SS-NEWS-154 - Salt Typhoon and MS MFA Brute Forcing

Episode 154 December 16, 2024 00:42:46
Security Serengeti

Show Notes

This week we discuss Salt Typhoon and the terrible idea of backdoors (and I misremember the backdoor discussion in 2008 - encryption vs. telcos!) and the Microsoft MFA brute forcing.

Article 1 - Salt Typhoon forces FCC's hand on making telcos secure their networks
Supporting Articles:
China's Salt Typhoon recorded top American officials' calls, says White House
US alleges China hacked calls of 'very senior' political figures, official says
US lawmakers seek answers on alleged Salt Typhoon breach of telecom giants
Wyden legislation would mandate FCC cybersecurity rules for telecoms
Wiretap Telecom

Article 2 - Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!


Episode Transcript


Transcript is AI generated and contains errors. [00:00:00] Welcome to Security Serengeti. We're your hosts, David and Matthew. Stop what you're doing and subscribe to our podcast. Leave us an awesome five star review and follow us at SerengetiSec on Twitter. 
 Matthew: We're here to talk about cybersecurity and technology news headlines and hopefully provide some insight, analysis, and practical application that you can take into the office to help protect your organization. 
 David: The views and opinions expressed in this podcast are ours and ours alone. Do not reflect the views or opinions of our employers. 
 Matthew: What is a Salt Typhoon? 
 David: Sounds like something from the Urban Dictionary. 
 Matthew: You look it up. Tell me what it is. 
 David: No, you look it up. 
 Matthew: Not getting that in my search history. Actually, I did check this before we started, and Salt Typhoon is not in Urban Dictionary. Wouldn't surprise me if it was somebody, some, some clever, clever individual added it, and it has something to do with telcos. 
 David: [00:01:00] Well, just imagine the definition of typhoon, but saltier. 
 Matthew: Right. Aren't typhoons kind of by definition salty? They happen over the ocean. I guess the rain is not salty, but the, the, the you know, we're going too deep to go 
 deep. For our first article today, we're talking about Salt Typhoon because everybody in the world is, and we are forced to follow suit. That's what it says in the contract. Salt Typhoon forces FCC's hand on making telcos secure their networks. And this is one of, I mean, we could have picked any number of like 20 different articles about this. 
 They all say much the same thing. This one's from The Register. 
 David: And there's a half dozen links in the show notes. 
 Matthew: Yes, there are many, many links in there that I may or may not copy into the show notes. I mean, of course I will. 
 David: You will do as you're told, mister. 
 Matthew: It's in the contract. So, all I can think is, oh no, the leopards are eating their face. To the surprise of no one other than the bureaucrats, the backdoors that the government forced telecom operators to add into their networks have been taken advantage of by [00:02:00] malicious attackers. 
 David: Yeah, you have to love the way that they downplayed the fact that their wiretapping capability was taken advantage of. To quote one of the articles: An FBI official said that the media reports have been incorrect in stating that the system under which the telecom companies comply with government surveillance requests, the Communications Assistance for Law Enforcement Act, CALEA, was the primary focus of the Salt Typhoon campaign. 
 It was only one of several targets for these actors' collection once they got into the networks, the official said. 
 Matthew: oh. 
 David: so the fact that it wasn't the primary reason makes it all. Okay. 
 Matthew: Obviously. 
 David: False reporting, fake news, 
 Matthew: reporting. Fake news. 
 David: You know, in a light reading of, you know, that statement would make someone think the wire taps weren't used. 
 So it's just a matter of subterfuge there [00:03:00] on the part of the FBI 
 Matthew: yeah, that makes sense. That's 
 David: and, you know, reading these articles. And this whole thing seems to be, I would, if I were in the media, that would have been my focus is the fact that the government forced these back doors and the Chinese took advantage of it. But in all the articles I read, none of them focused on that at all. It was all just brushed over which is quite annoying for me. 
 Matthew: Yeah, I mean, people have been saying, I mean, I remember when I got into, when I was getting into security, trying to get into security around 2008, 2008, 2010. I was reading a lot of Schneier at that time and Richard Bejtlich and folks like that. And I remember seeing that because I think that was when they were first talking about 
 passing the laws to put the, I don't know, for some reason it come up at that point in time. And pretty much every security person I followed 15 years ago was saying, no, do not do this. This will be misused. If you have it there, someone is going to get access to [00:04:00] it that shouldn't, you cannot secure this. 
 David: Well, 15 years ago, up to the present, what they've been talking about is the, um, back doors and doing endpoint encryption like the iPhones and stuff like that. That's where they've been talking about the back doors. Cause CALEA is from 1994, which apparently was updated in 2006 for internet wiretapping. 
 Matthew: Interesting. 
 David: But this is a long lived thing, but I think it's, This then, the reason that I think this should be more highlighted than it is, is this whole talk that they're saying that, oh, well, we need to get access to the iPhone encryption and stuff like that that's been going on for several years now that they, that seems to rear its head every so often. 
 Matthew: It's 
 David: These encryption mechanisms that people are using to protect themselves are hampering law enforcement's capabilities to protect the children, right? 
 Matthew: always the children. 
 David: so I think. That one of the [00:05:00] reasons obviously that they want to gloss over this is to keep that in play for their ability to bring up that, Oh, well, the government needs this backdoor access versus this, which would highlight the fact that, yeah, we give them backdoor access to something else. 
 And now it's come back to bite us. But what was also strange about this, which I find hard to wrap my mind around, is, it says that eight U.S. telecom providers have been compromised by Salt Typhoon, along with organizations in dozens of countries around the world. 
 Matthew: It's really broad. Was that meant to try to take the attention off the US telecom providers by pointing out that other organizations had also been compromised or? 
 David: I don't, I don't know, because that's actually a quote from one of the government officials unfortunately don't have her name right here but the link to their original press release or the was it, maybe it was in a quote from a Reuters article. That mentioned, mentioned that but I don't know, it just the, the, the idea that this [00:06:00] is not just us telecoms. 
 I wonder if it goes back to, oh man, what there's an underlying protocol underneath. Standard telecom. I just thought of it as just now, otherwise I would've looked it up before, which is, which is the basis for most telecommunications, which is so old that it's, that's most likely bug ridden to this day. I wonder if that has something to do with the way that this is compromised. 
 They don't wanna mention that 'cause people would panic. Which is why this is such a widespread attack. Compromising multiple organizations. 
 Matthew: because as we'll talk about in a minute, like someone comments on, this is a weird and strange attack, a novel attack, but we'll get there. All right. On the 22nd of November, the Biden administration held a meeting of telco execs to discuss the latest news about how thoroughly they've been owned. 
 And the government is of course, blaming China. They're saying that the scope is thousands and thousands of switches and routers, and the compromise is so extensive, they'll need to be replaced. Actually, it does lend credence [00:07:00] to what you're talking about, where if the problem is an old protocol, they would have to replace it with new equipment that did not support that protocol, or I don't know, they didn't say whether the reason is because of upgrade concerns or compatibility concerns, or that the attacker is so entrenched that even a firmware reset wouldn't kick them out. 
 David: I don't know what's odd though, is the compromise of routers and switches, not servers, right? So there can have to rip and replace switches. Is that, does that mean that there's a firmware problem here? They do 
 Matthew: you could just reflash new firmware, right, and then boom, you're good to go. 
 David: yeah, well, this also could be a misdirection about something we'll talk about later also. So we'll get to that and we're jumping, we keep jumping ahead. So let's. Stick to the script, Matt. 
 Matthew: yeah. I'm sorry. I'm sorry. All right. So Mark Warner, the chair of the Senate Intelligence Committee, an oxymoron, much like military intelligence, said that it was likely Chinese state employees could listen to phone calls, [00:08:00] including some involving President-elect Donald Trump, perhaps by using carriers' wiretapping capabilities. 
 So I thought that was the FBI, but apparently it's the Chinese. Another article confirmed that the attackers got private communications of some government officials, law enforcement requests and access to the wiretapping portal. So I have a question for you. What would you do if you control wiretapping for a week? 
 Who would you listen to? 
 David: Probably the director of the CIA, the director of the NSA. 
 Matthew: Would they use the regular phone lines? You'd think that they would use like Signal or something or some 
 David: are talking about government employees, so not all that bright. And if I were doing it, what I would do is I'd wiretap it. I would stream it to the internet. 
 Matthew: Kind of like the that Panopticon idea about streaming all of the all of 
 David: The police body cams. 
 Matthew: Yeah, to the internet. Well, it's not a bad idea, just some people are watching it somewhere, and you never know if someone's watching it or not. 
 David: Mm hmm. 
 Matthew: Alright I don't know who I'd listen to. I'd probably listen, I'd probably go and start listening for Senators, and see if I could figure out which one of them are, if [00:09:00] any of them are dumb enough to talk about the bribes they're taking, or their, their future jobs when they get out of the government. 
 David: Well, actually, it'd be really smart to listen to Nancy Pelosi so you can 
 Matthew: Ooh, get those stock picks. Yes, yes. 
 David: But, as usual, the government's all upset that their conversations were listened to. You know, they're regular Americans, who gives a shit about that, right? 
 Matthew: So right. You're so right. 
 David: What I'm really hoping for is another Victoria Nuland phone call showing up on the internet. 
 Matthew: That would actually be, that would be interesting to see the 
 David: Well, another Victoria Nuland like phone call. I don't mean specifically her. 
 Matthew: yeah. Well, but I'm thinking like if they are in this and they are doing this, they probably do have a whole suite of embarrassing phone calls that they could start releasing. I 
 David: Hopefully they aren't using discretion as a better part of valor or something like that. 
 Matthew: like release it, you cowards, 
 David: Yeah 
 Matthew: due to this, the outgoing chair of the FCC is proposing rules to force telcos to take [00:10:00] security more seriously by reinterpreting a rule that was part of the, some 30-year-old legislation. 
 The rule says that wiretapping can only occur with lawful authorization. Obviously, if you're a hacker in the system, you don't have lawful authorization. What's interesting to me about this is that, that would indicate to me that employees at the company could also use it without quote unquote lawful authorization. 
 David: well, presumably because they built it, that would just be baked in, right? 
 Matthew: I 
 David: But they've got a Ron Wyden, senator from Washington, has, has proposed the Secure American Communications Act. And to quote the article, if signed into law it would require the Federal Communications Commission to issue binding rules for telecom systems, following what Wyden calls the FCC's failure to implement security standards already required by federal law. 
 So there ought to be a law to force people to follow the law that already exists.[00:11:00] 
 Matthew: mean, the government loves to do that, right? Because that's already, it's already, you know, illegal for a criminal to rob a bank, but then they add a law that says if you rob a bank and use a gun, it's extra. If you rob a bank and use a mask, it's extra. 
 David: Yeah. You wear a plaid shirt while robbing a bank. That's another, 
 Matthew: That's another five years. Speaking of which, oh my gosh, I saw the most interesting article about jail time. And why the U.S. has so many people in jail, but that's not what we're talking about today. It really kind of dived into the change in jail population over the last 60 years as mostly a function of adding new crimes and extending the sentence of people that were in there. 
 For example, they said that, I don't remember the exact numbers, but if you were convicted of rape in 1960, you only went to jail for like three years. You're convicted of rape in 2020, you go to jail for eight years. 
 David: Hmm. 
 Matthew: like increasing mandatory minimum sentencing and [00:12:00] increasing sentencing timelines, you can double the jail population without actually changing the number of criminals because they stay in jail twice as long. 
 David: Oh, did you listen to the Joe Rogan podcast with Robert Avery and Quentin Tarantino? 
 Matthew: No, because the dude needs an editor. I can't listen to a three hour podcast. 
 David: Well, in there, Robert Avery apparently went to jail for manslaughter because he was drunk driving and killed one of his passengers. Yeah. And he was talking about in that podcast how the guards would basically try to entrap them to get them to Not necessarily, it's hard to say that because these are things that I wouldn't necessarily consider crimes because I don't remember the specifics around it now. 
 But the guards would try to entrap them into doing things that would cause them to extend their sentences. 
 Matthew: Where the guard's being rewarded by 
 David: I don't know. He doesn't say that part, but he was talking about how they would raid his, his cell and take all, all, 
 Matthew: and, 
 David: no, his scripts. He would write [00:13:00] scripts and stuff because he was, he was a, he's a a writer in Hollywood. 
 So they would. confiscate that stuff. So he ended up writing these things and then sealing them in letters to his lawyer. And that's how he would, he said he wrote like several screenplays while he was in there. But for him, that's what they were doing. But he said they would try to entrap them basically into doing things or saying things that would lengthen their prison sentences. 
 I wish I could remember some of the examples they gave. Um, that's the kind of stuff I think you're also talking about. 
 Matthew: Yeah. That wouldn't surprise me. Yeah. For some sort of incentive system that they get rewarded if they catch crooks. And I mean, we can talk about the treatment of prisoners and leading to recidivism because they treat them like shit and they don't give them a chance to improve themselves in prison. 
 David: Well, I wonder if he was in one of those private prisons where they get paid based on the beds they 
 Matthew: Oh, maybe. Yeah. And then the other reason for increased number of prisoners was the increase in laws. Like there was a bunch of things in 1960 that were not [00:14:00] really illegal, or if they were legal, they were not really prosecuted. 
 David: Hmm. 
 Matthew: So anyways, I'm going to cut parts of that out. I might leave a little bit of it. 
 David: little bit far field there. 
 Matthew: Yeah. So one article said that it was understood that Verizon, Lumen Technologies were compromised. Another article said that it had been revealed that they were compromised. T-Mobile announced that they were hit, but they kicked them out within a single digit number of days. Which is interesting to me, because T-Mobile has had something like seven breaches since 2016 or something like that. 
 But then 
 David: covered a fair amount here. 
 Matthew: yeah, but then again, maybe they actually are taking security seriously now and are ahead of the pack, and that's why they kicked them out. 
 David: I don't know. One of the articles said as of December 3rd, anyway, telecommunication providers are still trying to evict the Chinese government linked hackers. So at least as of a little over a week ago they still had not completely gotten the, the hackers out of their networks. 
 Matthew: Well, that makes sense, because if they said they had to completely rebuild the networks to [00:15:00] evict them, I don't think they've all rebuilt their networks in the last two weeks. 
 David: What are you talking about, Matt? These guys are on top of it. 
 Matthew: I'm curious what you think about the legal redefinition of the rule where they took a rule that meant one thing and then decided to apply it to cybersecurity. It does seem to kind of apply to one of the things that the attackers can do, but it's kind of a stretch to apply that to the rest of the security stuff. 
 And I mean, I don't know, trying to apply a rule that was pre internet to Stuff is definitely kind of a weird one. 
 David: Well, with, with the Chevron doctrine, they should not rewrite the rule. It should actually legislate if they need to legislate. It seems to me that the company should be incentivized for their own security and write no rule or law or whatever to say that you have to take security seriously is not really going to improve anything. 
 Matthew: Yeah. That's a, it goes to kind of one of the later points about, is there a better way to get telcos to tighten up security? Cause obviously the way that economic incentives [00:16:00] seem to be set up right now, security is just not a priority for really anybody other than banks. And, 
 David: Well, I think if they ripped the wiretapping shit out of the infrastructure, maybe this would not have happened in the first place. 
 Matthew: yeah, that would remove a lot of their target. If everything that crossed the telcos network was encrypted and inaccessible to them, there'd be, I mean, there's still stuff you can figure out from, you stuff, but. Yeah, 
 David: Yeah, you could do metadata 
 Matthew: yeah, that's what I was looking for. Metadata. 
 David: But I thought there was a a funny, another funny quote from old Ron Wyden quote, It was inevitable that foreign hackers would burrow deep into American telecommunication systems the moment the FCC decided to let phone companies write their own cybersecurity rules. 
 Matthew: Ah, that's what did it. 
 David: Yeah, obviously. 
 Matthew: them write their own rules. It has nothing to do with the information they can gather about people or the wiretapping. It's because they could write their own rules. [00:17:00] That is spoken like a person who does not understand security. 
 David: you can only get good security through government force, Matt. 
 So quote from the article going beyond the FCC proposal, the legislation would also require annual testing of the telecommunications company systems to determine whether they are susceptible to interception of communications or access to call identifying information. And Without lawful authorization by any person or entity. 
 So based on what I read in there, it sounds like. These telecoms have a system in place where you could type in someone's name and get their phone number and start a wiretap based on that search. So it sounds like these things are the, the, the ability to perform wiretap is like dead simple. I mean, and the cops, like I mentioned before, these, this, this, like, this has been built into the network since 1994 and then 2006 for the internet. So this is not doing the [00:18:00] average American any favors. 
 Matthew: Yeah, it's I mean, isn't this just Access control and auditing. I mean, it says it to determine whether they are susceptible to the interception of communications or access to the call, identifying information without lawful authorization. Isn't that basically making sure that the login is functioning the way that you think it's supposed to. 
 David: Well, it depends on where the the, the authentication takes place. Cause I'm not sure if what they're talking about is a system that is only accessible from inside the telco or if they have X or X externally facing. Web interfaces where you could authenticate to it and perform this kind of action. 
 But it also kind of leads to what you're talking about a second ago with, you know, are, is this, is access to these. Capabilities logged and monitored. And are they paying any attention to who's doing what within these capabilities about searching for people, [00:19:00] setting up wiretaps and all that kind of stuff? 
 Matthew: Yeah, this, this all sounds like the same conversation that every company has around high value assets or crown jewels, like the wiretapping capability needs to be considered a crown jewel, quote unquote, and watched carefully 
 David: Yeah. Well, I think the wrinkle around that though, calling it a crown jewel, you know, in typical organizations where you're trying to protect sensitive information, you're trying to protect that from anybody outside of the company. Right. 
 Matthew: here. You're trying to, you know, 
 David: external, you know individuals in the form of law enforcement who are being granted access to do these things in their systems. 
 So I think that's a lot more difficult to protect against. And then, I mean, just based on what we're reading, what we've read in these articles, that's what it sounds like is going on. 
 Matthew: I don't think so. I mean, I think that this is important, but I don't think this is what's going on. Cause if, if what they were doing was cracking the system, then there'd be no need to replace all those routers. Switches, because that's just a web portal somewhere, [00:20:00] which surprises me. Actually, it seems like it'd be a lot easier to break into a web portal to conduct those wiretaps than it would be to break into the entire network infrastructure. 
 David: Well, here's the thing. I'm going to skip ahead here for a second. 
 Matthew: No, 
 David: about this before about, you know, they never fail, fail to use these kinds of things as an excuse to piss away our money. So Congress is saying that it has folded 3 billion into the annual defense policy bill to remove Chinese made telecommunications systems from the U.S. networks. 
 Matthew: no, nobody's said that it's Chinese made routers and switches. That are the 
 David: Well, that, but that's, that's, see, I think that's the thing though. Is that those switches and routers they're talking about need to be ripped and replaced are any Chinese made routers and switches, even though they are not directly related to this issue. To, to quote Senator Ben Ray Luján: [00:21:00] one obvious thing we can do today is to get equipment manufactured by companies that collaborate with our foreign adversaries out of American networks. 
 Thank you very much. And we don't know or haven't heard anything about back doors in Chinese made equipment. So I think what they're talking about with that replacing routers and switches and the ripping the Chinese stuff out here is it's an excuse because they've been talking about Huawei and I 
 Matthew: Oh yeah. For 
 David: off the top of my head for years about how horrible those things are. 
 And I think this is an opportunity for them to force the issue to have all that equipment removed from the telcos. Don't think it had, I don't think the routers and switches that you mentioned earlier were actually part of the compromise. I 
 Matthew: you know, that never, never waste a crisis. Never waste a, never waste a crisis. 
 David: Yeah, exactly. And so I think this is a simple excuse for them to spend money and rip out the all the Chinese made equipment. 
 So they've been talking for years about, you know, [00:22:00] the DJI drones and anything Chinese made that's got a computer chip in it. Hey, we need to throw that out. And replace it with American made stuff. So I think this is just part of that whole overall plan. They've been talking about it for a decade now. 
 Matthew: Gotcha. That makes a lot of sense. Cause. They've been talking about it for, like you said, like a decade, and we haven't had any actual backdoors ever. 
 David: No, they had that one issue. What was it? Five or six years ago where they supposedly found that grain-of-rice-sized chip on, 
 Matthew: And then nobody ever heard anything about it again. 
 David: Yeah, and every, virtually everybody refuted it but the was it the Washington Post or New York Times, where that came from, doubled down and would not backtrack on it, even though there was still no evidence, no corroboration or anything on that entire story. 
 Matthew: And that actually, that's funny you mentioned that, because that just sort of disappeared. Like, it was big, it was huge, a bunch of people said that it was nothing, and it just [00:23:00] disappeared. Which strongly indicates that the people who said it was nothing were correct, because nobody ever found, hmm, how quickly we forget about that, how quickly I forget about that. 
 David: Yeah. Not surprising. 
 Matthew: I have a memory like a goldfish, just on that, you know, never mind, I'm getting distracted. 
 David: Ooh, shiny. 
 Matthew: Right, so the attack technique used by the attackers is said to be quote unquote novel. T-Mobile's CSO said it was a technique he'd never seen before and it's not quote well published unquote. This implies to me that it's been discovered before, but was considered either minor or not fully explored. 
 David: Yeah, I really wish I would have looked up that, that, that issue with the that, that old protocol. That's the basis for all the telecoms. For some reason, the number seven sticks in my head, but can't remember exactly. So I wonder if that's what he means by it's not well published. We've known about this, but, you know, no one had taken advantage of it yet. 
 Matthew: Yeah, so [00:24:00] regardless of the novel intrusion technique though, I feel like this still could be discovered while moving laterally. And I think this reinforces the importance of basics. You can't anticipate when something new is going to come out, but you always know. There's always going to be a new vulnerability, a new exploit. 
 But you can always monitor things like new account creation, lateral movement between systems, service installation, C2 communications, access to your crown jewels, the web gateway that people can kick off wiretaps from. Not every step is going to be a novel, novel, novel step. They're all, a lot of them are going to be the same stuff as before. 
 We've talked about this before when we talked about content management. It's, it's not all new. The attackers reuse the same techniques over and over and over again. 
 David: Right. And that ties it back into what I was saying a minute ago about basic logging and monitoring. Are they, are you logging the right things and performing monitoring on those things you speak that you're logging for? Because I'm curious, I'm, in everything we read, I didn't hear anything about discovery. 
 Who found it [00:25:00] and how? And when we're talking about over 20 different organizations, they didn't independently discover the attacker at the same time. So maybe the indicators which were found at one organization, which they then used to identify the attacks in these other 19 or 19 or more organizations, maybe the rest of us on the internet might benefit from having access or knowledge of whatever those indicators were, because just because they used or just because they're attacking the telcos. 
 It doesn't mean that those telecoms were the only ones attacked. Now, if we go back to what I was talking about before, where it's the underlying telecom protocol, which was compromised, maybe that's, you know, that means it's not necessarily indicative of, or something that can be leveraged in all organizations, but kind of frustrating that we don't have more information about how it was discovered. Cause that's not helping the rest of us. 
 Matthew: And you have already covered the piss away the money. Yeah. I wonder if I wonder if it [00:26:00] would be useful for the rest of us. So let's, I mean, let's go back to the useful for the rest of us. If they got in using an old telco protocol, it probably wouldn't be impactful for the rest of us at all. If they got in via some sort of novel law enforcement mimicry technique. 
 Like maybe, maybe there is a portal that you can log in and start up a wire tap, but it requires your badge number and your name and the account that you've set up, maybe they found some novel quote unquote way to spoof that or something. 
 David: Well, they could have been using, you know, in the financial services industries we're starting to deal with the synthetic identities, identities where attackers use different parts of people's IDs, meld them together into a new ID. And then that's because of the uniqueness of that identity is able to fool some systems so that they're able to perform fraud on it. 
 They could have been doing a similar technique for the police guy. Take this guy's badge number and this guy's name and this guy's precinct 
 Matthew: Cause I assume that works because when it [00:27:00] checks those, it doesn't, it checks one part of them. It doesn't check all of the pieces against the record. It just checks the badge number and is like, Oh, this badge number is good. Or this name is good. 
 David: I mean, it really depends on how the system works because if every individual officer has to have their own account to log in, 
 Matthew: probably not. They probably 
 David: then that's not going to work versus there's some kind of. between the employment records in a, in a cop shop and the telco where they automatically federate, 
 Matthew: Yeah 
 David: That, that those identities from the cop shop into the telco or something, you just have to log in with your badge number and the warrant number or something. 
 Matthew: again, if that was the problem, it wouldn't be shareable to everybody else. Cause it wouldn't really impact anybody else unless you also federated with them. 
 David: Right. I don't know, I did, you know, what, what's also frustrating about this whole thing is I, I don't know if that we're going to actually get answers to any of these questions that we're talking about here. I think a lot of this is going to remain hidden. We're never going to find out what the [00:28:00] real underlying problem was, unless we have a whistleblower or some information has leaked. 
 Matthew: it's gotta be someone that's willing to leak it. Cause each one of these 20 plus companies has a security team and all, many of them know what's going on. There's gotta be someone in there that's going to post something on Reddit somewhere. Hey, you guys remember the telco thing last year? Turns out that the wiretapping portal just, you know, it was just, you put in your name and badge number and that's it, and it was novel because nobody had done that before. 
 David: Yeah. Well, you know, maybe we'll end up hearing about this though, because we are talking about outside the United States with foreign press. Maybe, maybe we'll hear more information in the foreign press about this. 
 Matthew: Yeah, I don't know. I don't know. All right. What should you do about it? 
 David: Well, move to encrypted platforms like Signal, obviously, 
 Matthew: Obviously. 
 David: But I thought it was weird that the government actually made that recommendation. So that, that makes me leery about how good Signal is anymore, because why would they do that? Unless they had also some backdoor in the Signal. I don't know, I'm [00:29:00] probably just paranoid, but, 
 Matthew: did they, did they call that signal by name? 
 David: yes. 
 Matthew: So telegram and said, 
 David: Well, I think they, they, I think they, they said Signal and WhatsApp, I think were two that were 
 Matthew: what's app is Facebook owned. So that's the, yeah, the government, Facebook cooperates with the government quite a bit. So I bet those are easily accessible. Signal surprises me. That's specifically designed so that nobody is supposed to be able to access those chats. 
 David: Like I said, I could be, I'm not saying it is compromised by the government. I'm just saying that makes me leery because the government states, you know, mentioned it 
 Matthew: It's reverse psychology. 
 David: and then it could be, 
 Matthew: All 
 David: throw me in the briar patch. 
 Matthew: Yeah, yeah. I, so it's funny, I actually installed signal. I've got signal and telegram and WhatsApp installed on my phone for these encrypted chats, but literally none of my friends use them except you. I think you use signal. And I think we've talked on it maybe a half a dozen times, 
 David: Yeah. Well, who knows [00:30:00] after this, maybe that'd be the way of the world. You know, your phone will come with a phone app, which you never use, but you always use signal. Who knows? 
 Matthew: but I remember it. Didn't they specifically call out that encrypted chats between Android and Apple were susceptible to this too. Or is that a separate thing? There's something I saw 
 David: don't know. They are. But I don't know that that was specifically mentioned any, I don't recall re-read that in any of the articles that we did for this one. 
 Matthew: and I mean that may be, that may be unrelated. There we go. FBI warning from Forbes. Stop using RCS on your iPhone and Android. The FBI warning that messages has been hacked. RCS is a new protocol. Successor to SMS. RCS has been adopted. 
 Messaging has never been end to end encrypted, rather than messaging directly from one phone app to another, they're routed across a patchwork quilt of cellular networks. The apps can be different as long as they use RCS protocol. Google added end to end encryption to Google messages. Apple added RCS to iPhone. [00:31:00] Oh, the problem is that Google, the Google RCS encryption only works if both ends are Google. If one end is Apple, it doesn't encrypt it. 
 David: yeah. It's just like 
 Matthew: So this is unrelated. I mean, this is sort of related in that because the attackers can wiretap you, see, they see that it's unencrypted. 
 David: Yeah. I mean, we've known that forever though. 
 Matthew: Oh, okay. I didn't know that because you're the only person I know who uses Apple. Only one that 
 David: Man, who the heck do you know? 
 Matthew: I only have like four friends, so. It turns out that in a small group 
 David: Well, that's triple the number that I got. 
 Matthew: let's triple the number. You have 1. 3. What the, 
 all 
 David: You and my cat. 
 Matthew: Think he counts for more than three. All right. Onto the next one. 
 David: All right. So Microsoft MFA AuthQuake flaw enables unlimited brute-force attempts without alerts 
 Matthew: No, off quick, 
 David: Yeah, scary. Ooh. So this comes to us from The Hacker [00:32:00] News. So Oasis Security researchers a lad buzz and Ted Hanson, Hasson, awesome 
 Matthew: I don't know. 
 David: have discovered a way to bypass a time based token MFA for M365. So, according to the researchers, the bypass was simple, it took around an hour to execute, required no user interaction, it did not generate any notifications or provide the account holder with any indication of trouble, and the attackers could retrieve a success rate of about 50 percent within 70 minutes. 
 Matthew: Seems pretty good. 
 David: Yeah, that's not bad. And they're saying that the lack of rate limiting and an extended time interval when providing. And validating these one time codes allowed an attacker to spawn new sessions and enumerate all possible permutations of the code, which would be about a million million different codes. 
 Matthew: I think that's kind of deceptive because you can't, you can enumerate all possible permutations of the code, but you could not do that all [00:33:00] within one session. So, but we will, we'll talk about that. That's 
 David: Well, it says spawn new sessions. 
 Matthew: yeah. But when you go through, they find, and I'm jumping ahead. There's a, there's a point where you have this, and I apologize for stealing this from you. But they said that there's a 3 percent chance within one of their, like. One of their time windows for you to find the code and then after that time window's up, you have to bring up another one in which there's a 3 percent chance, so you're not like, sure, you can enumerate all 1,000,000, but each time a new session or a new time window is brought up, it's a new code, and you can't enumerate all 1,000,000 during that window, so, you know, given, given the way that statistics works, you know, if you try, yeah, 3 million, a 3% chance, you know, for 70 minutes. 
 I think it's like a three minute time window. So I guess you do it 23 times, 
 David: 24. 
 Matthew: 24 times, then yeah, you'll, you'll build up to about a 50% chance of succeeding. But I dunno, the way that they talk about it, like, oh, [00:34:00] we can enumerate every permutation. No, not really. Yeah, 
 David: Yeah, exactly, 
 Matthew: yeah. Anyways. I'm being a, I'm being a very pedantic 
 David: but accurate. So I mean, I think that's, that's an important thing here because you, you know, you read these things and they often over hype the threat in order to get clicks or views or support their, the research that 
 Matthew: I mean, 50% chance in 70 minutes is pretty good. I don't feel like they need it to overhype it. Yeah. I bet if they can kept doing it for another hour or two, I bet you could get up to like 70%. So if you really, really needed to get in, 
 David: Yeah. But the reason that this is because of the potential, potential time difference between the delays between the validator and the user where the validator accepts a larger time window for the code than it should be, which is up to about three minutes when it should be 30 seconds. 
 Matthew: Yeah. And this, I mean, this makes sense to me. Like, you know, you log in and you type in the code and is your, and then you wait for [00:35:00] it to load there. You know, 30 seconds, strictly 30 seconds is probably too short. But I feel like it should probably be more like 40 seconds instead of 3 minutes. 
 David: Yeah, well, it, it, cause I've experienced this before where I just hit, you know, I'm about ready to finish typing in the code and it expires. As long as you're within that 30 seconds, you can still hit go and it's still gonna let you in. You don't have to stop and put in the new number. 
 But the researcher said rate limits might be enough in addition to consequent failed attempts, which should trigger an account lockout. Yeah, 
 Matthew: Wild. The same thing that we figured out for account lockouts for decades at this point, 
 David: as I say, like 30 years ago, maybe, maybe longer. 
 Matthew: it blows that, and that blows my mind that Microsoft who has been dealing with account logins for decades is like, well, yeah, we definitely should lock out after five failed logins. But for MFA attempts, like try that, try that as much as you want. Like just keep going. I [00:36:00] mean, they did add some rate limits into the same session, 
 but then they allowed you to spend up unlimited sessions. 
 So 
 David: Yeah. 
 Matthew: it's just weird, such a weird blind spot. We know we need to rate limit this, but spend up as many sessions as you want. 
 David: Yeah. So apparently they, they did fix this. So Oasis said Microsoft introduced much stricter rate limits that kicks in after a number of failed attempts. The strict limit lasts half a day. 
 Matthew: So 
 David: introduced this in October. 
 Matthew: yeah. And it's stupid European format. I definitely read that as September. I was like, ah, David got this wrong. And then I was like, oh, wait, no European format. Stupid. 
 David: I mean, the European format makes sense to me. Day, month, year. That's just logical. It's stupid month, day, year. That doesn't make any sense. It's kind of like the metric system. You know, the foreigners in this case got it right. And we're over here being idiots. 
 Matthew: wrong. So this. So this, but the [00:37:00] strict limit, the rate limit, I wonder how high the rate limit is. I wonder if you could still, cause I imagine for high value accounts, you really want to get into having a success chance of 3 percent per attempt. And instead of getting to 50 percent after 70 minutes, maybe you get to 50 percent after 24 or 48 hours. 
 That may still be worth it for them to pursue 
 David: Hmm. Mm hmm. Yeah, I know. But you know, what's up. 
 Matthew: unless they remove the concurrent session, like they only allow one session, like that seems like that's the only way to really stop this. 
 David: Yeah, well, what they don't mention is that the attackers have already compromised the credentials because you don't get to the MFA until you've already properly authenticated. So if this is the only place they could authenticate to that account, Which depended on AD federation and everything, you know, may or may not really keep the attackers out and make, keep them out of this, that interface. 
 But if they're able to authenticate somewhere else without an MFA with those same credentials, [00:38:00] then, you know, you're not helping a whole lot. 
 Matthew: Yeah, but that's the same problem you have with MFA anyways. You gotta have it on the systems for it to work. And I feel like these days it's not a high bar to clear having compromised the creds of an account. It seems like there's just a certain percentage of our user base that just will give out their creds like their candy on Halloween. 
 Just, Oh, you want my password? Here you go. It's nothing. 
 Or, they had that thing where, you know, give me chocolate for your, your account. Well, I think it was chocolate for your password. 
 I wonder how many people would do that. If you would, just like go around, like stand outside a building and be like, Hey, I'm handing out chocolate bars, if you'll give me your password. Someone would do it. Someone would 
 David: well, no, they, they did do that. 
 Matthew: Did, oh, this is a real thing that 
 David: Yeah. That's a real thing that happened. Yeah. But of course there's no way to check because I don't know if they ask for the account, the, the username or what that password gets access to. So it's almost like, you know, you write a password down a sticky note and you leave it on the street, you know, is [00:39:00] that really useful to anybody? 
 So I think there was kind of a bait and switch depending on how, how exactly they did that. That thing but that was several years ago that someone Someone tried that and was successfully able to get people to give up their password for a piece of chocolate 
 Matthew: yeah, I'm reading about this. They apparently didn't verify the password. So it's entirely possibly lied about their password to get free chocolate. That's what I would done. I'd have been like, oh yeah, here's my password. 1, 2, 3, 4, 
 David: which is like what number two or something on the it used to be number two on the most used password list 
 Matthew: Wiki 20. I think 
 David: But until I read the, the SecurityWeek article, I thought, you know, typical Microsoft had half-assed this. But this is more like three-quarters-assed. 
 Matthew: this is just a blind spot. They thought that they were like, well, we've got limits on the logins. We've got limits on MFA. We're good. And I bet they just didn't even consider the whole, like, send up a new session. 
 David: Yeah Well, the thing about this though, and I'm not sure that Microsoft learned their lesson here, but I'm hoping that they did, that they should be logging stuff [00:40:00] about the MFAs, right? Not just the accounts, but the MFA tokens, you know, fail attempts, how many attempts and all that stuff. Cause I think if they, if they'd sent it up rudimentary logging and monitoring that they would have identified this right away. 
 Matthew: So, Microsoft does have those logs. You can get those logs via the Graph API for failed MFA on there. And yeah, you could, you could probably identify this pretty easily if you had MFA brute forcing logging. I think the problem is, is that myself included, I think most people assume that you have MFA to prevent brute forcing and that you cannot brute force MFA and probably weren't monitoring it. 
 Cause you just assume that it's rate limited and you know, there's a 30 second time window. How many attempts can you get in in 30 seconds? But I think that there's probably gonna be a lot more people, myself included, they're going to be walking in the office on Monday and saying, Hey, maybe we should have an MFA brute force rule.[00:41:00] 
 David: Yeah. It shouldn't trigger that often. Right. So it's not like it's going to be a high false positive rate on it. Shouldn't 
 Matthew: Because like you said, they have to have the credentials first. You probably need some way of like, anomaly based on the thing so you know you're not triggering on failed MFA logins from their laptop or something, but from something that's not their laptop. Cause 
 David: I would say turn it on and just monitor for a day and see, you know, what kinda alerts you get. 
 Matthew: Cause I've looked into this in the past, and MFA quite a bit. 
 David: Right. But if you set that to 10 or you know, 
 Matthew: Yeah, because in this type of attack, they trigger it hundreds or thousands of times. This is not, this is not MFA bombing where they're trying to get the user to accept it and say, yes, this is me. Yes, this is me. They're trying to do the time based password one. You're right. They're submitting it hundreds or thousands of times. 
 So that should be very easy to find. You're right. Yeah. The one that's tough to find is the MFA bombing one in a large company of, I don't know, 50, 000 users or so. Hypothetically it turns out that a lot of people fail MFA quite [00:42:00] a bit. 
 David: Mm-hmm 
 Matthew: So there's just, just, I don't know. Maybe they get distracted. 
 Maybe it times out. Maybe. 
 David: Well, I've typo'd it before myself, so. 
 Matthew: Yeah. 
 David: That's about it. 
 Matthew: That is about it. 
 David: So that's all the articles we have for today. Thank you for joining us and follow us on Twitter and subscribe on your favorite podcast app.