. We all do. It's sad. But until there's a law against it, thank goodness there's DeleteMe. DeleteMe does all the hard work of wiping you, your family, your company, your employees' personal information from data broker websites. They've got plans for businesses,
families, individuals. Take control of your data. Keep your private life private by signing up for DeleteMe. We've got a special discount for individuals today: 20% off your DeleteMe plan when you go to joindeleteme.com/twit and you use the promo code TWIT at checkout. But the only way to get 20% off is to go to joindeleteme.com/twit and enter the code TWIT
at checkout. joindeleteme.com/twit, offer code TWIT at checkout. I hate to bring, you know, these terrible stories in, but honestly, if ever there were a need for DeleteMe, it's now. joindeleteme.com/twit. Use the offer code TWIT. Sometimes the world intrudes on our nice little space here. All right. I'm ready for the Picture of the Week. Set me up. Okay. If you're willing to wait for our listeners...
I was going to say, you could jump ahead if you didn't read it out loud. I'll wait. Okay, so what I need to explain for those who are not coders is what the process of refactoring a code base is. And it really comes from, it came from math, where, for example, if you have the number 30, there are a bunch of factors of 30: 2, 5, 10, 15, 30. So the point is there's different ways to break that 30 down into its factors.
One of the things that happens with code is you start off with kind of an idea of what you're going to do, and you say, okay, I'm going to put these things in this file, and the things for the user interface, they're going to go over here, and things for the database go in the database file. And everything sort of starts off right. And then, you know, reality hits. You know, it's time for version 1.5. And some guy says, well, but AI now. We need an AI. It's like, ooh.
Crap, where do I put that? So you kind of stick it in somewhere just to get it working, because the boss says you got to ship this yesterday. What's taking you so long? And a few years go by, and the point is that code notoriously does not evolve well. It just kind of gets stuff hung on it, like barnacles and strange fungus, and it's not good. And so it gets to a point, typically, where at some point you say, okay, wait, we're having a hard time maintaining this because
it just doesn't make any sense anymore. And so we need to refactor it. It basically means sort of just saying, okay, hold on. This thing over here should really go over there. And this one function ended up with so many arguments that nobody knows what it does anymore. So let's break this up into multiple smaller pieces, each of which has a
clearer task. I mean, it's sort of like a rethinking of something big and complex. Okay. So with that background, the title I gave this... This perfect snippet from Twitter, or X, was a perfect summation of where we are today with AI. All right, now I have not seen this. I'm going to scroll up here. And you should read it to yourself. Claude, I just refactored my entire code base in one call. 25 tool invocations, 3,000-plus new lines, 12 brand new files.
It modularized everything, broke up monoliths, cleaned up spaghetti. None of it worked, but boy, was it beautiful. Yeah. Yeah, I've seen that happen, actually. Oh, this is just great. So anyway, this guy, Vaz, is his handle on Twitter, or his name. His actual handle is a lot longer. He dumped some massive code base into Claude 4 and said, fix this. And, oh, it was so impressive.
Of course, it broke his code completely. Yes. He says, but, oh my God, it's just so pretty now. Yeah. Doesn't work. Doesn't work. But, wow. If it did, that would be great. Anyway, yes. Where we are today with our AI. Okay, so the mobile threat hunting security firm iVerify
¶ Exploited iOS iMessage Vulnerability
posted the news of their discovery under their headline, "iVerify uncovers evidence of zero-click," which, you know, is the worst kind, "mobile exploitation in the US." And at that point, it's like, okay, that seems kind of generic. It could be whatever. Then we find out they wrote, "Throughout late 2024," quite recently, "and early 2025, iVerify detected anomalous activity on iPhones
belonging to individuals affiliated with political campaigns, media organizations, AI companies, and governments operating in the United States and the European Union. Specifically, we detected exceedingly rare crashes typically associated with sophisticated zero-click attacks via iMessage,
an exploitation technique previously unobserved in any systematic way in the United States. Subsequent forensic examination of several of these devices ultimately revealed a previously unknown vulnerability in the imagent," I-M-A-G-E-N-T, the imagent process, you know, image agent, so they crunched it together, "process, which, owing to its relative position in the operating system and its functionality,
would provide attackers a primitive for further exploitation. This vulnerability was patched by Apple in iOS 18.3. We've dubbed this vulnerability Nickname," because it's taking advantage of an apparent flaw in iMessage's nickname functionality. They said, "In the course of our investigation, we discovered evidence suggesting, but not definitively proving,
this vulnerability was exploited in targeted attacks as recently as March of this year. Specifically, we learned that Apple sent threat notifications to at least one device belonging to a senior government official in the EU on which we saw the highly anomalous crashes." So some correlation there. We don't know about causation.
"Likewise, one device demonstrated behavior frequently associated with successful exploitation, specifically the creation and deletion of iMessage attachments in bulk within a matter of seconds, on several occasions after an anomalous crash." Again, that's not normal. "We only observe these crashes on devices belonging to extremely high-value targets. And these crashes constituted only 0.0001% of the crash log telemetry taken from a sample across 50,000 iPhones."
They said, "While this evidence does not definitively prove exploitation, it is nonetheless difficult to ignore and merits a public discussion, particularly in light of SignalGate. Our findings suggest it doesn't matter what channel is being used to communicate if the device itself is compromised." And of course, that's what we've been saying all along, right? Even with Signal, if you've got a compromise in the device,
it's before it's encrypted and after it's decrypted on the device. "Our findings suggest it doesn't matter what channel is being used to communicate if the device itself is compromised. Attackers have access to all conversations, regardless of whether those happen over Signal, Gmail, or any secure application. This is why it's crucial
that organizations on the front lines of digital conflict, including the US government, adapt their mobile security models to face modern threats. Our findings have been vetted by multiple independent third parties, including iOS security experts such as Patrick Wardle from the Objective-See Foundation, who have confidence in our conclusion
that mobile compromise is real, not academic or hypothetical, and that it's happening here in the United States." So what exactly are those findings? "So far, we've observed six devices total that we believe were targeted for exploitation by this threat actor, four of which demonstrated clear signatures associated with Nickname,
and two which demonstrated clear signs of successful exploitation." Interestingly, "all of the victims had either previously been targeted by the Chinese Communist Party, the CCP, meaning they were confirmed to have also been targeted by Salt Typhoon; they were engaging in business pursuits counter to or of particular interest to the CCP; or they had engaged in some sort of activism against the CCP."
We don't have enough evidence, they wrote, to make clear attribution or a full view of an exploit chain, but the circumstantial evidence could indicate the CCP. So how does it work?
¶ Technical Details and Apple's Denial
iPhones allow you to set a nickname or avatar for numbers in your contact list. The vulnerability is likely triggered by sending repeated rapid-fire nickname updates to iMessage, which results in a use-after-free memory corruption. And of course, in the last few months, we've extensively looked at the idea of what a use-after-free is and how a race condition could cause something that has been freed to get used before the access to it has completely disappeared.
They wrote, this makes Nickname a good candidate for a primitive to pivot off of as part of an exploit chain. We believe this vulnerability correlates with successful iPhone exploitation due to four concurrent factors. First, the extreme rarity of these specific crash patterns,
less than 0.001% of all crash logs. Second, their exclusive appearance on devices belonging to high-value targets. Third, similarity to crash patterns seen in previously known spyware attacks. And finally, evidence of successful exploitation, including the receipt of at least one Apple threat notification proximal to the observed behavior, and evidence of cleaning behavior. So, is it still active?
Differential analysis reveals the vulnerability was patched in the iOS 18.3.1 release. However, Nickname could be one link in a larger exploit chain. It's possible that there are other elements of the exploit chain that are still active, which is why we're only speaking about the link in the chain that has definitively been patched. We provide a full technical analysis and look forward to sharing any additional material findings when our investigation concludes.
I've got a link in the show notes to their full technical report, which is extremely thorough. And it's important to disclose that Apple is actively contesting this, although, boy, I mean, the evidence surely does point at this. Axios reported Apple has fixed the flaw, which was present in iOS versions through 8.1.1, but disputes that it was ever used to hack devices. Ivan Krstić, head of Apple Security Engineering and Architecture, said in a statement,
"We've thoroughly analyzed the information provided by iVerify and strongly disagree with the claims of a targeted attack against our users." Krstić added... Apple confirmed the underlying Nickname bug but said its own field data from iPhones points to it being a, quote, conventional software bug that we identified and fixed in iOS 18.3. He said, "iVerify has not responded with meaningful technical evidence supporting their claims,
and we are not currently aware of any credible indication that the bug points to an exploitation attempt or active attack. We are constantly working to stay ahead of new and emerging threats and will continue to work tirelessly to protect our users." Okay, so the results are at best ambiguous. On the iVerify side,
if it walks like a duck and quacks like a duck, which this flaw certainly did, then it really would be reasonable to conclude that it's probably a duck. But as we have observed and talked about long ago, back when Kaspersky discovered some of their iPhones containing very similar malware, the very fact that iPhones have been so tightly locked down
actively thwarts the type of post-exploitation forensic analysis that would allow third parties like iVerify to be able to dig more deeply and to help put pressure on and kind of keep Apple honest, if indeed they were not already being. I mean, Apple certainly doesn't want this to be true. Boy, but the circumstantial evidence, which is circumstantial because it's the only evidence you can get, because
these iPhones are so well protected. The trouble is that the stakes in all this, as we know, have been raised to such a high level. iVerify referred to SignalGate in their posting, reminding us of the threat, that high-level classified military operations planning was now known to have been conducted on non-secured civilian smartphone hardware.
They didn't identify who these people were that were attacked, but they were explicit about saying individuals in the U.S., very high-value targets in the United States. They ended their disclosure.
¶ Security for High-Risk Users
with an important reminder, iVerify did. They wrote, iVerify recommends that high-risk users keep their phones updated and turn on Apple's Lockdown Mode, which is designed to guard against spyware. iVerify COO Rocky Cole said that it's likely that Lockdown Mode would have prevented these potential infections. And so that's just a reminder about that, given that all the evidence continues to show,
you know, just consider last month's Pwn2Own competition against fully patched systems, that we still do not currently have the technology or capability to perfectly secure our devices. So having a bifurcated feature set, where fewer features can be offered optionally to obtain greater security,
makes all kinds of sense. It's like Microsoft disabling their Edge browser's JIT, their just-in-time JavaScript compiler, after observing that 80% of their Chromium-based browser's security problems were being discovered in the just-in-time compiler. And with computers having become so fast today, the just-in-time compiler optimization is way less necessary than it once was. So as we recall, they did some experiments where they experimentally turned it off in Edge, and nobody noticed.
And so they thought, well, let's just leave it off, because we have a much more secure browser with it that way. So anyway, no one's ever going to know. There was some reporting, I think it was last week or the week before, where somebody that I was referring to had made the comment that while we don't get details from Apple, they do keep fixing things and rebooting our phones.
Oh, it was about the whole jailbreak, the evolution in jailbreaking and how it was now much less feasible to, like, certainly not as a hobby, you know, offering jailbreaking services. Those days are gone. But the point being, you know, Apple is still releasing super critical, important updates. They don't tell us why or how or what. They're happening. It feels like also, if you really are a high-risk subject, you shouldn't be using a consumer-grade smartphone to begin with, right? Yes. Yeah.
Yeah. As we covered at the time, I think it was Obama who was very upset that they took away his BlackBerry. BlackBerry. He's like, hey. But that's what our security agencies do: they create hardened devices for this. Yeah, and they're much less fun to use. Yeah, sure. Yeah, of course they are. Yeah, it's just they don't have all the bells and whistles and goodies, because
every extra goody is one more opportunity for exploitation, as we well know. Okay, so I've got two quick bits that should serve to remind us, and that's just why I'm doing this, that
¶ NPM Open Source Under Siege
the open source library system is more or less under constant attack, which is, you know, Leo, where we say why we can't have nice things, because really, you know, gosh. Okay. So the Node JavaScript package manager, NPM, its facility description reads, just to remind everybody, "Relied upon by more than 17 million developers worldwide, npm is committed to making JavaScript development elegant, productive, and safe.
The free npm registry has become the center of JavaScript code sharing and, with more than 2 million packages, the largest software registry in the world. Our other tools and services take the registry and the work you do around it to the next level." Great. And of course, Claude Code is installed, as are many tools, through NPM. Right. So if you're doing vibe coding, you probably use NPM. And I mean, the concept
of a huge repository of useful libraries where you can say, oh, I need a regex parser, grab it from here; oh, I need a background log writer, oh, grab it from there. And, you know, you piece together a package using the well-intentioned and hopefully proven work of many other authors in order to glue together solutions much more easily. Unfortunately, its openness is also its challenge. The first piece of news that caused me to pause here was:
84 malicious NPM packages were discovered and taken down last week. The advisory said, check out the GitHub security advisory portal for more details. This also includes two packages spotted by Socket that would wipe production systems. Almost as well as an AI can. Nasty. Yeah. Almost as bad as asking AI to refactor our code, please. It used to work. I hope there's an undo on this. The second piece of news was a threat actor has compromised 16 NPM libraries from the GlueStack UI framework.
The attacker compromised a GlueStack admin's account, adding a remote access Trojan to the libraries, and pushed updates on Friday. The affected packages are extremely popular and have almost one, get this, Leo, one million weekly downloads. Aikido Security says the attacker is the same threat actor behind another supply chain attack on the rand-user-agent package last month. Oh, we talked about that. Yeah. Yeah.
And I have a snippet from Aikido Security's posting in the show notes. They note: Active NPM supply chain attack, 1 million weekly downloads. They wrote, today we uncovered a rapidly evolving supply chain attack targeting GlueStack packages on NPM. More than 15 packages compromised so far. Nearly, again, 1 million weekly downloads. Malware includes a full-featured remote-access Trojan. Lovely abbreviation is RAT. Of course, the latest package was compromised just one hour ago,
before their, one hour previous, you know, before their posting. Wow. The same threat actor behind the rand-user-agent attack is now targeting UI-focused packages like @react-native-aria and @gluestack-ui/utils and more. The malware gives attackers the ability to run shell commands, upload files, persist across, even after update, I'm sorry, persist access even after updates. This could have a massive impact, particularly for mobile developers using React Native.
So developers, check your dependencies now. Security teams, review access logs for anything suspicious. They said, as they finished, we're tracking this live, so we will give updates. So, you know, this is another PSA. In this case, it's a programmer service announcement reminding and cautioning all of our listeners who may be availing themselves
of the true value. I mean, this is the problem, is this stuff is really valuable. So there's a strong interest in going there and using it. This true value of shared open libraries, to nonetheless always remain vigilant and aware that not everyone who places code there is motivated by altruism. Are there... silly question. Libraries like this for assembly language? Any assembly language package repositories? It's funny, because there's never been a market, believe it or not.
In the early days, there were a couple assembly language libraries. Like macro libraries or something. Yeah. And the floppy disk and later a CD bound into the back cover. And it was like some well-meaning programmer sat down and wrote a toolkit. Here's a bunch of things to put text on the screen. Here's a bunch of sorting routines. Here's a, you know, this, this, and that, just sort of a hodgepodge. But after selling two copies, the publisher decided that Gibson bought them both.
Okay. You know, that's one of the reasons I like Common Lisp. There's nobody messing with the Common Lisp package libraries. There's a good one called Quicklisp. There's a new one called Ultralisp, but I don't think... It's not a target-rich environment, shall we say. No. It's why I kept my realtor on Windows 98 for so long. Yeah. Because she was worried about viruses, and I said, Judy,
you have different DNA in your computer. Viruses don't know. They look at that and go, where am I? They don't care. I don't want this person. Time for a break. I'm going to wet my whistle. And then we're going to look at what happened with Comcast and Digital Realty. I didn't know about Digital Realty. They're a massive data center provider. It turns out that AWS and Google and those guys, they subcontract their space. That's a good business, if you think about it. You want to make money?
Don't be a gold miner. Be the guys who make the picks and shovels. Yeah. We'll get to that in just a second. But first, a word from Bitwarden. You know I love talking about Bitwarden, the trusted leader in password management. Yes,
¶ Bitwarden Password Management and Passkeys
but of course we got to include passkeys now. All my passkeys are in Bitwarden. I am so thrilled more and more sites are using passkeys. It makes me so happy. They're also good for secrets management if you're a developer. You know you have a lot of API keys and secrets and stuff. And gosh, how close have you come to committing it in public to GitHub, right? I know you have, because so many people do. And you've stopped.
If you store them in Bitwarden, you don't have to worry about it. SSH keys too. Bitwarden is consistently ranked number one in user satisfaction by G2 and Software Reviews. More than 10 million users across 180 countries. And this is something maybe you didn't know. Of course, we know Bitwarden is great for individuals. 50,000 businesses too. It's great in business. Oh, and if you're traveling, Bitwarden Password Manager can make your travels safer and easier.
Do what I do. Add your passport to your vault for easy access to, I don't know, tax-free shopping. Secretly share your hotel or locker code with your travel partner. There's a lot of stuff, as you're traveling around, you'd want to keep on your phone, you want to keep with you, but you don't want just anybody to see it. I got my driver's license, my Social Security, my passport. It's all in Bitwarden.
Let's say you're at an airport or hotel and you want to use the Wi-Fi. Take proactive steps to secure your data, encrypt it, right, with Bitwarden, and protect against cyber threats. And by the way, only connect to the official airport Wi-Fi network, okay? And if you're using Bitwarden, turn on autofill for credentials, because then you don't have to worry about automatically filling a phishing site with your password. That's a very nice feature.
Prevent your device from automatically reconnecting to public Wi-Fi by forgetting the network in your device's settings after use. This is just good advice. Avoid downloading files or clicking unfamiliar links or accessing sensitive personal or work accounts while connected to public Wi-Fi. It has nothing to do with Bitwarden,
you know what, they care about you. They want to keep you safe. Students are now mostly online, right? They spend time learning and doing homework, but also socializing and gaming. I think kids nowadays spend 90% of their time online. And with all this comes, of course, many accounts, many passwords. And you may have a smart student in your family or in your friend group.
Even if the student knows the security risks, a lot of times convenience takes precedence. Kids, you know, they feel invulnerable. Make sure the young people in your life have a password manager like Bitwarden. It generates unique, strong passwords that are only used once, on every site. Students can use them, access them from any device. And by the way, Bitwarden is free for individuals because it's open source.
Now, Steve and I, I think, pay the $10 a year for the supporter badge, but it's free forever for individuals: unlimited passwords, passkeys, hardware keys, all of the features I just talked about. And by the way, tell the kids, this is going to help your job prospects when you get out of school. Cybersecurity skills are in high demand. Potential employers will appreciate
employees with a solid understanding of password management. You know, if I were an employer, I'd put that on the interview. Do you use a password manager? I would certainly want to know that before I hired anybody. And good news in business and anywhere, Bitwarden setup only takes a few minutes. You can import from most password management solutions automatically. And as I always hammer in, I think any time you use cryptography, it should be open source.
Bitwarden is fully open source, GPL licensed. The code's on GitHub. Anyone can look at it. And of course, they always, every year, bring in third-party experts to assure you that it's exactly as safe as they can make it. They meet SOC 2 Type 2, GDPR, HIPAA, CCPA compliance, ISO 27001-2002 certs.
Get started today with Bitwarden's free trial of a Teams or Enterprise plan, or get started for free across all devices as an individual user. Get those students, the young people in your life, an account. Do them a favor. Tell them it'll help you get hired. bitwarden.com/twit. In your business, if somebody, if an employee, future employee, prospective employee says, I use Bitwarden, you know they're good. bitwarden.com/
twit. We thank them so much for their support of the good works that Steve does here at Security Now. Okay. So I was scanning reports
¶ Telecom Breaches and Lack of Disclosure
of a possible undisclosed breach of Comcast and the major data center enterprise digital realty when I encountered this comment. quote, inside two major U.S. telecom operators, incident response staff, Leo, are you sitting down? Incident response staff have been instructed by outside counsel. Not to look for signs of salt typhoon. As a Comcast user, we're using it right now.
I'm a little disturbed. Perturbed. Inside two major U.S. telecom operators, incident response staff have been instructed by outside counsel not to look for signs of Salt Typhoon, said one of the people, declining to name the firms because the matter is sensitive. Because he wouldn't want to find it. Gee, you think? So that's what has evolved from the intersection of big business, cybersecurity and legal accountability. The reporting is from NextGov's cybersecurity reporter. The headline of the story was U.S. Agencies Assessed Chinese Telecom Hackers Likely Hit Data Center and Residential Internet Providers. Now, this headline teases us with the phrase U.S. agencies, which begs the question, which U.S. agencies made this assessment? To that end, the reporting says two U.S. security agencies listed mass media provider Comcast and data center giant Digital Realty among companies likely ensnared by a Chinese hacking group previously found inside major U.S. and global telecom operators, according to three people familiar with the matter. So triple-sourced reporting. And guess who those two U.S. security agencies are? The National Security Agency. Yes, our NSA, they wrote, made the determination that Comcast had likely been impacted by the group known as Salt Typhoon, according to two of the three people. The Cybersecurity and Infrastructure Security Agency, our illustrious CISA, cataloged Digital Realty as being potentially compromised, the third person said. The people spoke on the condition of anonymity to discuss the matter's sensitivity. Salt Typhoon breached major telecom carriers in a global, multi-year espionage campaign uncovered last year.
Over time, news trickled out about the scope and scale of the incident, which was first reported by the Wall Street Journal. The hacking unit is part of a broader syndicate of state-backed groups tied to different military and intelligence arms of China's central government. The typhoon moniker comes from a Microsoft naming convention for Beijing-linked cyber actors. Such intrusions, especially into a data center environment, could give the hackers a potentially far deeper foothold into infrastructure supporting the world's information service providers than previously known. This is what was really creepy about this. I hadn't really considered that data centers offer
a different view than telecom providers. They wrote, the agencies' assessments have not been previously reported. There's uncertainty among officials about who was impacted by Salt Typhoon. Various agencies across the U.S. government are in possession of lists. CISA, for instance, is in possession of a list of both telecom and information technology companies, but an FBI tabulation shows different entities.
¶ Salt Typhoon Scope and Response
And here it comes. They wrote, making investigations into the breach more complicated is that multiple telecom providers have invoked legal strategies to protect themselves from disclosing compromise by the hackers. And this is what I quoted that caught me, that just brought me up short. Inside two major U.S. telecom operators, incident response staff have been instructed by outside counsel not to look for signs of Salt Typhoon, said one of the people, declining to name the firms because the matter is sensitive.
Yeah, I bet it's... So yes, now we have deliberate and internally formalized heads-buried-in-the-sand strategies in place, because employees, after all, may be deposed under oath. I hope that any cross-examining counsel has the presence of mind to ask whether they were ever instructed by anyone to avoid looking for signs of external intrusion, not just whether they are aware of any signs of external intrusion.
The article continues: one of the sources said that having been assessed as likely victims... oh, and I should just mention, it might be that the external counsel knows that cross-examining counsel might ask them just that. Were you ever instructed not to look? And that, when you think about it, saying, yes, I was instructed not to look, is probably less damaging than looking and finding. That is, it's like, better to say, yeah, my bosses told me don't look. So, whoops, I don't know. It's probably better not to know. I mean, even to admit that you were told not to look, than if you did look and then had to say, yeah, and I did find evidence that we were compromised. Think about it. That's probably more damaging. What a world. One of the sources, they wrote, said that having been assessed as likely victims, CISA representatives should have contacted Digital Realty and Comcast multiple times since December. It's not clear whether consistent back-and-forth communications were established. CISA tends to initiate outreach to potential victims when it's believed their networks are compromised, according to another person familiar with the cyber defense agency's notification process. Now, of course, a new concern this year is that CISA has recently suffered a significant and controversial reduction in personnel as a result of the job cuts enacted by DOGE. In the same way that it's impossible to prove a negative, it can be challenging to justify the presence of staff whose job is to prevent trouble, right? It's like, well, they're here to prevent trouble. Of course, this is the problem. This is a familiar problem. It's one that corporate CISOs also face.
But on a government agency scale, in the case of CISA, someone challenges, what are all those people doing over there? To which the reply is, well, they're keeping an eye on things, which is then followed by the difficult-to-defend challenge: so why do we need so many of them? Right. You know, I don't know. So as all of our listeners will appreciate, CISA, as we've often said on this podcast, has been doing a surprisingly tremendous job since it really got rolling a few years ago.
I've often commented that I've been surprised by how proactive and effective it has been, especially considering that it's a government agency. So I hope, I sincerely hope, these cutbacks will not compromise that. It's probably impossible to accurately gauge, since we cannot know how things would have been with a significantly smaller CISA. We'll just need to watch and see.
The reporting continues, writing, a Comcast spokesperson told NextGov, quote, we've worked with law enforcement and government agencies and have closely monitored our network. So this is Comcast speaking. We have found no evidence that Salt Typhoon has impacted our enterprise network, unquote. An intrusion into either provider could carry significant national security risks. Comcast, they write, facilitates Internet access for millions of users and businesses, while Digital Realty hosts troves of physical infrastructure used by telecom operators, cloud providers, and governments to route global web traffic. A CISA spokesperson said, quote, for their part, declined to comment, and the FBI did not respond to a request for comment. Digital Realty did not return multiple requests for comment.
¶ Attack Entry Methods and Data Centers
NextGov reported in December that hundreds of organizations were notified, hundreds of organizations were notified, of potential Salt Typhoon compromise. Last month, CyberScoop reported that CISA and the FBI devised a coordinated notification campaign to alert affected companies and help them deter the hacks. The FBI concurred with other agency assessments that the Salt Typhoon attacks, broadly speaking, are the most egregious national security breach in U.S. history by a nation-state hacking group. Marc Rogers, a seasoned telecommunications cybersecurity expert, said, quote, a breach of Comcast and Digital Realty would confirm what many of us in the cybersecurity industry already suspected, that the Salt campaign was broader than just telcos, and we have low confidence the attackers have been evicted. NextGov obtained an internal CISA list of communications sector hardware and software products found to have been exploited by the China-linked hacking groups. Of several listed, one of those vulnerabilities, first discovered in 2018, was found in MikroTik routers, and some of the software flaws exploited by Salt Typhoon were first disclosed in 2018, the same year as the MikroTik router flaws. Marc Rogers said, something that isn't being talked about enough is that the initial way in which these attackers got in was simple flaws, like eight-year-old vulnerabilities and credential theft. Instead of talking about ripping and replacing, we should be looking at why we aren't simply patching and maintaining our existing critical infrastructure. Eric Hanselman, the chief technology, media, and telecommunications research analyst at S&P Global Market Intelligence, explained that, quote, Chinese access into data center and co-location firms would provide the hackers with a different target set compared to messaging services operated by traditional carriers. This is him speaking. The additional risk created would be they're gaining the ability to monitor intra-service and intra-application communications traffic that does not normally traverse the internet backbone. That could include storage traffic moving from co-location environments into cloud, or traffic moving from hosted environments into on-premises infrastructure. That traffic might have less robust protections, as it's not traversing the open internet. In other words, it might all be behind firewalls.
So where we trust everybody inside, behind the firewall. Digital Realty, writes NextGov, has over 300 data centers. This was a surprise to me. Digital Realty has over 300 data centers across 25 countries and 50 metropolitan areas, according to a company marketing webpage. They list Amazon Web Services, Google Cloud, IBM, Microsoft, and NVIDIA among their clients.
The company is considered one of the largest data center co-location providers in the world, housing the physical systems where cloud and telecom networks exchange data. And they're believed to have been compromised. Eric Hanselman said, we can reasonably assume that these attackers already have sufficient access into Internet infrastructure and are looking to expand the depth with which they can monitor other activities that are taking place within data center environments.
Comcast's broadband and data and cable customer base is around 51 million, while its total wireless customer count totals around 8.1 million, according to recent earnings data.
¶ Persistent Threats and Oversight
It's widely believed that Salt Typhoon has still not been excised from telecom systems, despite public statements from companies saying otherwise. On the other hand, they've been told not to look too closely. On Thursday, they write, well-known Republican Senator Josh Hawley said in a Senate Homeland Security Committee hearing that the hackers are still inside.
He said, quote, if a foreign actor chose to concentrate on any member of the audience here, we were told behind closed doors, of course, but what we were told is that foreign actors basically have unlimited access to our voice messages and our telephone calls. President Donald Trump, Vice President J.D. Vance and a range of U.S. officials had their calls and texts directly targeted by Salt Typhoon hacks. The cyber spies accessed providers' lawful intercept systems. Wow. And remember that, as we previously saw, Salt Typhoon's apparent way into these major telecom backbone providers was not rocket science nor advanced Pwn2Own-style elite hacking. It was simply that somewhere, within telecom's sprawling and largely out-of-control infrastructure, somewhere, there were older, unpatched systems still online with known vulnerabilities. The reporting says a spokesperson for the House China Select Committee said in an email, if these reports are accurate, they point to yet another serious and deeply concerning example of the Chinese Communist Party targeting America's digital infrastructure, and noted that, quote, the panel has repeatedly warned about the CCP's efforts to exploit access points into our communications networks, and this apparent breach reinforces the urgent need to harden our defenses. In March, the House Homeland Security Committee's Republican Representative Mark Green of Tennessee sent a request to DHS asking the agency to transmit internal documents about Salt Typhoon and another Chinese hacking unit, Volt Typhoon. Green said in a statement to NextGov, quote, every new detail that emerges surrounding the Salt Typhoon intrusions teaches us the lengths Chinese-backed hackers will go to undermine the integrity of our critical infrastructure, our U.S. sovereignty, and the privacy of Americans. Green said this is in reference to recent testimony from DHS Secretary Kristi Noem saying CISA is lacking detailed information about the telecom hacks. Okay, it's difficult not to wonder whether some additional manpower at CISA might help. Green added, my colleagues and I on the committee share this concern, which is why we sent a letter in March to examine the previous administration's response to the Volt and Salt Typhoon intrusions.
Now, I was about to comment on that, that is, that they were sending a letter about the previous administration's responses, when I saw that NextGov's reporting had already done so. They wrote, the Cyber Safety Review Board, a DHS body that was dismissed at the start of the Trump administration, was in the middle of investigating the Chinese telecom hacks.
Lawmakers have called for it to be reinstated. CISA has also been mired in budget plans to slash significant parts of its workforce and operations. So I hope that CISA will be able to recover and rebuild whatever effectiveness it may have lost. It seems pretty clear that, unfortunately, private industry is unwilling to expend the cost and effort required to fully secure its own business operations. They'd rather have their attorneys say, oh, don't tell anybody. But we'd like you not to look too closely, because you could be put under oath and cross-examined, and we would rather have you say we were told not to look than we looked and found evidence of Chinese intrusion into our enterprise. When the public depends upon the security of those operations, there is clearly a legitimate need for oversight, for regulation, which can only come from the government.
and for accountability that apparently needs to be imposed by the government. So let's hope we get that.
¶ XChat Encryption Issues Analyzed
Matthew Green, our illustrious cryptographer, says, well, he concurs. I mentioned briefly in passing last week that someone named Matthew Garrett had looked at the encryption mechanisms underlying X's supposedly new, all new, remember, rewritten in Rust, end-to-end encrypted XChat DM, you know, direct message, facility and had decided that it was no better than the old one. He shared Elon's declaration about how it was written in Rust, and unfortunately, it turns out it's still written in C and C++.
Since then, Matthew Garrett's posting came to the attention of another Matthew. This Matthew was none other than the renowned Johns Hopkins University cryptographer Matthew Green. This Matthew is well known to this podcast. So this Matthew's posting last week, titled A Bit More on Twitter/X's New Encrypted Messaging, is of interest.
Matthew's post is longer than we need, and I've included a link to the entire thing in the show notes. So I'm just going to share his relatively short bullet-pointed introduction and summary, which really tell us as much as we need. So he wrote, Matthew Green posted, Matthew Garrett has a nice post about Twitter/X's new end-to-end encrypted messaging protocol, which is now called XChat. The TLDR of Matthew's post is that, from a cryptographic perspective, XChat is not great. The details are all contained within Matthew's post, Matthew Green writes, but here's a quick TLDR from Matthew Green. First, there's no forward secrecy. Unlike Signal Protocol, which uses a double ratchet to continuously update the user's secret keys, the XChat cryptography just encrypts each message under a recipient's long-term public key. The actual encryption mechanism is based on an encryption scheme from libsodium. Second, user private keys are stored at X. XChat stores user private keys at its own servers. To obtain your private keys, you first log into X's key storage system using a password, such as a PIN. This is needed to support stateless clients like web browsers. And in fairness, he writes, it's not dissimilar to what Meta has done with its encryption for Facebook Messenger and Instagram. Of course, those services use hardware security modules. And third, he says, X's key storage is based on Juicebox. To implement their secret storage system, XChat uses a protocol called Juicebox. Juicebox shards your key material across three servers, so that in principle, the loss or compromise of any one server won't hurt you. Okay, so...
And we've talked about key sharing schemes in the past, where a key is broken up into pieces so that no one person has the entire key and you need some number of individuals to all come together in order to reassemble the original key. This sounds like what Juicebox is doing. So our Matthew Green writes, Matthew's post correctly identifies that the major vulnerability in X's system is this key storage approach.
If decryption keys live in three non-HSM servers that are all under X's control, then X could probably obtain anyone's key and decrypt their messages. X could do this for their own internal purposes, for example, because, he writes, their famously chill owner got angry at some user, or they could do it because a warrant or subpoena compels them to. If we judge XChat as an end-to-end encryption scheme, this seems like a pretty game-over type of vulnerability.
And he says, so in a sense, everything comes down to the security of Juicebox and the specific deployment choices that X made. Since Matthew wrote his post, writes Matthew Green, I've learned a bit more about both of these. In this post, I'd like to go on a slightly deeper dive into the Juicebox portion of X's system. This will hopefully shed some light on what X is up to and why you should not use XChat. So the bottom line is that Matthew Green concurs with Matthew Garrett, which is to say that no one should consider any encrypted messaging system to be securely end-to-end encrypted when such a system externally stores, on its users' behalf, their private keys. Now, a perfect example is Apple's currently controversial Advanced Data Protection. What it explicitly does is give its users discretionary control over whether or not a copy of their private key is also retained by Apple.
Allowing that enables additional features, but it also enables Apple to similarly respond to court-ordered subpoenas. In the case of Advanced Data Protection, if that's not what you want, and if you're not in the United Kingdom, and all of your devices are running Apple OSes that support ADP, you know, iOS or iPadOS 16.2 or later in the case of iPhone and iPad, then you can turn that on.
And a new private key Apple has never seen will be created and shared only among your iDevices. So no one should confuse Apple's state-of-the-art encryption technology, and for that matter Signal's, with what Elon is peddling. I'm not suggesting that anyone necessarily needs end-to-end encrypted DMs. But everyone should be aware that they're not really available there to the same degree they are elsewhere, nor, for that matter, are they available on Facebook Messenger or Instagram, which, as Matthew Green notes, similarly stores its users' private keys in their own data centers in order to enable the features that are necessary. Leo, we're at an hour in. I want to talk about what we learned about Telegram. Let's take our third break.
¶ Email Security with Material
Indeed, we shall. Thank you, Steve. This is a good time to mention that this portion of Security Now is brought to you by Material. Because you know what? When it comes to security, you need security in your email, don't you? Material is the multi-layered detection and response toolkit for email. Nowadays we all, you know, have a cloud office, right? We use Google Workspace, maybe use Microsoft 365. It's the heart of your business. But the problem is, traditional security tools don't really know about that. They treat email and documents as kind of afterthoughts, which means your most critical assets are exposed. Material transforms cloud workspace protection with a revolutionary approach. It goes beyond traditional security paradigms.
Dedicated security for modern workspaces ensures purpose-built protection specifically designed for Google Workspace and Microsoft 365. You get complete protection across the entire security lifecycle. That means defending your organization before, during, and even after potential incidents, not just attempting to block them or prevent them. Material allows you to scale security without scaling your team, because your team is now using intelligent automation to multiply their impact. It's a force multiplier. They provide security that respects how people work, eliminates the impossible choice between robust protection and productivity. And it's all very cleverly done. Turns out Google Workspace and Microsoft 365 have very robust APIs that allow Material to protect you without having you send your data through Material. Material delivers comprehensive threat defense through four critical capabilities. Phishing protection: they have AI-powered detection that identifies sophisticated attacks, again, API-based. They also help you with data loss prevention: they have intelligent content protection and sensitive data management.
They will help you with your posture management, identifying misconfigurations and risky user behaviors. And, of course, identity protection, comprehensive control, we were just talking about it, over access and verification. You know who uses Material? Figma. I love this. The head of security of Figma, they're a design firm, right? He said, quote, it's rare to find modern security tools with a pleasant, usable UI. Being at Figma, we're obviously attracted to well-designed interfaces, and Material's interface was just so smooth and so slick. And that's because of their secret sauce: API-based protection. From automatic threat investigation to custom detection workflows, Material converts manual security tasks into streamlined, intelligent processes. It provides visibility across your entire digital workspace, which means your security team can focus on strategic initiatives instead of endless, pointless, sometimes, alert triage. Protect your digital workspace. Empower your team. Secure your future with Material. Go to material.security. You can learn more and book a demo. That's material.security. This is a modern way to protect yourself and very, very effective in this modern time where we're all kind of living in the cloud. Material.security. Thank you, Material, for supporting Steve Gibson.
I'm so jealous of that top-level domain. Isn't that great, dot security? How much? It's insanely expensive. Yeah, of course. I think it was like $25,000 a year. Oh, that's nothing, dude. Crazy. What would you do? grc.security? I don't know. No, I don't really want it. I love grc.com. It's pretty darn good. Yeah, you know, those three-letter TLDs are even more expensive. Yeah. Oh, I get offers all the time. Sure. Yeah. Okay, so
¶ Telegram Network Infrastructure Risk
I also recently mentioned that Telegram's encrypted privacy had recently been called into some question when Russian citizens who were supporting Ukraine, naughty Russians, were being arrested and convicted by Russia's FSB. It turns out that the culprit might not be any weakness in Telegram's encryption. It's a little questionable, but it's probably good enough. It could instead be a compromise of its network infrastructure.
In other words, there may be some leakage of messaging metadata. And we've talked about metadata a lot. We know that it can be notoriously difficult to prevent metadata leakage. You know, it's why we've gone to all the lengths of creating the Tor network. And it turns out, you couple that with the fact that Telegram's network infrastructure appears to be directly under Russia's control, that's a problem for privacy. So this could explain how people are getting in trouble for who they contact, without needing to see inside their messages. I'm not going to spend any more time on this, because this brings us to another of those: I wouldn't use Telegram in any event if you really care about privacy, but apparently it is worth noting that Telegram's networking infrastructure is entirely under the control of at least Russia sympathizers. I've got a link to extremely detailed coverage of this in the show notes for anyone who wants more. The report is titled, Telegram, the FSB, and the man in the middle: the technical infrastructure that underpins Telegram is controlled by a man whose companies have collaborated with Russian intelligence services. So again, who you connect with can be just as damning as what you say during that connection,
especially if you're in Russia and you're connecting to a Telegram contact that supports the Ukraine, apparently. So don't do that. OK, Leo, here's where I need to control my, my, my language.
¶ Outlook Blocking File Types
Bleeping Computer. I want to hear what this AI figured out about your opinion about Microsoft. Oh, yeah. We're going to get there in a second. Bleeping Computer brings us the news that, starting in July, so next month, starting next month, sometime next month, Microsoft Outlook will be blocking two additional file types. Bleeping Computer reported Microsoft announced
It will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month. The company said in a Microsoft 365 Message Center update that Outlook will block .library-ms and .search-ms file types beginning in July. Microsoft said, quote, as part of our ongoing efforts to enhance security in Outlook Web and the new Outlook for Windows, we're updating the default list of blocked file types in OWA mailbox policy starting in early July 2025. The .library-ms and .search-ms file types will be added to the blocked file types list.
¶ Rant: Why Allow .library-ms Files?
Windows library files, .library-ms, which define virtual collections of folders and files in the Windows file system, were used earlier this year in phishing attacks targeting government entities and private companies to exploit a Windows vulnerability, CVE-2025-24054. Okay, now let me just pause here for a moment to say that if I didn't know that we have many young people listening to this podcast with their parents while they're on their way to school in the morning, as well as in many other settings, and that those parents have grown to trust me to keep the colorfulness of my language under control for those young ears, at this point I would loudly expand upon the well-known abbreviation WTF. Why in the world Microsoft would have ever, by default, ever considered allowing any email client, which inherently, think about it, inherently presents as large an attack surface as any web browser, and which is being constantly bombarded with unwanted and potentially malicious content, to handle .library-ms files, which we are now told define virtual collections of folders and files? I've been in this business, as have you, Leo, since long before it was a business. And I've never seen a .library-ms file. How is it that this is a file type that all Outlook users' clients should have ever been able to open? And how can that possibly be addressing the need that anyone has in email? It's just utterly unbelievable to me, as it should be equally unbelievable to anyone trained in the practice of cybersecurity. How many times have we talked about the security benefit that flows from first blocking everything by default, and then only allowing selected, known safe and needed content through any security perimeter?
Email is a security perimeter. This is unbelievable. I'm so surprised by this, because any rational, security-aware design would never be permitting the reception and handling of, by default, any wacky file type somebody at Microsoft might come up with in the future. Which is apparently what happened here, because that file type didn't exist in the past. Ah, that's why they didn't block it. Okay.
But they shouldn't be. They shouldn't be. Unless we know it's bad, we're going to let it through. You're saying it should be a whitelist, not a blacklist. Yes. It's a security perimeter. Email is getting bombarded with all kinds of crap. Okay. Take a deep breath, Steve. So what about this other file type? Bleeping Computer tells us
¶ Delayed Blocking of .search-ms
The .search-ms URI protocol handler has also been exploited in phishing and malware attacks. Get this: since at least June of 2022. Oh, that's a long time. That's three years. Yes.
When Hacker House co-founder and security researcher Matthew Hickey found that it could be used to automatically launch Windows Search windows on recipients' devices to trick them into launching malware when chained with a Windows Support Diagnostic Tool (that's MSDT) remote code execution vulnerability, CVE-2022-30190. Well, isn't that just peachy? What year was that? Oh, yeah, 2022. So it only took Microsoft, what, three years to finally announce that.
Next month, not this month, no, next month, they plan to start blocking this other unneeded and clearly abuse-prone file extension. Bleeping Computer reports that in Microsoft's announcement, Microsoft wrote, quote, the newly blocked file types are rarely used, except by hackers and malware and bad guys who just love using them. So most organizations, they say, will not be affected by the change.
However, if your users are sending and receiving affected attachments (yeah, like when did anyone ever get a .search-ms attachment in email?), they will report that they're no longer able to open or download them in Outlook Web or the new Outlook for Windows. Apparently, the old Outlook for Windows is screwed. You're still going to get those. No action is required if your organization does not rely on these file types.
If your organization does rely on these file types, you've got a different set of problems. The update will automatically apply to all OWA mailbox policies in your organization. If your organization needs to allow these files, you can add them back to the AllowedFileTypes property of your users' OWA mailbox policy objects before the rollout. Why not just have that always been that way? If your organization needs one of these wacky, no-one-has-ever-heard-of-them file types, then turn them on
for, you know, your people, and good luck to you, rather than exposing the rest of the world to this nonsense. Bleeping Computer then explains:
You can find the complete list of blocked Outlook attachments (it's apparently a very short list) on Microsoft's documentation website. Enterprise users with a Microsoft Exchange Server account can ask Exchange Server administrators to adjust security settings for their mailboxes to accept attachments blocked by Outlook if they can't be shared as an archive using a different extension or using OneDrive or SharePoint.
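Added by the editor, not from the podcast, Bleeping Computer, or Microsoft's announcement: the Exchange Online PowerShell cmdlets behind the policy objects just mentioned. Every OWA mailbox policy carries a BlockedFileTypes list, an AllowedFileTypes list, and an ActionForUnknownFileAndMIMETypes setting that decides what happens to an extension on neither list. The audit below reports any policy whose unknown-type action is still Allow (the blacklist posture Steve is objecting to), switches it to Block (the whitelist posture), and makes sure .search-ms is explicitly blocked rather than explicitly allowed. It assumes an already-connected Exchange Online PowerShell session (Connect-ExchangeOnline) and an account permitted to modify OWA mailbox policies; the list of risky extensions is the editor's.

```powershell
# Added example (editor's code, not Microsoft's). Assumes Connect-ExchangeOnline
# has already been run with an account allowed to change OWA mailbox policies.

# Extensions that must never be openable from OWA. Only .search-ms is discussed
# above; extend the list for your own environment.
$RiskyExtensions = @('.search-ms')

foreach ($policy in Get-OwaMailboxPolicy) {
    $name = $policy.Identity

    # 1. Blacklist vs. whitelist posture: what happens to an extension that is
    #    on neither list? 'Block' is the whitelist behaviour; 'Allow' lets any
    #    future, not-yet-known type straight through.
    if ($policy.ActionForUnknownFileAndMIMETypes -ne 'Block') {
        Write-Warning ("{0}: unknown attachment types are '{1}', not blocked" -f `
            $name, $policy.ActionForUnknownFileAndMIMETypes)
        Set-OwaMailboxPolicy -Identity $name -ActionForUnknownFileAndMIMETypes Block -WhatIf
    }

    # 2. Make sure each risky extension is explicitly blocked, and not sitting
    #    on the allowed list where a later policy edit could resurrect it.
    foreach ($ext in $RiskyExtensions) {
        if ($policy.AllowedFileTypes -contains $ext) {
            Write-Warning "$name explicitly allows $ext"
            Set-OwaMailboxPolicy -Identity $name -AllowedFileTypes @{Remove = $ext} -WhatIf
        }
        if ($policy.BlockedFileTypes -notcontains $ext) {
            Write-Warning "$name does not block $ext"
            Set-OwaMailboxPolicy -Identity $name -BlockedFileTypes @{Add = $ext} -WhatIf
        }
    }
}
```

The -WhatIf switches make the script report-only; remove them to apply the changes. Run it again after Microsoft's rollout: the rollout adds .search-ms to BlockedFileTypes for you, but it does not change ActionForUnknownFileAndMIMETypes, which is the setting that determines whether the next never-before-seen extension is allowed or blocked.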
¶ Microsoft Addressing Insecure Defaults
This move is part of a much broader effort, apparently which Microsoft has just initiated, to remove or secure and turn off Office and Windows features that have been abused and exploited to infect Microsoft customers with malware. Wow. What a concept. I'm shocked. We'll see what AI thinks about this rant. It started in 2018 when Microsoft expanded support for its Antimalware Scan Interface, AMSI,
to Office 365 client apps. Apparently, you know, they haven't had anybody looking at this ever since 2018. Somebody woke up and said, oh, look, let's add some more stuff to the AMSI to block access using Office VBA macros. Since then, the company began blocking VBA Office macros by default. Another great jump, a leap for security. Disabled Excel 4.0 XLM macros. I remember covering that. Yay. Introduced XLM macro protection. We even gave it a nice name. And started blocking untrusted XLL add-ins
by default, because what could an untrusted XLL do? Wow. Microsoft also announced in May 2024, so a year ago, it would kill off VBScript and disabled all ActiveX controls in Windows versions. Boy, you know, I don't know. Again, it is truly, I mean, really inexplicable that Microsoft has been so utterly lame about the security of their email clients on the desktop and in the cloud. The only rational explanation
is this was all originally put in place by engineers who had zero training in security. Hubris is the only explanation for a policy of allow everything to run by default. It is the exact equivalent of having an allow-all firewall policy and believing that it could ever be secure to only block the dangerous ports. Nobody does that. Haven't for a long time. Microsoft's just beginning to wake up
to this and say, oh, look, three years ago, people began exploiting the .search-ms extension, which nobody has ever needed or uses, but which Microsoft says, oh, look, let's open that. My God. Okay. Take a deep breath. I mean, yeah, I can't think of any reason. I mean, one thing would be that engineers say, well, you should just be able to send anything you want. Why wouldn't you? Yeah, what could possibly go wrong? All of our code is perfect. We never have any flaws. Just ignore those 125
critical updates that we had last month, and the next 150 that we've got planned for this coming month. Really, those are just exceptions. Besides, none of those were .search-ms. So, you know, this wouldn't have helped anyway. It's unbelievable. I mean, again, that all should be turned off. And if, for some bizarre reason, some enterprise has to send, I don't even know, virtual folders and directories through email...
Email? What, not through email? Never. No, I mean, that's what this does, .whatever-that-was. It's unbelievable. I'm looking forward, Leo, to October, when they stop messing with Windows 10 and will just leave it alone. And then it'll have a chance to settle down, and then we can just keep using that. That'll be good. Okay. I don't need any more coffee. That's for sure. As we were recording
¶ 40,000 Open Online Cameras
last week's podcast, Leo, you encountered the news of 40,000 (four, zero, zero, zero, zero) cameras having been found online. Now this raised a bunch of questions, the first of which was probably what sort of exploit might have been needed to hack into and compromise such a huge inventory of Internet-connected cameras. And the answer, it turns out, is none. All 40,000 of these video cameras are simply online and wide open, viewable by anyone, anywhere, anytime.
The news of this came from BitSight, an internet scanning company that offers to keep an eye on the IPs and ports of its own clients to let them know when anything like this might be happening to them. In BitSight's report they wrote: Welcome to 2025, where Microsoft is still getting around... no. Welcome to 2025, where thousands of internet-connected cameras meant to protect us are actually putting us at risk. In our latest research at BitSight TRACE,
we found over 40,000 exposed cameras streaming live on the internet. No passwords, no protections, just out there. We first raised the alarm in 2023, and based on this latest study, the situation has not gotten any better. These cameras, intended for security or convenience, have inadvertently become public windows into sensitive spaces,
often without their owners' knowledge. No matter the reason why one individual or organization needs this kind of device, the fact that anyone can buy one, plug it in, and start streaming with minimal setup is likely why this is still an ongoing threat. And it doesn't take elite hacking to access these cameras. In most cases, a regular web browser and a curious mind are all it takes, meaning that 40,000 figure is probably just the tip of the iceberg.
Okay, for their key takeaways, they wrote: BitSight TRACE has found more than 40,000 security cameras openly accessible on the internet, allowing anyone to view their live footage. The United States and Japan rank first and second for camera exposure. Most times, all that an attacker needs to spy on homes or even large organizations is just a web browser and the right IP address.
¶ Camera Exposure Risks and Protection
We detected conversations on the dark web where bad actors are discussing exposed cameras. We scanned the entire internet for exposed HTTP-based and RTSP-based cameras. The United States leads the charge with roughly 14,000 exposed online cameras, followed by Japan, Austria, Czechia, and South Korea. Given the high prevalence of exposed cameras in the United States,
we also analyzed their distribution across each state. I grabbed the heat map, both of the world and of the U.S., and what's curious is that the U.S. map is not at all uniform. It shows that a huge preponderance of open cameras are located in California and in Texas, like way more than any other two states. You know, it would be interesting, actually, to determine why. I have no idea. As I said, the distribution is extremely non-uniform.
BitSight noted that not all cameras are bad. Some people stream beaches or birdhouses on purpose. But here's where things get problematic, they said. Residential cameras watching front doors, backyards, and living rooms. Office cameras disclosing whiteboards and screens full of confidential information. Factory cameras showing manufacturing secrets. Even public transportation cameras streaming passengers' movements. By leveraging the intelligence gathered by our
awesome cyber threat intelligence colleagues, we dug into dark forums where people openly discuss tools and tactics to find and abuse the content being exposed by these cameras. Some even sell access. They said, this isn't hypothetical. It's happening right now. Then they finished their synopsis with a section titled, what should I do to protect myself
or my company? Their advice is what any longtime listener of this podcast would echo. They wrote: If you have a security camera at home or manage surveillance cameras for your company, then taking the right precautions can make the difference between keeping your footage private and unintentionally broadcasting it to the world. Here are some simple but essential guidelines to ensure your cameras are secured. First,
check if your camera is accessible from the Internet. Try accessing it from a device outside your home network. If you can reach it remotely without logging in through a secure app or VPN, it's exposed. Second, change default usernames and passwords. Many cameras come with weak or publicly known default credentials. Set a strong, unique password. Third,
disable remote access if you do not need it. If you only use your camera on your home network, there's no reason to allow outside connections. Fourth, keep its firmware up to date. Manufacturers often release security updates that fix known vulnerabilities. Regularly check for updates and install them. Additionally, they wrote, if you manage security cameras in your organization, restrict access with firewalls and VPNs.
Ensure that only authorized personnel can access camera feeds, using a VPN or firewall rules that block access from untrusted sources. And finally, monitor for unusual activity. Set up alerts for unexpected login attempts. It really would be interesting, I think, to follow up and track down a large set of those cameras to determine whether they are likely being deliberately shared publicly or may be inadvertently exposing parts of the physical world, you know, like
views of the physical world, to a global audience that should not have access to it. The idea, you know, of a corporate camera aimed at a conference room's whiteboard is terrifying. I mean, maybe they just think it's a security camera and don't realize that some configuration misstep allowed this thing to go out over the internet. Clearly, the consequences could be devastating. Leo, we're an hour and a half in. Let's take a break, and then I'm going to talk briefly about
using SpinRite on an encrypted drive, share some feedback, and then we're going to start talking about internet foreground radiation. All right. I hope you're enjoying the show so far. I certainly am.
¶ Automate GRC with Drata
We thank Steve for doing such a good job putting this all together. And we thank our sponsors who make it all possible. This episode of Security Now is brought to you by Drata. If you're leading risk and compliance at your company, well, you have our deepest sympathy, but you're probably wearing 10 hats at once, right? You're managing security risks, compliance demands, budget constraints. And it's hard to say one's more important than the other, right?
And you're then all the while trying not to be seen as the roadblock that slows the business down. But GRC isn't just about checking boxes. It's a revenue driver that builds trust, accelerates deals,
and strengthens security. That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance, and scaling your program. With Drata you can automate security questionnaires, automate evidence collection, automate compliance tracking. Gives you more time to do whatever you want. You can stay audit-ready with real-time monitoring.
I mean, this just takes a huge load off your shoulders. It also will help you simplify security reviews. Auditors love Drata's Trust Center. And you'll get AI-powered questionnaire assistance that makes it a snap to fill those questionnaires out. Instead of spending hours proving trust, build it faster with Drata. Are you ready to modernize your GRC program? Visit drata.com slash security now to learn more. D-R-A-T-A, Drata.
Now, this is the premier name in automating compliance, and man, you deserve it. That's all I can say. You deserve the help. drata.com slash security now. Thank them for their support of Security Now when you talk to them. All right, Steve. On we go.
¶ Spinrite on Encrypted Drives
My tech support guy, Greg, forwarded an interesting question about SpinRite, which bears sharing because its answer is not always intuitive and sometimes results in some confusion, as it did when it was recently posted over in GRC's web forums. Lee Garrison sent the email through Greg. Hi, Steve. I need to run SpinRite 6.1 on a three-terabyte partition
which is encrypted with VeraCrypt, for the purpose of locating and fixing bad sectors on this encrypted partition. The drive is a Western Digital 4TB hard disk drive, meaning a spinner, which also has the rest of the drive space occupied with an unencrypted partition. My question is,
should I first decrypt this partition with VeraCrypt before running SpinRite on it, or should I leave it encrypted while running SpinRite on it? We've been discussing this problem over on your GRC forums under the Running SpinRite topic, but with varying opinions persisting. Yes, Leo. Leo's raising his hand. Yes. I don't have your audio. I didn't turn on my microphone, so you didn't hear my, oh, oh, Mr. Gibson, oh. It doesn't matter. Am I right? It doesn't matter.
Correct. All right. I went over to the forum to see what the dialogue had been over there, since he referred to that. And it was as Lee had asked. The answer, as you said, Leo, is that SpinRite has no problem running on drives that have been encrypted with VeraCrypt, TrueCrypt, BitLocker, or any other form of encryption. Since SpinRite 6.1 is seeing the drive as nothing more than opaque blocks of data, it doesn't care whether the data might be encrypted or not.
Now, what's interesting is that SpinRite has this real-time monitor screen, which presents a cool window that allows its user to see the data that's passing by as SpinRite is working on it. And one of the cool things that SpinRite users notice is that they often see their own recognizable data flashing past that window while SpinRite is running on their drive.
But that's an example of what encryption would change. When SpinRite is running on an encrypted drive or partition, that real-time monitor window will never reveal any of its user's recognizable data. Everything will just look like monitor static. It will be digital noise because, as we know, the result of high-quality encryption is data that is indistinguishable from completely random noise.
By all means, Lee, run SpinRite over that encrypted partition, and any damaged sectors that SpinRite is able to recover will result in recovered files once that encrypted partition is remounted and viewed through its decryption. Okay, some other feedback.
¶ Listener Feedback and AI Transcripts
Jason Egan wrote, Steve, I wanted to send along my thanks to you for reminding me of the Tower of Hanoi puzzle. I had forgotten how much I'd enjoyed it as a child. I picked one up for my children who are eight and 10 for Father's Day. And Leo is showing it to us on camera. And they are hooked. It's so great.
He said, it makes me proud. He said, thanks for not only bringing us timely and informative security news, but also for interesting and fun things like this. I appreciate what you do every week, Jason. I did the same thing because I told you I grew up with one of these and I just couldn't resist going out and buying one. They're expensive and they're a lot of fun. Yeah, and that's a nice one. Different colored wood.
Yeah, so you kind of know the even and odd. It makes it a little easier to spot it. And it all folds up and goes into this. Yeah, very cool. Put it away. I was wondering if the pegs are attached to the lid enough so that you're able to move the discs around. Yeah, but they do come out. You have to really jam them in so they don't. Nice. They do come out so you can put it all in the box. Nice. Yeah, I love this. It was nothing. It was on Amazon. It was nothing.
Yeah, that's a great one. As I said last week, there are pages of them. Oh, yeah. And many of them are those really nice-looking blue ones with their own little box. So, Jason, thank you for your note. I very much appreciate it. And all the feedback our listeners take the time to send every week. And it's interesting. A surprising number of our listeners mention that the podcast also makes them laugh. I assume
that's mostly thanks to the Picture of the Week. Not our silliness. Yeah, we do encounter things in the security space that are so absurd
as to be ridiculous and funny. So anyway, when it is occasionally possible to both inform and entertain, well, that's a win. Brian Tillman wrote: What I'm curious about is how a newspaper can claim that its LLMs' users... He's referring to an article we talked about last week, how a newspaper can claim (I think it was the New York Times that was leading a group of newspapers that were suing, I don't remember who it was)
that an LLM's users are reading data that's supposed to be behind a paywall. If there's a paywall in place, how are the LLMs gaining access to that material? Same way. Doesn't seem like a very good paywall to me. No, it's not. And I think that's a really good point. You just turn off JavaScript. Yeah. Many sites, like coding forums, will have huge historical depth of
code that could be plumbed once. So once an LLM got in there and sucked out all of its content, it's game over for that site. The information has escaped. But the point of a news site is that it's news. So to Brian's point, although it may not have been clear several years ago, today's LLMs have learned that they must legally abide by robots exclusion rules and not traverse into any sites that have explicitly banned their entry.
Or put up a paywall. That's key. And I would be pretty sure that's no longer happening. Yeah. Well, it depends on the LLM. Some of them are very aggressive and ignorant. And I did just see something. I haven't had a chance to follow up. I mean, it was, like, literally during one of our commercial breaks. Someone said something about how LLMs are getting clever about... like, LLMs are being used by hackers to get around these things. Cloudflare complained of that. They said, you know,
then most... many, many of these spiders don't adhere to robots.txt. But I think more and more that's going to make them liable in courts. That's going to be the real problem, right? If you put up a clear specification saying, you know, LLM AI not welcome here, right, and then there is evidence that AI got trained here, that's a good case. Yeah.
Okay, so Ze'ev said: Hi, Steve and Leo. My name is Ze'ev. Yeah, Z-E-apostrophe-E-V. So I'll go with Zeev, actually, I think. You think it's, what, Zeev? Yeah. Okay, Zeev. Well, unless he's Hawaiian. Oh, that's where it's from. And I'm a longtime listener of the Security Now podcast. Your show is fantastic. And I'm glad to hear that there's no definitive
end date in sight. He said, recently, like many others, I've become interested in AI. As part of a hackathon at work, I explored the LlamaIndex Python library, which can be used, among other things, to easily create a retrieval-augmented generation (which he calls a RAG) system. That immediately made me think of the incredible podcast transcripts that Elaine Farris has created for your show.
I realized it might be an interesting opportunity to use AI to gain insights from this amazing trove of data. I ended up writing a simple Python program, around 130 lines of code, that lets you run a query or prompt to get an answer based on the transcripts. After some experimentation, I found that indexing and querying the transcripts by year yields the best results. He said, below are a few examples of prompts I tried and the responses I got from the LLM.
He also said the code is available on GitHub here, and he gives us a link. I've got it in the show notes for anyone who wants to go there: github.com/zeev-b/sn. And he said, thank you for all the work you put into the podcast. It's been an invaluable source of knowledge and entertainment over the years. Best regards, Ze'ev.
¶ AI Analyzes Steve's MS Opinion
This is cool. Now, you could do this also with NotebookLM if you have all the transcripts downloaded. Just give them to Google's NotebookLM and do the same thing. In fact, I did it with just a handful of them, a few months' worth, and made a little show, and it sounds just like our show, except it's two very nice AI voices. So, Ze'ev shared his query and the LLM's reply about our most recommended science fiction reading material and our most recommended television shows.
But his third query, as I mentioned at the top, and the LLM's response was the most interesting to me, and I figured would be the most interesting to our listeners. What Ze'ev asked his transcript-trained LLM was, quote, how has Steve's opinion on Microsoft security changed over the years? And the LLM's reply was: Steve's opinion of Microsoft security has evolved significantly over the years,
reflecting a complex interplay of recognition of improvements, growing skepticism, and critical concerns about the company's practices. In the early years, particularly around 2015, Steve acknowledged Microsoft's efforts in managing security, noting that the company had developed defenses against constant attacks and was not frequently in the news for major breaches.
He appreciated the improvements in security, but remained cautious about privacy implications, especially with Windows 10's design. By 2016, his perspective began to shift toward a more critical stance, particularly regarding Microsoft's handling of updates and the promotion of Windows 10. He expressed concerns about the alignment of Microsoft's interests with those of its users and highlighted issues such as the lack of transparency in updates and potential security risks associated
with third-party antivirus software. In subsequent years, Steve recognized improvements in built-in security measures, particularly with Windows Defender. But he also emphasized the ongoing challenges in the cybersecurity landscape. By 2018, he began to advocate for the use of built-in security solutions over third-party options, acknowledging the complexities of maintaining security in a rapidly evolving environment. However, as time progressed, his concerns deepened by 2019 and into 2020.
He expressed frustration with Microsoft's inconsistent handling of vulnerabilities and updates, particularly regarding support for older operating systems. He highlighted the need for users to be proactive about security and criticized Microsoft's approach to updates, which he felt often led to significant vulnerabilities. By 2021 and 2022, Steve's skepticism intensified as he noted a perceived negligence on Microsoft's part in addressing known security issues promptly.
He pointed out that the company seemed to prioritize other aspects over security, leading to a growing concern about the effectiveness of their measures. In 2023, his criticism became more pronounced, focusing on Microsoft's reliance on updates and the prevalence of known vulnerabilities in their products. He expressed frustration with the company's failure to address these issues proactively and questioned the ethics of their approach to forcing upgrades.
By 2024, Steve's opinion had crystallized into a broader skepticism about Microsoft's commitment to security, particularly in light of high-profile security failures and a corporate culture that seemed to deprioritize security investments. He criticized the company's reactive approach to vulnerabilities and argued for the inclusion of essential security features in base products
rather than as a paid add-on. As of 2025, Steve's view reflects a recognition of the inherent complexities in securing Microsoft systems, acknowledging that while improvements have been made, the legacy nature of their software creates ongoing vulnerabilities. He advocates for additional protective measures when using their products, emphasizing the need for caution and accountability in Microsoft's security practices.
Overall, Steve's evolving opinion illustrates a journey from cautious optimism to critical skepticism, highlighting the need for significant changes in how Microsoft approaches security to better protect its users. I think that was fairly accurate, do you think? Yes. I mean, you know, it has that kind of vanilla feel. Yeah, that AI thing. That AI gives things. But you cannot argue that to give something just a bunch of text... And I mean, we are living through a truly astonishing revolution
where we're witnessing the emergence of a technology that's able to take transcripts of 20 years of my rambling and turn them into that. Which, while, yeah, a little pablum-ish still, you know, it's amazing that it even is able to say this. I'm astonished. Yeah. Yeah, it is amazing. NotebookLM would do the same thing. In fact, we're going to talk to the folks from NotebookLM on IM tomorrow. Yeah. Oh, you know more than I do. Cool.
Cool. Okay, just for the sake of not breaking up this final piece on foreground radiation, let's take our last break, and then we're going to look at what is going on with proactive bot scanning in the foreground across the internet. And it is very rare that we encounter something fundamental that we have never talked about in 20 years of this podcast. Well, I am in the Neil Sedaka camp on this one. Breaking up is hard to do. So let's get the ad out of the way, and then,
¶ BigID Data Security and Compliance
internet foreground radiation with Mr. Stephen Tiberius Gibson, who apparently knows the difference between Star Trek holochess and Star Wars holochess, even though, as far as I could tell, they do look the same. Am I wrong? I think they do look the same. Star Trek's, actually, they had three-dimensional... Oh, that's right, it was three-dimensional, and they had weird little three-by-three and four-by-four boards, and Spock would move things around, and, yeah, no one ever explained it.
Yeah, there is. And there are, you can get those chess boards too and make up your own rules. All right. Our show, the last advertiser for this particular episode of Security Now, is BigID. They're the next-generation AI-powered data security and compliance solution. BigID is the first and only leading data security and compliance solution to uncover dark data through AI classification,
to identify and manage risk, and to remediate the way you want. You can also use it to map and monitor access controls and scale your data security strategy. And it's got great, unmatched coverage for cloud and on-prem data sources. In fact, they work with anything. BigID also seamlessly integrates with your existing tech stack, so you can coordinate security and remediation workflows.
Take action on data risks to protect against breaches. Annotate, delete, quarantine, and more, based on the data, all while maintaining an audit trail, which is very handy. As I said, it works with everything you work with. Partners include ServiceNow, Palo Alto Networks, Microsoft, Google, AWS, and more. With BigID's advanced AI models, you can reduce risk.
You can accelerate time to insight. You can gain visibility and control over all your data. If you think about it, if you're using AI, if you're doing what we just talked about with Steve, RAG, retrieval-augmented generation, you want to make sure that you're not feeding AI proprietary secret information, stuff you don't want to incorporate into the models. But to do that, you need to be able to see and control your data.
That's what BigID does. Intuit named it the number one platform for data classification, and that's in accuracy, speed, and scalability. Who has the most dark data, do you think, in the world? BigID equipped the U.S. Army, yes, 250 years of dark data, to illuminate the dark data, to accelerate this ongoing process of cloud migration, to minimize redundancy,
to automate data retention. All of these are high priorities. And what a great quote BigID got from U.S. Army Training and Doctrine Command. This is the quote: The first wow moment with BigID came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data across emails, zip files, SharePoint databases, and more.
To see that mass and to be able to correlate across all of them, completely novel. They go on to say, I've never seen a capability that brings this together like BigID does. That's the U.S. Army Training and Doctrine Command. But that's not all. CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc. 5000 and the Deloitte 500. Not once, but for four years in a row.
The publisher of Cyber Defense Magazine says, quote, BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution, and innovating in unexpected ways. Help mitigate cyber risk and get one step ahead of the next breach. Start protecting your sensitive data wherever your data lives
at bigid.com slash security now. Get a free demo to see how BigID can help your organization reduce data risk and accelerate the safe adoption of generative AI. Again, that's B-I-G-I-D dot com slash security now. Oh, when you get there, there's a free white paper that provides valuable insights for a new framework. It's AI TRiSM, T-R-I-S-M, Trust, Risk, and Security Management,
to help you harness the full potential of AI responsibly. You'll find that and everything else at bigid.com slash security now. bigid.com slash security now. BigID, we thank them so much.
¶ Internet Foreground Radiation Intro
Two thumbs up for BigID. We thank them so much for their support of Security Now. I can never get to do it when I want to, but it always does it when I don't want it to. All right, let's talk about foreground radiation. You're the guy, at least as far as I know, who coined "internet background radiation." That's my term. Yep. Okay. So as I mentioned at the top of the show,
today's podcast, titled Internet Foreground Radiation, is a play on the term Internet Background Radiation, which I coined 26 years ago, back in 1999, while developing GRC's ShieldsUP facility, which, by the way, Paul Thurrott was the first person to discover and write about. Really? Oh, that's awesome. It's a small world, isn't it?
And that came because I was observing all the random packet crap and noise that would occasionally flow into any Internet IP address. Now, Wikipedia reminds us that, quote, cosmic background radiation is electromagnetic radiation that fills all space. The origin of this radiation depends on the region of the spectrum that's observed. One component is the cosmic microwave background. This component is redshifted photons that have freely streamed
from an epoch when the universe became transparent for the first time to radiation. Its discovery and detailed observations of its properties are considered one of the major confirmations of the Big Bang. Now, fortunately, unlike the cosmic background radiation, which will presumably never die, the original designers of the Internet had the foresight to place a time-to-live counter into every single packet that moves across the internet. And the very first thing that
every internet router does when it receives an incoming packet is to decrement that packet's remaining time to live. If the packet's time to live was one and is decremented to zero, that signals that the packet has been alive long enough, and that if it was ever going to reach its destination, it should have by now,
and that, for the sake of the greater good of the Internet, it must now be put to rest. Sorry, packet. When this occurs, well-behaved Internet routers will see where that packet came from, from its source IP address, and will send back an ICMP Time Exceeded message to inform its sender that the packet it sent to whatever destination IP never, for whatever reason, reached its destination. My point here is that, unlike true cosmic background radiation, internet packets are strictly
not allowed to wander around the internet forever aimlessly. And what this in turn means is that all internet background radiation has a deliberate source somewhere, and that any time a packet is received, someone somewhere deliberately formed it and dropped it onto the internet. Now, that said, that someone somewhere could be some cranky, old, and forgotten NT server in a locked and forgotten closet that became infected with Code Red or Nimda worms back in 2001.
Those were the good old days, where Code Red, for example, was a flash worm that successfully infected more than 350,000 Microsoft IIS web servers within a few hours of its launch onto the internet. So if any skeptics might be wondering whether things have actually gotten better through the intervening years, the answer is certainly yes. We do seem to be well past the point of flash worms taking down the Internet.
Thank God. Yeah. Jeez. I forgot all about that. Yeah. But still, the presence of any monoculture should always make a prudent person nervous. Yeah. Since mistakes can always happen. My point is that even today, even though Internet packets will never persist on the Internet, true Internet background radiation being emitted from dusty servers in lonely locked closets
may still exist. So the reason I named today's podcast Internet Foreground Radiation is that there's something else going on that an internet security firm has been observing. The distinction I wanted to make is that whereas internet background radiation, much like the cosmic background radiation, lacks deliberate intention, there is now separate internet foreground radiation behind which a great deal of deliberate intention lies. So who's generating that radiation, and why?
¶ Bots Target New Websites Instantly
Last week, the firm Human Security posted the results of their long-running research under the heading Opportunity Makes the Thief: How Web Scanner Bots Target New Websites for Cyber Attacks. And I have in the show notes a link to their full research paper. Since what they found is not something that I think has ever been known before or appreciated before, I thought it would be worth sharing and taking a closer look at. They introduced the subject by writing:
When a new website goes live, it's not people who visit first. It's bots. Automated tools probe new domains within minutes, long before any customer or legitimate user arrives. These bots vary widely in intent. Some are benign: search engine crawlers indexing your pages, or commercial security scanners checking for vulnerabilities with permission. But many are malicious. Among the most pernicious are web scanner bots, which quickly examine websites for weaknesses and exploit them immediately, turning reconnaissance and attack into a single automated sequence carried out at scale. Human Security's Satori Threat Intelligence team monitors bot activity across our customer network and in dedicated research environments.
One such environment is a honeypot, a web server we intentionally set up to attract only bot traffic. By observing the requests hitting this fresh, otherwise unpublicized website, we're able to gain insight into the types of bots that target a website from its inception onwards. One early finding in this experiment was that web scanners consistently dominate early traffic to new sites and continue to probe the sites day after day, long after other bot types began to appear. This persistence underscores why scanner activity is a security concern for the full lifespan of any web property. This blog post examines the threat of these web scanner bots and shares our recent research findings on several active scanner campaigns, including the Mozi.a botnet, a Mirai variant called JAWS, and the Romanian Distillery scanner.
Web scanner bots are an escalating cyber threat. These bots are often the very first visitors to any new website, probing for security weaknesses long before any human users arrive. On a newly launched site observed by Human Security, scanners made up an average of 70% of all bot traffic in the first days, meaning web scanners scanning the entire site. And on some days, 100% of detected bot visitors were from scanners. Bot-driven scanning operations are growing more complex.
The Romanian Distillery operation is a prime example. Once focused solely on harvesting SMTP credentials, it now probes for PHP services, .env files and misconfigurations across a distributed /24 subnet. Its scan patterns follow doubling revisit intervals and reveal a coordinated infrastructure designed for scale. In some cases, such scanners don't stop at discovery. They attempt SQL injection or deploy malware immediately after identifying a weakness.
Traditional defenses struggle to catch web scanners. Many of these scanner bots evade simple security measures. They may rotate through networks of infected devices, using other botnets to distribute their scans, hide their true identity by omitting or faking their user agent strings, and rapidly change tactics to avoid signature-based detection. Legacy security tools that rely on known malicious IP lists or obvious signatures often miss these stealthy probes.
Web scanners, also known as website vulnerability scanners, are automated tools designed to identify security weaknesses in web applications, websites, and APIs. They systematically probe and inspect websites for misconfigurations, exposed files, default credentials, or known vulnerable software. If a new website is still being configured or lacks proper protections, scanners will attempt to find and exploit any flaw they can before the site's owners have a chance to secure it.
Okay, so the first and crucial takeaway would be to never assume that any security can be added after any portion of a new site goes live. Never assume that since it hasn't been advertised or announced in any way publicly that it might be at all safe to place anything online that hasn't already been fully hardened. Essentially, the entire Internet has become a loaded and cocked mousetrap ready to spring and capture at the slightest provocation.
¶ Secure New Sites Instantly
This is where my favorite of all tricks, IP-based filtering, can come in handy. It is so simple and is so absolutely robust as a security solution. If you wish to create some true external exposure, simply first block all access, then selectively allow the IPs through that you know you can trust. But never open the floodgates until you are fully prepared to be deeply attacked, because that will immediately happen. They wrote, not all scanners are bad, though.
There are good scanners run by security companies or researchers to help site owners by identifying vulnerabilities so they can be fixed before the bad scanners can get to them. But both good and bad scanners impose load on your site, and the bad ones, if not blocked, will certainly attempt to leverage any weaknesses they find.
Scanners don't visit just once. They constantly and persistently re-scan sites over time, since new vulnerabilities might appear with site updates or as new exploits are discovered.
¶ How TLS and SNI Changed Scanning
Okay, so it's always fun to run across, as I said, something we've never touched on or talked about on this podcast. Given that this is our 1,030th podcast, we've logged many thousands of hours discussing and covering pretty much anything and everything that's happened over the past 20 years. So it's not often that we encounter something we've never discussed before. But today is one such rare day, because the ubiquitous shift to TLS HTTPS website connections, which increasingly require the use of SNI, which we were just talking about, Server Name Indication, to be specified and provided by the connecting client in its first TLS handshake packet, means that knowing the IP address of a site, or having a site's IP address simply by scanning them all, is no longer sufficient to successfully establish a completed handshake to a site's servers. That's new. We've never mentioned this before. Think about that for a second.
From the birth of the Internet, it has been possible to simply scan the Internet's 32-bit IPv4 space for web servers and to establish connections to them. But that all changed once the likes of Cloudflare and other CDNs came along, as a result of IPv4 space depletion and the economic fact that IP sharing is inherently far less expensive, since it also allows for infrastructure sharing. Today, more than 90% of websites are now sharing IP addresses, leaving fewer than 10% of all sites sitting on a single dedicated IP address. This means that more than 90% of the Internet's websites have migrated behind proxies that are only able to disambiguate website destinations by examining the incoming client's SNI extension field in a TLS handshake's Client Hello packet. This even applies to a modest facility like mine. GRC's .sc shortcut server, our mail, dev, squirrel,
GitLab servers and others all share the same IP. So it's not possible to reach any of them simply by their IP, because we don't know which server to send it to. It's necessary for anyone who wishes to connect to any server behind that IP to somehow also first know which domain name they expect to find at which IP address. So as I said, that's not an observation that's ever come from this podcast before.
¶ Scanners Use Feeds and Logs
The bad news is I wish this presented a bigger problem for web scanners than it does. The guys at Human Security explain that scanners' response to this has been to solve it. They wrote, to ensure that their scanners manage to get first in line for any new website, threat actors take advantage of feeds and services
that announce new websites or domains coming online. For example, threat actors monitor newly registered domain (NRD) feeds, which are lists of recently registered, updated, or dropped domains, such as Whois databases and domain drop lists. Such NRD feeds are repurposed from policy feeds intended to increase corporate security to threat intelligence and monitoring feeds against the websites themselves.
Threat actors also monitor certificate transparency logs, such as CertStream, which publicly log new TLS certificates. For scanners, a new domain registration or certificate issuance indicates a new website that could be scanned. Once the large-scale SEO crawlers index the new website, scanners may also monitor the search engine's new listings, and the scale of scanners will increase even further.
One thing that hadn't occurred to me until just now, as I was reading this and paying attention to it, is that wildcard certs are an interesting hack here. If a wildcard cert is issued that just says, for example, *.grc.com, that doesn't indicate what the site's host names are. And there's no indication of that from a wildcard certificate. So there's a little bit of obscurity there. I wouldn't rely on it, but still, it's there.
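The SNI point made a few paragraphs back, as an added example that is not code from the podcast or from Human Security: a minimal TLS ClientHello builder plus the extraction a shared-IP front end performs to pick a back end, showing that a hello without a server name gives the proxy nothing to route on. The host names and the vhost table are constructed.

```python
"""Why a proxy fronting many sites on one IP needs SNI.

Added example, not code from the podcast or from Human Security. It builds
a minimal TLS ClientHello (with or without a server_name extension) and
performs the extraction a shared-IP front end does to choose a back end.
The host names and the back-end table below are constructed.
"""
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI (RFC 6066)

# Constructed vhost table for one shared IP: host name -> back end.
VHOSTS = {"grc.com": "web", "sc.grc.com": "shortcut", "mail.grc.com": "mail"}


def build_client_hello(server_name=None):
    """Return a minimal TLS 1.2 ClientHello record.

    With server_name=None no SNI extension is sent, which is what a bare
    IP-address scan produces. The record is deliberately minimal (one
    cipher suite, no other extensions); it is not a full handshake.
    """
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += os.urandom(32)                   # client random
    body += b"\x00"                          # empty session id
    body += b"\x00\x02\xc0\x2f"              # one cipher suite
    body += b"\x01\x00"                      # one compression method: null
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake))
    return header + handshake


def extract_sni(record):
    """Return the host name carried in the ClientHello's SNI extension, or None."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # skip version and random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    if pos + 2 > len(body):
        return None                                        # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: 2-byte length, then (1-byte type, 2-byte length, name)
        lpos = 2
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == 0:
                return name.decode("idna")
    return None


def route(record, vhosts=VHOSTS):
    """Pick the back end for a ClientHello; None means there is nothing to route on."""
    name = extract_sni(record)
    if name is None:
        return None        # an IP-only connection cannot reach any of the sites
    return vhosts.get(name.lower())


if __name__ == "__main__":
    print("sc.grc.com ->", route(build_client_hello("sc.grc.com")))
    print("no SNI     ->", route(build_client_hello()))
```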
¶ Identifying Web Scanner Bots
So for the purposes of this research, these guys are interested in identifying and, where possible, disambiguating and classifying the range of bots that are probing their honeypots. We know this doesn't matter for the sake of security, since for security it's necessary to simply be equally secure for anyone who might come knocking. But what these guys found was intriguing and revealing. Under the heading of Identifying Web Scanner Bot Traffic, they wrote, some scanners openly identify themselves in the user agent string, which is the part of an HTTP request that might say, for example, Mozilla/5.0 (compatible; ScannerXYZ/1.0), and then it goes on. So this is identifying itself as a scanner, and they say security teams can easily filter or block those known scanners.
But many malicious scanners naturally deliberately mask their identity, or use misleading user agents to obfuscate their true nature. In these cases, identifying them requires analyzing their behavior and deploying anti-bot mechanisms to intercept their activity. You know, like maybe a ridiculous number of page requests per second; you could say, wait a minute, this is not a person. On the other hand, you wouldn't want to block a search engine. And this thing might be declaring itself to be Google, you know, a Google spider. So there you'd have to know if its source IP corresponded with a legitimate known Google IP address.
Anyway, they wrote, some user agents we observed suggest the presence of outdated or anachronistic systems, including BeOS, legacy Linux kernels, and even Windows 3.1 Internet Explorer versions. Obviously, no real users are surfing the web on Windows 3.1 today. So this was a dead giveaway of automated activity, and not very smart activity. These impossibly old user agents likely came from a public user agent database that the attackers grabbed for obfuscation purposes, a fun and benign find that should never hit any of your web servers if you have a decent bot mitigation solution deployed.
And Leo, you put that on the screen a second ago, and they show some of these ridiculous user agent strings. I particularly like the Mozilla/1.1 compatible MSIE 5.01 PalmOS 3.0. I remember that one. Eudora Web 2.1. Yes, PalmOS 3.0. Now, my refrigerator could use that, but nothing else. And then Eudora Web 2.1. Wow. That's hysterical. Anyway, so I would be inclined to agree with their assumption about the likely source of those bogus bot user agent strings.
¶ Probing Website Targets
You know, where else are you going to get them from but some old historical list somewhere? Under the heading of Reconnaissance and Probing the Target, they explain what these scanners tend to do once they locate a new candidate target. They write, before scanners are even deployed, operators conduct manual reconnaissance to identify likely entry points, directories, configuration files, endpoints, and services that may exist at newly launched sites. They then craft scanners... So they're talking about the operators who design what the behavior of the bots will be. So they design this behavior, then they turn the bots loose. So they said, they then craft scanners with predefined paths and exploitation logic tuned to probe and attack if those elements are present and identified.
Once launched against a site, the scanner rapidly tests for these known targets. It attempts to enumerate directories, pages, API endpoints, and exposed resources, executing preset payloads or exploits where applicable. One of the most common methods to launch scanners is using DirBuster, a dictionary-based attack against web servers that automates the process of discovering hidden files and directories on a website. This tool scans through predefined lists of potential directory and file names, you know, /admin, /config.php, /backup.zip, etc., in hopes of getting lucky in finding unprotected sensitive files or admin interfaces.
Now, here again, having been a website admin myself for the past 25 years, it can sometimes be tempting to imagine that it might be possible to just briefly do something that's not entirely secure under the assumption that, you know, just for a few minutes, nobody will notice. All I can say is that on today's Internet, doing anything like that is risky at best. I've always had better things to do than wonder and worry about what percentage of GRC's inbound connection traffic has malicious intent. But, for example, I have seen ample evidence of tools like that DirBuster they mention in the logs that I sometimes briefly enable when I'm trying to track down some specific behavior. The only way to be safe is to assume that everything is malicious and be prepared for that. GRC's servers do not log website activity, specifically because the signal to noise ratio is so low that there's virtually no signal among all of the noise. That's the reality of today's web for sites that have been around for the last 25 years. It really has become a nasty jungle out there. It's sad it's happened, but it has.
¶ Most Targeted File Types
They wrote, using the scanner traffic from our research, we mapped the most targeted path types
targeted by scanners. This mapping shows that scanners have particular favorites when it comes to these initial probes. The two most targeted types of files by far were environment configuration .env files and repositories for code secrets. In fact, about one-third of all scanning attempts in our study were after .env files, and another one-third were looking for Git repository data, such as .git folders or leftover export files. They wrote, this is no surprise. Environment .env files often contain API keys, database passwords, and other secrets that would be a jackpot for an attacker. And Git-related files might expose source code or credentials that enable a deeper compromise. The potential exploitation from each of these path types is listed in the table below, and the most targeted paths are shown in the chart. And I've got a big pie chart here. It is rather astonishing, mostly to see how, again, non-uniform this stuff is.
I mean, here's a hint. If you wanted to immediately increase the security of your website and you don't use .env files or Git secret files, simply set up a trap so that any query to those file extensions on your site blacklists that source IP for some length of time. I mean, again, no legitimate user who is clicking on a URL to access a page on your site, for a site that doesn't use those file types, is going to query that. So you're better off without them going any further. So, astonishingly, fully 33.6% of web server file type requests which they observed were for .env files. 33.6%. And an effectively equal 33.5% were for Git secrets. So these are clearly malicious spiders. Yes. There's no other reason. No other reason for anything to probe that, period. So there's two-thirds of the probes right off the bat you're able to identify as malicious intent. Next up at 23.4% were common PHP files. So collectively, just those three
account for a whopping 90.5% of all website probes. This leaves 4.3% for unprotected config files, 2.9% for YML files and 1.1% for Python mail sender files.
¶ Why Scanners Target These Files
They offered a table that explained
why different file types were being searched for. As I mentioned, the .env files typically store API secrets, tokens, and other sensitive information that can be used by attackers to pivot and attack. The Git secrets are used to gain access to victims' repositories, leading to cross-organization compromise. Of course, common PHP, if you left your PHP config out, that might allow them to do recon, identify versions of PHP and other installed frameworks, even WordPress, the popular PHP CMS. You know, as we know, WordPress has a long history of vulnerabilities. Attackers try to find fresh versions that are still using default credentials or endpoints that provide additional fingerprinting, such as, you know, plugins. So these can be further scanned for vulnerabilities and exploited if they're found lacking the latest security patches. So, you know, a wealth of information just from scouring and looking for things. And we know, we know how many unintentionally exposed files exist on the Internet that make this sort of scanning worth doing. I mean, unfortunately, there is a payoff. You just don't want it to pay off on your site.
They wrap up the topic of reconnaissance and probing by adding, beyond those, scanners also commonly seek out various configuration and backup files, for example, .yml or .yaml configs, old .bak or .zip backups of the site, or files like config.php that might reveal database connection information. Ooh, that's true. They probe for known software-specific files. For instance, requesting a URL ending in wp-config.php could indicate the site uses WordPress, and reveals its config if it's not secured, or hitting /server-status on a web server could reveal internal information if that page is not locked down. Scanners will even check for well-known vulnerable services. One example is for Outlook Web Access and Exchange Server paths on sites, since unpatched Exchange servers are high-value targets that could lead to a broader organizational breach. Essentially, during the probing phase, scanner bots test the site against a predefined list of files, directories, and endpoints that should never be exposed. Every directory listing, config file, or version disclosure it finds constitutes loot that can be used in the next phase of the attack.
This process is highly automated and aggressive. The scanner might attempt hundreds of different URLs on your site in rapid succession, far more exhaustive and faster than any human could manage. That behavior pattern is often a telltale sign that the traffic is a scanner bot.
¶ Legacy of Insecure by Default
So when you stop to think about it, there's only one reason
any of this exists and any of this is worth the time and trouble on the part of the attackers: all of this technology we're using today contains a very long legacy of being insecure by default. That's what this is about. Right. You have to be proactive, you have to take measures not to expose these things. I mean, it is really a sad state of affairs that we have developed in a world which is insecure by default. Although this characteristic is beginning to disappear, historically it has been entirely possible, and was even once acceptable, to choose not to use any password at all when setting up a new operating system or a device. Unix and Linux once allowed the root user's password to be null. You know, today we all recognize this as beyond bad, but we all probably also remember a time when perhaps we did that ourselves. In the future, the option to skip a password won't exist. No one will believe it was even ever possible. And they'll understand that doing so, in the future, would be insane. So once upon a time, though, it was not so insane. But that, you know, that approach of having no or low security has been now entirely upended, thanks to the Internet's steadily growing foreground radiation.
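The defensive points from the preceding sections, as an added example that is not code from the podcast or from Human Security: default-deny with a trusted allowlist until the site is hardened, a trap that temporarily blocks any source asking for the .env, .git, config and backup paths scanners favour, the burst-rate telltale, and the impossible-user-agent giveaway, run as one edge policy over constructed log lines. The trusted 10.0.0.0/8 range, the IP addresses, the user agents and the block lifetime are all assumptions.

```python
"""Edge policy for a just-launched site (added example; constructed data).

Not code from the podcast or from Human Security. Blocks everything but a
trusted allowlist until the site is opened, traps sources that request
the paths scanners favour, and treats request bursts and impossible user
agents as telltales. Trapped sources stay blocked for block_ttl seconds.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Paths the research found dominating probes. A site that does not publish
# such files has no legitimate visitor who ever asks for them.
TRAP_PATTERNS = [
    re.compile(r"(^|/)\.env(\.|$)"),          # .env, .env.bak, .env.local ...
    re.compile(r"(^|/)\.git(/|$)"),           # .git/config, .git/HEAD ...
    re.compile(r"(^|/)(wp-)?config\.php$"),   # config.php, wp-config.php
    re.compile(r"^/server-status$"),
    re.compile(r"\.(ya?ml|bak|zip)$"),        # config and backup leftovers
]
# Agents that cannot be a real visitor today (pattern constructed from the
# anachronisms the research quotes).
ANACHRONISTIC_UA = re.compile(r"Windows 3\.1|Palm ?OS|Eudora ?Web", re.I)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def parse_log_line(line):
    """Parse one combined-format line into ip, epoch time, path and user agent."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: " + line)
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    path = m["target"].split("?", 1)[0]          # drop any query string
    return {"ip": m["ip"], "time": when, "path": path, "ua": m["ua"]}


class EdgePolicy:
    def __init__(self, allow_cidrs, block_ttl=3600, burst=20, window=5):
        self.allow = [ipaddress.ip_network(c) for c in allow_cidrs]
        self.block_ttl = block_ttl        # seconds a trapped source stays blocked
        self.burst, self.window = burst, window
        self.blocked_until = {}           # ip -> epoch seconds
        self.recent = defaultdict(deque)  # ip -> request times inside the window

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def decide(self, entry, open_to_public=True):
        """Return 'allow', 'deny', 'blocked' or 'blocked:<reason>' for one request."""
        ip, now = entry["ip"], entry["time"]
        if self.is_trusted(ip):
            return "allow"                # selectively let trusted IPs through
        if not open_to_public:
            return "deny"                 # floodgates stay shut until hardened
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"
        reason = None
        if any(p.search(entry["path"]) for p in TRAP_PATTERNS):
            reason = "probe-path"
        elif ANACHRONISTIC_UA.search(entry["ua"]):
            reason = "impossible-ua"
        else:
            q = self.recent[ip]
            q.append(now)
            while q and q[0] < now - self.window:
                q.popleft()
            if len(q) > self.burst:       # many URLs in rapid succession
                reason = "burst"
        if reason:
            self.blocked_until[ip] = now + self.block_ttl
            return "blocked:" + reason
        return "allow"

    def run(self, lines, open_to_public=True):
        return [self.decide(parse_log_line(l), open_to_public) for l in lines]


# Constructed sample traffic: two probing sources, one anachronistic agent,
# one trusted admin inside 10.0.0.0/8, one ordinary visitor.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Jun/2025:13:30:01 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jun/2025:13:30:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Jun/2025:13:30:03 +0000] "GET /.git/config HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [17/Jun/2025:13:30:05 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.44 - - [17/Jun/2025:13:30:06 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/1.1 (compatible; MSIE 5.01; PalmOS 3.0)"',
    '10.0.0.5 - - [17/Jun/2025:13:30:07 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.0"',
    '192.0.2.200 - - [17/Jun/2025:13:30:08 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    policy = EdgePolicy(["10.0.0.0/8"])
    for line, verdict in zip(SAMPLE_LOG, policy.run(SAMPLE_LOG)):
        print(verdict.ljust(22), line.split('"')[1])
```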
I remember a time when no one locked their doors and children would play out in the street with absolutely no fear at all. Times have changed, Steve. Used to be a friendly neighborhood. Used to be a nice place back here. No. Yeah. Got to have a password for your root user. Got to just seem sensible.
¶ Security Now Wrap-up
Also, you got to listen to this show every Tuesday. My God, you miss an episode, you miss a mountain of information that is, I'm sure, useful to you in your work and then at home in keeping things secure. This is the show. We do this every Tuesday, right after MacBreak Weekly, so that's about 1:30 Pacific, 4:30 Eastern, 2030 UTC. You can watch us during the show recording if you want to get the freshest version. Fresh usually means there's some, you know,
unbaked parts, but most of the time it's pretty good. If you are watching live, you can chat with us. So that's the advantage. Club members get behind-the-velvet-rope access in our Club TWiT Discord. Love to see you there. If you're not yet a club member, please join it. We'd love to have you. Ad-free versions of all the shows and a lot of special programming just for the club, including, by the way, all those keynotes we did last week and the week before from Apple and Microsoft and Google and all that stuff. That's all club only now. The live streams for everything we do, not only are in Discord, but open to the public at YouTube.com, Twitch, TikTok, X.com, Facebook, LinkedIn, and Kick. Pick one of those. You can watch live, chat with us live. After the fact, of course, you can download a copy.
Now, Steve has some unique versions of the show. In fact, every version Steve has is unique, different. There's a 16 kilobit audio version for the bandwidth impaired. It's a little scratchy, but it is small; it has that virtue. He has a normal 64 kilobit audio version. We don't make those anymore, so that's the place to get that. He also has those great transcripts that Elaine Farris does. Takes a couple of days to get those out. So come back maybe on Friday or Saturday and they should be there. What else? He's got the show notes there. And if you want to get those ahead of time, you can subscribe to the show notes newsletter. In fact, the best thing to do if you want to correspond with Steve in any way is to go to grc.com/email and sign up to get whitelisted, basically. You'll vet your address to make sure that it's okay, you're not a spammer. You can send him emails. Great way to submit pictures of the week or comments, that kind of thing. There are also great forums there, which may be even a better place to do the comments. Anyway, when you're going there, grc.com/email, you'll see two check boxes, unchecked by default: one for the weekly show notes and one for a much less common email when Steve has something to announce, like the forthcoming version of his DNS Benchmark Pro. And there's lots of other great stuff that's free forever, like his famous ShieldsUP, where this whole background radiation thing started. He's got all sorts of information about vitamin D and just a variety of stuff. GRC.com. Now.
Our unique versions are a 128 kilobit audio version. Don't know why, but that's what we do. I'm told it has something to do with the way Apple re-encodes this stuff, that if you don't have a higher bit rate, Apple munches it up anyway. That's what you can get in audio. We also have a video version if you want to see Steve's mustache at work. It's basically got a life of its own. That's all at twit.tv/s... And I'm teasing. Only in my imagination. twit.tv/sn. There's a YouTube channel dedicated to Security Now that I recommend if you want to share clips. I know often when you're listening you go, oh, my boss has got to hear this, or my co-worker, my friend, my spouse, whatever. Go to the website, grc.com/sn. There's a link there to the dedicated YouTube channel with all the videos. Makes it very easy to clip it. Best thing to do, if you ask me, is subscribe, because it's a podcast. I know it's old fashioned, but we still make these as RSS feeds. So you can subscribe and you'll get a notification the minute the new one comes out. You can even set your podcatcher to automatically download it, so it's there, ready and waiting for you to watch or listen whenever you're in the mood.
If you do that, though, many of these apps have directories and have a review capability. Leave us a good review, would you? Because it really helps build the audience. When shows get long in the tooth like this one, we don't get much on the charts, because there's not a whole bunch of new subscribers at any given time. It's just a steady hum. So the reviews are really what makes the difference. Leave us five stars if you would; we'd appreciate that. If you're not a member of the club, twit.tv/clubtwit, 10 bucks a month, and you get all those great benefits. I think that does it for me, Steve. We'll be back here next Tuesday for 1031. Yes, we will. See you then, my friend. Bye.
Nice. Nice. Yes. Nice, nice, nice. So I heard you say before that you've become a fan of GLP-1 agonists. Oh, Ozempic! I asked my doctor for tirzepatide, which is the dual GLP-1 and GIP agonist.
He said, I can give it to you. It's more expensive. We have to jump through some hoops, send you to an endocrinologist. But I've been on Ozempic for three weeks. I love it. My A1C, well, I don't know my A1C yet, but my blood sugar is down. It was averaging 154 when I started. It's now down to a 125 average. Well, and you said you're really seeing a change in appetite. Yeah, I'm not interested. I don't have those... And by the way, I don't want to do an ad for this. I'm not recommending this for anybody. No, I waited, I wanted to wait till we were off the podcast. We're not on the podcast; we're still streaming, so if you're hearing this... Yeah, I'm not hiding it, because I think it's really interesting. For me, no side effects. A lot of my friends have a lot of nausea and stuff, but I haven't. And I'm on the lowest dose.
It means it's amazing that it's even working at all. I mean, the doctor said, don't expect much in the first month. It's working. It's amazing. Lost five pounds already. I mean, I just feel great. And you said you went from your typical four slices of pizza to... Yes. So if there's a pizza sitting on the counter, it's really hard for me to have one. I didn't even finish a piece. Yeah, it was fine. I was happy. It probably takes a little of the edge off, you know, like, oh, this tastes so good. That's all right. Actually, I'm sure it does. Yeah. But if you're a foodie, then, you know, you have to give that up a little bit. But for longevity, yeah, it's worth it. I scared myself. My blood sugar was just getting too high.
So, yeah, this has been great. What it really does, I mean, you feel full most of the time. You always have a full feeling, because your stomach is not thinking about food. That's the main thing. I don't have these, like, oh God, I can't wait to eat something. I fast until one o'clock every day. I don't eat... my last meals are like six or seven, and then I don't eat again until, you know, about one o'clock. Good, that's fine. Yeah. So I only have two meals a day. I don't eat all those snacks I would eat in the evening. It's a big difference. I feel good, too. I feel much healthier. Yeah. Yay. Thank you. Thank you, buddy. Yeah. Have a good one, Mr. Gibson. See you next week. Give my love to Lorrie. We'll see you next week. Will do. Bye.
I don't want to be an ad for that drug. I don't. But I have to say, it's kind of amazing. You need to learn the disclosure spiel at the end of it. It may cause sausage fingers and weird hallucinations. You may not be able to poop for a week, but you'll lose weight. Side effects include instant death. Instant death. I haven't had any side effects, which is great, because Will Harris said he would get terribly nauseous. I know a number of people would just say, I get so sick every time I up my dose, but it's worth it, is what they all say. Well, all drugs are like that, right? It's very specific to the person. You know, I never have a reaction to vaccines, to medicines of any kind. Pretty insensitive, I guess, would be the word.
Oh, and I do my Tai Chi like crazy. I love my Tai Chi. I am now up to, so there's 108 poses in the Yang style that we do. I'm now up to 38. I could do about a third of the total. But I have to say, I love Tai Chi. Sometime I'll do you a little Tai Chi demo. It's so much fun, and I do it as slow as I can. So I had class yesterday, and I love it. Lisa and I are both doing it. It's really good. We have a nice sensei. He is a black belt in Kenpo. He's like a super black belt. He's a very high-level Kenpo master. But he knows many other disciplines, but studied Tai Chi for many decades. He's about my age, since his 20s, so 40 or 50 years. But he has his own flavor. You know, I look at the videos on YouTube and stuff, and I'm doing a little... it's a little different. But it's so... so I really... And I exercise every day. I usually row for half an hour every morning. And then now I'm in the habit of taking a couple mile walk after dinner every night, because that helps also with the blood sugar. So I'm getting good habits. Yeah, I feel... And I have been feeling much better. Thank you for asking. Except you didn't. But there you go. You're going to hear it anyway.