Security Now 1022: The Windows Sandbox — Detailed Summary
Release Date: April 23, 2025
Hosts: Leo Laporte & Steve Gibson
Podcast: All TWiT.tv Shows (Audio) by TWiT
1. Introduction
Leo Laporte kicks off the episode by teasing a range of security topics, including enabling Firefox tab grouping, updates on MITRE's CVE program, the introduction of short-lived certificates by the CA Browser Forum, and the rediscovery of a valuable Windows feature: the Windows Sandbox.
2. Enabling Firefox Tab Grouping
Timestamp: 17:46
Steve Gibson introduces listeners to the newly enabled Firefox tab grouping feature in Firefox version 137. Although present in the browser, the feature was disabled by default. Steve provides a step-by-step guide on how to activate it:
- Accessing about:config:
  - Type about:config in the Firefox address bar.
  - Search for tab groups.
- Enabling the Feature:
  - Set browser.tabs.groups.enabled to true.
  - Similarly, enable browser.tabs.groups.smart.enabled.
Notable Quote:
Steve Gibson [18:21]: "It's in the about:config... the code is already there in everybody's Firefox 137 and later."
3. CVE Program Funding Crisis and the Launch of the CVE Foundation
Timestamp: 07:46 - 36:43
Steve discusses a potential shutdown of MITRE's Common Vulnerabilities and Exposures (CVE) program due to funding lapses. The CVE program is critical for tracking and managing cybersecurity vulnerabilities globally. Fortunately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) intervened by securing an 11-month funding extension, averting an immediate crisis.
In response to the uncertainty and to ensure long-term sustainability, CVE Board members established the CVE Foundation. This nonprofit aims to maintain the program's independence from single government funding sources, promoting neutrality and global trust.
Notable Quote:
Steve Gibson [30:37]: "Kent Landfield, an officer of the foundation, said 'CVE is a cornerstone of the global cybersecurity ecosystem. It is too important to be vulnerable itself.'"
4. CA Browser Forum's Approval of Short-Lived Certificates
Timestamp: 36:43 - 103:49
The CA Browser Forum has voted to shorten the maximum lifetime of TLS/SSL certificates from the current ~398 days to 200 days by March 2027, with a final reduction to 47 days thereafter. Steve expresses frustration over this decision, questioning its necessity and the lack of clear benefits compared to existing certificate revocation mechanisms like browser-side certificate revocation lists (CRLs) and Bloom filters.
He highlights the increased administrative burden this change imposes, especially for organizations managing numerous certificates manually. Steve anticipates potential fractures in the Public Key Infrastructure (PKI) as some entities might opt to become their own certificate authorities to circumvent these restrictions.
Notable Quote:
Steve Gibson [36:43]: "It's brain dead, but it's what we're going to have."
5. Crosswalk Buttons Hacked in Silicon Valley
Timestamp: 111:35 - 116:37
A curious incident in Silicon Valley involves hackers manipulating audio-enabled crosswalk buttons to imitate the voices of tech giants like Elon Musk and Mark Zuckerberg. The breach exploited default PIN codes (1234), underscoring the vulnerabilities in Internet of Things (IoT) devices when default security settings aren't changed.
Participants speculate that whoever installed the devices neglected to change the default passwords, a common oversight in device security management.
Notable Quote:
Steve Gibson [111:37]: "They have to change the password so they can log into it and set it up. Whoever did that said, 'I'll get around to it later.'"
6. Multi-Factor Authentication Challenges and Rapid7’s Findings
Timestamp: 66:34 - 170:34
Steve delves into the critical role of Multi-Factor Authentication (MFA) in combating security threats like password spray attacks. Referencing a report by Rapid7, he highlights how MFA is essential in preventing unauthorized access:
- Password Spray Attacks: Rapid7 observed over a million unauthorized login attempts, primarily targeting accounts without MFA.
- Geographical Distribution: 70% of these attacks originated from Brazil, followed by Venezuela, Turkey, Russia, Argentina, and Mexico.
- Best Practices: Steve emphasizes implementing conditional access policies, ensuring applications don't store credentials insecurely, and regularly auditing user accounts.
Notable Quote:
Steve Gibson [66:34]: "Passkeys is a... is that absolutely."
7. Oracle Cloud Data Breach and CISA Alerts
Timestamp: 43:03 - 125:47
CISA released guidance on potential credential risks associated with a legacy Oracle Cloud compromise. The advisory cautions organizations about the possible unauthorized access to systems due to exposed credentials, urging immediate actions like password resets and enforcing MFA.
Steve criticizes Oracle for its lack of transparency and questions the company's security culture, suggesting that such oversights could erode trust in critical infrastructure providers.
Notable Quote:
Steve Gibson [43:03]: "CISA's alert, published last Wednesday, was titled 'CISA Releases Guidance on Credential Risks Associated with Potential Legacy Oracle Cloud Compromise.'"
8. Rapid7 on Password Spray Attacks and MFA Importance
Timestamp: 75:48 - 173:06
Building on the MFA discussion, Steve analyzes Rapid7's findings on the increasing sophistication of password spray attacks. He underscores the necessity of robust MFA implementations and intelligent authentication strategies to fend off these pervasive threats.
Notable Quote:
Steve Gibson [75:48]: "Imagine a scenario where your network is under fire from a worryingly high number of brute force attempts... You don't want to be that kind of victim."
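The pattern Rapid7 describes in sections 6 and 8, many accounts probed from one source with a few passwords each, is distinguishable from ordinary brute force by the number of distinct usernames a single source touches. The following PowerShell is an added example written for this summary, not code from the episode or from Rapid7's report. It runs over constructed records shaped like the fields of Windows Security event 4625 (failed logon); the threshold values and the source addresses are assumptions, and a real deployment would feed it Get-WinEvent output instead.

```powershell
# Added example (not from the episode or Rapid7): flag password-spray patterns
# in failed-logon records. A spray is one source failing against many distinct
# accounts in a short window, so that is what we count, per source address.

# Constructed sample records in the shape of Security event 4625 fields.
# 203.0.113.10 walks six different accounts in under five minutes (spray);
# 198.51.100.7 hammers one account (brute force, not a spray);
# 192.0.2.5 is a single successful logon and is ignored.
$sampleLogons = @(
    [pscustomobject]@{ Time = '2025-04-23T09:00:01'; User = 'alice';  SourceIp = '203.0.113.10'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:00:40'; User = 'bob';    SourceIp = '203.0.113.10'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:01:15'; User = 'carol';  SourceIp = '203.0.113.10'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:02:03'; User = 'dave';   SourceIp = '203.0.113.10'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:03:22'; User = 'erin';   SourceIp = '203.0.113.10'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:04:10'; User = 'frank';  SourceIp = '203.0.113.10'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:00:05'; User = 'bob';    SourceIp = '198.51.100.7'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:00:09'; User = 'bob';    SourceIp = '198.51.100.7'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:00:14'; User = 'bob';    SourceIp = '198.51.100.7'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:00:20'; User = 'bob';    SourceIp = '198.51.100.7'; Status = 'Failed'  }
    [pscustomobject]@{ Time = '2025-04-23T09:05:00'; User = 'alice';  SourceIp = '192.0.2.5';    Status = 'Success' }
)

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $MinDistinctUsers = 5,   # assumed threshold: distinct accounts per source
        [int] $WindowMinutes   = 10    # assumed threshold: span of the failures
    )
    $Records |
        Where-Object { $_.Status -eq 'Failed' } |
        Group-Object -Property SourceIp |
        ForEach-Object {
            # Order the source's failures by time so the window is first..last.
            $events = @($_.Group | Sort-Object { [datetime]$_.Time })
            $first  = [datetime]$events[0].Time
            $last   = [datetime]$events[-1].Time
            $users  = @($events | Select-Object -ExpandProperty User | Sort-Object -Unique)
            $span   = ($last - $first).TotalMinutes
            if ($users.Count -ge $MinDistinctUsers -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp      = $_.Name
                    DistinctUsers = $users.Count
                    Attempts      = $events.Count
                    SpanMinutes   = [math]::Round($span, 1)
                    Accounts      = ($users -join ',')
                }
            }
        }
}

# Usage: only 203.0.113.10 is reported; 198.51.100.7 fails one account repeatedly
# and never reaches the distinct-user threshold.
Find-PasswordSpray -Records $sampleLogons | Format-Table -AutoSize
```

The accounts listed in the output are the ones to check first for missing MFA or weak conditional-access coverage, since a spray only succeeds where a password alone is enough to sign in.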
9. Windows Sandbox Feature in Windows 10 and 11
Timestamp: 134:28 - 173:22
The highlight of the episode is the introduction and detailed exploration of the Windows Sandbox, a built-in feature in Windows 10 and 11 (excluding Home editions) designed for secure experimentation:
- Activation: Enabled via the "Turn Windows features on or off" dialog by checking the "Windows Sandbox" option.
- Functionality: Provides an isolated, disposable environment where users can run untrusted applications without impacting the host system. Upon closure, all activities within the Sandbox are permanently discarded.
- Efficiency: Utilizes a dynamic base image and integrated scheduler for rapid launch times and minimal resource consumption compared to traditional virtual machines.
- Use Cases: Ideal for testing software, exploring suspicious files, and accessing risky web content safely.
Steve praises Microsoft for implementing this feature efficiently, likening it to running a separate instance of Windows as a lightweight application.
Notable Quote:
Steve Gibson [134:28]: "Often ignored or unknown to most users of Windows 10 and 11, but probably of tremendous value... is a ready to use extremely robust virtual machine based full security sandbox inside of which Windows users can perform any experiments they may wish."
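Beyond the checkbox in "Turn Windows features on or off", the Sandbox can be enabled from PowerShell and launched with a configuration file that restricts what the disposable instance can reach. The script below is an added example for this summary, not code from the episode or from Microsoft; the quarantine folder path, the memory size and the file locations are assumptions. It requires a Pro, Enterprise or Education edition with virtualization enabled in firmware, an elevated PowerShell, and a reboot after enabling the feature.

```powershell
# Added example (not from the episode): enable Windows Sandbox and write a
# locked-down .wsb configuration for examining an untrusted file.
# Run elevated on Windows 10/11 Pro, Enterprise or Education.

# 1. Enable the optional feature. A reboot is needed before first use.
Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart

# 2. Write a sandbox configuration. The host folder (assumed path) holds the
#    file under test and is mapped read-only so the sandbox cannot alter the
#    original; networking is disabled so anything that runs cannot call out;
#    clipboard redirection is disabled so host data cannot be pasted in;
#    ProtectedClient runs the session with tighter isolation; vGPU is off
#    to reduce the shared surface between host and guest.
$hostFolder = 'C:\Quarantine'                           # assumed path on the host
$wsbPath    = "$env:USERPROFILE\Desktop\Quarantine.wsb" # assumed location for the config

$config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <SandboxFolder>C:\Quarantine</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Quarantine</Command>
  </LogonCommand>
</Configuration>
"@

New-Item -ItemType Directory -Path $hostFolder -Force | Out-Null
Set-Content -Path $wsbPath -Value $config -Encoding UTF8

# 3. Launch the configured sandbox (same as double-clicking the .wsb file).
#    Everything done inside it is discarded when the window is closed.
Invoke-Item $wsbPath
```

Copy the file to be examined into C:\Quarantine on the host before launching; inside the sandbox it appears under the same path but cannot be modified, and because the only way out is closing the window, nothing it writes survives the session. Re-enable networking in the file only when the test actually needs it.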
10. Ransomware Payments and Insurance Impact
Timestamp: 125:47 - 173:06
A study from the Netherlands reveals that companies insured against cyberattacks tend to pay higher ransoms (2.8 times) compared to uninsured counterparts. Cybercriminals exploit this by targeting insured organizations, knowing they can command larger payouts. The research emphasizes the importance of robust backup systems to mitigate the necessity of paying ransoms.
Notable Quote:
Steve Gibson [125:47]: "Ransomware victims who are insured against the cost of cybercrime incidents pay on average 2.8 times larger ransoms than those who are uninsured because the bad guys know this."
11. Conclusion
Steve wraps up the episode by reiterating the significance of the Windows Sandbox for enhancing security practices. He anticipates future discussions on how malware might exploit such sandbox environments but remains optimistic about the feature's robustness. Leo encourages listeners to explore the Sandbox feature to bolster their system's security.
Notable Quote:
Steve Gibson [169:32]: "We may see some fracturing of the public key infrastructure because it's been made too hard to use because of what amounts to a special interest group...want to have super short life certificates."
Key Takeaways
- Firefox Enhancements: Users can now enable advanced tab grouping in Firefox 137 through about:config.
- CVE Program's Future: The establishment of the CVE Foundation aims to secure the program's independence amidst funding uncertainties.
- Certificate Lifetimes: The CA Browser Forum's decision to shorten certificate lifetimes poses challenges for organizations relying on PKI.
- IoT Vulnerabilities: The Silicon Valley crosswalk hack underscores the importance of securing IoT devices beyond default configurations.
- MFA is Crucial: Implementing robust MFA is essential in defending against sophisticated credential-based attacks.
- Windows Sandbox: An invaluable tool for secure experimentation, offering a lightweight and isolated environment within Windows 10 and 11.
- Ransomware Dynamics: Insurance can inadvertently increase ransom demands; robust backups are vital in preventing payments.
This comprehensive summary encapsulates the key discussions, insights, and conclusions from "Security Now" Episode 1022, providing listeners with a clear understanding of the topics covered even if they haven't tuned in.