Summary of "Security Now 1012: Hiding School Cyberattacks" by TWiT
Podcast Information:
- Title: All TWiT.tv Shows (Audio)
- Host: Leo Laporte
- Episode: Security Now 1012: Hiding School Cyberattacks
- Release Date: February 12, 2025
Introduction
In Episode 1012 of Security Now, co-hosted by Steve Gibson and Leo Laporte, the pair delves into pressing cybersecurity issues affecting both technology giants and educational institutions. The episode covers a range of topics, including recent malware threats in app stores, governmental demands for encryption backdoors, vulnerabilities in popular networking equipment, and a disturbing trend of concealed cyberattacks in U.S. K-12 schools.
Malware in the Apple App Store: Sparkcat Trojan
Steve Gibson introduces the Sparkcat trojan, a sophisticated malware identified by Kaspersky that infiltrates official app stores.
Steve Gibson [05:00]: "Sparkcat is another example of Kaspersky's continuing value to everyone, even though we don't want to trust them anymore."
Key Points:
- Sparkcat targets cryptocurrency wallets by scanning the photos in a user's gallery for images of wallet recovery (seed) phrases, then exfiltrating what it finds.
- It uses Optical Character Recognition (OCR) to read text out of screenshots and photos, so a seed phrase saved as an image is as exposed as one saved in plain text.
- Infected apps on Google Play alone had been downloaded more than 242,000 times before removal; the campaign also reached Apple's App Store, the first OCR-based stealer found there.
- Affected app categories include messenger apps, food delivery services, and crypto utilities.
- Protection Measures:
- Only download highly-rated apps with millions of downloads.
- Limit app permissions, granting access to photos only when necessary.
- Store sensitive information, like seed phrases, in dedicated password managers instead of photo galleries.
Steve Gibson [28:39]: "Don't just start with not doing that. Get a password manager."
UK's Demand for Encryption Backdoors in Apple Devices
A significant portion of the episode is dedicated to the UK's controversial demand for Apple to implement encryption backdoors.
Steve Gibson [42:55]: "The UK is demanding Apple's help to spy on non-British users without their government's knowledge."
Key Points:
- The UK issued a Technical Capability Notice under the Investigatory Powers Act 2016, demanding that Apple provide access to encrypted iCloud data, reportedly including the end-to-end encrypted Advanced Data Protection backups.
- Apple faces pressure to either create backdoors or cease offering encrypted storage in the UK.
- Steve's Opinion:
- Proposes a solution involving local AI filters on devices to prevent abusive content without compromising overall encryption.
Steve Gibson [62:43]: "Having companies like Apple deploy local AI to lock down the content which their systems would refuse to send or receive, short circuits any government attempt at overreach."
Implications:
- France is making similar demands, pushing for backdoors in encrypted messaging apps.
- Challenges: Balancing national security interests with user privacy and encryption integrity.
Firefox 135 Updates
Steve reviews the latest updates in Firefox 135, highlighting new features aimed at enhancing user experience and security.
Key Updates:
- PDF Editing: Ability to edit PDFs directly within Firefox.
- Enhanced Translation Support: Now includes more languages like Simplified Chinese, Japanese, Korean, and Russian.
- Credit Card Autofill: Rolled out globally for improved convenience.
- AI Chatbot Integration: Accessible via the sidebar with options to choose different AI providers.
- Certificate Transparency Enforcement: Firefox now requires servers to present certificates carrying signed certificate timestamps from Certificate Transparency logs, so a certificate that was never publicly logged is rejected.
- CRLite Implementation: Revocation status for publicly logged certificates is compressed into a cascade of Bloom filters that Mozilla builds and pushes to the browser, so revocation checks happen locally instead of leaking each visited site to an OCSP responder.
- History API Safeguards: Prevents websites from cluttering browser history through excessive entries.
- Copy Clean Link Feature: Removes tracking parameters from copied URLs for privacy protection.
Steve Gibson [69:37]: "Firefox now includes safeguards to prevent sites from abusing the History API by generating excessive history entries."
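The CRLite bullet above describes a Bloom-filter cascade. The following is an added worked example written for this summary, not Mozilla's code: it builds a cascade from a constructed universe of "revoked" and "not revoked" certificate serials, shows why a single Bloom filter is not enough (false positives), and shows how alternating levels remove them. It also makes the dependency on Certificate Transparency concrete: the cascade is only correct for certificates in the universe it was built from, which is why Firefox pairs CRLite with CT enforcement. Serial numbers, set sizes and filter parameters are all constructed assumptions.

```python
"""Added example: a Bloom-filter cascade in the style of CRLite.

Illustrative code written for this summary, not Mozilla's implementation.
CRLite's real filters are built by Mozilla from CT log data and shipped to
Firefox; here both the "revoked" and "not revoked" sets are constructed
locally so the example runs offline.
"""
import hashlib
import random


class BloomFilter:
    """Plain Bloom filter: k SHA-256-derived positions in an m-bit array."""

    def __init__(self, m_bits, k_hashes, salt):
        self.m = m_bits
        self.k = k_hashes
        self.salt = salt  # distinct per cascade level so levels are independent
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(f"{self.salt}:{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class FilterCascade:
    """Level 0 encodes the revoked set; level 1 encodes the non-revoked serials
    level 0 falsely accepts; level 2 encodes the revoked serials level 1 falsely
    accepts; and so on until a level has no false positives against the other
    side. Answers are exact for serials in the universe it was built from and
    meaningless for anything else (a browser must fall back to another check)."""

    MAX_LEVELS = 32

    def __init__(self, revoked, not_revoked, bits_per_item=8, k_hashes=3):
        self.levels = []
        include, exclude = set(revoked), set(not_revoked)
        for level in range(self.MAX_LEVELS):
            bf = BloomFilter(max(bits_per_item * len(include), 64), k_hashes, salt=level)
            for item in include:
                bf.add(item)
            self.levels.append(bf)
            false_positives = {x for x in exclude if x in bf}
            if not false_positives:
                return
            include, exclude = false_positives, include
        raise RuntimeError("cascade did not converge")

    def is_revoked(self, serial):
        for level, bf in enumerate(self.levels):
            if serial not in bf:
                # Dropping out at an odd level means the serial was on the revoked side.
                return level % 2 == 1
        # Survived every level: it belongs to the last level's include set.
        return (len(self.levels) - 1) % 2 == 0

    def size_bytes(self):
        return sum(len(bf.bits) for bf in self.levels)


def build_demo(n_revoked=300, n_valid=3000, seed=1234):
    """Constructed universe of certificate serial numbers (not real data)."""
    rng = random.Random(seed)
    serials = sorted({f"{rng.getrandbits(64):016x}" for _ in range(n_revoked + n_valid)})
    revoked, valid = serials[:n_revoked], serials[n_revoked:]
    return FilterCascade(revoked, valid), revoked, valid


def check_cascade(cascade, revoked, valid):
    """Return (false_negatives, false_positives) over the whole known universe."""
    fn = sum(1 for s in revoked if not cascade.is_revoked(s))
    fp = sum(1 for s in valid if cascade.is_revoked(s))
    return fn, fp


if __name__ == "__main__":
    cascade, revoked, valid = build_demo()
    print("levels:", len(cascade.levels), "bytes:", cascade.size_bytes())
    print("errors (false negatives, false positives):", check_cascade(cascade, revoked, valid))
```

With 8 bits per item, level 0 alone wrongly flags roughly 3% of the valid serials; the cascade needs two or more further levels to bring that to zero, yet the whole structure is still smaller than the raw list of revoked serials. That size advantage is what lets Mozilla ship the complete revocation state several times a day.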
Five Eyes Alliance Releases Edge Device Security Guidance
The Five Eyes intelligence alliance, whose cyber agencies include the NSA, the Australian Signals Directorate and the Canadian Centre for Cyber Security, among others, released new guidance for securing network edge devices.
Highlights:
- Target Devices: Firewalls, routers, and VPN gateways.
- Recommendations:
- Secure-by-design procurement of edge devices.
- Apply hardening measures to minimize vulnerabilities.
- Implement comprehensive mitigation strategies as detailed in the released information sheets.
Steve Gibson [85:10]: "The NSA's guidance provides a checklist to ensure compliance and bolster security at the network edge."
Importance:
- Essential for enterprises to protect against evolving cyber threats and reduce attack surfaces.
Netgear Router Vulnerabilities
A critical update regarding two vulnerabilities in Netgear devices that pose severe security risks.
Affected Models:
- Wi-Fi 6 access points (authentication bypass, CVSS score 9.6):
- WAX206
- WAX214v2
- WAX220
- Nighthawk Pro Gaming routers (unauthenticated remote code execution, CVSS score 9.8):
- XR500
- XR1000
- XR1000v2
Risks:
- Two distinct flaws: an authentication bypass on the WAX access points and an unauthenticated remote code execution bug on the XR routers; either gives an attacker who can reach the management interface control of the device.
- Exploitability is highest when remote (WAN-side) administration is enabled, since the vulnerable interface is then reachable from the internet.
Steve Gibson [87:00]: "There’s a window here you want to make sure that you're not vulnerable within that time period."
Recommendations:
- Immediate Action: Update firmware to the latest versions released last week.
- Preventive Measures: Disable remote administration to minimize exposure.
Sysinternals Tools Vulnerabilities
A concerning discovery about vulnerabilities in Microsoft's Sysinternals suite, widely used for system administration.
Details:
- Vulnerability: DLL hijacking. The tools resolve some of their DLL imports from the directory they are launched from, so a malicious DLL planted alongside the executable (for example on a network share or in a download folder from which the tools are run) is loaded and executed with the user's privileges.
- Impact: Affects numerous Sysinternals utilities, which are typically run by administrators, so the injected code inherits administrative rights.
- Current Status: Microsoft has not issued fixes despite public disclosure.
Steve Gibson [91:15]: "This creates an enduring opportunity for exploitation."
Implications:
- Users of Sysinternals tools remain at risk until they mitigate it themselves, chiefly by running the tools from a local directory that only administrators can write to, never directly from shares or download folders.
- Highlights the long tail of DLL search-order problems in long-lived Windows tooling.
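To make the DLL hijacking mechanism above concrete, here is an added example written for this summary (not Microsoft's or Sysinternals' code). It models the documented default Windows DLL search order and checks which imports of a tool would resolve inside a directory an attacker can write to. The share path, tool name, import list and `example_ui.dll` are constructed stand-ins; the model deliberately omits manifests, side-by-side redirection, LoadLibrary flags and SetDllDirectory, so it is a first-pass check rather than an authoritative resolver.

```python
"""Added example: model of the Windows DLL search order used to spot imports
that would load from an attacker-controlled directory. Written for this
summary; not Microsoft's or Sysinternals' code.

Documented default order (SafeDllSearchMode on):
  application dir, System32, 16-bit system dir, Windows dir, CWD, PATH.
With SafeDllSearchMode off, the CWD moves up to second place.
KnownDLLs (kernel32.dll and friends) always come from the system copy.
"""


def search_order(app_dir, cwd, system32, system16, windows, path_dirs, safe_search=True):
    """Directories in the order the loader consults them."""
    if safe_search:
        return [app_dir, system32, system16, windows, cwd, *path_dirs]
    return [app_dir, cwd, system32, system16, windows, *path_dirs]


def resolve_dll(name, files, known_dlls, system32, order):
    """Return the directory `name` would be loaded from, or None if unresolved.
    `files` maps a directory to the lowercase filenames it contains."""
    name = name.lower()
    if name in known_dlls:
        return system32
    for directory in order:
        if name in files.get(directory, set()):
            return directory
    return None


def hijack_candidates(imports, files, known_dlls, system32, order, attacker_dirs):
    """Imports that would resolve inside a directory the attacker can write to."""
    found = {}
    for dll in imports:
        source = resolve_dll(dll, files, known_dlls, system32, order)
        if source in attacker_dirs:
            found[dll.lower()] = source
    return found


# --- Constructed scenario (assumed values, not real systems or findings) ---
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDOWS = r"C:\Windows"
SHARE = r"\\fileserver\tools"   # constructed: network share others can write to
LOCAL_TOOLS = r"C:\Tools"        # constructed: local, admin-only install directory
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

# example_ui.dll stands in for any non-KnownDLL import; the attacker has
# planted a copy of it next to the tool on the share.
FILES = {
    SYSTEM32: {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "example_ui.dll"},
    SHARE: {"tool.exe", "example_ui.dll"},
    LOCAL_TOOLS: {"tool.exe"},
}
IMPORTS = ["kernel32.dll", "advapi32.dll", "example_ui.dll"]


def scenario(app_dir, cwd, safe_search=True):
    """Which imports of tool.exe would load from the attacker's share?"""
    order = search_order(app_dir, cwd, SYSTEM32, SYSTEM16, WINDOWS, [], safe_search)
    return hijack_candidates(IMPORTS, FILES, KNOWN_DLLS, SYSTEM32, order, {SHARE})


if __name__ == "__main__":
    print("run from share:          ", scenario(SHARE, SHARE))
    print("local install, cwd=share:", scenario(LOCAL_TOOLS, SHARE))
    print("same, SafeDllSearch off: ", scenario(LOCAL_TOOLS, SHARE, safe_search=False))
```

The three cases show the practical lesson: launching the executable from a writable share hands the attacker first place in the search order no matter what the OS settings are, because the application directory is always searched first; a local admin-only install is safe with SafeDllSearchMode on even when the current directory is hostile; and disabling SafeDllSearchMode reopens the hole through the current directory.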
Google Lifts Ban on Using AI for Weapons and Surveillance
Google has updated its AI principles, dropping the earlier pledges not to pursue AI applications for weapons or for surveillance that violates internationally accepted norms.
Steve Gibson [93:57]: "Google lifts a ban on using its AI for weapons and surveillance."
Policy Changes:
- Removed Commitments:
- No development of technologies likely to cause harm or facilitate injury.
- Bans on surveillance systems that violate privacy norms.
- New Focus: Emphasizes human oversight and alignment with user goals without explicit prohibitions.
Google Executive Quote [94:00]: "We believe democracy should lead in AI development guided by core values like freedom, equality, and respect for human rights."
Analysis:
- Reflects the rapid evolution of AI technologies and the need for adaptable policies.
- Raises concerns over potential misuse in surveillance and weaponization.
OpenAI's o3 Model Jailbroken to Generate Malicious Code
An alarming demonstration of OpenAI's o3 reasoning model being manipulated into producing malicious code, highlighting the limits of current AI safety mechanisms.
Steve Gibson [106:46]: "These guys tricked ChatGPT's latest and most powerful code generating O3 model to write the code to do just that."
Incident:
- Tool Used: FuzzyAI by CyberArk, an open-source framework for automated jailbreak testing (fuzzing) of Large Language Models.
- Outcome: The model produced detailed code and instructions for injecting into LSASS.EXE, the Local Security Authority Subsystem Service, the Windows process that handles authentication and holds credential material; injecting into it is a standard credential-theft technique.
Leo Laporte [108:00]: "How do you expect AI to make that determination?"
Implications:
- Demonstrates the persistent challenges in establishing robust guardrails for AI models.
- Emphasizes the need for continuous improvement in AI security to prevent misuse.
DNS Benchmark by GRC
Steve showcases GRC's latest DNS Benchmark, a tool for evaluating the performance of DNS servers across multiple protocols simultaneously.
Features:
- Multi-Protocol Testing: Simultaneously benchmarks DNS over HTTPS (DoH), DNS over TLS (DoT), and traditional unencrypted DNS over both IPv4 and IPv6.
- Performance Comparison: Displays real-time performance metrics for various DNS servers.
- User-Specific Results: Reflects local network conditions, emphasizing the need for individualized testing.
Steve Gibson [115:08]: "From Firefox 135 on, we will have Mozilla several times a day updating a master Bloom filter which our browsers will download and then we will be doing browser-side revocation checking with very short delay and no privacy concerns."
Significance:
- Helps users identify the fastest and most reliable DNS servers as seen from their own network and location.
- Promotes better internet performance and enhanced privacy through informed DNS choices.
Hidden Cyberattacks in U.S. K-12 Schools
The episode takes a deep dive into an investigation by the education news outlet The 74 (The74Million.org) revealing a systemic issue of concealed cyberattacks within U.S. K-12 schools.
Key Findings:
- Lack of Transparency: Over 300 cyberattacks in the past five years largely went unreported to students, parents, and staff.
- Role of Breach Coaches: Lawyers and consultants, termed "breach coaches," manage incident responses under attorney-client privilege, preventing public disclosure.
- Consequences:
- Exposure of sensitive student information, including medical records and disciplinary reports, without victims' knowledge.
- Increased risks of identity theft, fraud, and online exploitation for affected individuals.
- Economic Impact: Cyber insurance firms facilitate ransom payments, inadvertently funneling taxpayer money to cybercriminals.
Steve Gibson [151:27]: "Taxpayer money is being funneled into the wallets of cybercriminals from insurance companies by way of our nation's public school systems."
Recommendations:
- Comprehensive Legislation: Implement federal data breach laws requiring timely and transparent notifications to affected individuals.
- Accountability Mechanisms: Hold schools and associated legal firms accountable for concealed breaches.
- Enhanced Security Measures: Strengthen cybersecurity protocols within educational institutions to prevent future attacks.
Conclusion
Episode 1012 of Security Now sheds light on the intricate and often concealed landscape of cybersecurity threats. From sophisticated malware infiltrating app stores to the troubling secrecy surrounding cyberattacks in educational institutions, the episode underscores the urgent need for robust security practices, transparent reporting, and adaptive policies to safeguard sensitive information in an increasingly digital world.
Leo Laporte [155:28]: "You need expansive data breach legislation that says anytime there's a data breach, you have two weeks to reveal it to the people who were the subject of the breach."
For more detailed discussions and insights, listeners are encouraged to tune into the full episode of Security Now.