Security Now 1014: FREEDOM Administration Login
Release Date: February 26, 2025
Hosts: Leo Laporte & Steve Gibson
1. Apple’s Standoff with the UK Over Advanced Data Protection (ADP)
Timestamp: [05:51] - [26:18]
In this episode, Steve Gibson delves deep into Apple's recent decision to disable Advanced Data Protection (ADP) for new users in the United Kingdom, a move that has sparked significant debate within the tech and cybersecurity communities.
Apple’s Decision:
Apple has ceased offering ADP to new UK users, with plans to extend this restriction to all existing users at an unspecified future date. ADP is a feature that ensures end-to-end encryption, making it impossible for Apple or governments to access users’ iCloud data.
Steve’s Perspective:
Steve views this as a strategic maneuver by Apple, suggesting that the company is testing the UK's resolve before potentially rolling out similar restrictions globally. He posits, "Apple holds all the cards here. They can be forced to turn it off, but then they're just going to disadvantage UK citizens." (Timestamp: [05:51])
Industry Reactions:
- Matthew Green, a cryptography professor at Johns Hopkins, advised non-UK users to enable ADP so that wider adoption makes the feature harder to disable.
- Alan Woodward, a cybersecurity expert, criticized the UK government’s actions as self-harm, stating, "The UK government has achieved weakening online security and privacy for UK-based users."
- Caro Robson, an online privacy expert, acknowledged Apple’s unprecedented move but expressed concern over its implications for other companies potentially withdrawing encryption support worldwide.
Leo’s Concerns:
Leo Laporte echoed fears that this could set a dangerous precedent, enabling other governments to mandate similar backdoors, thereby undermining global encryption standards. He remarked, "Apple capitulated and UK government got most of what they wanted, which is there's no end-to-end encryption available from Apple in the UK." (Timestamp: [26:18])
Potential Global Impact:
Steve highlights the risk of a domino effect where governments worldwide might follow the UK’s lead, leading to a widespread erosion of encryption and privacy protections.
2. The Illegality of Paying Ransoms to Cybercriminals
Timestamp: [03:13] - [07:00]
The discussion shifts to the increasingly contentious topic of ransomware payments. Recent legal clarifications indicate that paying ransoms to cybercriminals may often be illegal, potentially exposing organizations to sanctions and legal repercussions.
Legal Implications:
Paying ransoms can violate international sanctions, especially when the payment directly or indirectly benefits a sanctioned entity or nation. Organizations should therefore reconsider their crisis response plans and prioritize robust cybersecurity measures over capitulating to attackers.
Steve’s Insight:
"Paying a ransom is often illegal, which adds another layer of complexity to an already challenging situation."
3. La Liga Blocks Cloudflare: Collateral Damage for Piracy Prevention
Timestamp: [32:00] - [68:35]
The Spanish soccer league, La Liga, recently won a lawsuit compelling Internet Service Providers (ISPs) to block certain Cloudflare IP addresses to curb piracy. However, this broad IP blocking has unintentionally disrupted access to legitimate websites like GitHub and Reddit across Spain.
La Liga’s Actions:
La Liga targeted Cloudflare to prevent access to pirate streaming sites for their matches. However, due to Cloudflare’s shared IP infrastructure, this resulted in widespread access issues for numerous legitimate services.
Cloudflare’s Response:
Cloudflare emphasized the harm done by IP-based blocking, arguing that it violates net neutrality and has unintended consequences, and urged more targeted, rational measures against piracy that do not affect innocent users.
Implications:
Steve and Leo discuss how this action not only hampers internet freedom but also sets a concerning precedent for other entities to adopt similar broad-blocking tactics, potentially leading to a fragmented and unreliable internet landscape.
4. Critical Vulnerabilities Discovered in OpenSSH
Timestamp: [73:18] - [104:57]
OpenSSH, widely regarded as a model of secure software, has been found to contain two significant vulnerabilities, shaking confidence in this essential open-source project.
Vulnerabilities Identified:
- CVE-2025-26465: Enables man-in-the-middle attacks regardless of the VerifyHostKeyDNS setting.
- CVE-2025-26466: Allows pre-authentication denial-of-service attacks, potentially crippling SSH servers.
Steve’s Analysis:
Despite OpenSSH's robust reputation, these flaws underscore the continuous need for vigilance and regular updates. Steve advises all users to upgrade to OpenSSH version 9.9p2 promptly to mitigate these vulnerabilities.
Community Response:
The discovery has sparked discussions on the importance of responsible disclosure and the challenges inherent in maintaining security within widely used open-source projects.
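The practical follow-up to this item is checking which hosts still run a release older than the 9.9p2 the episode recommends. The following is an added example, not code from the show or from the OpenSSH project: it parses OpenSSH version strings as they appear in `ssh -V` output or server banners and classifies each host. The host names and banners are constructed samples.

```python
"""Version audit for OpenSSH hosts.

Added example (not code from the episode or from the OpenSSH project): given
`ssh -V` output or server banners, decide whether each host is at or above
the fixed release the episode names, 9.9p2. Sample banners are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Release the episode says resolves CVE-2025-26465 and CVE-2025-26466.
FIXED_VERSION = "9.9p2"

# Matches "OpenSSH_9.9p2"; the "pN" portable-release suffix is optional.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) found in `text`, or None if absent.

    Works on both client output ("OpenSSH_9.9p1, OpenSSL ...") and server
    banners ("SSH-2.0-OpenSSH_9.9p1 Debian-..."). A missing suffix is
    treated as p0 so that a bare "9.9" sorts below "9.9p1".
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_fixed(text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the version in `text` is >= `fixed`, False if older,
    None if no OpenSSH version string is present (e.g. another SSH server)."""
    found = parse_openssh_version(text)
    if found is None:
        return None
    target = parse_openssh_version("OpenSSH_" + fixed)
    if target is None:
        raise ValueError(f"fixed version must look like 9.9p2, got {fixed!r}")
    return found >= target  # tuples compare lexicographically


def audit(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify each host's banner as 'fixed', 'needs-upgrade' or 'unknown'."""
    labels = {True: "fixed", False: "needs-upgrade", None: "unknown"}
    return {host: labels[is_fixed(banner)] for host, banner in banners.items()}


# Constructed sample banners; host names are placeholders.
SAMPLE_BANNERS = {
    "bastion": "SSH-2.0-OpenSSH_9.9p1",
    "build": "OpenSSH_9.9p2, OpenSSL 3.0.13 30 Jan 2024",
    "legacy": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "edge": "SSH-2.0-OpenSSH_10.0",
    "router": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_BANNERS).items():
        print(f"{host:8s} {status:14s} {SAMPLE_BANNERS[host]}")
```

One caveat when reading the result: distribution packages often backport a fix without changing the upstream version in the banner, so "needs-upgrade" here means "check the distribution's advisory for this package build", not proof of exposure; likewise "fixed" says nothing about other flaws.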
5. US’s Struggle Against Chinese Cyberattackers in Telecommunications
Timestamp: [68:32] - [104:57]
Steve and Leo examine the US’s ongoing difficulties in eradicating Chinese-backed attackers, specifically the Salt Typhoon group, from its telecommunications infrastructure.
Salt Typhoon’s Tactics:
The group exploits outdated Cisco IOS XE vulnerabilities and misconfigured web interfaces to gain persistent access to telecom networks, enabling data exfiltration and system compromise.
Government Response:
Former NSA head, General Paul Nakasone, expressed grave concerns about the US falling behind in cybersecurity, emphasizing the need for offensive and defensive strategies to counteract persistent threats like Salt Typhoon.
Strategic Challenges:
Steve highlights the systemic issues, including the sluggish update cycles of critical infrastructure and the complexities of international cyber warfare, which impede effective countermeasures against sophisticated adversaries.
6. Largest Crypto Heist in History by North Korean Hackers
Timestamp: [110:26] - [154:44]
A staggering $1.5 billion worth of Ethereum tokens was stolen from Bybit, the world’s second-largest cryptocurrency exchange, making it the largest and most complex crypto heist to date.
Heist Mechanics:
The North Korean-backed Lazarus Group infiltrated Bybit’s systems by compromising multiple employees and manipulating the multi-signature (multisig) transaction process, altering the user interface so that fraudulent transactions were approved without raising suspicion.
Aftermath:
Bybit has initiated a bounty program, offering up to $150 million for the recovery of the stolen funds. Meanwhile, the Lazarus Group is rapidly laundering the funds across various cryptocurrency exchanges to obscure their origin and movement.
Lessons Learned:
Steve emphasizes the critical need for enhanced security measures, such as air-gapped systems and more stringent authentication protocols, to protect substantial cryptocurrency reserves from such high-stakes breaches.
7. Former NSA Chief Warns US Is Lagging in Cybersecurity
Timestamp: [155:07] - [123:01]
General Paul Nakasone, the former head of the NSA and Cyber Command, publicly stated that the United States is trailing behind its adversaries in cyberspace, particularly highlighting the persistent vulnerabilities exploited by groups like Salt Typhoon.
Key Points from Nakasone:
- The US faces ongoing cyber breaches affecting critical infrastructure.
- There is an urgent need for adopting AI-powered offensive cyber capabilities.
- Persistent engagement strategies with cyber adversaries are essential to deter future attacks.
Steve’s Commentary:
The hosts express concern over the implications of Nakasone’s remarks, pondering the feasibility and ethical considerations of aggressive cyber retaliation strategies suggested by policymakers.
8. Picture of the Week: Freedom Administration Login - A Security Nightmare
Timestamp: [110:26] - [159:56]
The episode concludes with an alarming case study of a widely exposed access control system named "Freedom Administration Login," which has left numerous apartment buildings vulnerable due to default credentials and improper configuration.
Vulnerability Details:
- Default Credentials: The system ships with a hard-coded username ("Freedom") and password ("viscount"), and setup never prompts the installer to change them.
- Exposure: Over 700 systems are accessible via the internet, with a 43% success rate in unauthorized access using default credentials.
- Implications: Unauthorized individuals can unlock doors remotely, access residents’ personal information, and manipulate building access controls.
Responsible Disclosure:
Security researcher Eric Daigle documented his discovery and responsible disclosure timeline, revealing the negligence of the manufacturer, Hirsch Enterphone, in addressing these critical security flaws.
Steve’s Analysis:
Steve underscores the systemic failures in design and implementation, advocating for:
- Eliminating default credentials.
- Restricting access control systems to internal networks only.
- Enforcing unique, strong passwords during initial setup.
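The three recommendations above translate directly into a first-run policy for any device that exposes an admin interface. The following is an added example written for this summary, not code from the episode or from any access-control vendor: the device refuses to serve until its shipped credential is replaced with a password that passes a denylist and composition check, and it only binds to loopback or private addresses. The shipped default pair, the denylist and the addresses are constructed placeholders.

```python
"""First-run hardening policy for a device admin interface.

Added example of the three mitigations listed above; it is not code from
the episode or from any access-control vendor. The shipped default
credentials, denylist and addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed placeholders standing in for whatever a device ships with.
SHIPPED_DEFAULT_USER = "admin"
SHIPPED_DEFAULT_PASSWORD = "changeme"
MIN_PASSWORD_LENGTH = 12

# Small constructed denylist; a real deployment would use a much larger one.
WEAK_PASSWORDS = {"password", "admin", "changeme", "123456", "12345678", "qwerty"}


@dataclass
class DeviceState:
    """Credential state of one device; setup_complete gates every service."""
    username: str = SHIPPED_DEFAULT_USER
    password: str = SHIPPED_DEFAULT_PASSWORD
    setup_complete: bool = False


def password_problems(candidate: str, username: str) -> List[str]:
    """Return the reasons `candidate` is rejected; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if candidate.lower() in WEAK_PASSWORDS:
        problems.append("on the weak/default password denylist")
    if candidate == SHIPPED_DEFAULT_PASSWORD:
        problems.append("equals the shipped default")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    return problems


def complete_setup(state: DeviceState, new_password: str) -> DeviceState:
    """Replace the shipped credential; the device stays unusable until this succeeds."""
    problems = password_problems(new_password, state.username)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    state.password = new_password
    state.setup_complete = True
    return state


def may_serve(state: DeviceState, bind_address: str) -> bool:
    """Allow the admin interface to listen only after setup and only on a
    loopback or private (RFC 1918 / ULA) address, never on a public one."""
    if not state.setup_complete:
        return False
    addr = ipaddress.ip_address(bind_address)
    # The wildcard address (0.0.0.0 or ::) would expose the interface on every
    # network the device is attached to. It is checked before is_private
    # because Python classifies 0.0.0.0 as private.
    if addr.is_unspecified:
        return False
    return addr.is_loopback or addr.is_private


if __name__ == "__main__":
    device = DeviceState()
    print("serves before setup:", may_serve(device, "192.168.1.10"))
    print("default rejected because:", password_problems("changeme", device.username))
    complete_setup(device, "Tr0ub4dor&3-long-enough")
    for bind in ("192.168.1.10", "127.0.0.1", "0.0.0.0", "8.8.8.8"):
        print(f"{bind:14s} may serve: {may_serve(device, bind)}")
```

The point of gating `may_serve` on `setup_complete` rather than merely warning is that a device which works out of the box with its default credential will, in practice, stay that way; making the forced change a precondition of operation is what turns the recommendation into a guarantee.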
Leo’s Reflections:
Leo emphasizes the ease with which such vulnerabilities can be exploited using simple Google searches, highlighting the urgent need for manufacturers to prioritize security over convenience.
Conclusion
Security Now Episode 1014 provides a comprehensive overview of pressing cybersecurity issues, from corporate and governmental challenges to glaring vulnerabilities in everyday systems. Steve Gibson and Leo Laporte offer insightful analyses, blending technical expertise with practical advice, underscoring the pervasive and evolving nature of security threats in the digital age.
Notable Quotes:
- Steve Gibson on Apple’s Maneuver: "Apple holds all the cards here. They can be forced to turn it off, but then they're just going to disadvantage UK citizens." ([05:51])
- General Paul Nakasone on US Cybersecurity: "Our adversaries are continuing to be able to broaden the spectrum of what they're able to do to us." ([110:34])
- Steve Gibson on Ransom Payments: "Paying a ransom is often illegal, which adds another layer of complexity to an already challenging situation." ([07:00])
For Further Information:
- Subscribe to Security Now: Stay updated with the latest in cybersecurity by subscribing to the Security Now podcast on your preferred platform.
- Stay Secure: Regularly update your software, use strong, unique passwords, and remain vigilant against potential security threats.
Disclaimer: This summary is based on the transcript provided and aims to encapsulate the key discussions and insights shared during the podcast episode. For detailed information and context, listening to the full episode is recommended.