Podcast Summary: Security Now 1031: How Salt Typhoon Gets In
Release Date: June 25, 2025
Hosts: Leo Laporte and Steve Gibson
1. Introduction and Episode Overview
The episode kicks off with the hosts, Leo Laporte and Steve Gibson, setting the stage for a comprehensive discussion on pressing security issues in the digital landscape. They outline the primary topics, including the notorious Salt Typhoon cyber espionage group, vulnerabilities in state healthcare portals, advancements in passkey technology, and the ongoing challenges surrounding TikTok's operations.
2. Deep Dive into Salt Typhoon Cyber Attacks
Overview of Salt Typhoon: Salt Typhoon, a highly sophisticated and state-sponsored cyber group from China, has been actively targeting major telecommunications providers globally. Their operations have been particularly impactful in 2024 and early 2025, compromising companies like Verizon, AT&T, T-Mobile, and Digital Realty.
Exploitation of Cisco Vulnerabilities: A critical factor in Salt Typhoon's success has been their exploitation of longstanding vulnerabilities in Cisco's IOS XE software. Notably, CVE-2018-0171, a vulnerability with a CVSS score of 9.8, remained unpatched in numerous Cisco devices for six years, providing an extensive window for exploitation.
Persistent Access and Advanced Techniques: Salt Typhoon demonstrated remarkable persistence, maintaining access within compromised networks for over three years in some cases. They employed advanced techniques such as:
- Configuration Exfiltration: Stealing device configurations to gather sensitive authentication material.
- Infrastructure Pivoting: Moving laterally across networks using compromised devices as gateways.
- Shell Access Modifications: Establishing persistent SSH access through high-numbered ports and modifying authentication settings.
Quotes:
- Steve Gibson ([24:38]): "There's so much inertia."
- Steve Gibson ([34:00]): "It should not be possible to allow any IP to access the management interface. What possible need is there?"
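The techniques above and Steve's complaint about management interfaces reachable from any IP translate into a concrete configuration check. The following is an added example, not code from the episode or from Cisco: a small auditor for IOS-style configuration text that flags a plaintext HTTP management interface, SSH moved to a non-standard port, and vty lines with no (or an any-source) access-class. The two config fragments are constructed for illustration; the command syntax is standard IOS, the addresses and port are made up.

```python
import re

# Constructed IOS-style fragments (not from the episode): the weak shape the hosts describe beside a hardened one.
WEAK_CONFIG = """\
ip http server
ip ssh port 48291 rotary 1
ip access-list standard MGMT
 permit any
line vty 0 4
 access-class MGMT in
 transport input ssh
"""
HARDENED_CONFIG = """\
no ip http server
ip access-list standard MGMT
 permit 10.20.0.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

def audit_mgmt_plane(config):
    """Return management-plane weaknesses found in an IOS-style config text."""
    findings, acls, vty_acl, section = [], {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends any sub-mode block
            section = None
        if line == "ip http server":
            findings.append("plaintext HTTP management interface enabled")
        m = re.match(r"ip ssh port (\d+) rotary", line)
        if m and int(m.group(1)) != 22:
            findings.append(f"SSH listening on non-standard port {m.group(1)}")
        m = re.match(r"ip access-list standard (\S+)", line)
        if m:
            section, acls[m.group(1)] = m.group(1), []  # start collecting this ACL's permits
        elif line.startswith("line vty"):
            section = "vty"
        elif section == "vty" and line.startswith("access-class"):
            vty_acl = line.split()[1]  # ACL that filters who may reach the vty lines
        elif section and section != "vty" and line.startswith("permit"):
            acls[section].append(line.split()[1])  # permitted source (address or "any")
    if vty_acl is None:
        findings.append("vty lines have no access-class: any IP may reach the management interface")
    elif vty_acl not in acls:
        findings.append(f"vty access-class {vty_acl} references an ACL that is not defined")
    elif "any" in acls[vty_acl]:
        findings.append(f"vty access-class {vty_acl} permits any source")
    return findings
```

The checks are heuristics over plain text, not a full IOS parser; they are meant to be run over exported configs as part of a periodic review, since the episode's point is that the devices themselves sat unpatched for years.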
3. State Healthcare Portals and Data Leakage
Findings by The Markup: Recent investigations by The Markup revealed alarming privacy breaches within state-run healthcare websites established under the Affordable Care Act. Sensitive health information, including prescription drug names, dosages, and personal details, was inadvertently shared with major tech companies like Google, LinkedIn, and Snapchat.
Affected States: The most affected states included:
- California: 63 trackers
- Nevada: 49 trackers
- Maryland: 31 trackers
- Massachusetts: 28 trackers
- Rhode Island and Maine: 10 trackers each
Responses from State Exchanges: Upon discovery, several states promptly disabled the offending trackers, though Steve Gibson questioned one state's explanation:
- Steve Gibson ([49:46]): "So if this spokesperson in Massachusetts believes what he's saying about no IP addresses, he just may not understand how trackers operate."
Legal and Ethical Implications: These breaches have sparked class-action lawsuits and heightened scrutiny from federal lawmakers, raising serious concerns about HIPAA compliance and the ethical use of web trackers on platforms handling sensitive data.
Quotes:
- Steve Gibson ([50:48]): "Showed that kind of request for patches was more of the annoyance than anything, but they have a legal obligation to maintain security and integrity."
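The leakage The Markup describes (drug names and dosages reaching Google, LinkedIn and Snapchat via trackers) can be checked for from the client side by replaying a capture of the requests a page makes. The following is an added example, not code from the episode or from The Markup: it walks a constructed HAR-like list of requests for a hypothetical exchange at `exchange.example.gov`, skips first-party hosts, and reports any third-party request whose query string or body contains a value the user typed into the form. Hostnames, URLs and the sample values are all made up.

```python
from urllib.parse import urlsplit, unquote

# Constructed capture (not from The Markup's study): a visit to a hypothetical state exchange
# whose drug-entry step fires tracker beacons. Values typed into the form are listed so the
# audit can look for them in outbound third-party traffic.
SENSITIVE_VALUES = {"prescription": "lisinopril", "dosage": "10mg"}

CAPTURE = [
    {"url": "https://exchange.example.gov/plans?step=drugs", "body": ""},
    {"url": "https://www.google-analytics.com/collect?v=1&dp=%2Fplans"
            "&dl=https%3A%2F%2Fexchange.example.gov%2Fplans%3Fdrug%3Dlisinopril", "body": ""},
    {"url": "https://px.ads.linkedin.com/collect?pid=123",
     "body": "event=DrugEntered&drug=lisinopril&dose=10mg"},
    {"url": "https://cdn.example.gov/static/app.js", "body": ""},
]

def registrable(host):
    # Naive eTLD+1 (last two labels); adequate for the constructed sample, not for real-world suffixes.
    return ".".join(host.split(".")[-2:])

def find_leaks(capture, first_party, sensitive):
    """Return (host, [field names]) for each third-party request carrying a sensitive value."""
    leaks = []
    for req in capture:
        parts = urlsplit(req["url"])
        if registrable(parts.hostname) == first_party:
            continue  # first-party traffic is expected to see the data
        # Beacons carry data in the query string, the body, or nested inside an
        # encoded page URL (the dl= parameter above), so decode twice before matching.
        payload = unquote(unquote(parts.query + "&" + req.get("body", ""))).lower()
        hit = [name for name, value in sensitive.items() if value.lower() in payload]
        if hit:
            leaks.append((parts.hostname, sorted(hit)))
    return leaks
```

Note that the client IP address is not a field this check can see: every third-party request discloses it to the receiving host by construction, which is the point Steve makes about the Massachusetts spokesperson's claim.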
4. Advancements in Passkey Technology
Apple's Adoption of FIDO Passkeys: Apple announced significant strides in passkey technology during the Worldwide Developer Conference. The new feature allows seamless and secure import and export of passkeys across different platforms, addressing previous limitations that bound passkeys to specific ecosystems.
Industry-Wide Implications: Passkeys, part of the FIDO Alliance's initiatives, represent a shift towards eliminating traditional passwords, enhancing security against phishing and credential theft. Apple’s move is expected to encourage broader adoption across other tech giants.
Facebook's Integration of Passkeys: Following Apple, Facebook also committed to integrating passkey login options, further solidifying the transition towards passwordless authentication methods.
Quotes:
- Steve Gibson ([68:21]): "That is super welcome news."
- Leo Laporte ([70:35]): "It's the only thing that really bugged me. I can't remember what it was."
5. Ongoing Challenges with TikTok
Extended Ban Discussions: Despite repeated extensions, the possibility of banning TikTok in the U.S. remains contentious. Efforts to negotiate a sale to a U.S. consortium have stalled, with political and diplomatic tensions influencing outcomes.
Security Concerns: The primary concern revolves around TikTok's potential as a conduit for Chinese influence and data access, posing national security risks. Discussions highlighted the difficulty in restricting access without hindering legitimate user engagement.
Quotes:
- Steve Gibson ([75:20]): "Because that's what's being explicitly allowed whenever unfiltered remote access is enabled."
- Leo Laporte ([76:12]): "They have a huge social media platform in the U.S., huge influence operation."
6. AI and the Nature of Intelligence
Steve's Interaction with ChatGPT: Steve Gibson recounts an interaction with the latest ChatGPT model, where he inquired about establishing TLS 1.3 connections using Windows 10's native APIs. The AI provided a detailed and accurate response, clarifying longstanding confusions about TLS support in Windows 10 versus Windows 11.
Philosophical Insights on AI: The discussion delves into the distinction between AI as a linguistic simulator and true intelligent entities. Steve posits that while AI can mimic intelligent conversation convincingly, it lacks genuine understanding or consciousness.
Quotes:
- Steve Gibson ([105:23]): "I think it's going to give cognitive scientists an entire new realm to explore."
- Steve Gibson ([120:42]): "Simulated intelligence solves this problem of, you know, well, is it an artificial intelligence?"
7. Austria's Plan to Monitor Secure Messaging
New Legislative Measures: Austria's coalition government has agreed to implement a system allowing police to monitor secure messaging platforms like WhatsApp. This move aims to prevent militant attacks but raises significant privacy and mass surveillance concerns.
Implementation Details: Under the new framework, monitoring requires approval from a three-judge panel and is limited to 25-30 individuals per year. Exceeding this number mandates reporting to a parliamentary committee, attempting to balance security needs with privacy rights.
Quotes:
- Steve Gibson ([95:10]): "It's like turn on process. They mean a purchasing process."
8. Microsoft’s Initiative to Remove Legacy Drivers
Driver Cleanup Efforts: Microsoft announced a strategic initiative to remove legacy and potentially insecure drivers from Windows Update. This proactive measure aims to enhance security by ensuring only up-to-date and necessary drivers are available, reducing vulnerabilities exploited by cyber threats like Salt Typhoon.
Potential Impacts: While the cleanup is intended to bolster security, concerns were raised about legacy hardware that may become unsupported, leading to compatibility issues for organizations relying on outdated equipment.
Quotes:
- Steve Gibson ([86:44]): "As a consequence, we can’t rely on it [current maintenance model]."
9. Conclusion and Final Thoughts
Steve Gibson emphasizes the critical failures in the current cybersecurity framework, particularly highlighting the challenges posed by legacy systems and the inertia in updating crucial infrastructure. He advocates for a paradigm shift towards deploying inherently secure hardware free from exploitable vulnerabilities from the outset.
Final Reflections: The hosts reiterate the importance of vigilance, proactive security measures, and the role of public awareness in combating sophisticated cyber threats. They also acknowledge the advancements in authentication technologies as a positive step towards enhancing digital security.
Quotes:
- Steve Gibson ([174:05]): "I'm a fan because the technology is so simple and it offers so much leverage."
- Leo Laporte ([174:34]): "Steve, you've done it again. You've raised awareness."
Key Takeaways
- Salt Typhoon's Exploits: Highlighting the dangers of unpatched vulnerabilities in critical infrastructure, especially within telecommunications.
- Data Privacy Concerns: State healthcare portals inadvertently leaking sensitive health information underscore the need for stringent data protection measures.
- Move Towards Passwordless Authentication: Adoption of passkeys by major tech companies signifies a shift towards more secure and user-friendly authentication methods.
- AI's Dual Role: While AI offers significant advancements and efficiencies, it also presents new challenges in security and ethical considerations.
- Regulatory Measures: Austria's legislative efforts reflect the ongoing tension between national security and individual privacy rights.
Recommendations for Listeners
- Stay Informed: Regularly update and patch all network devices to mitigate vulnerabilities.
- Evaluate Data Sharing Practices: Ensure that state-run and organizational websites do not inadvertently share sensitive user data with third parties.
- Adopt Advanced Authentication: Transition to passkey-based authentication systems to enhance security and user experience.
- Advocate for Better Policies: Support initiatives and policies that prioritize cybersecurity and data privacy at all organizational levels.
By meticulously examining the intricate web of cyber threats and the evolving landscape of digital security, this episode of Security Now equips listeners with the knowledge to navigate and safeguard their digital environments effectively.