North Korean Texans, Apple Pushes Back
Leo Laporte
It's time for Security Now. Steve Gibson is here. He has a remarkably good solution to the age verification conundrum. A fantastic story about a fake employee coming from North Korea. And then we'll talk about the Bluetooth backdoor. It got a lot of press, but is it really a problem? All of that coming up and a lot more on Security Now. Next.
Steve Gibson
Podcasts you love from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson. Episode 1016, recorded Tuesday, March 11, 2025. The Bluetooth backdoor. It's time for Security Now. I know you've been waiting all week. Here we are Tuesday and the latest security news is here with Mr. Steve Gibson, the king of the hill when it comes to this stuff. Hi, Steve.
Steve Gibson
Hey, Leo. It's great to be with you again. March 11th and episode 1016. And I was a little jealous of hearing you talk about the 20th anniversary upcoming for TWiT.
Leo Laporte
April 13th will be our 20th year of TWiT.
Steve Gibson
Yep. And so you did that for a few months before you said, hey, Gibson.
Leo Laporte
Your 20th's coming up.
Steve Gibson
I think we're ready to add a second podcast to our network, actually. I guess that would create a network, right? Would it really be a network?
Leo Laporte
Until then it was just a podcast. Yeah, that's right. So your 20th should be in the fall, I guess.
Steve Gibson
Yeah, yeah, soon it is.
Leo Laporte
Yeah. Well, we'll do, we could do something special for that.
Steve Gibson
Think about what, you want to ignore it? No, we're going to let my birthday go by and we're going to let the 20th.
Leo Laporte
But I did decide, you know, on the thousandth episode, we had all of the original hosts from episode one back.
Steve Gibson
Right.
Leo Laporte
And I said, well, I can't do that again. But I thought, really, what's the most important part of all of the things we do? It's our community. It's the people who listen, the people who email and chat with us, all the people who are part of the family. So I said, let's celebrate them on April 13th. And I'm asking people to send us videos of when they first started watching, how they watch, you know, just memories, that kind of thing. So that'll be a lot of fun. That show will be jam-packed. We'll have the regular show as well, but every few minutes we'll drop in a video from a listener or viewer. So if you want to be part of that, just post it on your favorite social with @TWiT in the posting, so we'll see it. Or you can email leo@leo.fm and send it to me that way. And that'll work, too. I don't have your fancy mail system. I should just say, mail everybody. Mail it to Steve. No, Steve has a very clever system, which I should steal, of validating emails before you can email him on a regular basis, at grc.com.
Steve Gibson
You like dipping in on all those social media places. I do, I do, I do. Dip 27 of them right now.
Leo Laporte
It's unbelievable how many. Yeah, they're growing like Topsy.
Steve Gibson
I think that makes more sense for you. For me, it's like, oh, my God, I just did it. I forgot to post on Twitter again. Shoot.
Leo Laporte
Don't post on Twitter. Skeet. You got to skeet, man. Be a skeeter. That's blue sky.
Steve Gibson
Like I said, old school for me. Yes.
Leo Laporte
All right, well, you could post on Twitter when I do the first ad, which is coming up. But first, I'd like to know what we're going to be talking about today.
Steve Gibson
We're going to talk about. Well, okay, I just gave this the title of the week, which was the most emailed thing that I saw, which is all of this huffing and puffing about a big bad Bluetooth backdoor that had been discovered and was revealed by a pair of Spaniards, Spanish security researchers, last week at the big annual global Spanish security conference. It's an interesting story and we're going to cover it, but we've got to talk about Utah passing the first age verification requirement for app stores. And I'm going to spend a little time talking about age verification again. We have before, but, boy, is it a hot topic among our listeners. I get so much feedback from people who are mostly upset at the idea that they need to verify their age on the Internet. My take is this is as significant as cryptography, as privacy, inasmuch as it's one of those things that is a problem created by the fact that cyberspace is different than physical space. So we're gonna spend a little time on that. Also, we've got a really interesting piece, the inside story on fake North Korean employees, written with the details provided by an individual who keeps having these North Koreans trying to get hired by his firm.
Leo Laporte
Oh, wow.
Steve Gibson
And he says they really don't sound like they're from Texas. Anyway, we've got an update on the ongoing Bybit crypto heist saga. Several more pieces. I mean, for something that is this big, right? There are a lot of tendrils sort of oozing from it. Like, where did the crypto go? What has happened? The industry looks like it's going to actually respond in some interesting ways, in a larger, bigger way. Also, how did this happen? We know more now about the Safe Wallet guys and exactly what the exploit was that caught them, that then caused them to get infiltrated and allowed them to pass the attack forward. Also, Apple is pushing back against the order that never was in the UK, so we have a little bit of news about that. Also, did somebody crack passkeys? Something happened. Yeah, and we'll look at that. Also, the UK has launched a legal salvo at an innocent security researcher just because they can. In addition, we have the old data breach which we all witnessed, which just keeps on giving, and many people will be glad they're no longer using that particular password manager. We also have some additional Bybit forensic news, a lesson to learn from a clever and effective ransomware attack. And then finally, what about that Bluetooth backdoor discovery that everyone's talking about? So I think a lot of interesting stuff for this week's podcast, and a picture of the week that is difficult to believe, but it's not one of those that was blindly posted to the Internet where people have sent it to me. This was from a listener in the state of Minnesota who said he took this screenshot himself. He said, I took this screenshot and thought of you. Oh, I can't wait.
Leo Laporte
I haven't looked at it yet. We'll do as we always do. I will scroll up, absorb it and then you'll all have a chance to see our picture of the week. All that coming up on Security Now. It's going to be a great show. I know which password manager you're talking about and in some ways I feel like we should apologize because for so many years we told everybody to use it when you used it. I used it. We loved it. You had interviewed the guy who created it. But as often happens, private equity got involved. Yep. And the bottom line became more important than actual security.
Steve Gibson
I vetted that technology, and Joe had done everything right. The design was immaculate.
Leo Laporte
So sad, but so sad. Well, our sponsor for this segment is another company that is doing everything right. 1Password. Very happy to have 1Password on the show. They, you know, I know you know them as a password manager, but they also have another product that extends what the password manager does to a lot more of what's going on in your business. It's called 1Password Extended Access Management. Now the question that I always ask is, do your end users always work on company-provided devices, right, that you've got locked down and that only use the apps that your IT department has vetted, has verified, has kept up to date? Of course they don't. We live in a BYOD, bring your own device, universe. People bring in their phones, their laptops, and by the way, they're running all sorts of weird software, much of it not patched. Old browsers, old operating systems. So how do you keep your company data safe when it's sitting on all those unmanaged apps and devices? This is the answer 1Password has come up with. And it's great. It's called Extended Access Management. 1Password Extended Access Management. It helps you secure every sign-in for every app on every device. I mean, 1Password is the king on that, right? Because it solves the problems traditional IAM and MDM can't touch. But let me say that again, not just every sign-in, but every app, every device. Imagine your company security like the quad of a college campus. Let's kind of put this in a metaphorical way. You have this, you know, you can see it when you close your eyes. Unless you're driving, and then you can probably imagine it even if you don't close your eyes. You know, the ivy-covered brick buildings, and then of course the beautiful quad with a perfect lawn and little brick paths winding their way through the quad. It all looks so nice and pretty.
That's the company-owned devices, that's the IT-approved apps, that's the managed employee identities on your network. But no college quad stays that way for very long, because the students are going to wear paths, shortcuts through the grass, the shortest distances from, you know, Econ 101 to the English department, and those muddy paths, those are the unmanaged devices, the shadow IT apps, the non-employee identities like contractors on your network. The problem is that most security tools just assume, oh yes, it's all those perfect brick paths, that's all we have to worry about. And all the security problems, they happen, or they often do anyway, on the little, you know, muddy shortcuts that are inevitably going to be everywhere in your network. So 1Password Extended Access Management is the first security solution that takes those unmanaged devices, those shadow IT apps, the identities on your network, and puts them under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible. 1Password is ISO 27001 certified with regular third-party audits, so it exceeds the standards set by various authorities. It's a leader in security, and what Extended Access Management does is security for the way we really work today, not some imaginary universe, for the real world. It's now generally available to companies with Okta and Microsoft Entra, and it's in beta for Google Workspace customers. I think you should find out more about this. Secure every app, every device, every identity, even and especially the unmanaged ones, at 1Password.com/securitynow. That's all lowercase: 1Password.com/securitynow. Security for the way we really work today. 1Password Extended Access Management. 1Password.com/securitynow. We thank them so much for supporting the vital work Steve is doing here, especially. And this is the most vital of all, the picture of the week.
I like it that you start with the comedy. You always end with the big one.
Steve Gibson
Sometimes the somber. Yes, we end on a somber note like, well, good luck.
Leo Laporte
What could possibly go wrong? Actually, sometimes these pictures have what's good. So tell me about this picture.
Steve Gibson
Okay. This was actually what a listener of ours found when he went to the Minnesota. The state of Minnesota.
Leo Laporte
Oh, my God. Okay.
Steve Gibson
Like he found it today.
Leo Laporte
Like, this is appalling.
Steve Gibson
It's unbelievable. The caption I gave it was, what year is this? And I said, it seems we still have a ways to go. So this is the login page for the state of Minnesota Unemployment Insurance agency there. And he's tried to put in what looks like a reasonable-length password, if you count. We know that the dots it shows when you're blanking a password don't always correspond to the length of the password. That's for additional security. Right. But we're seeing 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, maybe about 16 to 20 dots. It shows an X on the right side of that attempt. And then the page is updated saying validation errors. And we have then an enumeration of what's wrong with this password. Password must not be more than six characters. And as if that wasn't bad enough, password must not contain any special characters.
Leo Laporte
What, so it's six alphabetic characters.
Steve Gibson
Yeah. Alphanumeric, presumably.
Leo Laporte
Oh, maybe alphanumeric.
Steve Gibson
So you have an Alphabet of what.
Leo Laporte
26 letters and then 10 more.
Steve Gibson
62. Or no.
Leo Laporte
Oh, yeah. Lower and uppercase 66. Although I bet they don't care about case if they're doing, oh, my God.
Steve Gibson
And then it's a little confusing because the standard guidance here, underneath the validation error screen, is password must be at least six characters, but it cannot be more than six. Password must not be more than six characters.
Leo Laporte
Exactly six characters.
Steve Gibson
Must be exactly six characters. I mean, Leo, if this didn't come from a listener who said, steve, I had to share this with you and took a screenshot for me, I wouldn't believe it. And that's today, 2025.
Leo Laporte
Well, it also tells you that they aren't hashing the passwords. Right. Because the length wouldn't matter if they were hashing them.
Steve Gibson
One would hope. I mean, again, if they're telling you, first of all, if it must be at least six characters and must not be more than six characters. It actually says that on two successive lines. Yeah, you could simplify that by saying, obviously, password must be exactly six characters, but that would seem a little too extreme. So they're going to make it a little more mysterious, apparently, by saying, must be at least six characters. Must not be more than six characters. Do the math.
Leo Laporte
Have you. Did you ever play the Password, that guy's password game? Do you know what I'm talking about?
Steve Gibson
You mean mastermind?
Leo Laporte
No, no, no, no. There's a fun little game making fun of.
Steve Gibson
Oh, right, right, right.
Leo Laporte
I do this whole rules thing where it tells you the rules and you have to adjust the password as you go. So say monkey, 1, 2, 3. And then it tells you, nope, you've got to have an uppercase character. Okay, so let's put an uppercase character. And now it says it has to include a special character. So let me add a special character. The digits must add up to 25. Three, six. That means I need to put nine and then another nine and a one. Oh, there we go. Your password must include a month of the year. Oh, well, let's fix that. Here we make May. It must include one of our sponsors. Okay. And it goes from there. There are actually 36 rules. It gets harder and harder. It's hysterical. This is at neal.fun. It's a great kind of take on what we just saw here, which is absurd. Password.
Steve Gibson
Yeah. So, you know, we've wondered how it is, Leo, that states keep getting themselves infected with malware and being hit with ransomware, but when you see a page like this which says, you know your six character passwords and we don't know about special characters, it's like, there is really, like, what. What explains this. And this is the unemployment insurance site. Which, you know, it'd be nice to have some security there anyway. Wow. Okay. Listeners of this podcast know how I feel about age verification. In the same way that we need to make peace with the thorny issues surrounding the abuse of the absolute privacy offered by modern encryption, I believe we must also squarely address the problem of verifying someone's biological age in cyberspace, even if that means deciding not to. That is. I'm not saying we have to know. I'm saying this is an issue that we just need to stop punting because we have so far. Unfortunately, having given this issue a great deal of thought, this feels to me like another of those thorny and intractable problems. But, okay, let's explore this a bit. And I want to do that because, boy, is this of interest to our listeners. So I'm old enough, and I think you are too, Leo, to be able to collect Social Security.
Leo Laporte
I am, yes.
Steve Gibson
So I have the legal right, as do you, to sit at my desktop PC and do anything and go anywhere someone my age can legally do, which is pretty much anywhere and anything.
Leo Laporte
Yeah.
Steve Gibson
But I also want my privacy preserved while I'm wandering around now. I understand, Leo, you've pretty much given up that battle.
Leo Laporte
Yeah, I don't care anymore.
Steve Gibson
A lot of our listeners, you know, our listeners are like, no, no, no.
Leo Laporte
I don't even recommend it. Everybody should care about privacy. I just, I don't get to, because I spend so many time hours on the day of on the air, and I have no filter and everybody knows everything about me, so.
Steve Gibson
And Leo, your email address. Come on.
Leo Laporte
And I just gave out my email address. So that just tells you right there. I gave up a long time ago, but I don't recommend it. That's just, you know.
Steve Gibson
Okay. Okay, good. In the interest of preserving as much privacy as possible and only disclosing the bare minimum necessary and when necessary, I would argue there is never any need to share an exact date of birth. After all, none of the proposed legislation anywhere says we need to know your birthday. They just want to know, you know, how many years you've been around. Round down, you know, to an integer number, the number of years completed. That should be sufficient. So. Okay. But I also don't like the idea of having my age sprayed indiscriminately everywhere I go. So, you know, it should be on an as-needed basis. I'm just sort of talking about a theoretical framework here. Like, if we were going to try to solve this problem, what would that solution look like? You know, if I go to a website that has a reasonable need to verify my age, and if I agree with its need and elect to provide that, then I should have the option of in some way releasing my integer age to that site one time and that one time only. Now another consideration is that age restrictions vary by region, right? So in the United States, we do not yet have any uniformity across our individual and independent state legislations. They all just kind of make crap up as they go. And internationally restrictions often vary by country, so it would likely be necessary to be able to assert our country and state of residence as part of this voluntary age and jurisdiction disclosure. Right? Because it matters where we are. This state says you have to be this old. That state says oh no, you can drink when you're 12. Whatever. Alternatively, perhaps I'm a Gen Zer who just doesn't care at all about having their age sprayed across the Internet. In that case, this theoretical age verifier could be left unlocked, with any querying website being informed of such a user's age and jurisdiction on the fly. Hey, I'm Gen Z. I don't care. If I'm in a household with younger kids,
I could both lock and password- or PIN-protect this feature so that something I know would need to be provided any time I wish to assert my age in cyberspace. So if something like this were to happen, this would be another Internet specification for the W3C, the World Wide Web Consortium, to design and standardize, and it would be implemented in and dispensed by our web browsers the way they do all this other stuff for us already. Once this was standardized, any website that was legally obligated to verify its visitors' age, or actually any website that wanted to know, because after all they could ask, we don't have to tell them, rather than presenting that ridiculous "yes, I'm 16 years or older" or "18 years or older" or whatever it is button, that site would return an HTTP reply header when displaying the site's initial homepage. In the Gen Zer case, where their browser was set to permanently disclose, or permanently unlocked, their browser would return a query making the proper assertion, and the site's content would automatically be available if they qualified. But in the typical case, where a web user wants to exercise some control over the disclosure of this information, the receipt of this reply header would cause the user's browser to display its own uniform pop-up prompt saying that the site being visited requires the user to verify their age and location, or maybe it is requesting that information as opposed to requiring it. That pop-up would contain a button labeled "Please verify my age and send my location to this website." If the user agreed, the browser would generate a query containing this information and the website would open its doors. Now, in that regard, the model would be very much like the cookie pop-ups that we're all now plagued with, but it would be implemented by the browser, not by the website.
So that's where the uniformity in its display would come from, and it would be displayed in the center of the screen and only when sites required verification. Now, of course, by this time everyone is thinking, yeah, okay, fine, but how can any user's web browser possibly know their date of birth and location in any way that cannot be spoofed at will? And of course everyone's thinking is 100% correct. That's the big problem. And it's not a problem that can be sidestepped, since it's the essential problem. But I wanted to first lay out the rest of this required framework to show that if that essential problem could be solved, it could be the basis for a workable solution. Okay, so now let's switch to the news from last week which triggered this re-exploration. Though it received wide coverage, the Verge's headline was "Utah becomes the first state to pass an App Store age verification bill." And they followed that with a note that Meta, Snap and X are applauding this. So the Verge wrote: Utah became the first state in the country to pass legislation requiring app store operators, and, you know, that's Apple and Google, right, to verify users' ages and require parental consent for minors to download apps. The App Store Accountability Act, as it's named, is the latest kids online safety bill to head to the governor's desk as states across the country and the federal legislature have tried to impose a variety of design regulations and age-gating requirements to protect minors from online harms. Much of the legislation that has advanced through the states has been blocked in the courts, and the leading bill in Congress failed to pass last year amid concerns that it could limit free expression on the Internet. Right. Our First Amendment is what always gets marched out in order to say, no, no, no, you can't do any filtering.
Putting the onus more on mobile app store operators to verify ages, rather than individual website providers, is something that Meta and other social media sites have pushed in recent months as legislatures consider a variety of bills that could impose more liability for kids' safety across the tech industry. Apple reportedly lobbied against a Louisiana bill that would have required it to help enforce age restrictions. You know, Apple doesn't want any involvement in this if they can possibly avoid it, but recently voluntarily opted to let parents share their kids' age ranges with apps. And we talked about the first phase of that. We're about to talk about the update to that. Meta spokesperson Jamie Raddus called that, quote, a positive first step at the time, but noted that developers can only apply these age-appropriate protections with a teen's approval. After Utah passed its age verification bill, Meta, Snap and X applauded the move in a joint statement and urged Congress to follow suit, meaning let's make this go national, saying, quote, parents want a one-stop shop to verify their child's age and grant permission for them to download apps in a privacy-preserving way. They said the App Store is the best place for it. And I disagree with that. But okay, we'll get there.
Leo Laporte
Parents are going to be very surprised when they asked the parents age as well, by the way.
Steve Gibson
Precisely, because, right, you have to, everybody. The App Store is the best place for it, and more than a quarter of states have introduced bills recognizing the central role app stores play. Apple spokesperson Peter Ajima pointed to a white paper the company released last month which emphasizes the importance of minimizing the amount of sensitive data collected on users. Google, which runs the Play Store on Android, did not immediately provide comment on the bill. But others, including the Chamber of Progress. I love that name.
Leo Laporte
Okay, it's the Chamber of Progress. We don't want to talk.
Steve Gibson
That's right. Which counts Meta's European arm as well as Apple and Google among its corporate backers, warn that the bill could put all users' privacy and rights at risk. Again, this is why I think this is a big deal. This is one of those sticky wickets that, you know, cyberspace brings with it, that up to now we've just kind of wanted to, like, let's not deal with this.
Leo Laporte
But you know what you're seeing, this is all something that Meta wanted. This is all something the social. They didn't want to do the age verification so they lobbied hard and of course probably brought big black bags of cash to members of Congress and the state assembly saying, well really the App Store should be responsible. They're the central authority. Well, there's not us.
Steve Gibson
Yeah. And I actually do agree with the notion. I think it should go deeper than that. I think it should be on the platform but because then everybody gets it.
Leo Laporte
And you could keep it locally if it were just the phone. Right? The phone could just say yes or no.
Steve Gibson
Yes, the phone. Well, in fact, we will be talking about that. Apple has finally capitulated with an API. That is what I've been talking about us needing for quite a while. So the Supreme Court has long recognized that age verification requirements, like those in SB 142, chill access to protected speech for everyone and are therefore inconsistent with the First Amendment. And again, yes, this is a problem, right? I mean, this is not a small thing. This doesn't have an easy answer. There isn't one. It's clear that legislation to restrict access to the Internet runs up against this notion of unrestricted free speech, because we're talking about restricting, based on age, some people's access. But we actually do that now, right? Just not in cyberspace. So this Chamber of Progress, this legal advocacy council, they have a person, Carrie Maeve Sheehan, who wrote in a blog post: SCOTUS is set to weigh in on age verification this year, but in a case that deals specifically with its application to accessing porn sites. Okay, better that than nothing, I'd say. This is the way. Maybe we're going to have to chip away at this in order to get where we need to go. Quote, as privacy experts have explained, strict age verification, confirming a user's age without requiring additional personally identifiable information, is not technically feasible in a manner that respects users' rights, privacy and security. And that of course gets back to the point I was making earlier. That is, like, yes, we can invent a framework and a system for doing this, but that last piece is the problem. How do we do it in a way that cannot be easily bypassed and spoofed? So once again we have political legislators imagining that they're able to dictate the way reality should operate. You know, much as they've been wanting to with encryption. Well, we want everything encrypted, except we need to be able to see things. What? What?
But Apple, apparently cognizant of the direction things are going, last month in February published a short eight-page document titled "Helping Protect Kids Online." I have a link to it in the show notes for anyone who wants to see it, but I'm going to cover it here. It appears that Apple is grudgingly moving in the direction they need to go, which is to allow their platform to be used as an age verifier, much as they would clearly rather not. Their "Helping Protect Kids Online" document addressed this under the topic "Making it easier to set up and manage accounts for kids." Apple wrote: For years, Apple has supported specialized Apple accounts for kids called Child Accounts that enable parents to manage the many parental controls we offer and help provide an age-appropriate experience for children under the age of 13. These accounts are the bedrock of all the child safety tools we offer today. To help more parents take advantage of child accounts and parental controls, we're making two important changes. First, we're introducing a new setup process that will streamline the steps parents need to take to set up a child account for a kid in their family. And they keep using the word kid. I guess that's okay, but it just strikes me as odd. Kids. And if parents.
Leo Laporte
My folks always said, you say children, not kids.
Steve Gibson
Yeah, exactly. It seems too informal to me, but.
Leo Laporte
Okay, it's marketing material. That's why.
Steve Gibson
And if parents prefer to wait until later to finish setting up a child account. Child. This was very interesting to me. Child appropriate default settings will still be enabled on the device. So even if you don't, if a parent just sort of flips a switch to say, yeah, we want, we want this for. We want a child account, it defaults to safe. So they said this way a child can immediately begin to use their iPhone or iPad safely and parents can be assured that child safety features will be active in the meantime.
Leo Laporte
That's because they know parents will do the least possible.
Steve Gibson
Exactly. Okay, here you go. Get out of my hair.
Leo Laporte
Yeah, so it fails into a safe state. Which it should. That's right.
Steve Gibson
It absolutely should. This means even more kids, they wrote, will end up using devices configured to maximize child safety with parental controls. Second, starting later this year. And that. This is annoying to me. This thing is full of coming soon. And you know, later this year is like, what, what's the problem here? Just do hard.
Leo Laporte
Could it be.
Steve Gibson
Yeah, you. I know you've had endless hand wringing meetings in your ivory tower up there in your golden donut, so get it done. Anyway, starting later this year, parents will be able to easily correct the age that is associated with their kids account if they previously did not set it up correctly. What? Okay, now this is one of my hobby horses. Why set the age? Just set the date of birth. Do it once and Leo.
Leo Laporte
Oh, that's a good point. It automatically updates.
Steve Gibson
It's. It's a miracle. It's amazing. It's as if you had a computer that was able to do division.
Leo Laporte
Well, never mind.
Steve Gibson
I don't understand. And then Apple. This is the big revelation. Once they do, parents of kids under 13 will be prompted to connect their kids' account to their family group. If they're not already connected, the account will be converted to a child account and parents will be able to utilize Apple's parental control options, with Apple's default age-appropriate settings applied as a backstop. Okay, so for example, it could default to underage, right? And then what the parent does is insert their child's date of birth instead of their child's age, because that's not, as they would say, going to age well. But date of birth, it's automatic. It's a miracle. Anyway, under the topic then, "A new privacy-protective way for parents to share their kids' age range," Apple said, again because, you know, Leo, this is good, this kind of had to be thoroughly vetted. We have to make sure that the slide switches are the right size. Later this year. That button is just later this year. We wait for it. It's coming. Yes. Apple will be giving parents a new way to provide developers with information about the age range of their kids. Age range. We're not giving them. We're not gonna, we're really. You're just gonna pry this information from us?
Leo Laporte
It could be under 13. Over 13. That's sufficient, right?
Steve Gibson
Yeah. Enabling parents to help developers deliver an age-appropriate experience in their apps while protecting kids' privacy. They said, through this new feature, coming soon, parents can allow their kids, it says kids, to share the age range associated with their child accounts with app developers. It's a miracle. If they do, developers will be able to utilize a Declared Age Range API to request this information from the platform, which can serve as an additional resource to provide age-appropriate content for their users. How long do you think it took them to come up with this? Leo, as with everything we do, the feature will be designed around privacy and users will be in control of their data. The age range will be shared with developers if and only if parents decide to allow this information to be shared. And they can also disable sharing if they change their mind. That's got to be another slide switch, and probably it's bigger, you know. So I changed my mind. That's right. Flashing red. And it won't provide kids' actual birth dates. Ah, wow, what a concept. As I've noted before, a Declared Age Range API is exactly the right solution. Kids use specific iPhones and iPads, and Apple will even have a default in the direction of enforcing safe content, so it makes sense for the device's platform to know the age of its user and for that platform to be able to disclose that information with proper controls. I still think it makes the most sense, as I've said, for parents to set their child's date of birth internally. And as I've noted, they would be free to fudge it either way, depending upon their individual child's emotional maturity.
Leo Laporte
That's right.
Steve Gibson
And the level of protection they feel most comfortable enforcing.
Leo Laporte
Exactly right. This is such a good solution. You know what, it's, this is what should happen. And I think it's only happening now because it's either this or the App Store and they don't want to do that.
Steve Gibson
Right. And of course the App Store can get this from the platform.
Leo Laporte
Right.
Steve Gibson
So it's a win-win if Apple. So then if Apple insists upon calculating the user's age within large privacy-protecting ranges, while that seems unnecessarily restrictive to me, fine. Apple has already needed to amend those dumb ranges because, well, they're dumb. Okay, they had to add another one, but okay, if that's what they want to do, then they could do that. And it does serve to give some additional impression of increased privacy. So in this document, Apple explained their thoughts about all this under the heading "Age assurance: striking the right balance between platforms and developers to best serve the needs of our users." They said, at Apple we believe in data minimization, collecting and using it. We know that. God, do we know that. Collecting and using only the minimum amount of data required to deliver what you need. This is especially important for the issue of age assurance, which covers a variety of methods that establish a user's age with some level of confidence. Some apps may find it appropriate, or even legally required, to use age verification, which confirms a user's age with a high level of certainty, often through collecting a user's sensitive personal information, like a government-issued ID, to keep kids away from inappropriate content. But most apps don't. That's why the right place to address the dangers of age-restricted content online is the limited set of websites and apps that host that kind of content. After all, we ask merchants who sell alcohol in a mall to verify a buyer's age by checking IDs. We don't ask everyone to turn their date of birth over to the mall if they just want to go to the food court.
Leo Laporte
There you go.
Steve Gibson
There you go. Good analogy. Requiring age... Yeah, requiring age verification at the app marketplace level, here's their point, is not data minimization. While only a fraction of apps on the App Store may require age verification, all users would have to hand over their sensitive personally identifying information to us, regardless of whether they actually want to use one of these limited set of apps. That means giving us data like a driver's license, passport or national identification number, such as a Social Security number, even if we don't need it. And because many kids in the US don't have government-issued IDs, parents in the US will have to provide even more sensitive documentation just to allow their child to access apps meant for children. That's not in the interest of user safety or privacy. Requiring users to overshare their sensitive personal data would also undermine the vibrant online ecosystem that benefits developers and users. Many users might resort to less safe alternatives, like the unrestricted web, or simply opt out of the ecosystem entirely because they can't or won't provide app marketplaces like the App Store with sensitive information just to access apps that are appropriate for all ages. By contrast, the Declared Age Range API is a narrowly tailored, data-minimizing, privacy-protecting tool to assist app developers who can benefit from it, allowing everyone to play their appropriate part in this ecosystem. It gives kids the ability to share their confirmed age range with developers, but only with the approval of their parents. This protects privacy by keeping parents in control of their kids' sensitive personal information, while minimizing the amount of information that's shared with third parties. And the limited subset of developers who actually need to collect a government-issued ID or other additionally sensitive personal information from users in order to meet their age verification obligations can still do so too.
All in all, it gives developers a helpful addition to the set of resources that they can choose from, including other third-party tools, to fulfill their responsibility to deliver age-appropriate experiences in their apps. With this new feature, parents will even more firmly be in the driver's seat, and developers will have a way to help identify and keep kids safe in their apps. So anyway, Apple is going to need to get, you know, like, over themselves to some degree, I think, and accept that, you know, what they've built is an Internet portal. These iPads and iPhones are Internet portals, and they're going to have to have some way of filtering the content that children are able to see. I think this does that. You know, they do still have this notion of dividing ages up into segments. I think they have five of them now. I have it here somewhere in my notes. I'm not seeing it right now, and...
Leo Laporte
Maybe that's why they don't do birth dates, because they don't want to even know that much. They just...
Steve Gibson
I think you're right. I think, I think you're right. In the same way that they don't want to have the decryption keys for their Advanced Data Protection. They don't want their phone to know the person. I think you're exactly right. That explains it. It was a mystery to me. It's like, it seems so obvious. But you're right. They don't want anyone. They don't even want that, even want the...
Leo Laporte
They want this vaguest thing that they can get away with and that would be age range. That makes sense. Yep, yep.
Steve Gibson
It really does.
Leo Laporte
Yeah. And this is a great solution. Frankly, I don't know why they didn't do this right away. This is. Yeah, perfect.
Steve Gibson
Yeah. And they can simply, they can simply not show the apps which require an age that the viewer doesn't qualify for, right in the App Store. They're just not there for those viewers. They, you know, they shouldn't see them. They can't get them anyway. So just don't show them. It just doesn't show up on the phone.
Leo Laporte
Yeah. And it gives. And the other thing I like about it, it gives parents the ultimate authority because only the, I mean, the parent knows what a kid is mature enough to do or not. And if the kid is a 12 year old but has the maturity of a 16 year old, the parents can say that he's 16. And Apple doesn't get involved. Nobody gets involved. The parent is the right person to decide. And if there's a parent who's, you know, doesn't care, let's hope they care enough to set a button that says it's a kid's phone. And that would do, you know, the closest thing to the right thing.
Steve Gibson
Right.
Leo Laporte
I like this. You know what? I suspect Apple. This sounds like something Apple came up with but hadn't implemented at all. And they know it's going to take some time.
Steve Gibson
They just wanted to push back as long as and hard as they could.
Leo Laporte
Right.
Steve Gibson
And now it's like, okay, fine, if we're going to start having legislation, then guess what? Here's the solution we propose.
Leo Laporte
It's probably an iOS 19 feature. And that's what they're saying in the coming. It's like September, we'll have it for you. I hope so anyway, because this would completely short circuit the whole thing. It would make it doable.
Steve Gibson
Now what this does, though, is solve the problem here. It does not solve the problem for Pornhub, where if Congress weighs in, or if the Supreme Court weighs in and says, you know, you must absolutely protect minors from having access to this content, then the only way to do that is for people who do want access to lose their anonymity.
Leo Laporte
Well, you know, the state of Texas did in fact create a law which a federal judge put on hold and the Supreme Court heard arguments on last month and will decide upon. And one hopes that the Supreme Court decides in favor of the First Amendment. That's what that federal judge, the district judge in Texas, said: this violates the First Amendment. So there are, I think, at least 20 states that have these porn laws. And what happens, what Pornhub has done, is just withdraw from the state. Right, but that just means there's a lot other, plenty of other porn sites, or use a VPN, or, I mean, there's all sorts of ways around it. Your phone solution is actually much more bulletproof. And you could say that the phone has to say you're over 21. I mean, you could, you could say that.
Steve Gibson
Yeah.
Leo Laporte
I mean, that's. I mean, an 18 year old probably has their own phone, maybe even a 16 year old without parental supervision. So. But if at that point they should be able to do whatever. If the parents aren't going to get involved, then they could be able to do what they want. Right?
Steve Gibson
Yeah. I mean, we, so, so again, we're.
Leo Laporte
Great solution.
Steve Gibson
We're looking at this because we're in cyberspace and this is something that we've been just sort of like not wanting to deal with. So, so, so far. And I think that, you know, we're finally facing the fact that we've got to answer some of these hard questions.
Leo Laporte
Yeah, yeah, I agree.
Steve Gibson
We have an easy question, Leo, which.
Leo Laporte
Is who's the next sponsor?
Steve Gibson
That's the one I was thinking of.
Leo Laporte
I know you so well. All right, let's take a little break. We have lots more to talk about. Steve's coming back in just a second.
Steve Gibson
Oh, we got a North Korean job interview.
Leo Laporte
What are you talking about, North Korea? I'm from Lubbock. We'll talk about that in just a little bit. Steve Gibson, you're watching Security Now. So glad you're here. Our sponsor for this segment of Security Now is a little company that I've gotten to know pretty well over the last few months, US Cloud. When I first heard about them, I said, let's get on the horn with these guys, because what do they do? Are they a cloud company? I didn't know from the name. Well, I got schooled. They are the number one Microsoft Unified support replacement. Now, we've been talking about them ever since, for the last few months, about US Cloud. They are the global leader in third-party Microsoft support for enterprises. They support 50 of the Fortune 500, and people switch to US Cloud because they get better support, they get faster support, and they pay up to 30 to 50% less than they would pay Microsoft for Unified or Premier support. Let me say that again. Switching to US Cloud saves your business 30 to 50%, and you're not settling for less, you're getting more. It's faster, twice as fast in average time to resolution as Microsoft. They do things Microsoft is never going to do. For instance, how's your Azure spend? Do you know? I mean, we know what the bill is, but do you know what you're getting for that? Do you know? I mean, do you have Azure that you bought maybe months or years ago and you don't really know what it's... Well, now you could find out. US Cloud has a great new offering, something I know Microsoft will never do. It's an Azure cost optimization service. If you've been using Azure for a little while, you undoubtedly have what we call Azure sprawl, you know, spend creep, right? It's easy and it's tempting, but you can save money. And that's the great thing. US Cloud isn't there to make money on your Azure spend, they're there to save you. And it's easier than you think.
US Cloud offers an eight-week Azure engagement, powered by VBox, that identifies key opportunities to reduce costs across your entire Azure environment. And by the way, you're going to get access during this to expert guidance from US Cloud senior engineers. These guys have an average of over 16 years with Microsoft products, doing break-fix, doing the stuff that you really need them to do. They know Microsoft inside and out, often better than Microsoft does. Now, at the end of this eight-week Azure engagement, you're going to get an interactive dashboard that will identify rebuild and downscale opportunities and unused resources. You can reallocate those precious IT... there's never enough, right?... those precious IT dollars towards needed resources. Or you could do what a lot of US Cloud's other customers have done: increase the savings by getting off Microsoft support and moving to US Cloud. Ultimately you can eliminate your Unified spend and save even more. Here's a review we got from Sam, who is operations manager at Bead Gaming. He gave US Cloud 5 stars. He said, and I quote, we found some things that have been running for three years which no one was checking. These VMs were, I don't know, 10 grand a month. Not a massive chunk in the grand scheme of how much we spent on Azure, but once you get to 40 or $50,000 a month, it really starts to add up. Yeah, it does, doesn't it? This is stuff Microsoft's not going to tell you, right? They don't want you to spend less. But US Cloud's on your side. It's simple. Stop overpaying for Azure, identify and eliminate Azure creep, and boost your performance, all in eight weeks, with US Cloud. Visit uscloud.com. There are so many reasons why this is the right choice. Book a call today. Find out how much your team can save. US Cloud: better, faster Microsoft support for less. I mean, this is great. Visit uscloud.com to find out more. Make sure, if they ask you, you say, oh yeah, I heard about it on Security Now, that Steve Gibson fella, he's a good guy. Just because that helps us. uscloud.com, call them. Book a call today. I think you'll be impressed. All right, Steve, your rest is over. Back to work.
Steve Gibson
Okay, so, thanks to a listener of ours, I was made aware of one employer's experience with North Koreans faking their identities for the purpose of attaining employment in the U.S. As we'll see at one point toward the end of his description, Roger Grimes, whose security industry work we've covered before, says, "I've now spoken with many dozens of other employers who have either almost hired a North Korean fake employee or hired them. It is not rare." So here's what Roger himself experienced. He said, you would think, with all the global press we've received because of our public announcement of how we mistakenly hired a North Korean fake employee in July of 2024, followed by our multiple public presentations and a white paper on the subject, that the North Korean fake employees would avoid applying for jobs at KnowBe4. You would be wrong. It is apparently not in their workflow to look up the company they're trying to fool.
Leo Laporte
How funny.
Steve Gibson
Along with the words "North Korea fake employees" before they apply for jobs. We get North Korean fake employees applying for our remote programmer/developer jobs all the time. Wow. Sometimes they're the bulk of the applications we receive. This is not unusual these days. This is the same with many companies and recruiter agencies I talk with. If you are hiring remote-only programmers, pay attention a little bit more than you usually would. North Korea has thousands of North Korean employees deployed in a nation-state-level industrial scheme to get North Koreans hired in foreign countries to collect paychecks until they're discovered and fired. Note that due to UN sanctions, it is illegal to knowingly hire a North Korean employee throughout much of the world. To accomplish this scheme, North Korean citizens apply for remote-only programming jobs offered by companies around the world. The North Koreans apply using all the normal job-seeking sites and tools that a regular applicant would avail, such as the company's own job hiring website and dedicated job sites like Indeed.com. The North Koreans work as part of larger teams, often consisting of dozens to over a hundred fake applicants. They're usually located in countries outside of North Korea that are friendly to North Koreans, such as China, Russia and Malaysia. This is because North Korea does not have good enough infrastructure, in other words Internet and electricity, to best sustain the program. And it is easy for adversarial countries to detect and block North Korean Internet traffic. The North Korean fake employees work in teams with a controlling manager. They often live in dormitory-style housing, eat together and work in very controlled conditions. They do not have much individual freedom. Their families back home are used as hostages to keep the North Korean applicants in line and working. Basically, they're slaves.
Leo Laporte
That's so awful.
Steve Gibson
They get jobs and earn paychecks, but the bulk of the earnings is sent back to North Korea's government, often to fund sanctioned weapons of mass destruction work. The scheme is much like an assembly-line workflow. The North Korean fake employee and their helpers apply for the job, interview, supply identity documents, get the job, get the related company equipment and collect a paycheck. The North Korean applicant may do all the steps in this process or farm it off to other participants, depending upon the language skills of the applicant and the requirements of the job application process. They will often use made-up synthetic identities, use stolen identity credentials of real people in the targeted country, or actually pay real people of Asian ancestry who live in the target country to participate. It turns out there's a burgeoning sub-industry of college-aged males of Asian ancestry who cannot wait to get paid for participating in these schemes. There are Discord channels all around the world just for this. They make a few hundred to a few thousand dollars for allowing their identity to be misused or participating in the scheme. That way they can interview in person or take drug tests if the job requires that. Wow. So they're like subcontractors of this North Korean scheme. Sometimes the North Korean instigator does all the steps of the application process. Sometimes they just get the job interview and hand it off to others with better language skills for the interview. And sometimes they hand off the job to someone who can actually do the job and collect a kickback percentage. How the North Korean fake employee accomplishes the hiring and job process runs the spectrum of possibilities. We have seen it all. If they actually win the job, they will have another participant in the targeted country pick up the computing equipment sent by the employer and set it up. They're known as laptop farmers.
These laptop farmers have rooms full of computing equipment sitting on tables, marked with an identifier of what computer belongs to what company, to keep them straight. They power on the laptops and give the fake North Korean employees remote access to the laptop. Using this scheme, North Korea has illegally "earned," he has in air quotes, hundreds of millions of dollars to fund its illegal weapons programs over the last few years. There have been North Korean fake employee part-time contractors for over a decade. But the fake full-time remote employees took off when COVID-19 created a ton more fully remote work-from-home jobs. There is far more money to be made. If your company offers high-paying remote-only programmer/developer jobs, you are likely receiving fake job applications from North Koreans. It is rampant. Hundreds to thousands of companies around the world likely have North Korean fake employees working for them right now. It is common. We regularly get applications from North Korean fake employees. We routinely reject most of them. Occasionally we accept a few and interview the fake employees to learn more about them.
Leo Laporte
Wow.
Steve Gibson
And like deliberately right?
Leo Laporte
That's wild.
Steve Gibson
And to keep up on any possible developing trends. Luckily, so far, North Korea does not seem to be changing their tactics that much. From our original postings, the signs and symptoms of a North Korean fake employee we described last year still apply today. They're apparently still having great success using them. If you and your hiring team are educated about these schemes, it's fairly easy to recognize and mitigate them. You just have to know and look for the signs and symptoms. We recently interviewed "Mario," and he has that in quotes, "Mario" supposedly from Dallas, Texas. Here's part of his resume. I have it in the show notes on page nine. So it shows Dallas, Texas, and then a 754 phone number, and they blocked out the rest. Mario something at mail.com, blacked out. I'm a Mario, that's right. GCP at the very top line. GCP, Python, C#, Rust, microservices, cloud, he said, and it has in parens, AWS and Azure. Then all of the counseling about how to prepare, like, a one-page resume, so it says: Experienced senior software engineer with 8+ years of experience in Python, C#, Rust, microservices, REST, GraphQL API development, cloud infrastructure (AWS and Azure) and containerized application deployment. Specialized in cloud-native architectures, high-availability systems and secure coding practices. Passionate about building scalable, reliable and high-performance applications for cybersecurity and enterprise solutions.
Leo Laporte
I'd hire him. This guy looks good.
Steve Gibson
Where do you sign?
Leo Laporte
Yeah.
Steve Gibson
Then under experience, from 07/22 through 12/2024, a senior software engineer with cloud-native microservices and security, Amazon Web Services, AWS, and remote. And during this time he, Mario, designed and developed cloud-native microservices in Python, C# and Rust, ensuring high availability and fault... That's what you want. Built secure and scalable REST and GraphQL APIs, enabling seamless interoperability between cloud services and enterprise applications. Check that box. Buzzword festival. Led cloud infrastructure development on AWS using Lambda, EC2, S3, RDS and DynamoDB, and Azure AKS, Cosmos DB, Key Vault and Event Grid. Implemented Zero Trust security models incorporating OAuth 2.0, JWT authentication and end-to-end encryption. Developed containerized application... And this goes on and on and on. But you know, one full page of "this is what I can do for you."
Leo Laporte
Patrick said he wouldn't hire him because of the use of what looks like Comic Sans in the header. That right there, that's. He's out. He's out.
Steve Gibson
That is a bad choice.
Leo Laporte
Tekton, or one of those architectural fonts. But yeah, probably not very professional. I know.
Steve Gibson
So Roger wrote we have hidden Mario's last name and contact information because it is the name of a real American.
Leo Laporte
Oh, interesting.
Steve Gibson
Who is likely unaware that his identity has been hijacked.
Leo Laporte
Interesting.
Steve Gibson
And used. So, like, when people go and check him out and Google him and look him up, oh look, there he is. He's a real guy. Just like the Jackal did.
Leo Laporte
You go to the cemetery, you get a child that's died young, and then go get the birth certificate, and then you get the passport in their name, right? Well, no, this is a TV show. But anyway, same idea.
Steve Gibson
And he said, so, who is likely unaware that his identity has been hijacked and used in this scheme. And we don't want hiring companies to accidentally be given the rogue contact information and think they have a real employee candidate. He said "Mario," in quotes, claimed that he was an American citizen who was born and raised in Dallas. Despite this, he had a fairly strong Asian accent. Yee-haw. Likely North Korean. The Mario who showed up for our Zoom interview had the same voice as the Mario we interviewed over the phone during the first stage of the application process.
Leo Laporte
Now we should say they're in on this, right? I mean they know this. They're. They're just playing with this guy because they want to learn about this.
Steve Gibson
Yeah. Yes.
Leo Laporte
So they're ready.
Steve Gibson
As he said, occasionally they go ahead and do an interview, even though they are highly suspicious from the get-go, because they want to, they want to, like, stay up to date on what North Korea is doing. So, but, so he said, in this case, he said, I love this, the Mario who showed up for our Zoom interview had the same voice as the Mario we interviewed over the phone during the first stage of the application process. But sometimes they're different.
Leo Laporte
I have a cold today. I.
Steve Gibson
Wow.
Leo Laporte
Sometimes it's the American who they're using as a patsy who's doing the interview.
Steve Gibson
Probably right?
Leo Laporte
Yeah.
Steve Gibson
Right. So he said, we had three KnowBe4 people on the Zoom call, including myself, which, as we'll see, comes in here in a minute. He said, over the next 45 minutes we asked all sorts of questions that would be asked of any real developer candidate. Whenever we asked a question, Mario would hesitate, spend 5 to 15 seconds repeating our question, and then come back with the perfect answer. Most of the time it was clear that Mario, or someone participating with him, was typing the question subject into a Google search or AI engine and repeating the results. Mario started off by saying how he had a special interest in social engineering. And Roger here writes, no kidding, because of course this whole thing is social engineering.
Leo Laporte
Yeah, yeah.
Steve Gibson
And security culture. He mentioned security culture over and over. He said, I soon realized that if you go to our main website, we say "security culture" all over the place. He was repeating phrases he found on our website. But he was very friendly and smiling, and his English was heavily accented but not super hard to understand most of the time, although born and bred in Dallas. He said, I would say that, based solely on this first part of the interview, if we were unaware of what was going on, we would all have liked what he said and how he responded. He was friendly and smiley and we liked him. Mario claimed on his resume and in person to have programmed for Amazon, Salesforce and IBM. He supposedly has the exact advanced programming skills we had advertised. I wish all job applicants knew as well how to best match what we advertised in a job ad with what they responded. Of course it was all fake, but still. During his initial statements, he said he had a personal interest in cryptography and security. When it came time for me to ask technical questions, I used his mentioned interests as the basis for my questions. I started off by asking if he'd ever done post-quantum cryptography and if he had implemented it in his past projects. He hesitated, repeated the question, and then gave me an excellent dissertation on post-quantum cryptography, including mentioning NIST. You know, NIST, which is probably the top search result you get when researching post-quantum cryptography, and a list of the various post-quantum cryptography standards.
Leo Laporte
Maybe he listens to security now. You know, maybe he. Yeah.
Steve Gibson
I asked him if his previous projects were all using post-quantum cryptography. He said yes. No! Which is absolutely untrue.
Leo Laporte
Right?
Steve Gibson
Almost no American company is currently implementing post-quantum cryptography. Strike one. I asked what post-quantum encryption standard he liked the most. He said CRYSTALS-Dilithium. It is a digital signature algorithm, not encryption. Oh. He frequently mixed up encryption algorithms like AES with hashes like SHA-2 and digital signatures like Diffie-Hellman. Strike two. For someone who is really into cryptography and regularly does post-quantum crypto, he...
Leo Laporte
Should have listened to the show better. He obviously was drifting off at some point.
Steve Gibson
I asked what? Yeah, he was, he was like, wasn't paying close attention. He was fascinated by the sponsors. I asked what size an AES cipher key would need to be to be considered post-quantum strength. This seemed to throw him for a loop, and he wasted more time than usual. Finally, he replied, 128 bits. That's wrong. AES keys have to be 256 bits or longer to be considered resilient against quantum cryptography. Strike three on the technical questions. He wrongly answered every technical question I asked. At this point, I decided to throw out a random bad fact that any normal US candidate should be able to spot and correct. I said, Bill Gates, CEO of Microsoft, says that all future programming will be done by AI agents. What do you think? Okay. Now, Bill Gates has not been the CEO of Microsoft since '08. But most people outside the industry would likely think Bill Gates was still the CEO, because that's how the media often references him, as the former CEO of Microsoft. He's still a cultural icon associated with Microsoft. This is the type of mistake that a North Korean employee who does not have great access to the Internet would make. Aha.
Leo Laporte
Gotcha.
Steve Gibson
And sure enough, Mario repeated the fact that Bill Gates was the CEO of Microsoft instead of the current CEO, Satya Nadella. Mario did give a great answer on agentic AI and programming using AI agents. If he were a real employee, I would give his answer top points. Well, except for not noticing my CEO switcheroo. Finally, with the technical part of the interview over, we switched to the personal questions. If you're concerned that you may have a North Korean fake employee candidate on your hands, it cannot hurt to ask of, and ask for, cultural references that anyone in your country or region should readily know, but that would be harder for a foreigner with limited knowledge of the culture to understand. One of my co-interviewers asked him what he did in his free time. This seemed to surprise him. My coworker asked if he liked any sports. He said he loved badminton.
Leo Laporte
Okay.
Steve Gibson
Okay. Which he probably did not realize that, although super popular in Asian cultures, is not among the top sports if you grew up in Dallas, Texas, or nearly anywhere in America. Sure, there are plenty of people who play badminton, especially Americans of Asian ancestry, but it is an unlikely response out of all the possible responses you could offer. I asked how excited he was that the Cowboys won the AFC. I figured he would not know that the Dallas Cowboys got creamed and did not win the AFC. For one, they're in the NFC and not the AFC conference division.
Leo Laporte
I would have missed that one. So I don't. I don't know.
Steve Gibson
He again hesitated, but then seemed to get that I was mentioning the Dallas Cowboys and that they had been eliminated from contention. I was surprised this one did not trip him up as much as I thought it would.
Leo Laporte
See, the right answer is I don't follow sportball.
Steve Gibson
Right.
Leo Laporte
If you really were a geek, right.
Steve Gibson
Ask me a question about badminton, then I got you.
Leo Laporte
Yeah. I don't think badminton's so disqualifying, to be honest. Yeah.
Steve Gibson
My co worker said he was going to visit Dallas soon. And did the candidate have any favorite food spots? Mario said his mother's cooking.
Leo Laporte
Oh, good answer.
Steve Gibson
He said, I thought that was a great response, so he did not have to look up any restaurants in Dallas. So my co-worker persisted, asking the candidate if they had any restaurants to recommend. Mario did not. I offered up the Book Depository, one of the most famous tourist sites in Dallas, where people are dying to eat their Nashville hot chicken.
Leo Laporte
No.
Steve Gibson
Mario wholeheartedly agreed with my recommendation.
Leo Laporte
Oopsies.
Steve Gibson
My co-worker asked the candidate if there was anywhere in the world he would want to travel. In our hidden Slack channel, my co-worker said that when he asked this question of North Korean candidates, their eyes always lit up and they got excited. Yeah. Sure enough, Mario began to excitedly describe his dreams of visiting Paris and South Africa.
Leo Laporte
That's sad.
Steve Gibson
And Roger said, I think it was at this point that we all began to have some empathy. Yes, we were dealing with a fake job candidate who was trying to steal our money or worse. But in reality, this was a young man likely forced to do what he was doing.
Leo Laporte
Yep.
Steve Gibson
Destined never to receive any big salary or visit those dreamed-of vacation destinations. It's strange, but I think we started to feel a little ashamed at conducting a fake interview. So we stopped and asked if he had any questions. The normal job candidate would likely ask more about the job, the tools used, the benefits and things like that. Mario had no questions other than how many other people we were interviewing and how he was doing in the job interview. We ended the job interview. We had not picked up any new tactics or information other than noticing that a lot of the North Korean fake employee candidates lately had been claiming to have been born and raised in Dallas, Texas, and all with very heavy accents. However, the last fake employee interview switched from a heavy Asian accent in the initial phone interview to a savvy Pakistani person whom we interviewed on Zoom. And then they said he must have been hired to hand off the interview. I've now spoken with many dozens of other employers who have either almost hired a North Korean fake employee or actually hired them. It is not rare, and sometimes the fake employees, when discovered, switch to a ransomware encryption scheme or steal your company's confidential data and ask for a ransom. So it is not always just about getting a paycheck. Employers beware.
Leo Laporte
I think though, it's really interesting to say he felt some sympathy for the guy because I feel the same way. You know, when you kind of punk people are trying to scam you on the phone, often they're as much the victim as you would be. Right.
Steve Gibson
There is a big farm, and some robo-dialer is connecting them to you, and unfortunately they're being rated on their success percentage.
Leo Laporte
Right. Wow, what a story. Wow, that's just. That's fascinating.
Steve Gibson
So I wanted to be sure that the employers and interviewers among our listeners were fully aware of and appreciated the degree to which these fake North Korean employee farm scams are real. I have a link on page 12 of the show notes to Roger's far more detailed 21-page report on this, which is heavily linked to other resources. It's knowbe4.com, and the URL has the title "North Korean Fake Employees Are Everywhere." So anyway, I just wanted to put this on our listeners' radar, because it's really not something you want to do. And of course it is the case that the moment they start to feel that they might be found out, that the jig might be up for them, there is a serious danger of them switching their use of your network to ransomware and exfiltration and extortion. So, you know, it also needs to be taken seriously.
Leo Laporte
And next time say Billy Bob's, Texas if they asked you what restaurant you like in Dallas.
Steve Gibson
And the other thing that needs to be taken seriously, Leo.
Leo Laporte
Yes, our fine sponsors.
Steve Gibson
That's right.
Leo Laporte
You are getting really good at this, Steve. It's scaring me a little bit.
Steve Gibson
Your job is secure, my friend. Don't worry.
Leo Laporte
No, no, I like doing these ads. This one actually I have a little personal connection to. We're going to talk about our sponsor for this segment of Security Now, DeleteMe. And we use DeleteMe. And we use it for a very good reason. DeleteMe has accounts for individuals, for families and for businesses. We use the business account. And I realize it's really important to do this because, well, let me put it this way. If you ever search for your name online, and I mean, I don't recommend it, but if you don't believe me, do, you will not like how much of your personal information is available. Worse, almost all the sites will say, and for a few dollars more, we can give you Leo's prison record. We can tell you anything you want to know about him. Because these data brokers online have been collecting this information. There's hundreds of them. They make money selling it to the highest bidder, whether it's a marketing company, that's the least of your worries, or a government. They sell it on. They don't care. And the reason it's personal for us is because, and I mentioned this before, but briefly, when Lisa got spear-phished and all her employees got a text purporting to be from her, it wasn't. We immediately signed her up for DeleteMe. And you remember this, Steve, when the National Public Data broker breach happened, we had a website at the time you could search to see if you're in it. You were in it, I was in it. Our Social Security numbers were in it. And then I said, well, let's search for Lisa. She wasn't. And that's because we use DeleteMe. And I think every business should absolutely use DeleteMe for their management. Because spear-phishers are looking for management so they can target your employees with the right name, the right phone number, the right information. Maintaining privacy is not just an individual thing. It's a business thing. It's a family thing. DeleteMe has plans for everybody.
In fact, they've. Yes, they have family plans so you can ensure everyone in the family feels safe online. Delete Me reduces risk from, yes, cybersecurity threats, spear phishing, but also identity theft. That's why you want it for your family. You know, every. Everybody needs to get this stuff off the Internet for harassment. I mean, that is a plague right now in the Internet era. And I gotta tell you, it works. We know it works. We did that. I didn't even know what would happen when I did it live on the show a few months ago. And I was. At first I thought, why isn't Lisa in there? And then I remembered we hired Delete Me. Their experts will find and remove your information. They removed her information from hundreds of data brokers. If you're doing it in a family, you can actually assign a unique data sheet to each member that's tailored to them. You have easy to use controls so the account owner can manage privacy settings for the whole family. Delete Me then. And this is really important. They'll make the first, you know, initial deletion, but then they continue to scan and remove your information regularly. That's important because there's new data brokers all the time. And that's their job. That's what they focus on 100% of the time. They're always looking, who's the new guy. And it's such a profitable business for data brokers. There's more springing up every single day. It's also true that these data brokers, yes, they're required to have a delete page, but there's, you know, there's nothing to stop them from collecting more information about you after the fact. Oh, the middle name's different or, oh, it's a different address. And they start. Just start all over again. That's why DeleteMe will continue to scan and remove everything they can find. Addresses, photos, emails, relatives, phone numbers, social media, property value, and a whole lot more, including Social Security numbers. It was a shock to me to learn that there is no law. 
You think there would be a federal law against selling somebody's Social Security number? It's completely legal. What these guys do is completely legal. Look, if the law's not going to stop them, we got to do it. Protect yourself. Reclaim your privacy. Visit joindeleteme.com/twit. Use the offer code TWIT. It's in our hands and it's really important for your business and for your family as well as for you. joindeleteme.com/twit. By the way, when you get there, use the offer code TWIT. That does two things. One, it lets them know you saw it here. That's really important to us. Two, it gets you 20% off. I think that's gonna be important to you. joindeleteme.com/twit, the offer code is TWIT for 20% off. And we thank them so much for sponsoring the good works Steve is doing here. Back to you, Steve.
Steve Gibson
Okay, so before I share the latest news on the movement of US$1.5 billion worth of stolen Ethereum tokens, I should note that the 10% bounty on that $1.5 billion is not $150,000, as I apparently mistakenly said. It's a
Leo Laporte
little more than that.
Steve Gibson
Last week, yeah. Several of our listeners politely wrote to say, Steve, that would be $150 million, a little more, not $150,000. So indeed I am happy to share that correction, and thank you, listeners who are paying attention. Okay, so what do we know today? Crypto News reports under the headline "Nearly 20% of Bybit's $1.46 billion in stolen funds gone dark, says Bybit's CEO." Its CEO, Ben Zhou, now says nearly 20% of the funds are now untraceable, less than two weeks after the exchange lost over $1.4 billion in a highly sophisticated attack by North Korea-backed hackers. In a March 4 post on X, Zhou shared an update on the ongoing investigation into the cyber attack, revealing that around 77% of the stolen funds remain traceable, but that nearly 20% has gone dark through mixing services. The hacker primarily used THORChain, a cross-chain liquidity protocol, which came under scrutiny for unwillingness to prevent DPRK hackers from laundering the funds, to convert stolen Ethereum into Bitcoin. Approximately 83% of the funds, or around $1 billion, were swapped into Bitcoin across nearly 7,000, that's actually 6,954, individual wallets. So as I said, this was that dispersion that I talked about, where they just scattered it to the four corners in order to make it much more difficult to track, and to chop this huge amount into smaller, less suspicious-sized chunks. As Crypto News reported earlier, they wrote, while other protocols took steps to prevent the movement of stolen funds, THORChain validators failed to take meaningful action. Pluto, a core contributor, resigned in protest after nodes rejected a governance proposal to halt ETH transactions. Of the stolen funds, 72% ($900 million) passed through THORChain, which remains traceable, says Zhou. However, around 16% of the funds, totaling just shy of 80,000 Ethereum, valued at around $160 million, have now gone dark through eXch, a centralized crypto mixing service.
Zhou mentioned that the exchange is still waiting for an update on these transactions. Another portion of the funds, around $65 million, also remains untraceable. As Zhou says, more information is needed from OKX's Web3 wallet. In addition, the Bybit CEO revealed that 11 parties, including Mantle, ParaSwap and blockchain sleuth ZachXBT, have helped freeze some of the funds, resulting in over $2.1 million in bounty payouts so far.
Leo Laporte
So that's 2.1 billion in saved money, right? Yeah, that's pretty good. That's a good start.
Steve Gibson
So Bybit is recovering some of their stolen money in return for those 10% bounty payouts, which, you know, allows them to keep those monies legally, which, you know, is certainly the way to do it.
Leo Laporte
And I would check Mario and Dallas if I were, if I were them. I just, I don't know. I think that's one's possible place to look.
Steve Gibson
Well, you know, maybe one of his cousins is part of the Lazarus group. Wow. And just listening, as I'm sharing what Crypto News wrote, it's like, this is clearly just a world unto itself.
Leo Laporte
Yes.
Steve Gibson
When you talk about all this stuff moving back and forth and sloshing around, it's just a wild west.
Leo Laporte
Absolutely.
Steve Gibson
Yeah.
Leo Laporte
And while there were for a while some attempts to regulate it with the SEC, I think that horse has left the barn.
Steve Gibson
Doesn't seem to be much interest at the top.
Leo Laporte
Not anymore on doing that.
Steve Gibson
So. Yep. Okay. Also, meanwhile, what of the Safe Wallet service, whose malicious infiltration was the proximate cause of this very expensive breach in the first place? Crypto News also reports under their headline "Safe Wallet responds to Bybit hack with major security improvements," which is what you call, you know, closing the door after the horses have all left the barn. They wrote: Ethereum-based crypto wallet protocol Safe implemented, quote, immediate security improvements, unquote, to its multisig solution following a cyber attack on Dubai-based exchange Bybit. On February 21, North Korea's Lazarus stole, as we know, over $1.4 billion in ether from Bybit's Ethereum wallet by exploiting vulnerabilities in Safe Wallet's UI. The infamous hacking group injected hostile JavaScript code specifically targeting Bybit, siphoning more than 400,000 ETH. To prevent further attacks (again, whoops), Safe placed its wallet in lockdown mode before announcing a phased rollout and a reconfigured infrastructure. Right? Martin Köppelmann, co-founder of Safe, said in a March 3 x.com post that their team had developed and shipped 10 changes to the UI. The protocol's GitHub repository showed updates to show full raw transaction data now on the UI and, quote, remove specific direct hardware wallet support that raised security concerns, unquote, among other upgrades. Bybit CEO Ben Zhou discussed the incident on the When Shift Happens podcast with host Kevin Follonier, explaining that the attack occurred shortly after he signed a transaction to transfer 13,000 ETH. Zhou mentioned using a Ledger hardware wallet, but noted that he couldn't fully verify the transaction details. The issue is known as blind signing, a common vulnerability in multisig crypto transactions. Safe's latest updates aim to provide signers with more detailed transaction data, according to Köppelmann.
In response to a post from Kyber Network CEO Victor Tran regarding industry-wide security efforts, Köppelmann emphasized the importance of collaboration but noted that immediate damage control remains the priority, writing, quote, we're still in the putting-out-fire mode, but once we have that behind us, we need to come together and improve overall front end and transaction verification security, unquote, Köppelmann stated, adding that this will take the involvement of many parties to solve it for good. Okay, so it does sound as though, in the longer-term, broader sense, some good will eventually come from all this, though it certainly was an expensive lesson. There is so much liquidity sloshing around in this crypto world, it still boggles my mind. You know, I mean, we're just like, oh yeah, we lost $1.2 billion, well, maybe one and a half billion dollars. But yeah, we got that covered.
Leo Laporte
It's almost as if they built a technology designed to be easily anonymously transfer funds from one party to another. It's almost as if it was designed to do that.
Steve Gibson
Wow. And that there's a lot of interest in having that done. You know, like, oh hey, I got some application for anonymous big dollar transactions.
Leo Laporte
Used to be you had a big bring a big suitcase to hold all the cash. No, it's this little tiny wallet and it can hold billions and you have.
Steve Gibson
To have Mario, who is a big guy, able to, you know, because those luggages are heavy when they.
Leo Laporte
Yeah, I just watched, I was just watching an old heist show called Heat where it was back in the days when you had to.
Steve Gibson
Classic movie.
Leo Laporte
Yeah. Al Pacino, Robert De Niro, and you had to rob, you know, armored trucks to get cash or rob banks. And they brought these big bags in to carry the cash out. And it's like, no, no one, you know what, no one was any brains robs banks or armored trucks anymore. That's not the way to get it. You just need a little thumb drive.
Steve Gibson
And a computer and hire some geeks.
Leo Laporte
And a few geeks named Mario.
Steve Gibson
That's right. Okay. So meanwhile, back on the encryption front. Last week the BBC reported under the headline "Apple Takes Legal Action in UK Data Privacy Row." This, of course, would be in response to a legal demand whose very existence Apple is prohibited from divulging. But it seems that particular cat is well out of the bag. So the BBC wrote: Apple is taking legal action to try to overturn a demand made by the UK government to view its customers' private data if required. The BBC understands that the US technology giant has appealed to the Investigatory Powers Tribunal, an independent court with the power to investigate claims against the security service. It is the latest development in an unprecedented row between one of the world's biggest tech firms and the UK government over data privacy. In January, Apple was issued a secret order by the Home Office to share encrypted data belonging to Apple users around the world with UK law enforcement in the event of a potential national security threat. Data protected by Apple's standard level of encryption is still accessible by the company if a warrant is issued, but the firm cannot view or share data encrypted using its toughest privacy tool, Advanced Data Protection. Last week, Apple chose to remove ADP from the UK market rather than comply with the notice, which would involve creating a backdoor in the tool to create access. Apple said at the time it would never compromise its security features and said it was disappointed at having to take the action in the UK. The UK's order also angered the US administration, with President Donald Trump describing it to the Spectator as, quote, something that you hear about with China, unquote. Tulsi Gabbard, US head of intelligence, said she had not been informed in advance about the UK's demand. She wrote in a letter that it was an egregious violation of US citizens' rights to privacy and added that she intended to determine whether it breached the terms of
a legal data agreement between the US and the UK. The Financial Times, which first revealed Apple's legal action, reports that the tribunal case could be heard in the next few weeks but may not be made public. The Home Office refused to confirm or deny that the notice issued in January even exists. Legally, this order cannot be made public. But a spokesperson said, more broadly, the UK has a long-standing position of protecting our citizens from the very worst crimes, such as child sex abuse and terrorism, at the same time. Wait, at the same time as protecting people's privacy? The UK, because we want both. The UK has robust safeguards and independent oversight to protect privacy, and privacy is only impacted on an exceptional basis in relation to the most serious crimes, and only when it is necessary and proportionate to do so. Unquote.
Leo Laporte
Yeah, I believe that for now, the intent.
Steve Gibson
The intent.
Leo Laporte
Intent is good.
Steve Gibson
Yes. I don't deny that now, myself being a glass half full sort.
Leo Laporte
Yeah.
Steve Gibson
I'm still holding out hope that Apple's initial move will have shaken up the UK's legislators sufficiently for them to allow Apple's appeal to succeed, and that Apple's very public shot-across-the-bow threat to pull their strongest encryption entirely from the UK will be sufficient to put this troublesome issue back to bed for a while. We'll see. The unresolved question is, given that we now have the technology to create and enforce absolute privacy of communications and data storage, in a modern democracy which is designed to be by the people and for the people, with elected representation in government, do the benefits of this absolute privacy obtained by the overwhelming law-abiding majority outweigh the costs and risks to society created by its abuse by a small criminal minority? Don't know. The trouble is that individual governments may decide these issues differently. Yet the Internet is global and has always promised to be unifying. When we stand back to look at these issues surrounding privacy through encryption, and the challenges presented by the biological ages of Internet users and the perceived need to filter their access to this global network, what becomes clear is that up to this point, these fundamental issues and concerns created by cyberspace having very different rules from physical space have largely been ignored. Until now. It feels as if this has all happened so quickly that society has been busy catching its breath, you know, waiting for the dust to settle, waiting for services to be developed and to mature, waiting for those who govern us to catch up. It appears that our societies are finally gearing up to deal with these issues. We've had a really interesting first 50 years of this, Leo. What are the next 50 going to look like?
Leo Laporte
Yeah, well, that's a question we're all asking in a variety of ways. You know, listening to this makes me think that Apple is probably the party that leaked. You know, they're not supposed to reveal that they've received this request, but now that I think about it, they probably leaked this off the record to a couple of news agencies who took it and ran. And that gave Apple the cover then to continue to do what they did, which is pull Advanced Data Protection and appeal. The appeal is kind of like our FISA court. The appeal is to a secret court.
Steve Gibson
Right. A tribunal in this case.
Leo Laporte
And you may never know. You'll never hear the arguments pro or con, and you may not even know the result. The only way we'll know is the canary that Apple has put out now, which is pulling ADP from England.
Steve Gibson
Yep.
Leo Laporte
It's very interesting.
Steve Gibson
Very, very interesting.
Leo Laporte
You know what? We're really on the cusp. We could go either way in all of this.
Steve Gibson
Yes. It feels to me like, you know, the pressure has been mounting and it's like, as they say, it's going to blow. It's gonna blow.
Leo Laporte
Let's just hope it blows in the right direction.
Steve Gibson
Well, and, you know, whichever way it goes, I mean, it may be that we had a decade or so of privacy. Remember those ridiculous days when you couldn't export a cipher? You couldn't export a key greater than 128 bits or, you know, 56.
Leo Laporte
It was 56.
Steve Gibson
It was 40 bits.
Leo Laporte
40. That's right. It was really low.
Steve Gibson
It was. The limits.
Leo Laporte
So they could crack it. Basically.
Steve Gibson
Basically, yes. So, because it was like, oh, and cryptography was classified as a munition. Legally, it was a munition, because you were unable to export munitions to, you know, foreign hostile countries. So, I mean, maybe it's going to be that crypto is outlawed.
Leo Laporte
Yeah.
Steve Gibson
Or maybe some compromise will be made. Maybe it will be necessary for anyone who wants to offer it to offer it selectively and for there to be a master key. Or maybe governments will just say, okay, it's more important to have it than not. You know, more benefit is derived from it than harm is created from it.
Leo Laporte
Well, ultimately, I think if you care, you probably should now act to secure strong encryption. The good news is it's fairly easy to implement locally. You can do it.
Steve Gibson
That's exactly it. And that is ultimately the argument: if it is outlawed, only the bad guys will use it.
Leo Laporte
Only outlaws will use it.
Steve Gibson
Yeah, yeah.
Leo Laporte
And people who care about their privacy. And I think this is, you know, why everybody should just learn a little bit of crypto.
Steve Gibson
Well, and of course, we've been advocating TNO, Trust No One, encryption, or PIE, Pre-Internet Encryption. The idea is if you encrypt it yourself, then it doesn't matter what happens after it leaves your control.
Leo Laporte
Yeah, that's the key. Don't put it on iCloud. Encrypt it and then put it on iCloud and you're fine. Right. They don't have the key to it. Now then, of course, people come to your house, but that's a trouble for another day. All right. Sorry, I didn't.
Steve Gibson
I think we should take a break. Oh, we have more small things to talk about and then our big topic, so.
Leo Laporte
Oh, yeah. Well, this would be a good time then.
Steve Gibson
All right.
Leo Laporte
Yeah.
Steve Gibson
Glad you're here.
Leo Laporte
We're watching Security Now, we're listening to the Master. I feel like I should be sitting on the floor with my legs crossed just listening to the Master as we learn about all of this stuff. And it's great, isn't it? We're learning so much. Thank you, Steve. I don't say thank you enough, but thank you for what you do. It's really, really valuable for all of us. We appreciate it. And for Mario in Dallas, who learned everything he knows about AES from this show.
Steve Gibson
Mario, listen to those post-quantum episodes again. You're missing out on a few of those questions.
Leo Laporte
Get that down. Right? Yeah. Practice, our sponsor for this segment of security now, Zscaler, the leader in cloud security. It's a way to protect yourself in a way that unfortunately current security tools have not. Enterprises have spent over the last years billions of dollars on perimeter defenses. Right. Firewalls and VPNs. Has that worked? Has it. Everything's fine now, right?
Steve Gibson
No.
Leo Laporte
No, it's not. Breaches continue to rise. There's an 18% year-over-year increase in ransomware attacks. That was last year. Get ready. This is going to be worse, much worse, in 2025. Last year, record $75 million payout. I'm sure that's just the tip of the iceberg. And it's going to get worse. So what do you do to protect yourself? Traditional security tools are kind of almost the opposite of protecting. They give you public-facing IPs, and the bad guys, now that's something they can hang their hat on. By the way, they're black hat. So I'll put on a black hat for that. This is now the bad guys. They've got your IP addresses. They can use AI. They can attack you better than ever before with these tools, faster than you can protect yourself. And then what happens? Mr. Black Hat gets into your network. He can wander at will, because these tools assume, well, we have such good perimeter protection, if anybody's in the network, they must work for us, right? So what do they do? They go around, they read your emails. They find your customer information. They exfiltrate it using, you know, encrypted traffic, which your firewalls struggle to understand. They've got complete control of your system. Hackers are exploiting our traditional security infrastructure, using AI to outpace your defenses. It's time to rethink your security. Don't let the black hats win. They're innovating and exploiting your defenses. You need.
Steve Gibson
Ta da.
Leo Laporte
No, not Mario in Dallas. You need Zscaler Zero Trust plus AI. So this is such a good solution. It hides your attack surface, so your apps and your IP addresses are invisible. Right there, that's a huge gain. It also, if somebody does get into the network, eliminates lateral movement, because users can only connect to the apps they're approved to use, to specific apps, not the entire network. And Zscaler continuously verifies every request based on identity and context. It simplifies security management with AI-powered automation, so your life is easier. And they can detect threats using AI. They analyze over half a trillion daily transactions, almost all of which are, you know, fine, to find those few that are really a threat to you and protect you from them. It's simple. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust plus AI. So, hacker getting into your network, wandering at random, Mario in Dallas getting his way with you. Or Zscaler. zscaler.com/security. Check it out. zscaler.com/security. Seriously? Zero trust is the answer. Zscaler is the hero you're looking for. zscaler.com/security. We thank them so much for supporting Security Now and putting up with my hijinks. And we thank you for going to that address, because then they know you saw it here. You could say, that guy with the hats. zscaler.com/security. Thank you, Steve. Getting a little silly here.
Steve Gibson
I have a feeling that Zscaler knows exactly what they're getting.
Leo Laporte
I know. I hope so.
Steve Gibson
When they put their advertising dollars here.
Leo Laporte
I'm going to keep the black hat though. This is good. I'm ready. All right, on we go with the show, Steve.
Steve Gibson
So I wanted to let our listeners know that if they encounter reports claiming that there's a flaw that's been found in pass keys, the truth is somewhat more nuanced.
Leo Laporte
Oh, I hope so, because this is scary.
Steve Gibson
It wasn't a flaw in passkeys, but there was a problem found. It was a very specific and difficult-to-perpetrate account takeover flaw that was only possible due to URL link navigation mistakes which had been made in mobile Chrome and Edge. They fixed it back in October of last year, mobile Safari fixed it in January of this year, and Firefox patched the problem last month, in February. At one point in the passkeys FIDO flow, mobile browsers are given a link with the scheme "FIDO:". Unfortunately, they were all allowed to navigate with that URL, and that's where this really subtle, very difficult to implement, but still possible sort of end-around was created. But once the three browsers all started blocking this FIDO scheme from being navigable, then that small loophole, which a researcher had discovered, very clever guy, was closed, and passkeys return to being what we want: the extremely robust network authentication solution that the world needs it to be. Okay, so I don't know what's going on in the UK. First, of course.
Leo Laporte
As we know, I think they don't.
Steve Gibson
Know either, as they order Apple to accomplish the impossible by decrypting data for which the UK knows Apple does not hold the keys. Then I read that a court in the UK had demanded that a US-based security researcher remove their reporting of an embarrassing cyber attack and data breach which occurred at HCRG, which was formerly known as Virgin Care, one of the largest independent healthcare providers in the UK. So seeing that made me curious. So I first found a nice summary of the situation which TechCrunch reported. They wrote: A US-based independent cybersecurity journalist has declined to comply with a UK court-ordered injunction that was sought following their reporting, that is, the cybersecurity journalist's reporting, on a recent cyber attack at UK private health care giant HCRG. Law firm Pinsent Masons, which is the UK firm, so the UK law firm Pinsent Masons, which served the February 28 court order on behalf of HCRG, demanded that DataBreaches.net take down two articles that referenced the ransomware attack on HCRG. The law firm's notice to DataBreaches.net, which TechCrunch has seen, stated that the accompanying injunction was, quote, obtained by HCRG at the High Court of Justice in London to, quote, prevent the publication or disclosure of confidential data stolen during a recent ransomware attack. What? You know, they wanted to prevent the reporting of the attack, which is not at all the same as preventing the disclosure of confidential data. They apparently felt, well, the fact that we were attacked should be confidential.
Leo Laporte
No one should know about that.
Steve Gibson
That's no, that would embarrass us.
Leo Laporte
Yes.
Steve Gibson
What would our shareholders think? And all of those people... you won't believe how much data was stolen anyway. "The firm's letter states that if DataBreaches.net disobeys the injunction, the site may be found in contempt of court, 'which may result in imprisonment, a criminal fine or having their assets seized,'" unquote. "DataBreaches.net," writes TechCrunch, "run by a journalist who operates under the pseudonym Dissent Doe, declined to remove the posts and also published the details of the injunction. In a blog post Wednesday, Dissent, citing a letter from their law firm, Covington & Burling, said they would not comply with the order on grounds that DataBreaches.net is not subject to the jurisdiction of the UK injunction," no kidding, "and that the reporting is lawful under the First Amendment in the United States, where DataBreaches.net is based. Dissent also noted that the text of the court order does not specifically name DataBreaches.net nor reference the specific articles in question." Just says you're bad. So TechCrunch says, "Legal threats and demands are not uncommon in cybersecurity journalism, since the reporting often involves uncovering information that companies do not want to be made public. But injunctions and legal demands are seldom published over risks or fears of legal repercussions. The details of the injunction offer a rare insight into how UK law can be used to issue legal demands to remove published stories that are critical or embarrassing to companies. The law firm's letter also confirms that HCRG was hit by a ransomware cyber attack." So now they've even admitted that as a consequence of this. Okay, so that made me interested enough to go to the source, where I discovered some additional head-shaking detail which picks up where TechCrunch left off. Remember that the site is being represented by Covington & Burling, and in the UK we have the firm Pinsent Masons.
So on his site, the subject of this injunction, Dissent Doe, wrote: "When Jason Criss of Covington & Burling," his firm, "sent an email to Pinsent Masons informing them that DataBreaches.net is a US entity with no connection to the UK and that neither the UK nor the High Court of Justice has any jurisdiction over this site, that should have been the end of the matter, right? But it wasn't. And that's partly why DataBreaches is reporting on this. Yesterday morning, DataBreaches.net received an email from its domain registrar that it had been served with the injunction by Pinsent Masons and that if DataBreaches did not remove the two posts in question within 24 hours, this website would be suspended. The two posts were not even particularly exciting. They mainly summarized some of SuspectFile's great reporting and linked to those posts. For those who would like to see what HCRG or the court demand that I remove, the posts can be seen at..." And in his posting he provided two links, which I've duplicated here. One is "UK: More details emerge about ransomware attack on HCRG by Medusa," and the second link is "Medusa unveils," get this, "another 55,050 terabytes of stolen data from HCRG Care Group, giving greater insight into the scope of the breach." He said, "DataBreaches informed the registrar," that is, their domain registrar, "that the injunction was not valid and that DataBreaches.net is not under the jurisdiction of the High Court of Justice or of the United Kingdom. Jason Criss of Covington & Burling also notified the registrar that not only was DataBreaches.net a US entity, but as the site's domain registrar for many years, they could see for themselves that the site was registered to a US person at a US postal address with a US telephone number. Later yesterday, the registrar responded: 'Since your lawyer has already sent notice to the complainant Pinsent Masons, we confirm that we will not be taking any action on your domain DataBreaches.net.'" Good. Yes.
"'Additionally, we will be informing Pinsent Masons to contact your lawyer directly should they have any further issues. This ticket is now closed.' Pinsent Masons did not respond to Monday's email notification by Jason Criss that this site was not under UK or High Court jurisdiction, and at no time yesterday did Pinsent Masons contact the domain registrar to say that it was withdrawing the demand for the removal of the posts. That too was surprising. Is it over, or will there be more? DataBreaches hopes it is over."
Leo Laporte
There's a little TWiT connection with this. It was Iain Thomson at The Register, who is a regular on our shows, who revealed this in The Register and even has the screenshot of the site and the ransomware notification on it. So it was pretty hard to deny it at this point. And it's out there and, you know, thank you, Iain. Doing good work as always.
Steve Gibson
So, you know, a major firm like Pinsent Masons must be fully aware of the First Amendment free speech protections.
Leo Laporte
There's no First Amendment in the UK.
Steve Gibson
But you know that we're here, right?
Leo Laporte
Yeah.
Steve Gibson
And they certainly knew that DataBreaches.net was a US-based website registered in the US, so it had to be pure baseless intimidation.
Leo Laporte
Yeah.
Steve Gibson
You know, of course, somewhere some stuffed shirt at the UK healthcare provider was annoyed by the fact that this embarrassingly massive 50-terabyte data breach of their systems was being reported on and decided to aim their law firm at the reporter. You know, just sort of, you know, maybe we can make it go away. Wow. Okay, get a load of this one. Everyone's gonna hear a very familiar name pop out of this little piece of news, which reads: The FBI has recovered $23 million worth of crypto stolen from Chris Larsen, the co-founder and executive chairman of the Ripple cryptocurrency, which trades under XRP, or is, you know, named XRP. The recovered funds are just a small part of the tokens stolen from Larsen in January of last year. The funds were estimated at over $110 million last year, but are now worth over $700 million. And here it comes. Hackers stole the Larsen funds by first stealing password stores from password manager LastPass in 2022. Oh. Since the attack, the hackers have been slowly cracking passwords and emptying crypto wallets. As of May 2024, over $250 million worth of crypto assets had been stolen using the data obtained from LastPass. Okay, now remember at the time we talked about this: bad guys largely don't care, could not care less, about random people's laundry. They want one thing, which is money. So they're known to be targeting any crypto passwords suspected of being stored in LastPass vaults. With LastPass's failure to increase the repetition counts of their PBKDF system, accounts which had been created in the early days of LastPass were left with very low, or even in some cases zero, iteration counts of their hashing algorithm. This made cracking the passwords protecting those early adopters extra easy.
Our advice at the time for anyone who had stored crypto access passwords in LastPass was to immediately create a new wallet and transfer the assets from the now unsafe wallet into the newly created wallet, and we can see why that advice, when taken, could help to protect people from exactly this problem. And this was the great problem: this massive blob of data was everybody's vaults, which were encrypted, but in some cases not strongly enough encrypted. And so over time you can do offline decryption in order to obtain people's data in the clear. Wow. Also in more postmortem news, we're still learning more about the early genesis of that attack which ultimately affected Bybit. The North Korean hackers compromised, we know, the multi-signature wallet provider Safe Wallet. It turns out this was conducted through a social engineering attack which targeted one of its developers. And remember, social engineering is now the way these things are happening more and more. Pretty much, you know, a lot of the other infrastructure has been shored up and tightened up. Social engineering, the human factor, has now become the weakest link. According to a new postmortem report, the point of entry appears to have been a malicious Dockerfile that was executed on one of the employees' computers. The Dockerfile deployed malware that then stole his local credentials. The attackers then used the developer's AWS account to add malicious code to the Safe Wallet infrastructure which targeted a specific multisig wallet which was used by the Bybit cryptocurrency exchange. And so that's the chain of events: social engineering attack; guy downloaded and installed a malware-containing Dockerfile, ran it on his machine, it deployed malware on his computer; that malware grabbed his AWS credentials and sent that back to the bad guys; they used that to get into Safe Wallet's infrastructure, make the changes, and then infect the Bybit transaction.
The change that Safe has made is to now prominently display the transaction details, which they hadn't been fully bothering to display until now. So they're just trying to make the transaction event more transparent in the hope that that will help people catch any further problem. It's a little bit like, you know how right now everyone kind of glazes over when they look at a Bitcoin wallet ID? It's just like gibberish. And so you just copy and paste it. Well, if you can make it somehow more obvious that, wait, what you pasted is not what you copied, then that would help you catch clipboard attacks. So that... I wanted to share a terrific look at how a Windows-centric network, that is, okay, an enterprise using secured Windows systems, nevertheless was hit by ransomware, even though they had strong and effective malware protections in place. A security research group has been tracking the Akira ransomware group that we've referred to a few times. What they found as they dug into a forensic reverse engineering of a distressingly successful attack was interesting, and it was surprising even to them. Here's what they shared. They wrote: "Until the compromise, this incident had followed Akira's typical modus operandi. After compromising the victim's network via an externally facing remote access solution..."
Leo Laporte
Oh, I was just talking about that. Yeah.
Steve Gibson
"...the group deployed AnyDesk, a remote management and monitoring tool, to retain access to the network before exfiltrating data. During the latter stages of the attack, the attacker moved to a server on the victim's network via Remote Desktop Protocol," you know, RDP. "Once again, Akira commonly uses RDP," Akira being the bad guys, right? The ransomware group. "As it enables them to interact with endpoints and blend in with system administrators who use RDP legitimately. The threat actor initially attempted to deploy the ransomware on one of the Windows servers as a password-protected zip file, win.zip, that contained the ransomware binary win.exe. However, the victim's Endpoint Detection and Response (EDR) tool immediately identified and quarantined the compressed file before it was unzipped and deployed."
Leo Laporte
Oh, see, you're fine. You're safe. Everything's good.
Steve Gibson
It works, right?
Leo Laporte
Yeah.
Steve Gibson
At this point, the threat actor likely realized they had alerted the EDR tool and would not be able to evade its defenses. They therefore pivoted their approach. Prior to the ransomware deployment attempt to this Windows server, the attacker had conducted an internal network scan to identify ports, services, and devices.
Leo Laporte
First thing you do. Yep.
Steve Gibson
"This network scan identified several Internet of Things (IoT) devices on the victim's network, including webcams and a fingerprint scanner. These devices presented an opportunity to the threat actor to evade the EDR tool and deploy the ransomware successfully. The threat actor likely identified a webcam as a suitable target device for deploying ransomware for three reasons. First, the webcam had several known critical vulnerabilities, including remote shell capabilities and unauthorized remote viewing of the camera. Second, it was running a lightweight Linux operating system that supported command execution as if it were a standard Linux device." The camera was the... well, that's... everyone builds... I mean, Linux is... what could possibly go wrong? That's right. Got Linux in your camera. "Making the device a perfect candidate for Akira's Linux ransomware variant." Wow. "Third, the device did not have any EDR tools installed on it." Why would it? "That left it unprotected." In fact, due to the limited storage capacity, it's doubtful that any EDR could be installed on it. But the ransomware could. "After identifying the webcam as a suitable target, the threat actor began deploying their Linux-based ransomware with little delay. As the device was not being monitored, the victim organization's security team were unaware of the increase in malicious Server Message Block (SMB) traffic to and from the webcam to the impacted server."
Leo Laporte
Oh my God.
Steve Gibson
And the webcam successfully fully encrypted the servers on the victim's network.
Leo Laporte
Oh my God.
Steve Gibson
Akira was thus able to encrypt files across the victim's network.
Leo Laporte
Boy, I mean, this answers the question when you say, you know, protect your IoT devices. Oh, so they could get into my camera. What's the big deal? Or my light bulbs? Well, they can actually launch ransomware from these devices?
Steve Gibson
Yes. Oh my God, yes. Wow, I thought this was a super interesting case here. As you said, the vulnerable IoT device was not the initial entry point. The honor belonged to some unspecified remote access solution running on a Windows machine.
Leo Laporte
As it often does.
Steve Gibson
But even though the IoT device wasn't in their way... no, it wasn't their way in.
Leo Laporte
That's not how they got in.
Steve Gibson
It wasn't their way in. Exactly. It was not their way in. The attackers needed an unprotected host for their malware. They were unable to run their ransomware on any of the Windows systems or servers on the network because all of those systems were being protected by effective real-time EDR, endpoint detection and response, security. But their network scan had discovered some Linux-based webcams, and that's all they needed. And the security of those cams was quite lacking, which made their jobs even easier. So they loaded their malware into the cams' RAM, and it reached out over the network using Windows file and printer sharing, the SMB (Server Message Block) protocol, to read and write back the encrypted files. Under the prevention and remediation section of their report, the security firm wrote: "Preventing and remediating novel attacks like this one can be challenging. At a minimum, organizations should monitor network traffic from their IoT devices and detect anomalies. They should also consider adopting the following security practices." And what do you think their number one first recommendation was? They wrote: "Network restriction or segmentation, zero trust. Place IoT devices on a segmented network that cannot be accessed from servers or user workstations, or restrict the devices' communication with specific ports and IP addresses."
Leo Laporte
And all it needs is three routers. Actually, a VLAN would do it, right? To segment it.
Steve Gibson
Yeah, a VLAN would do it.
Leo Laporte
Yeah.
Steve Gibson
Yep. You know, it takes more work and it can limit functionality. And it means you cannot just randomly plug anything in anywhere you like.
Leo Laporte
Yeah.
Steve Gibson
So some ongoing network management discipline will be needed too, always. But this company learned that lesson the hard way.
Leo Laporte
Put your IoT devices on a separate VLAN.
Steve Gibson
Yeah.
Leo Laporte
And don't give them access to the secure VLAN.
Steve Gibson
Yeah.
Leo Laporte
Wow, that's, that's a great story.
Steve Gibson
Isn't that really?
Leo Laporte
I can't believe that there's enough RAM and memory in a webcam running Linux. I mean, obviously memory's cheap now, right? So you're going to run Linux on this. I wonder how many IoT devices are running some little Linux kernel in the background. Why not? It's a free operating system. Why not? Wow, great story. You know what else would have helped them? A Thinkst Canary. Right? A little honeypot. You want me to do a little break here, and then we'll talk about the Bluetooth back door that wasn't?
Steve Gibson
Yep, we're ready for that.
Leo Laporte
This is brought to you today by Thinkst Canary, our sponsor for this segment on Security Now, another great security solution. These guys get in, they're in the network, they're wandering around. So what do you do to protect yourself? For one thing, just like this company, often, you know, once the bad guy gets into your network, you don't know you've been breached. In fact, on average, it takes 91 days for a company that has been breached to find out. Three months. That's three months a hacker can wander your network, install stuff, look for security flaws like that webcam. You don't want them in your network at all. So what's the best way to find out if somebody's in your network, or maybe even a malicious insider going where they shouldn't? The Thinkst Canary. It's a honeypot that can be deployed in minutes. And it can impersonate anything: a SCADA device, a server, a Linux box, an IIS server. I mean, really, there's dozens and dozens of personalities in these things. By the way, the folks who do the Thinkst Canary are very accomplished white hat hackers. I mean, they teach governments and businesses how to breach networks. They know about this stuff, and they've created something that is very secure, rock solid, but can easily impersonate anything else. And when I say impersonate, it's a perfect impersonation. I have a Thinkst Canary that is impersonating a Synology NAS, and it's down to the MAC address. Bad guys aren't going to look at it and go, oh yeah, that's fake. It looks, in every respect, like an unprotected NAS, including the DSM 7 login and everything. But as soon as... oh, the other thing Thinkst Canary can do, I should mention this, is really cool. Not only are they hardware devices that can assume any personality easily, they can also create files that are like tripwires you can put out throughout your network. They look like spreadsheets or PDFs or DOCXs or whatever you want.
I have spreadsheets that are called employee information, things like that, on my network. XLSX files. And that's another thing. A bad guy goes, oh, I've been looking for that. But the minute they touch it, the minute they attack the Synology and try to log in, the minute they try to brute force my fake SSH server, that's a Thinkst Canary, and they're going to immediately tell you you have a problem. No false alerts, just alerts that tell you there's something going on. We've had a Thinkst Canary for many years now. They've been with us for eight years, and only once has it gone off, although I'm really glad to have one even at my home network here. And that was when Megan got, I won't name the name of the company, but got an external USB drive, and it for some reason decided, I'm going to go out and look for all the IP addresses and see what's on the other side. They were spying on us, basically. And I got the alert. You can get it as a text message, an email, Slack, syslog; it supports webhooks, so they have an API. I mean, any way you want it. Immediately I got the message. I said, it's a 10. It's inside the network. And I went and I found it, I ripped it from the wall, and that was that. The other thing: it's really fun to choose the profile for your Thinkst Canary device because it can be anything. You could change... it's so easy to change. You can change it every day if you want. You pick the profile, register it with a hosted console for monitoring and notifications, and then you just go, okay, I'm done. Then you wait. Attackers who breach your network, malicious insiders, other adversaries, they cannot resist. You know, they may say, I'm going to find a webcam that has Linux running on it. Maybe they're going to do that, but before they do that, they're going to go, but first let's open this Excel spreadsheet with all the employees' Social Security numbers on it. I think I want to download that sucker, right?
Even in this attack you talked about, they didn't go for the webcam first. So the minute they hit your Thinkst Canary, you're going to know. And that's the key, is to know they're in the network. Now we just have one here. A small operation might have a handful, a bank might have hundreds. It really depends on your operation. But as an example, go to canary.tools/twit. 7,500 bucks a year will get you five of them. That's enough for a pretty good-sized business. Spread them around. You want them in every segment, right, on every VLAN. You want them in the places the bad guys are going to go. For that money, you get Thinkst Canaries, but you also get your own hosted console. You get upgrades, you get support, you get maintenance. This is such a good security solution. Of course it's not the whole thing. Security is a layered thing, but you've got to have that layer that tells you there's somebody in the network. By the way, if you use the offer code TWIT in the "How did you hear about us?" box, 10% off the Thinkst Canary. Not just for the first year, forever, for as long as you own it. Also, if you're at all, you know, like, well, I don't know... or the boss says, oh, I don't know, here's the thing to tell the boss. There's a two-month money-back guarantee, a 60-day money-back guarantee for a full refund. I have to tell you, in all the years, eight years now, that TWiT has been doing these ads partnered with Thinkst Canary, we've mentioned the refund. No one has ever claimed it. Because once you get it, once you see it, first of all, you fall in love with it. It's so cool. All you have to do is go to canary.tools/love, and you'll see what I mean. It's such a great idea. But also because it works. It does exactly what I just told you. Exactly what I said. It's exactly what you need. Visit canary.tools/twit. Don't forget to use TWIT, the offer code. Put it in the "How did you hear about us?" box. Just say TWIT. Bing, bingo, bango, bongo. 10% off.
I think this is the greatest solution. I love this. I remember when we talked to... I think it was Steve Bellovin, right, in Boston, Steve, at our event, the LastPass event. Steve wrote the first commonly known honeypot in... you know, he wrote that book about In Search of the Wild Hacker, or the Wily Hacker, along with Bruce Cheswick. Oh, maybe it was Cheswick. I think it was Cheswick, actually.
Steve Gibson
Yeah.
Leo Laporte
And he said this was really hard, to write a good honeypot. Now you don't have to. You just plug it in. canary.tools/twit. We thank them very much for their support of Security Now. All right, I am proud of myself, Steve, because I saw this Bluetooth Backdoor story. I read it and I decided not to do it on TWiT on Sunday. There was just something fishy about it. Tell us what happened. Tell us all about it.
Steve Gibson
You got it exactly right, my friend. Okay, so I deliberately titled today's podcast "The Bluetooth Backdoor" because that's what nearly all of the tech press has been calling it. But in this instance, it does feel like the appropriate use of that loaded term, if it was right. So, okay, last Saturday, BleepingComputer's headline was "Undocumented backdoor found in Bluetooth chip used by a billion devices." And in fact, probably the reason it's made so much news was that there are so many of these things. It is the most popular chip used by radio-connected Bluetooth and Wi-Fi connected IoT devices. A Chinese firm, Espressif. It's the ESP32, which is like the go-to chip. It costs nothing. It's €2 for one of these things. They're just amazing little 32-bit processors. So there's more than a billion of them. Actually, it was a billion as of two years ago, 2023. The Chinese site was saying, yeah, we've made more than a billion of these things. So it's a lot more than that now. Anyway, so last Saturday, BleepingComputer said, "Undocumented backdoor found in Bluetooth chip used by a billion devices." Then the next day, on Sunday, they softened that headline, saying "Undocumented commands found in Bluetooth chip used by a billion devices." And to explain the change, they wrote, "After receiving concerns about the use of the term 'backdoor' to refer to these undocumented commands, we've updated our title and story. Our original story can be found here." And in that, "here" was a link, and I got a kick out of the fact that they actually linked to the Internet Archive for a copy of their own previous page. So, okay, this podcast has spent some time, you know, batting around this issue of when is a backdoor not a backdoor. Right. You know, would forcing Apple to deliberately and publicly redesign their Advanced Data Protection iCloud synchronization and backup to incorporate a master key be adding a backdoor?
You know, in this instance, I would say no, because this feature of ADP, which would then be added to ADP, the master key, would be neither secret nor malicious, whereas the classic definition and use of the term backdoor is both. You know, it definitely needs to be secret, and if it's not secret, it cannot be a backdoor. So that leaves us with a question of malice. In Apple's case, there's clearly no malice anywhere. Thus the term backdoor fails to qualify for what Apple has apparently been asked for by the UK on both of those counts. So what about today's news of what nearly everyone is calling a backdoor? We know for sure that what a pair of Spanish security researchers discovered lurking in an astonishingly widely used Chinese microcontroller chip was at least undocumented, and also maybe powerful and prone to abuse if it were to become known by a malicious party. But that part is not even clear. All the reporting said, oh my God. But I'll explain to you what I did and what happened. The intent of why these instructions, these commands, 29 of them, were left undocumented will never be known. My guess is it's just because they're not that important, not because they were meant to be super secret and, you know, allow something to be done. Okay, so here's what we know. And this is from BleepingComputer's updated coverage after they toned down the language and backed away from the use of the term backdoor, which was the right thing to do. They said: "The ubiquitous ESP32 microchip, made by Chinese manufacturer Espressif and used by over a billion units as of 2023, contains undocumented commands that could be leveraged for attacks. The undocumented commands allow spoofing of trusted devices," okay, and I'll get back to that later, "unauthorized data access," maybe, "pivoting to other devices on the network," that's a variation of the first case, "and potentially establishing long-term presence." Okay, because it has flash RAM.
This was discovered by two Spanish researchers with a security firm, Tarlogic, who presented their findings at RootedCON in Madrid. This was last week. A Tarlogic announcement shared with BleepingComputer reads, quote, "Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables Wi-Fi and Bluetooth connection and is present in millions of mass-market IoT devices." Okay, so that's where everyone got the idea that there was a backdoor, right? The big, you know, the firm themselves, the discoverers of this, clearly labeled it a backdoor in their presentation. They said, "Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls." Okay, okay, again, we'll come back to that. But the researchers warned, wrote BleepingComputer, that ESP32 is one of the world's most widely used chips for Wi-Fi and Bluetooth connectivity in Internet of Things (IoT) devices, so the risk is significant. In their RootedCON presentation, the Tarlogic researchers explained that interest in Bluetooth security research has waned, but not because the protocol or its implementation has become more secure. Instead, most attacks presented last year did not have working tools, did not work with generic hardware, and used outdated or unmaintained tools largely incompatible with modern systems. Now, I should explain that they're taking this position because that's the thing that they created. What they actually did was create a new set of tools which are modern, which are multi-platform, and which offer the ability to explore Bluetooth connectivity. So their main thing was that they're solving the problem for researchers, and then they used it to do some research. And that's what led them to this discovery, they said.
"Tarlogic first developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform. This provided direct access to the hardware without relying on OS-specific APIs. Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands, Opcode 3F," ooh, "in the ESP32 Bluetooth firmware that allowed low-level control over Bluetooth functions." Now again, BleepingComputer got it exactly right. Armed with this new tool, which was written in C, which was a hardware-level driver that did not rely on OS-specific APIs, so it was direct to the hardware, they discovered Opcode 3F in the ESP32 Bluetooth firmware that allowed low-level control over Bluetooth functions. So, oh, and Ghidra was also involved, the famous NSA-sponsored reverse engineering tool that helps to reverse engineer firmware. So they were looking at the firmware in the ESP32 and had a tool that let them poke at the hardware. BleepingComputer said, "In total, they found 29 undocumented hardware commands, collectively characterized as a 'backdoor.'" And now BleepingComputer has that in quotes.
Leo Laporte
Oh good.
Steve Gibson
That could... that, yeah, "that could be used for memory manipulation to read or write RAM and flash, MAC address spoofing for device impersonation, and packet injection. Espressif has not publicly documented these commands, so either they are not meant to be accessible or they were left in by mistake." I think the third... there's a third option. They didn't think it was necessary. They're not all-powerful Oz commands; they just actually don't matter. You don't need them. So they didn't bother mentioning them.
Leo Laporte
Right, Right. They're there for their internal use.
Steve Gibson
Well, no, they're actually there. Okay. Okay. So they're there. Okay, go ahead.
Leo Laporte
Yeah, sorry. I'll shut up.
Steve Gibson
So. So they have... we have a CVE issued, CVE-2025-27840. So BleepingComputer said, "The risks enabled by these commands include malicious implementations on the OEM level and supply chain attacks. Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the commands might be possible via malicious firmware or rogue Bluetooth connections." Well, not rogue Bluetooth connections. And if you've got malicious firmware, then you're already on the device with malicious firmware, so who cares? They said, "This is especially the case if an attacker already has root access," again, if you already have root access, you're already on the device, "planted malware, or pushed a malicious update on the device," again, already on the device, "that opens up low-level access. In general though, physical access to the device's USB or UART interface would be far riskier and a more realistic scenario." Actually, it's the only possible scenario. The researchers explained, "In a context where you can compromise an IoT device with an ESP32, you will be able to conceal an advanced persistent threat inside the ESP memory and perform Bluetooth or Wi-Fi attacks against other devices," yeah, rogue device, "while controlling the device over Wi-Fi or Bluetooth." Sure, if you're using your own firmware on your rogue device. "Our findings would allow the full takeover of ESP32 chips and the gaining of persistence in the chip via commands that allow for RAM or flash modification." Okay, sure. "Also, with persistence in the chip, it may be possible to spread to other devices because ESP32 allows for the execution of advanced Bluetooth attacks." You would need those other devices to be vulnerable, and no one says they are. Okay, so BleepingComputer said that they had contacted Espressif for a statement on the researchers' findings, but they had not received any comment. And I think that's because the Chinese people said, what? Who cares? Yeah.
Okay, so next we need to look at what the researchers have explained about their own technology. I've edited it down somewhat to remove the market speak and the redundancy. They said the ESP 30. Now, you know, I'm going to skip this because it turns out it doesn't matter, bottom line. The rest of their posting talks about the broader scope of their mission, which is to create a platform to support Bluetooth security audits, which is certainly a very worthwhile endeavor. So what have we got here? Okay, the Bluetooth HCI. HCI defines the boundary between... and I should have said that. What they talk about in their presentation is this: oh, we found undocumented commands in the Bluetooth HCI. Over and over and over. They say that that defines the boundary between the host processor and the Bluetooth hardware controller. That's what that is. HCI is the abbreviation for host controller interface, and the jargon has become standardized. Our listeners will have often heard me talking about adding AHCI support to SpinRite 6.1. AHCI is the advanced host controller interface that was created to manage SATA-connected mass storage devices. So HCI, host controller interface, is a generic reference describing the hardware boundary, the register set, between a peripheral device and its processor. The processor talks to the peripheral by writing into these registers. So the Spanish security group designed and developed a technology, created a new capability, that will allow them to audit the operation of Bluetooth registers in devices. And what did they discover? They discovered that by far the most widely used microprocessor that lives at the heart of by far most IoT devices contains an array of undocumented HCI register commands that they implied could be received over the chip's Bluetooth radio, but it can't. I deliberately chose to use the word undocumented because it's less freighted with intent than the word secret.
I have a picture in the show notes of these commands from their slide, which they presented in Spain. It was conducted in Spanish and the slide set is all Spanish except, as we often see in code, English appears, you know, in code snippets. But staring at the portions of their 46-slide deck, you know, those portions that were understandable to me in English, and also chunks of reverse-engineered and disassembled code, I began to get the sneaking suspicion that while these commands might indeed be undocumented HCI commands which would be executed by Bluetooth hardware, it wasn't clear to me that they were remotely accessible. The researchers appeared to be running their own code on the ESP32 hardware and also reverse engineering pieces of its firmware. Nowhere did they ever talk about remotely connecting to a generic ESP32 and executing an attack. Since in this era of helpful AI you can do translation now, I uploaded the Spanish slide deck to ChatGPT's latest 4.5 model, which was overkill, and asked for a translation into English. It did a beautiful job for me and my suspicions were confirmed. Now I could read the entire slide deck, beautifully translated. The Tarlogic posting ended by writing, over the coming weeks we will publish further technical details on this matter. It may be that they have more than they're saying, but I don't think so. The only thing I believe they've discovered is that the ESP32's Bluetooth HCI controller, the Bluetooth hardware in this Espressif ESP32 chip, contains some commands that are undocumented because documenting them was not important. Discovering that an HCI controller contains a command which the host CPU issues to it that allows the controller to write to main memory could hardly be considered earth shattering. The host which issues the command is just as able to write to main memory if it wants to.
So, big deal, if an unauthorized external Bluetooth radio were able to issue such a command remotely to an ESP32-based device, while presumably providing the data to be written into the system's main memory, and if this discovery existed in more than a billion of the devices we're all using, well then that would indeed be the end of the world as we know it. But the world is still here, and I haven't seen any evidence of that capability in their presentation. I just really think they have made a big mountain out of a little tiny molehill. And in fact it now seems clear that this amounts to host-side access to an HCI controller, and that the threat that this poses is more like a mouse hole than a backdoor.
Leo Laporte
You have a convenient illustration of what that just might look at. Did you generate this with AI?
Steve Gibson
I think you did.
Leo Laporte
I think you did.
Steve Gibson
I did indeed.
Leo Laporte
It's very good. It's cute.
Steve Gibson
BleepingComputer noted that Espressif, the creator of more than a billion of these amazing little chips, had not replied to their inquiry. That's likely because they also know that this is nothing. At one point in the presentation, the security researcher mentioned cloning another device's MAC address. Whoopee doo. Sure enough, one of the 29 undocumented commands was change MAC address. Well, that's got to be there somewhere because you're obviously able to set the MAC address of the device when it comes out of the assembly line. You know, that's certainly neither a backdoor nor big news. So anyway, I'm strongly inclined to come away from all this with a conclusion exactly as you did, Leo. It's what you sniffed from the beginning, that there's really not much here. It made some attention-grabbing headline news. But nothing I have seen has suggested that the ESP chip is not still completely secure from external attack. You know, they talk about being able to establish persistence, but if you're running code in a flash-enabled chip, persistence is not difficult to obtain. So you know, among the undocumented commands is write to flash, but I'm sure you can write to flash from the native instruction set of the chip. So who cares if the hardware Bluetooth controller can also do it. It just doesn't. It just seems crazy to me. Maybe something more will be revealed in the future. It seems unlikely because they would have gone for it in their main security presentation. I think they just found, oh my God, some undocumented commands in the hardware of the chip. Who cares? Doesn't look like they're.
Leo Laporte
And most importantly that you need hardware access to the chip to get to them.
Steve Gibson
Yeah, they're registers. The registers on the blue chip controller. That's the Bluetooth controller. That's all they found, registers on the Bluetooth controller.
Leo Laporte
There's a whole category of hair on fire attacks that require somebody sitting down at the device. This one is even more ridiculous because you have to actually connect something to the device so that you can write to it and so forth. But I even think that hardware attacks that require somebody on your machine really don't deserve the attention they often get. They should be fixed, of course, because if somebody's on your machine, all bets are off anyway by that time. It doesn't matter what. Right, they're in. Yeah, this is. Yeah, so I kind of got that. It's just, I mean they should have been documented, I guess. Right? They're just development tools.
Steve Gibson
Yeah, I don't even see any reason to document them. They are not necessary for programming Bluetooth. They're useful for managing the chips' deployment, like setting the MAC address so that they all have different MAC addresses.
Leo Laporte
Right.
Steve Gibson
And you know, whoopee doo. So we discovered how they did that.
Leo Laporte
Pretty much every chip where you can change your MAC address will do this, right?
Steve Gibson
Yes, yes.
Leo Laporte
If it's got Flash, you're going to be able to write to it. Yeah, I think.
Steve Gibson
Oh, gee. Persistence. Well, that's what flash is for. Persistence.
Leo Laporte
Why would it have flash otherwise?
Steve Gibson
Right, right.
Leo Laporte
Okay.
Steve Gibson
So mostly this is a case of the press picking up a headline from a conference and saying, oh, my God, you know, ESP32. More than a billion devices. And these guys say it has a backdoor, and it's in Spanish, so not really sure what they said.
Leo Laporte
Well, and it's a great thing in putting the headline used by a billion devices. That's always a good bit of link. But it did get a CVE number. But that's not a big deal to get a CVE number.
Steve Gibson
No. And you're able to just request one. And the CVE, when you look it up, and I did, under NIST, it says undocumented functions.
Leo Laporte
Right.
Steve Gibson
That's what the CVE is. It's like, oh, boy, we got... Unless... scroll down and you'll see it. That it shows undocumented functions.
Leo Laporte
Yeah.
Steve Gibson
Is the. There.
Leo Laporte
It's maybe a little higher here somewhere.
Steve Gibson
I saw it somewhere.
Leo Laporte
Yeah. So that's important, too, that just because something's in the National Vulnerability Database doesn't buy it itself.
Steve Gibson
Oh, there it is.
Leo Laporte
Hidden function, hidden functionality. That's the CVE name or the CWE name. Yeah. All right, good. Well, I'm reassured.
Steve Gibson
And again, that there... there's... yeah, it can't be that you're able to remotely change the programming of an unsuspecting ESP32 chip, or it would be the end of civilization as we know it.
Leo Laporte
That would be a bad thing.
Steve Gibson
And we're here. We're still here talking. Leo.
Leo Laporte
If you could do it via Bluetooth, that would be a bad thing.
Steve Gibson
That it la. Yeah.
Leo Laporte
I mean, we've talked. This is one of the kind of regular topics on the show about Bluetooth vulnerabilities. There are plenty. Right.
Steve Gibson
Yes. It is a very complex protocol. For the first half of this podcast, nearly 20 years, yeah, they were happening all the time.
Leo Laporte
I remember Bluetooth snarfing.
Steve Gibson
Oh, yeah, it was. And you notice it's sort of slow. It's gone now.
Leo Laporte
We don't hear about it.
Steve Gibson
We got that stuff settled down, you know. Yeah.
Leo Laporte
Steve Gibson is at grc.com. That is a great place to go just to browse. If you've got an afternoon, just go to grc.com. I'll give you a couple of places you want to check. Of course, first place would be to go get SpinRite, the world's finest mass storage maintenance, recovery and performance enhancing utility. Not just for spinning hard drives, for SSDs as well. If you have storage, you need SpinRite. 6.1 is the current version. It's Steve's bread and butter. It's there, you can get it, and there's, you know, it's just, it's a must. But there's a lot of other stuff there. There's, of course, if you want to email Steve, there's a comment page, but really go to grc.com/email and get... all you're doing is getting approved. You're getting whitelisted so you can email Steve. But when you do give him the address, you can see two boxes unchecked. They're opt-in for the regular Security Now weekly newsletter and for a very irregular, from time to time, update on what Steve's doing newsletter, and that is all at grc.com/email. He has the show there as well. Steve has two unique, three unique, four unique. He's got, it's all unique. Everything he's got there is unique. He's got a 16 kilobit version if you have very limited bandwidth. He's got a 64 kilobit version, which used to be the standard, but it's not anymore. We've gone to 128. But he continues. I guess as long as you run an ffmpeg you might as well make a 64 and a 16. He also has the show notes, which are a great thing to have for the links, to read while you're listening, that kind of thing. But even better, a couple of days after the show comes out he'll have a complete human-crafted transcript from Elaine Farris, so you can use it for searching. I think if you're gonna download a show, you should also download the transcript and the show notes so you have the complete set, you know, the full thing. What else is there? There's ShieldsUP!, there's all sorts of free stuff. He's great about that.
He's got just all sorts of wonderful utilities. There's information about vitamins and sleeping and all sorts of things. grc.com. You can also come to our website, twit.tv/sn, for Security Now. And that's where you'll find a copy of the 128 kilobit audio and the video. You can watch Steve's mustache at work, all of that at twit.tv/sn. There's also a link there to the video on YouTube. Great way to share clips. I know a lot of times people listen to the show and say, I've got to tell my boss, my friend, my wife about this. You could do that with the YouTube very easily. You can do clips. Best thing, of course, is to subscribe to the podcast. That way you'll get it automatically the minute we're done. Audio or video available in your favorite podcast client. You can even watch us do this live. I should mention that we do the show right after MacBreak Weekly, Tuesday afternoons, usually around 1:30 to 2pm Pacific. That would be 5pm Eastern Time, 2100 UTC. Now that we're on summertime, 2100 UTC. And the live streams are, if you're in the club, and of course all the best people are in the club, in the Discord. But there's also YouTube, which is open to everyone. Twitch, there's Kick, there's X.com, there's TikTok, there's Facebook, there's LinkedIn. We stream on all those platforms. There are chats from all those platforms. And I see all of the chats, and I have a unified chat interface. Sometimes I mention people's comments, but I'm always reading them. Sometimes I even respond. Steve does not. There was somebody saying, Steve, Steve. And I said, no, Steve's not, he's got, he's busy. He's busy. He's doing a show, my friends. So don't expect Steve to respond. But I will. I will respond if I can. And do join the club. We'd love to have you in the Discord chatting along with us. The club is seven bucks a month. The best benefit, I think, what I'm told, is ad-free versions of all the shows. All the shows.
But there's a lot of other stuff, including special stuff we don't, you know, we don't put out in the public. We just do in the club, that kind of thing. You'll see a lot of activity in the club, not just about the shows, but about everything geeks care about. twit.tv/clubtwit. If you're not yet. Steve, I will see you next Tuesday for another thrilling, gripping edition of Security Now.
Steve Gibson
I'll be right here on March 18th, my friend. See you then.
Leo Laporte
Security now.
Steve Gibson
Check engine light on? Take the guesswork out of your check engine light with O'Reilly VeriScan. It's free.
Leo Laporte
Ask her.
Steve Gibson
O'Reilly VeriScan today. O'Reilly Auto Parts.
Security Now 1016: The Bluetooth Backdoor – Detailed Summary
Released on March 12, 2025, "Security Now" Episode 1016, hosted by Leo Laporte and featuring renowned security expert Steve Gibson, delves into pressing cybersecurity issues, offering insightful discussions and expert analysis.
Overview: Utah has become the first U.S. state to pass the App Store Accountability Act, mandating app store operators like Apple and Google to verify users' ages and require parental consent for minors to download certain apps. This legislation is part of a broader movement across various states aimed at enhancing online safety for children.
Discussion: Gibson and Laporte debate the effectiveness and privacy implications of centralized age verification through app stores. They consider alternatives, emphasizing the need for privacy-preserving methods and parental control over children's online activities.
Overview: A concerning trend has emerged where North Korean operatives are posing as remote employees to infiltrate U.S. companies, primarily targeting IT and programming positions. This tactic not only facilitates financial theft but also poses significant cybersecurity threats.
Discussion: The hosts highlight the sophisticated methods employed by North Korean hackers to exploit remote job markets. They emphasize the importance of recognizing behavioral and technical anomalies during the recruitment process to prevent potential security breaches and data theft.
Overview: Bybit, a prominent cryptocurrency exchange, faced a significant cyberattack resulting in the theft of approximately $1.46 billion in Ethereum tokens. Recent developments indicate that around 20% of the stolen funds are now untraceable.
Discussion: Gibson and Laporte dissect the complexities of tracing and recovering stolen crypto assets. They discuss the challenges posed by mixing services and the implications of such sophisticated attacks on the broader cryptocurrency ecosystem.
Overview: Following the Bybit breach, Safe Wallet implemented immediate security enhancements to prevent future exploits. These measures include updates to their multi-signature solutions and improved transaction verification processes.
Discussion: The conversation underscores the importance of continuous security assessments and the proactive steps taken by companies like Safe Wallet to bolster their defenses against evolving cyber threats.
Overview: Apple is embroiled in a legal dispute with the UK government over data privacy. The UK authorities have demanded access to encrypted user data, prompting Apple to challenge the request in court.
Discussion: Gibson and Laporte explore the delicate balance between national security and individual privacy. They debate the potential implications of forced backdoors in encryption and the broader impact on global privacy standards.
Overview: The episode addresses recent media reports about an alleged backdoor in the ESP32 Bluetooth chip, used in over a billion IoT devices. Gibson provides a critical analysis, questioning the severity and interpretation of these findings.
Discussion: Gibson debunks the sensationalist portrayal of the ESP32 findings, emphasizing the importance of accurate terminology in cybersecurity reporting. They highlight the necessity of distinguishing between technical oversights and genuine security vulnerabilities.
a. Password Manager Breach: The episode touches upon recent breaches in password managers like LastPass, highlighting vulnerabilities that allowed attackers to crack weakly hashed passwords, leading to significant crypto thefts.
b. Ransomware Attack on IoT Devices: Gibson discusses a case where ransomware successfully infiltrated a network by exploiting unsecured IoT devices, underscoring the critical need for network segmentation and robust security practices.
c. Encryption and First Amendment: The hosts reflect on historical encryption battles, drawing parallels between past and present challenges in balancing encryption strength with governmental access demands.
Discussion: These segments reinforce the ongoing struggles in cybersecurity, from the importance of strong encryption to the ever-evolving tactics of cyber adversaries targeting both individuals and organizations.
In this episode of "Security Now," Leo Laporte and Steve Gibson navigate a multitude of cybersecurity topics, from legislative changes in age verification and sophisticated cyberattacks to contentious debates over encryption and privacy. Their expert insights provide listeners with a comprehensive understanding of the current cybersecurity landscape, emphasizing the need for vigilance, robust security measures, and informed discourse on privacy and technological advancements.
Remember: Stay informed, stay secure, and always question the headlines.