Podcast Summary
Massive toothbrush DDoS attack and password security: Stay skeptical and vigilant, passwords may not be as secure as we think, and protecting personal information is essential. Honeypots and services like DeleteMe can help.
Key takeaway from this episode of Security Now is the importance of maintaining robust security measures, especially when it comes to passwords and personal information. Steve Gibson discussed a massive toothbrush DDoS attack that may not have been as it seemed, highlighting the need for skepticism and vigilance. He also questioned the effectiveness of password security, suggesting it can be more of a "security theater" than a real solution. Furthermore, they discussed the BitLocker hack and how DeleteMe can help protect personal information from data brokers. The episode also touched on the importance of honeypots in cybersecurity and the potential implications of Apple's decision to open iOS in the EU. Overall, the message was clear: staying informed and taking proactive steps to secure your digital life is crucial.
Securing Routers: Challenges and Solutions: Turn off UPnP for router security, but consider consequences. New Bitwarden features enhance password management. Be cautious with public funds.
Securing routers remains a challenge, especially with the use of Universal Plug and Play (UPnP). Turning off UPnP is a recommended step, but it may have unintended consequences such as making personal email servers less practical. A recent vulnerability affecting TPM-protected BitLocker systems is a significant concern. On a positive note, Bitwarden, an open-source password manager, continues to add features like account switching and Helm chart support for Kubernetes deployments. It's free for personal use and supports various authentication methods. Bitwarden's easy-to-use interface and strong security make it a trusted credential management system. Remember, municipal tax dollars can sometimes be put to questionable uses, as shown in the picture of the week, where a short sidewalk extension is followed by an "End of Sidewalk" sign. Always ensure you're getting the most value for your tax dollars. Stay tuned for more discussions on cybersecurity and technology.
Inconvenient and dangerous consequences of non-compliance: Non-compliance with accessibility regulations and factual reporting can lead to significant inconvenience, financial damage, and potential harm.
The lack of compliance with accessibility regulations can result in inconvenient and even dangerous situations for individuals. The example given was of a curb cut that was only half-implemented, leaving people with disabilities unable to fully use the sidewalk. Similarly, the recent news of hacked electric toothbrushes being used in a cyber attack serves as a reminder that even seemingly unimportant connected devices can be vulnerable to malicious actors. The mass reporting of this incident, which turned out to be false, highlights the importance of fact-checking and critical thinking in journalism. In both cases, the consequences of non-compliance or misinformation can lead to significant inconvenience, financial damage, and potential harm.
Blurred lines between hypothetical and actual scenarios in cybersecurity reporting: Clear communication and fact-checking are essential in cybersecurity reporting to prevent the spread of erroneous information. Accurately identifying and addressing vulnerabilities requires reliable data sources and effective search engines.
The line between hypothetical and actual scenarios in cybersecurity reporting can be blurred, leading to erroneous information being spread widely. This was highlighted in a recent incident where a Swiss company, Fortinet, had to clarify that a reported DDoS attack using toothbrushes was not based on their research, but rather an illustrative example given during an interview. Fortinet's failure to correct the record promptly led to numerous publications repeating the false claim. The incident underscores the importance of clear communication and fact-checking in cybersecurity reporting. Moreover, determining the number of internet-facing hosts affected by a new vulnerability is crucial in assessing its potential impact. However, accurately counting these hosts has become increasingly challenging. For instance, the VulnCheck team noted that while the Atlassian Confluence vulnerability (CVE-2023-22527) had been exploited frequently, a simple Shodan query revealed over 240,000 potentially vulnerable servers. This highlights the importance of using reliable data sources and search engines like Shodan to identify and address vulnerabilities. In summary, the Fortinet incident serves as a reminder of the importance of accuracy and clarity in cybersecurity reporting, while the challenges of counting internet-facing hosts underscore the need for effective vulnerability assessment strategies.
Identifying Confluence Servers: A Tale of 240,000 Honeypots: Researchers identified over 240,000 potential Confluence servers but found only 4,187 were real, emphasizing the importance of distinguishing real threats from honeypots to effectively secure networks.
The internet is filled with potential threats disguised as legitimate servers. In this case, researchers identified over 240,000 hosts that appeared to be Confluence servers based on certain headers and cookies. However, upon closer examination, many of these hosts turned out to be honeypots, set up to attract attackers and distract from real threats. This is a significant issue because it makes it more difficult for defenders to discern real threats from decoys. The researchers used various methods to filter out the honeypots, including looking for specific headers, cookies, and favicons. In the end, they concluded that there were approximately 4,187 real Confluence servers publicly exposed to the internet, and over 236,000 honeypots. This highlights the importance of being precise when assessing the scale of potential threats and the need to differentiate between real threats and honeypots. The expanding use of honeypots can make it more challenging for defenders to understand real-world attack surfaces.
Rethinking Port Scanning for Internet Vulnerability Detection: Assuming a service is vulnerable based on a simple scan could lead to false positives due to the increase in honeypots. Future scanning tools may need to be more sophisticated to distinguish between honeypots and real servers. Companies should also address unmanaged devices accessing their data by implementing security checks before login.
The reliance on simple port scans to identify vulnerable services needs to be reevaluated, as the number of honeypots in use has significantly increased. This means that assuming a service is vulnerable based on a simple scan could lead to false positives. Additionally, the future of Internet vulnerability scanning may involve more sophisticated tools to distinguish between honeypots and real servers. It's also important to note that many companies allow unmanaged, untrusted devices to access their data, which can pose a significant security risk. Kolide, a security solution, addresses this issue by ensuring no device can log in to approved apps until it passes security checks, providing an additional layer of protection. For those looking to access content on their home network while traveling, a VPN server is no longer the optimal solution, and alternative methods should be considered.
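The two preceding sections describe the same defensive idea: a banner-only scan over-counts exposed servers, and the real figure only emerges once each host is cross-checked against corroborating signals (headers, cookies, favicon). The following Go program is an added illustration of that filtering step, not code from the episode or from VulnCheck's research. Every fingerprint in it is constructed for a hypothetical "ExampleWiki" product: the header names, cookie name and favicon bytes are placeholders, not the real Confluence fingerprint, and the scan results are a small hand-built sample.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

// Observation is what a scan recorded for one host: the response headers of
// GET / (including Set-Cookie) and the body of GET /favicon.ico.
type Observation struct {
	Host    string
	Header  http.Header
	Favicon []byte // nil when the host served no favicon
}

// Verdict is the classification of one observed host.
type Verdict int

const (
	NotTarget      Verdict = iota // does not even claim to be the application
	Real                          // banner plus every corroborating signal
	LikelyHoneypot                // claims the banner, but the corroborating signals fail
)

// Constructed fingerprint for a hypothetical "ExampleWiki" product. These are
// placeholders for this example, not the real Confluence fingerprint.
const (
	bannerHeader  = "X-Example-App"          // the one header a naive scan keys on
	bannerValue   = "ExampleWiki"
	timingHeader  = "X-Example-Request-Time" // a real instance emits this on every response
	sessionCookie = "EXAMPLESESSIONID"       // a real instance always sets this cookie
)

// genuineFaviconBytes stands in for the icon a real instance serves (constructed).
var genuineFaviconBytes = []byte("constructed-examplewiki-favicon-bytes")
var genuineFaviconHash = faviconHash(genuineFaviconBytes)

func faviconHash(icon []byte) string {
	sum := sha256.Sum256(icon)
	return hex.EncodeToString(sum[:])
}

// claimsBanner is the naive check: the host merely says it is the application.
func claimsBanner(o Observation) bool {
	return o.Header.Get(bannerHeader) == bannerValue
}

// Classify cross-checks the banner against the three signal classes the
// episode mentions: headers, cookies and favicon.
func Classify(o Observation) Verdict {
	if !claimsBanner(o) {
		return NotTarget
	}
	hasTiming := o.Header.Get(timingHeader) != ""
	hasCookie := false
	for _, c := range o.Header.Values("Set-Cookie") {
		if strings.HasPrefix(c, sessionCookie+"=") {
			hasCookie = true
		}
	}
	hasFavicon := o.Favicon != nil && faviconHash(o.Favicon) == genuineFaviconHash
	if hasTiming && hasCookie && hasFavicon {
		return Real
	}
	return LikelyHoneypot
}

// Count returns the banner-only tally next to the filtered numbers.
func Count(obs []Observation) (naive, genuine, decoy int) {
	for _, o := range obs {
		if claimsBanner(o) {
			naive++
		}
		switch Classify(o) {
		case Real:
			genuine++
		case LikelyHoneypot:
			decoy++
		}
	}
	return
}

func observation(host string, favicon []byte, headers map[string][]string) Observation {
	h := http.Header{}
	for k, vs := range headers {
		for _, v := range vs {
			h.Add(k, v)
		}
	}
	return Observation{Host: host, Header: h, Favicon: favicon}
}

// SampleObservations is a constructed scan result: one genuine instance, two
// decoys that only mimic the banner, and one unrelated web server.
func SampleObservations() []Observation {
	return []Observation{
		observation("203.0.113.10", genuineFaviconBytes, map[string][]string{
			bannerHeader: {bannerValue}, timingHeader: {"17"},
			"Set-Cookie": {sessionCookie + "=abc123; Path=/; HttpOnly"},
		}),
		observation("203.0.113.11", []byte("generic-icon"), map[string][]string{
			bannerHeader: {bannerValue}, // banner only: a low-interaction decoy
		}),
		observation("203.0.113.12", nil, map[string][]string{
			bannerHeader: {bannerValue}, timingHeader: {"3"},
			"Set-Cookie": {"SESSION=deadbeef; Path=/"}, // a cookie, but not the right one
		}),
		observation("203.0.113.13", nil, map[string][]string{"Server": {"nginx"}}),
	}
}

func main() {
	naive, genuine, decoy := Count(SampleObservations())
	fmt.Printf("banner matches: %d, real: %d, likely honeypots: %d\n", naive, genuine, decoy)
}
```

The point of `Count` is the gap between its first and second return values: the banner-only tally is what a Shodan-style query reports, while only hosts that pass every corroborating check are counted as real exposure. A misconfigured genuine instance can still land in the honeypot bucket, so in practice the "likely honeypot" set is a queue for closer inspection rather than a final answer.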
Secure cross-device networking with overlay networks: Overlay networks like Tailscale, Nebula, and ZeroTier provide secure and private connections between devices, allowing access to home networks and services while traveling, and email-only authentication, when implemented correctly, can be a reliable and secure alternative to traditional password-based authentication.
Overlay networks offer a simple and effective solution for secure cross-device networking through the public Internet, without the need for complex router configurations or leaving machines running at home. Overlay networks like Tailscale, Nebula, and ZeroTier provide world-class security and are easily accessible through free solutions. These networks allow users to create a secure and private connection between devices, making it possible to access home networks and services while traveling. The conversation then turned to email-only passwordless authentication, which, while convenient, may not be as secure as traditional email and password combinations due to the reliance on email as the only form of authentication. However, if implemented correctly, email-only authentication can serve as a reliable and secure alternative to traditional password-based authentication. It's important to note that every login system, including those that rely on email, should include a "forgot password" or similar mechanism, making email control a crucial aspect of account security. In summary, overlay networks offer a simple and effective solution for secure cross-device networking, while email-only authentication, when implemented correctly, can serve as a reliable and secure alternative to traditional password-based authentication.
Email-based OTPs offer a more secure alternative to passwords: Email-based OTPs can provide stronger security than passwords by eliminating the need for users to remember or share them, and can be made unpredictable and non-repetitive through encryption and tokenization.
While passwords are commonly used for login authentication, they can be considered mere security theater, since the weakest link is the forgotten-password process. Email-based one-time passcodes (OTP) can provide an equally secure alternative to passwords, as long as the user's control over their registered email account is verified. This can be achieved by sending a direct login link with an OTP as a parameter, which eliminates the need for users to transcribe the code. To ensure the OTP's unpredictability and non-repetition, a monotonically increasing 32-bit counter can be encrypted using a secure block cipher like AES (Rijndael), which produces a unique and unpredictable 128-bit result. This result can then be converted into a 22-character one-time token with a Base64 encoder. The system should maintain a pending logins list, where each item includes the token, email address, and a timestamp. Upon clicking the link, the system checks the pending logins list for a matching token and timestamp, granting access only if both match. This approach offers a more secure and user-friendly alternative to traditional password-based login systems.
Passwordless login with self-expiring tokens: Unique tokens for each login attempt, expiring after a set time, offer increased security and convenience for users, reducing the need for weak passwords and preventing unauthorized access.
A passwordless login system using self-expiring tokens can offer increased security by eliminating the need for users to remember passwords, which are often weak. The system works by generating a unique token for each login attempt, which expires after a set time. When a user attempts to log in, the system checks the token and the associated email address. If the token is valid and has not expired, the user is granted access and the token is removed from the system to prevent unauthorized use. This system, used by platforms like Medium, offers convenience for users and an additional layer of security against password breaches. The discussion also touched upon the trend of platforms asking for email addresses instead of passwords for login, as a response to the phase-out of third-party tracking. A listener shared an experience with Facebook notifying him of a password change and offering the option to reset it if he didn't recall making the change. The system's usefulness was debated: some saw it as a positive feature for preventing unintended password resets, while others viewed it as an annoyance. Overall, the conversation emphasized the importance of security and the evolving nature of login systems.
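The two sections above sketch one scheme: encrypt a 32-bit counter with AES to get an unpredictable 128-bit value, encode it as a 22-character token, keep a pending-logins list of token, email and timestamp, and remove the entry on first use or expiry. The Go program below is an added illustration of that scheme, not code from the episode or from any of the services it mentions. It assumes the names `Issuer`, `Issue`, `Redeem` and `Expire`, a constructed 16-byte demo key, and that the counter starts at zero; a real service would persist the counter so a restart never reuses a value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrTokenRejected covers every failure (unknown, expired, already used) so
// the response does not reveal which check failed.
var ErrTokenRejected = errors.New("login token rejected")

// pendingLogin is one item of the pending-logins list: who asked, and when.
type pendingLogin struct {
	email  string
	issued time.Time
}

// Issuer holds the AES key, the 32-bit counter and the pending-logins list.
type Issuer struct {
	mu      sync.Mutex
	block   cipher.Block
	counter uint32 // assumption: starts at zero; persist it in a real service
	ttl     time.Duration
	pending map[string]pendingLogin
}

// NewIssuer takes a 16-, 24- or 32-byte AES key and the token lifetime.
func NewIssuer(key []byte, ttl time.Duration) (*Issuer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Issuer{block: block, ttl: ttl, pending: make(map[string]pendingLogin)}, nil
}

// nextToken encrypts the next counter value as a single AES block. AES is a
// permutation, so distinct counters yield distinct 128-bit outputs, and without
// the key the sequence is unpredictable. 16 bytes encode to 22 Base64 characters.
func (is *Issuer) nextToken() string {
	is.counter++
	var plain, enc [aes.BlockSize]byte
	binary.BigEndian.PutUint32(plain[12:], is.counter)
	is.block.Encrypt(enc[:], plain[:])
	return base64.RawURLEncoding.EncodeToString(enc[:])
}

// Issue records a pending login for email and returns the token for the link.
func (is *Issuer) Issue(email string, now time.Time) string {
	is.mu.Lock()
	defer is.mu.Unlock()
	tok := is.nextToken()
	is.pending[tok] = pendingLogin{email: email, issued: now}
	return tok
}

// LoginLink is the direct link the user clicks; there is no code to transcribe.
func LoginLink(base, token string) string {
	return base + "?token=" + token // RawURLEncoding output is URL-safe as is
}

// Redeem returns the email bound to a pending, unexpired token. The entry is
// deleted on first presentation whether or not it validates, so a token can
// never be replayed.
func (is *Issuer) Redeem(token string, now time.Time) (string, error) {
	is.mu.Lock()
	defer is.mu.Unlock()
	p, ok := is.pending[token]
	if !ok {
		return "", ErrTokenRejected
	}
	delete(is.pending, token)
	if now.Sub(p.issued) > is.ttl {
		return "", ErrTokenRejected
	}
	return p.email, nil
}

// Expire drops stale entries and reports how many were removed; run it
// periodically so links that were never clicked do not accumulate.
func (is *Issuer) Expire(now time.Time) int {
	is.mu.Lock()
	defer is.mu.Unlock()
	dropped := 0
	for tok, p := range is.pending {
		if now.Sub(p.issued) > is.ttl {
			delete(is.pending, tok)
			dropped++
		}
	}
	return dropped
}

// PendingCount is the current size of the pending-logins list.
func (is *Issuer) PendingCount() int {
	is.mu.Lock()
	defer is.mu.Unlock()
	return len(is.pending)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key, never for real use
	is, err := NewIssuer(key, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok := is.Issue("alice@example.com", now)
	fmt.Println(LoginLink("https://example.com/login", tok), "token length:", len(tok))
	email, err := is.Redeem(tok, now.Add(time.Minute))
	fmt.Println("first click:", email, err)
	_, err = is.Redeem(tok, now.Add(time.Minute))
	fmt.Println("second click:", err)
}
```

The email returned by `Redeem` is what identifies the session to create, so the token alone proves control of the mailbox it was sent to. Because the counter is encrypted rather than used directly, a token reveals nothing about how many logins have been issued, and because the entry is deleted on first use, the window an intercepted link is useful for is bounded by both the lifetime and the legitimate user's first click.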
Facebook's proposed feature to remember retired passwords: Facebook's new feature helps users manage multiple passwords and avoid sharing accounts, while web browsers may regain dominance by adopting open standards.
Facebook's proposed feature to remember and suggest retired passwords can be a helpful solution for users who share accounts or forget their own passwords. This feature, which is not a security risk, is a user-friendly solution to the common problem of remembering multiple passwords. Additionally, the discussion touched upon the topic of web browsers and the possibility of a return to browser dominance. It was concluded that other browsers will likely adopt the same open standards as Chrome to remain competitive, and there is no indication that Apple will open its devices to other browsers outside of EU regulations. The conversation also mentioned the third CISA recommendation regarding user intervention for security changes, but unfortunately, there is no effective solution for the security issue with UPnP at the moment.
Security risks of UPnP and email addresses replacing passwords: UPnP's convenience comes with security risks and email addresses replacing passwords could lead to unintended consequences and privacy concerns.
The free and easy nature of UPnP comes with significant security risks, and while it may be convenient for devices to operate without manual intervention, it poses challenges for secure network traffic. Regarding website access, some sites are requiring email addresses instead of passwords to track users, which could lead to password reuse and bad habits. Spiders, which index the web, may face challenges with paywalls and registration requirements, but could potentially bypass them by logging in like regular users or using well-known IP addresses. However, the impact on web indexing and potential solutions are yet to be seen. Earl Rod's experience with Fox News illustrates how email addresses are being used instead of passwords for website access, and while the friction for users is minimal, it could lead to unintended consequences and privacy concerns.
Websites use email addresses for tracking instead of cookies: Some websites are using email addresses as an alternative to cookies for tracking user data, increasing the risk of spam and unwanted marketing emails.
Some websites, including Fox News and PC Gamer, are using email addresses as a form of tracking in place of cookies, which are being blocked by privacy regulations like the California Consumer Privacy Act (CCPA). This allows sites to identify and target users, and in turn, monetize their data through advertising. Users who sign up for newsletters or other site features often unknowingly provide their email addresses, which can lead to an increase in spam and unwanted marketing emails. This practice is not new, but it has become more prevalent as websites seek to circumvent privacy regulations. Users who want to protect their email addresses can create throwaway or burner emails specifically for these types of sign-ups, but even these emails can be tied back to individuals through various means. The use of email addresses for tracking highlights the ongoing tension between user privacy and the data collection practices of the advertising industry.
Maintaining Battery Health and Email Deliverability: Keep modern devices charged to preserve battery health and trust companies to manage battery effectively. Email deliverability poses challenges, and costs for interpreting delivery failures continue to rise.
When it comes to battery health for electronic devices, it's generally better to keep them charged rather than letting them fully discharge. This advice applies to modern lithium-ion batteries, which don't respond well to deep discharges or overcharging. Steve Gibson, the host of Security Now, shared his personal experience of keeping his devices plugged in at all times, and he's never had a battery die on any of them. He also advised trusting companies like Apple to manage their batteries effectively. Regarding email deliverability, Mark Jones asked for Steve's thoughts on the challenges posed by SPF, DKIM, and DMARC, as well as his stance on maintaining one's own email server. Steve acknowledged the difficulties in email deliverability in the current era but didn't offer specific advice. He did mention that costs for services interpreting delivery failure events continue to escalate.
Running Own Email Server vs. Using a Service: Pros, Cons, and Alternatives: Considering the costs and responsibilities of running an email server, some users may prefer using a service like Fastmail for email management. Regularly checking and deleting unnecessary apps can help free up space on iOS devices, and using Spinrite 6.1 on an old Intel iMac can recover data from failing drives.
Running your own email server comes with significant responsibilities and costs, which may outweigh the benefits for some users. Mark's consideration of giving up running email off his own domains stemmed from the escalating costs of EasyDMARC and the challenges of email delivery in the current age of SPF, DKIM, and DMARC. However, those who have established a positive reputation and run their own email servers with commercial IP addresses and proper authentication may continue to do so. In contrast, Fastmail offers a solution for those who prefer not to manage their own email servers, providing DKIM, DMARC, and SPF authentication for users' domains. Regarding app sizes on iOS devices, a useful tip shared during the discussion was the importance of regularly checking and deleting unnecessary data to free up space. Apple does not offer a built-in space cleaner, but users can delete apps and reinstall them to eliminate unwanted data. An advanced tip from Andre Arroyo involved booting an old Intel iMac from a USB drive and running Spinrite 6.1 directly on it. This allows users to recover data from failing drives without the need for an external drive or additional software. In summary, the discussion touched upon the pros and cons of running one's own email server, the importance of managing app sizes on iOS devices, and an advanced tip for using Spinrite 6.1 on older Intel iMacs.
Running data recovery tools on Samsung SDHC cards with bad spots: Automated, persistent level 2 scans with Spinrite may recover more data from Samsung SDHC cards with bad spots. Security concerns around BitLocker encryption and TPM chips highlight the importance of physical security measures.
A Samsung SDHC card with bad spots may benefit from running a data recovery tool like Spinrite with automated, persistent level 2 scans to potentially heal and recover more data. Spinrite's developer discusses the possibility of creating a script to automate this process, which could result in a more efficient and effective recovery. Additionally, a security concern was raised regarding BitLocker encryption and TPM chips, as physical access to a machine could allow an attacker to intercept and capture the decryption key during the pre-boot process. This underscores the importance of securing systems not only with encryption but also with physical security measures.
Design flaw in some systems separates TPM key storage and consumer, creating vulnerability: Design flaw in some systems can expose encryption systems like BitLocker to physical attacks, but modern systems with firmware TPMs are less susceptible.
The design flaw in some systems, which places the Trusted Platform Module (TPM) key storage and the consumer of that stored key in separate components with accessible communication pins, creates a vulnerability to physical attacks. This issue, which has been discovered multiple times in the past, can affect encryption systems like BitLocker on millions of machines. The most recent Intel and AMD processors have addressed this issue by integrating the TPM's storage functions into the system's processor. However, it's unclear if all future CPUs will follow this trend. The good news is that many modern systems, including budget desktops and laptops, use firmware TPMs that are integrated into the processor, making them less susceptible to external attacks. High-end laptops, on the other hand, may still use external TPMs, making them more vulnerable. To check which type of TPM your system uses, you can go into the Windows Security Center and look at the device security screen. If your TPM's manufacturer is Intel, AMD, or Microsoft, you're likely using a firmware TPM. But if you see another manufacturer listed, you might be using a dedicated external TPM. Overall, this issue highlights the importance of staying informed about security vulnerabilities and taking steps to protect your personal data.
Adding a PIN to your system for extra security: Adding a PIN to your system can provide an extra layer of security against TPM-only attacks, even for systems with BitLocker encryption. Use a complex PIN and regularly update it for added security.
Adding a PIN to your system can provide an extra layer of security against TPM-only attacks, even for systems that already use BitLocker encryption. This can be done by enabling enhanced authentication requirements in the local group policy editor and setting up a new PIN using a command prompt. While this additional security measure may not deter highly motivated and technically skilled attackers, it can help protect against less skilled attackers and prevent unauthorized access if a device is lost or stolen. Microsoft recommends using a complex PIN and regularly updating it for added security. While BitLocker is a convenient option for many users due to its built-in nature, some may prefer more secure options like VeraCrypt for stronger encryption. Ultimately, the decision between convenience and security is up to the individual user, but requiring something you know, such as a strong PIN, is the only true protection against unauthorized access.
Steve Gibson Releases Spinrite 6.1: Secure Your Email and Data: Steve Gibson, the tech expert, offers a free update of Spinrite 6.1 to secure email and data. Listen to 'This Week in Tech' for the latest tech news and trends in space exploration, available for free at grc.com or through podcast players.
Steve Gibson, the creator of Spinrite and other tech tools, is releasing an updated version, Spinrite 6.1, which users can get for free if they have the previous version. Gibson, who is known for his late-night coding sessions, emphasizes the importance of securing email and data. The show, "This Week in Tech," can be accessed for free at grc.com, with unique versions available for different bandwidths. Gibson's work, including Spinrite and ShieldsUP!, is highly regarded in the tech community. The show also offers a video version, which can be found on YouTube and twit.tv/sn. Rod Pyle, the editor in chief of Ad Astra magazine, co-hosts the show, discussing the latest news and trends in space exploration. The show airs every Tuesday after Mac Break Weekly and is available for subscription through podcast players.