Podcast Summary: Security Now Episode 1010 – DNS over TLS

Release Date: January 29, 2025

Hosts: Leo Laporte & Steve Gibson

1. Introduction to the Episode

In this episode of Security Now, hosts Leo Laporte and Steve Gibson delve into a range of critical security topics, focusing primarily on DNS over TLS. The discussion is enriched with real-world examples, listener feedback, and insightful analysis of recent security incidents affecting major corporations and individual users alike.

2. MasterCard's Five-Year DNS Typo

A significant portion of the episode is dedicated to a startling revelation regarding MasterCard's DNS configuration.

• The Issue: MasterCard had a five-year-old typo in its DNS settings. This misconfiguration, as reported by security researcher Philippe Catoregli, could have allowed cybercriminals to intercept or divert internet traffic for MasterCard by registering an unused domain name.

  • Steve Gibson highlights, "This tiny but potentially critical typo was discovered recently by Philippe Catoregli, founder of the security consultancy Ceralis S." [06:30]

• Discovery and Impact: The typo persisted from June 30, 2020, until January 14, 2025, unnoticed until Catoregli registered the domain akam.ne to prevent its exploitation.

  • Steve Gibson elaborates, "Philippe enabled a DNS server on akam.ne and noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe." [09:40]

• MasterCard's Response: MasterCard acknowledged the mistake but assured there was no risk to their systems.

  • Steve Gibson remarks, "MasterCard acknowledged the mistake but said there was never any real threat to the security of its operations." [16:45]

• Implications: This incident underscores the potential vulnerabilities introduced by minor configuration errors and the importance of diligent DNS management.

3. Script Kiddies Fall Prey to Trojanized RAT

The episode also sheds light on a deceptive cybersecurity threat targeting novice hackers.

• The Attack: A malicious actor distributed a tainted version of the Exwyrm RAT builder, specifically targeting script kiddies eager to build their own botnets.

  • Steve Gibson explains, "These script kiddies think they're getting a RAT builder tool, but instead, they're installing malware on their own systems." [38:12]

• Scale and Impact: Over 18,459 devices globally were compromised, with significant activity in countries like Russia, the USA, India, Ukraine, and Turkey.

  • Steve Gibson notes, "These wannabe hackers are being hacked themselves, installing malware they believe is a tool to enhance their hacking capabilities." [42:59]

• Malware Functionality: The Trojanized RAT can exfiltrate sensitive data, perform keylogging, and even launch disruptions within infected systems.

  • Steve Gibson states, "Browser credential theft allows actual attackers to impersonate users on any websites where they're logged in." [42:59]

• Conclusion: This incident highlights the dangers of engaging with unverified cybersecurity tools and the cunning tactics employed by seasoned threat actors to exploit the ambitions of less experienced hackers.

4. Explosion of DDoS Attacks

DDoS (Distributed Denial of Service) attacks continue to surge, posing significant challenges to internet infrastructure.

• Record-Breaking Attack: Cloudflare reported handling a 5.6 terabit per second (Tbps) UDP DDoS attack, the largest ever recorded, lasting only 80 seconds.

  • Steve Gibson comments, "Cloudflare successfully detected and blocked a 5.6 Tbps DDoS attack, keeping the targeted site online without any performance degradation." [52:08]

• Increase in DDoS Activity: In 2024, Cloudflare blocked 21.3 million DDoS attacks, marking a 53% increase from the previous year. Additionally, there was a 1,885% quarterly growth in hypervolumetric attacks exceeding 1 Tbps.

  • Steve Gibson states, "Nearly 5,000 DDoS attacks per hour were blocked, illustrating the relentless nature of these assaults." [52:04]

• Implications: The rapid escalation in both the frequency and volume of DDoS attacks underscores the urgent need for robust mitigation strategies and advanced defense mechanisms to protect online services.

5. Let's Encrypt Introduces 6-Day Certificates

Security enhancements in web encryption protocols were another focal point of the discussion.

• New Offerings: Let's Encrypt announced the introduction of six-day lifetime certificates, alongside their existing 90-day certificates, to bolster web security.

  • Steve Gibson explains, "Let's Encrypt is offering short-lived certificates to improve the security of the web PKI." [125:57]

• Technical Challenges: Implementing shorter certificate lifetimes introduces complexities, such as increased load on certificate authorities and potential connectivity disruptions during renewals.

  • Steve Gibson elaborates, "Shortening certificate lifetimes requires scaling up infrastructure to handle more frequent renewals, which can be burdensome for service providers." [124:00]

• Timeline: The phased rollout began in February 2025, with general availability expected by the end of the year.

  • Steve Gibson notes, "We expect to make short-lived certificates generally available by the end of 2025." [125:57]

• Conclusion: While the move towards shorter certificate lifetimes aims to enhance security by reducing the window of vulnerability from compromised certificates, it necessitates careful implementation to avoid service disruptions.

6. Spinrite and the 8-Terabyte Drive Failure

An intriguing user story highlights the reliability of modern storage solutions.

• User Experience: A Spinrite user reported that while testing four Western Digital Red 8TB drives using Spinrite Level 3, one drive exhibited significant failures midway through the process.

  • Steve Gibson describes, "One of the four 8TB drives started showing problems at 94% completion, indicating severe issues with that particular drive." [71:32]

• Spinrite's Role: Spinrite, a renowned storage maintenance utility, effectively diagnosed the failing drive by analyzing SMART (Self-Monitoring, Analysis, and Reporting Technology) data.

  • Steve Gibson explains, "The SMART parameters like ECC error correction and sectors relocated were drastically reduced, signaling imminent drive failure." [72:00]

• Insights: This case underscores the importance of proactive storage diagnostics and the utility of tools like Spinrite in ensuring data integrity and drive performance.

7. Listener Feedback and Discussions

a. EM Client Adoption:

Listeners shared their positive experiences transitioning to EM Client, highlighting its user-friendly interface and robust feature set, including support for end-to-end encrypted GNU PG email and address books.

• Dan Taylor positively remarks, "It's wonderful! I only got a 32GB drive for the price, and I'm thoroughly impressed." [94:18]

b. One-Time Password (OTP) Security Concerns:

A listener questioned the strength of OTPs, suggesting that with sufficient resources, an attacker could brute force OTPs despite the system's throttling mechanisms.

• Steve Gibson responds, "It's crucial for servers to implement strict throttling to mitigate such brute force attempts." [95:08]

c. Syncthing and UDP Hole Punching:

Joe Havelatt inquired about Syncthing's resilience without Tailscale, attributing its functionality to STUN protocols facilitating direct connections.

• Steve Gibson acknowledges, "Syncthing's ability to establish direct connections without Tailscale is a testament to its efficient use of NAT traversal techniques." [95:35]

d. Email Spam Mitigation:

Jason raised concerns about increasing spam with long-standing email addresses. Steve shared his strategy of annually rotating email addresses, significantly reducing spam influx.

• Steve Gibson advises, "Changing your email address periodically and forwarding old addresses can drastically reduce spam without losing important communications." [71:32]

8. Conclusion and Final Thoughts

The episode concludes with reflections on the evolving landscape of internet security, emphasizing the balance between enhanced privacy measures and maintaining system performance. The hosts reiterate the importance of staying informed and proactive in adopting best security practices.

• Steve Gibson sums up, "Encrypting DNS queries adds a layer of privacy but introduces complexities that demand robust infrastructure to manage effectively." [125:57]

• Leo Laporte adds, "Understanding these changes is crucial for both individual users and organizations to navigate the increasingly complex security environment." [159:32]

The episode serves as a comprehensive exploration of current security challenges and advancements, providing listeners with actionable insights to bolster their cybersecurity defenses.

Notable Quotes:

• Steve Gibson: "These script kiddies think they're getting a RAT builder tool, but instead, they're installing malware on their own systems." [38:12]

• Steve Gibson: "Cloudflare successfully detected and blocked a 5.6 Tbps DDoS attack, keeping the targeted site online without any performance degradation." [52:08]

• Steve Gibson: "Let's Encrypt is offering short-lived certificates to improve the security of the web PKI." [125:57]

• Steve Gibson: "Changing your email address periodically and forwarding old addresses can drastically reduce spam without losing important communications." [71:32]

Conclusion:

Security Now Episode 1010 provides an in-depth analysis of pressing security issues, from DNS vulnerabilities and sophisticated malware campaigns to the implications of enhanced encryption protocols. Through expert commentary and engaging discussions, the hosts equip listeners with the knowledge to navigate the complex and ever-evolving landscape of cybersecurity.