Security Now 1009: Attacking TOTP – Detailed Summary

Release Date: January 22, 2025

In this milestone 1009th episode of Security Now, hosts Leo Laporte and Steve Gibson delve deep into the intricacies of security protocols, vulnerabilities, and the evolving landscape of cybersecurity. The episode weaves together discussions on Microsoft's Patch Tuesday, GoDaddy's enhanced hosting security, DJI's controversial firmware changes, CISA's advancements in vulnerability management, and an in-depth exploration of attacking Time-Based One-Time Passwords (TOTP). The conversation is enriched with listener feedback, expert insights, and real-world implications of current security practices.

1. Microsoft's Record-Breaking Patch Tuesday

Timestamp: 04:19 – 32:34

Steve Gibson opens the discussion by addressing the unprecedented volume of patches released by Microsoft on Patch Tuesday. Last week's update encompassed 160 critical patches, marking the highest number in years. The breakdown of these vulnerabilities, as reported by CrowdStrike, highlights:

• Remote Code Execution (RCE): 36%
• Elevation of Privilege: 25%
• Other Vulnerabilities: Including security feature bypass (9%), denial of service (13%), and information disclosure (14%).

Gibson emphasizes the severity of RCE and elevation of privilege vulnerabilities, noting that they constitute 61% of the total patches, underscoring their critical nature.

Steve Gibson [07:00]: "But it's not guaranteed that we would... For random events, it's all about probabilities and 693,147 guesses."

He further critiques Microsoft's strategy of forcing updates, particularly the mandatory installation of a new Outlook client on Windows 10 and 11 devices. Gibson expresses concern over Microsoft's approach, highlighting the challenges it poses for enterprises reliant on legacy systems.

Steve Gibson [04:19]: "There is absolutely no possible way for an attacker... unless they were to get insanely lucky."

2. GoDaddy's Enhanced Hosting Security and FTC Mandate

Timestamp: 70:44 – 84:23

Gibson transitions to discussing GoDaddy's recent security lapses that have attracted the scrutiny of the U.S. Federal Trade Commission (FTC). The FTC has mandated GoDaddy to overhaul its cybersecurity measures due to multiple breaches between 2019 and 2022. Key points include:

• FTC's Allegations: GoDaddy failed to implement industry-standard security protocols, leading to breaches that compromised customer websites and data.
• Required Reforms: Similar to the actions taken against Marriott, GoDaddy must adopt comprehensive security measures, including regular third-party assessments and stringent protection protocols.

Gibson draws parallels between GoDaddy and Marriott, emphasizing the lessons large organizations must learn about due diligence and integration of acquired entities.

Steve Gibson [70:44]: "But again, this was being exploited before any problem was known and before any patches were available."

3. DJI's Controversial Geo-Fencing Firmware Update

Timestamp: 66:26 – 110:00

A significant portion of the episode examines DJI's recent decision to remove firmware restrictions that prevent its drones from entering no-fly zones in the U.S. Initially reported with alarming language likening the move to "giving the middle finger," DJI later clarified that the update aligns with FAA regulations by shifting responsibility to drone operators.

• Initial Reaction: Public and listener backlash revolved around privacy concerns and potential misuse of drones in sensitive areas.
• DJI's Clarification: The company asserts that the Geo system remains an educational tool, not an enforcement mechanism, and that operators are now responsible for adhering to FAA-designated zones.

Gibson and Laporte discuss the implications of this shift, pondering the balance between user control and regulatory compliance.

DJI Statement [110:32]: "This change gives back control. They write to operators and provides them the information they need to fly safely."

4. CISA's Progress in Vulnerability Remediation

Timestamp: 113:22 – 144:04

Steve Gibson highlights the substantial improvements made by the Cybersecurity and Infrastructure Security Agency (CISA) in helping organizations manage and remediate vulnerabilities. According to CISA's latest report:

• Enrollment Growth: Vulnerability scanning services saw enrollment double over two years, reaching 7,791 organizations.
• Vulnerability Discovery: 1,200 new vulnerabilities were added to CISA's catalog within the same period.
• Remediation Efficiency: Average remediation times have been halved from 60 days to 30 days for critical infrastructure organizations.

Gibson underscores the significance of these advancements, noting that proactive vulnerability management is crucial in mitigating potential cyber threats.

Steve Gibson [113:22]: "We have a chart showing the average remediation time over the past two years... It's clear, it's a significant change."

5. Brute Forcing TOTP: Feasibility and Implications

Timestamp: 145:53 – End

The episode culminates with an exhaustive analysis of attacking Time-Based One-Time Passwords (TOTP). Inspired by listener Lachlan Hunt's experimentation with TOTP, Gibson explores whether the typically used 80-bit secrets in TOTP authenticators are sufficiently secure against brute force attacks.

Key Insights:

• Secret Key Length: Many services utilize 16-character base32 secrets, equating to 80 bits, below the recommended 128-bit minimum.

  Listener Lachlan Hunt [145:53]: "However, the longest secret I saw was a full 256 bits, which seems extreme."

• Attack Strategy: Gibson outlines a brute force approach where an attacker, armed with multiple TOTP outputs, attempts to guess the secret key by iterating through possible combinations.

• Probability Analysis:

  • Single Attempt: A six-digit code offers a 1 in 1,000,000 chance of guessing correctly.
  • Multiple Attempts: Even with multiple code samples, the sheer volume of possible keys (1.2 x 10¹²⁰ for 80-bit) renders brute force impractical.

• Security Margin: Transitioning to a 128-bit secret exponentially increases the difficulty, making brute force attacks virtually impossible within feasible time frames.

Steve Gibson [150:57]: "So this is, yeah, that one, yes, exactly."

Gibson concludes that while current implementations with 80-bit keys offer a baseline of security, adhering to the 128-bit recommendation would significantly enhance protection, especially as computational capabilities continue to advance.

6. Listener Feedback: Active Directory's Password Hashing Practices

Timestamp: 133:19 – 184:02

A pivotal moment in the episode features feedback from a listener managing security for a local government police department. The listener raises concerns about Active Directory's inability to salt password hashes, referencing outdated hashing methods that do not meet current security standards.

• Current Challenge: Active Directory relies on NT LAN Manager (NTLM) protocols that do not incorporate salting, making stored passwords susceptible to brute force and rainbow table attacks.

  Listener [133:19]: "Active Directory does not SALT user password hashes."

• Microsoft's Suggested Solution: Migration to cloud-based services like Microsoft Entra ID (formerly Azure AD), which necessitates moving away from on-premise domain controllers. However, this poses challenges:

  • Feature Limitations: Government Community Compliance (GCC) tenants lack many features available to standard enterprise customers.
  • Cost Implications: Upgrading licenses and transitioning to cloud services incurs significant expenses.

Gibson critically assesses Microsoft's approach, lamenting the forced migration to the cloud as an inadequate response to fundamental security shortcomings. The discussion highlights the tension between regulatory compliance, budget constraints, and the necessity for robust security measures in governmental IT infrastructure.

Steve Gibson [133:19]: "There is no way around it. There is no way to add this to Active Directory."

Conclusion

Episode 1009 of Security Now provides a comprehensive exploration of critical cybersecurity issues facing enterprises and individuals alike. From dissecting massive patch rollouts and corporate security failures to scrutinizing the robustness of authentication protocols, Gibson and Laporte offer invaluable insights into the current state and future directions of cybersecurity. The episode underscores the importance of proactive vulnerability management, adherence to security best practices, and the continual evolution of protective measures in an increasingly digital world.

Notable Quotes:

• Steve Gibson [04:19]: "There is absolutely no possible way for an attacker unless they were to get insanely lucky."
• Steve Gibson [07:00]: "But it's not guaranteed that we would... For random events, it's all about probabilities and 693,147 guesses."
• Steve Gibson [70:44]: "But again, this was being exploited before any problem was known and before any patches were available."
• DJI Statement [110:32]: "This change gives back control. They write to operators and provides them the information they need to fly safely."
• Steve Gibson [113:22]: "We have a chart showing the average remediation time over the past two years... It's clear, it's a significant change."
• Steve Gibson [133:19]: "There is no way around it. There is no way to add this to Active Directory."

This detailed summary encapsulates the essence of Security Now's Episode 1009, providing a clear and structured overview for listeners and newcomers alike.