
    SN 985: Platform Key Disclosure - Crowdstrike Post-mortem, Entrust Update

    July 30, 2024
    What major incident did CrowdStrike experience recently?
    How effective is Firefox in blocking tracking cookies?
    What cybersecurity issues were highlighted regarding Microsoft?
    What is 'Swedish death cleaning' related to?
    Who created a functional emulated PDP-10 console?

    • Security incidents and discoveries: Recent events include CrowdStrike's data breach, Firefox's ineffective third-party cookie blocking, a PC flaw affecting 850 models, Microsoft's recall data vulnerability, and the importance of cybersecurity in today's world. Lookout can help safeguard data and secure hybrid work.

      There have been several security incidents and discoveries in the news recently. CrowdStrike, a security company, experienced a major event and is dealing with the aftermath. Firefox, a popular web browser, was found not to be effectively blocking third-party tracking cookies. A flaw was discovered that affects nearly 850 different PC makes and models. Microsoft's inability to keep recall data safe was discussed, and the importance of cybersecurity in today's world was emphasized. Lookout, a sponsor of the show, was introduced as a way to help safeguard data and secure hybrid work. The podcast ended with a light-hearted moment about a sign in a bookstore.

    • CrowdStrike vs Microsoft Defender for Endpoint: CrowdStrike's top-notch monitoring features, integration capabilities, and excellent customer support make it a preferred choice over Microsoft Defender for Endpoint despite occasional outages, saving companies from significant financial losses.

      Despite a major outage experienced by CrowdStrike, the value and functionality they offer in cybersecurity surpasses that of their competitors like Microsoft Defender for Endpoint. The listener, who works in cybersecurity at a large enterprise organization, shared his perspective on the CrowdStrike outage and the importance of their software in preventing potential network breaches and saving companies from significant financial losses. He emphasized the top-notch monitoring features, integration capabilities, and excellent customer support offered by CrowdStrike. The listener also criticized Microsoft's customer support and the lack of protection offered by MDE compared to CrowdStrike. Despite the outage, the listener believed that CrowdStrike's proven track record of preventing catastrophic events justifies their continued use. Additionally, a listener named Dan Mutal shared a workaround for bypassing the BitLocker recovery key requirement when booting into safe mode, which can be helpful for system admins in recovery situations. Overall, the feedback emphasizes the importance of robust cybersecurity solutions and effective customer support during critical incidents.

    • Risks of interpreters in security software: Thorough testing is crucial to prevent issues in security software, even in rapid response content updates, which may not undergo the same level of testing and may be delivered in proprietary binary formats that are interpreted.

      CrowdStrike's expensive security solution was able to save a large organization from a potential disaster despite a major issue with a rapid response content update. This update contained an undetected error that led to a massive outage for many users. However, CrowdStrike's well-trained support team was able to quickly remediate the issue through a cloud-based recovery process, allowing users to simply reboot their computers for a self-repair. Although the issue was not caused by sensor content, which undergoes extensive testing before release, the rapid response content was not subjected to the same level of testing and was delivered in a proprietary binary format that is interpreted. This highlights the importance of thorough testing and the potential risks of interpreters in security software. Despite the initial concerns and questions about how such an issue could have occurred, CrowdStrike has since provided more information about the incident and the inner workings of their security solution.

    • Windows crashes due to CrowdStrike update: A bug in a CrowdStrike update caused Windows crashes through a malformed IPC template instance. Thorough testing and validation processes are crucial to prevent such incidents.

      A recent update from CrowdStrike caused a significant issue leading to crashes on sensors running in the Windows operating system. The update introduced a new Inter-Process Communication (IPC) template type designed to detect novel attack techniques abusing named pipes. The template type underwent stress testing and validation checks before being released. However, a malformed instance of the template was released due to a bug in the content validator and interpreter. This malformed instance contained problematic content data that caused an out-of-bounds memory read, triggering an exception and resulting in a Windows operating system crash. The incident highlights the importance of thorough testing and validation processes to prevent such incidents. Additionally, it underscores the potential risks associated with updates and the need for robust error handling mechanisms.
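The failure mode described above, as a constructed model added here (not CrowdStrike's code or content format): a template type declares how many parameter slots an instance carries, a loose validator checks only the parameter count, and a malformed instance that references a slot the type does not have passes that validator and faults in an interpreter that indexes without bounds checks. The strict validator and the checked interpreter show the two places the same invariant must be enforced. All type names, slot counts and events are invented for the example.

```python
from dataclasses import dataclass


class ContentError(ValueError):
    """Raised when a content instance fails validation."""


@dataclass(frozen=True)
class TemplateType:
    """A template type as the interpreter understands it: `slots` parameters per instance."""
    name: str
    slots: int


@dataclass(frozen=True)
class TemplateInstance:
    """Rapid-response content: parameter values plus the slot indices a rule compares."""
    type_name: str
    params: tuple
    compare: tuple  # slot indices the rule reads; an index >= slots is the malformed case


def validate_loose(inst: TemplateInstance, types: dict) -> TemplateType:
    """Validator that only checks the type name and the parameter count (constructed to
    show the gap): it does not know which slots the interpreter will actually read."""
    t = types.get(inst.type_name)
    if t is None:
        raise ContentError(f"unknown template type {inst.type_name!r}")
    if len(inst.params) != t.slots:
        raise ContentError(f"{inst.type_name}: expected {t.slots} params, got {len(inst.params)}")
    return t


def validate_strict(inst: TemplateInstance, types: dict) -> TemplateType:
    """Validator that also enforces the interpreter's invariant: every slot index a rule
    will read must exist. This is the check that rejects the malformed instance."""
    t = validate_loose(inst, types)
    bad = [i for i in inst.compare if not 0 <= i < t.slots]
    if bad:
        raise ContentError(f"{inst.type_name}: slot indices {bad} outside 0..{t.slots - 1}")
    return t


def interpret_unchecked(inst: TemplateInstance, event: tuple) -> bool:
    """Interpreter that indexes the parameter table directly. An out-of-range index is the
    Python analogue of the out-of-bounds read: it raises IndexError instead of returning."""
    return all(inst.params[i] in ("*", event[i]) for i in inst.compare)


def interpret_checked(inst: TemplateInstance, event: tuple) -> bool:
    """Interpreter that treats an out-of-range slot as 'no match' rather than faulting.
    Defence in depth: code running in a privileged context must not trust the validator."""
    for i in inst.compare:
        if not 0 <= i < len(inst.params) or i >= len(event):
            return False
        if inst.params[i] not in ("*", event[i]):
            return False
    return True


# Constructed sample content: a 3-slot type, a well-formed instance reading slots 0 and 2,
# and a malformed instance referencing slot 3, which a 3-slot type does not have.
TYPES = {"named_pipe": TemplateType("named_pipe", slots=3)}
GOOD = TemplateInstance("named_pipe", ("\\\\.\\pipe\\example", "*", "connect"), (0, 2))
MALFORMED = TemplateInstance("named_pipe", ("\\\\.\\pipe\\example", "*", "connect"), (0, 3))
EVENT = ("\\\\.\\pipe\\example", "client.exe", "connect")  # constructed event: (pipe, image, op)

if __name__ == "__main__":
    validate_loose(MALFORMED, TYPES)  # passes: the loose validator misses the bad index
    try:
        validate_strict(MALFORMED, TYPES)  # rejected before the content would ship
    except ContentError as err:
        print("strict validator rejected content:", err)
    print("checked interpreter on malformed content:", interpret_checked(MALFORMED, EVENT))
```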

    • Decluttering, letting go: The process of decluttering and letting go of possessions, even those with significant value or nostalgic attachment, is important for personal growth and reducing burdens for loved ones. Swedish death cleaning can help prepare for the future by getting rid of unwanted items.

      Decluttering and letting go of possessions, even those with significant value or nostalgic attachment, can be a challenging but necessary process. The speaker, who is downsizing his studio, shared his experiences of deciding what to keep and what to leave behind. He mentioned the difficulty of parting with items like a giant demonstration slide rule and old computers, but recognized the importance of traveling more and not burdening his children with his possessions. The conversation also touched on the concept of "Swedish death cleaning," which involves preparing for one's death by getting rid of items that loved ones may not want. The speaker mentioned a friend who converted his CD collection to audio files and threw away the physical CDs. The discussion also highlighted the creation of a fully functional, emulated PDP-10 console by Oscar Vermeulen. The speaker expressed his desire to buy it, but acknowledged that it was running on a Raspberry Pi and was more powerful than the original PDP-10. The speaker also shared his experience of demonstrating the console with his family and being surprised by his son's reaction to the concept of bits and switches. Overall, the conversation emphasized the importance of letting go of possessions and the joy of discovering new technology. The speaker encouraged listeners to consider their own possessions and the impact they may have on their loved ones.

    • CrowdStrike incident response: CrowdStrike plans to implement a staggered deployment strategy, improve monitoring, provide greater control over updates, and add validation checks to prevent future software issues and improve overall security.

      CrowdStrike, after experiencing a major software issue that led to widespread system crashes, has promised to enhance its security measures to prevent such incidents from happening again. The company plans to implement a staggered deployment strategy for rapid response content, improve monitoring, provide customers with greater control over updates, and add additional validation checks to its content validator. These actions are intended to address the centralized problem that led to the initial issue and ensure more robust and reliable software. It's important to note that no system is foolproof, and mistakes can still occur despite the best efforts to prevent them. However, CrowdStrike's response demonstrates a commitment to learning from the incident and improving its processes to minimize the risk of future problems. Additionally, third-party antivirus vendors, including CrowdStrike, can effectively protect systems without being in the Windows kernel, as Marcus Hutchins explained in a detailed YouTube video. The CrowdStrike incident serves as a reminder that even the most trusted software can have vulnerabilities, and ongoing efforts to strengthen security measures are essential.

    • Microsoft's instability in Windows kernel access: Microsoft's evolving Windows kernel access causes instability and requires third parties to adapt, with Entrust's recent change in SSL certificate purchasing process adding to the challenges.

      Microsoft's ongoing evolution of Windows kernel access has been a long-standing issue, with third parties requiring access to maintain their solutions on older Windows platforms. Marcus' perspective is that Microsoft is responsible for the ongoing instability. The discussion then turned to Entrust's recent webinar: Entrust customers will soon need to prove domain ownership to SSL.com rather than to Entrust when purchasing web server certificates, and Entrust wants SSL.com's name to be hidden, with Entrust's name appearing in web browsers instead. Separately, Firefox's strict mode, designed to block third-party cookies, is not functioning as intended, adding to the ongoing challenges in the tech industry.

    • Firefox tracking cookies: Firefox selectively blocks some third-party tracking cookies while allowing others, potentially confusing users and raising privacy concerns.

      Firefox may be selectively blocking some third-party tracking cookies while allowing others, leading to potential confusion and privacy concerns. This behavior, which may be based on some sort of heuristic or value judgment, is different from how other browsers handle third-party cookies and goes against the user's preference for strict cookie settings. This issue, if confirmed, raises questions about transparency and truthfulness in Firefox's UI and could potentially leave users vulnerable to tracking. It's important for users and security experts to investigate further and determine the extent of this issue. Additionally, the incident of a North Korean hacker posing as a software engineer highlights the risks of hiring remotely and relying solely on online information. Companies must be cautious and implement robust security measures to prevent such attacks.

    • Google's Privacy Sandbox: Google's Privacy Sandbox, an initiative to phase out third-party cookies, sparks debate over monopolization and commercial interests in the ad tech market, emphasizing the need for privacy regulations and consumer control over data.

      The debate surrounding Google's privacy sandbox and the potential elimination of third-party cookies is a complex issue with various perspectives. Some argue that Google was attempting to monopolize the ad tech market, while others believe the EU's decision to allow third-party cookies to remain was influenced by commercial interests. Regardless, it's clear that the online collection and sale of personal information has become a powerful industry, and addressing privacy concerns requires a collective effort from both the tech industry and government. As consumers, it's crucial to stay informed and advocate for transparency and control over our data. Additionally, it's important to note that automakers are also collecting and reselling driving data without clear consent from consumers, further highlighting the need for stronger privacy regulations.

    • Platform Key Fail: A vulnerability called Platform Key Fail allows attackers to bypass secure boot and run untrusted code on affected devices due to the use of untrusted platform keys. Replacing these keys with unique and secure ones is necessary to mitigate the risk.

      A vulnerability known as Platform Key (PK) Fail, which allows attackers to bypass secure boot and run untrusted code, affects a significant number of devices in the market. This vulnerability exists due to the use of untrusted platform keys, which should have been replaced by unique and secure keys during the manufacturing process but were not. These keys, which are shared among various vendors and manufacturers, have been identified in firmware images from major device vendors. The private part of one such key was even discovered in a public data leak. The complexity of the firmware supply chain, where multiple companies contribute to the production of a single firmware image, makes it challenging to ensure the security of each component. Despite the vulnerability being known since at least 2016, it continues to affect a substantial number of devices. To address this and other software supply chain security vulnerabilities, there is a need for advanced tools that can analyze firmware images and detect PK fail and other security issues. The impact of PK fail can be severe, as it allows attackers to bypass secure boot and run malicious code, potentially leading to data theft or system compromise. It is crucial for device manufacturers and vendors to prioritize the security of their firmware supply chain and take steps to replace untrusted keys with unique and secure ones.

    • PK fail vulnerability: A security vulnerability, PK fail, affects secure boot on various devices due to the use of test keys in production. Users can check their systems and update firmware to mitigate the risk of local boot tampering.

      A security vulnerability, known as PK fail, was discovered in firmware from AMI, affecting secure boot on various devices from multiple vendors. The vulnerability stems from the use of test keys marked as "do not trust" but still being shipped and used in production. These keys have been in use since at least 2012 and were even found in heterogeneous products like gaming laptops and server motherboards. Despite the vulnerability being publicly known since 2016, the number of affected devices has remained high, with some still in use today. Users can check their systems for these insecure keys using specific commands on Linux and Windows. The recommended solution is to update firmware when vendors release patches and to replace compromised databases. The primary danger is local boot tampering, and the vulnerability does not make systems actively vulnerable to remote attacks. The manufacturers are expected to respond to this issue, as there is no excuse for their negligence in not generating their own platform keys.
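The check the two PK fail sections above describe (inspecting the machine's own Platform Key for the shipped "do not trust" test certificate), as an added example that is not from the show or from the researchers who reported the issue. It parses the EFI_SIGNATURE_LIST chain stored in the PK variable with every size field checked against the buffer, and flags X.509 entries whose certificate bytes carry the test-key marker. The efivarfs path and GUIDs are standard UEFI values; the owner GUID and the two certificate blobs are constructed stand-ins, not real certificates.

```python
import os
import struct
import uuid

# EFI_CERT_X509_GUID: SignatureData entries of this type are DER-encoded X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Marker text carried in the subject of the AMI test certificates ("DO NOT TRUST - AMI Test PK").
UNTRUSTED_MARKERS = (b"DO NOT TRUST",)
# efivarfs path of the Platform Key variable (EFI_GLOBAL_VARIABLE GUID).
PK_EFIVAR = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
SIGLIST_HDR = struct.Struct("<16sIII")
# Constructed values for the offline sample: an owner GUID and two fake certificate blobs
# (real entries are full DER certificates; only the marker substring matters here).
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_TEST_CERT = b"\x30\x82" + b"CN=DO NOT TRUST - AMI Test PK" + b"\x00" * 8
FAKE_VENDOR_CERT = b"\x30\x82" + b"CN=Example OEM Platform Key" + b"\x00" * 8


def parse_signature_lists(data: bytes) -> list:
    """Walk a chain of EFI_SIGNATURE_LIST structures and return one
    (signature_type, signature_owner, signature_data) tuple per EFI_SIGNATURE_DATA entry."""
    entries = []
    off = 0
    while off < len(data):
        if off + SIGLIST_HDR.size > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        end = off + list_size
        if list_size < SIGLIST_HDR.size + hdr_size or end > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:  # every entry starts with a 16-byte SignatureOwner GUID
            raise ValueError(f"SignatureSize {sig_size} smaller than the owner GUID")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + SIGLIST_HDR.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        if pos != end:
            raise ValueError(f"signature list at offset {off} has {end - pos} stray bytes")
        off = end
    return entries


def find_untrusted_pk(blob: bytes, from_efivarfs: bool = True) -> list:
    """Return one finding per X.509 entry whose certificate bytes contain a test-key marker.
    efivarfs prepends a 4-byte attribute word to the variable data, which is skipped here."""
    data = blob[4:] if from_efivarfs else blob
    findings = []
    for sig_type, owner, der in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        hits = [m.decode() for m in UNTRUSTED_MARKERS if m in der]
        if hits:
            findings.append({"owner": str(owner), "markers": hits, "cert_len": len(der)})
    return findings


def build_efivar(certs: list, attributes: int = 0x27) -> bytes:
    """Constructed helper for offline testing: pack each certificate blob into its own
    EFI_SIGNATURE_LIST behind an efivarfs attribute prefix (NV|BS|RT|TIME_BASED_AUTH)."""
    out = struct.pack("<I", attributes)
    for der in certs:
        sig_size = 16 + len(der)
        out += SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, SIGLIST_HDR.size + sig_size, 0, sig_size)
        out += SAMPLE_OWNER.bytes_le + der
    return out


if __name__ == "__main__":
    if os.path.exists(PK_EFIVAR):
        with open(PK_EFIVAR, "rb") as fh:
            print(find_untrusted_pk(fh.read()) or "no known test-key marker found in PK")
    else:  # no UEFI variable store here: run against the constructed sample instead
        print(find_untrusted_pk(build_efivar([FAKE_VENDOR_CERT, FAKE_TEST_CERT])))
```

On Windows the same variable data comes from `Get-SecureBootUEFI -Name PK` (its `Bytes` property carries no attribute prefix), so pass it with `from_efivarfs=False`.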

    • Data privacy and individual choice: Individuals have the right to make informed decisions about their data and privacy, especially regarding new technologies. Stay informed and take steps to protect data through resources like Steve Gibson's Grc.com.

      Individuals should have the right to make informed decisions about their data and privacy, especially regarding new technologies like recall storage. Microsoft's emphasis on security does not negate the importance of individual choice. The discussion also touched on the importance of secure boot and its limitations, as well as the various tools and resources available to help secure digital systems. Ultimately, it's crucial for individuals to stay informed and take steps to protect their data, whether through tools like Steve Gibson's Grc.com or by staying updated on the latest security threats and trends. The ever-changing digital landscape requires constant vigilance and a commitment to staying informed.

    SN 985: Platform Key Disclosure - Crowdstrike Post-mortem, Entrust Update
    • Crowdstrike post-mortem
    • PiDP-11
    • What Crowdstrike is fixing
    • Marcus Hutchins on who is to blame
    • Entrust's Updated Info
    • 3rd-Party Cookie Surprise
    • Security training firm mistakenly hires a North Korean attacker
    • Google and 3rd party cookies
    • Google's influence
    • The auto industry and data brokers
    • DNS Benchmark on Mac
    • Platform Key Disclosure

    Show Notes - https://www.grc.com/sn/SN-985-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte

    Download or subscribe to this show at https://twit.tv/shows/security-now.

    Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

    You can submit a question to Security Now at the GRC Feedback Page.

    For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

    © 2024 Podcastworld. All rights reserved