TETRA:BURST - Satellite Turla, Android tracker tech, VirusTotal 2023 report, open source in Russia

It's time for Security Now. Steve Gibson is here. We're going to talk more about satellite communications; we've got some really expert listeners, some fascinating insights into that. We'll also talk about Russia: they've actually criminalized open source contribution. And then VirusTotal's 2023 Malware We've Seen update, plus a look at a radio solution used by law enforcement all over the world that is woefully insecure. It's all coming up next on Security Now.

Podcasts you love, from people you trust. This is Security Now with Steve Gibson, episode 933, recorded Tuesday, August 1st, 2023: TETRA:BURST.

This episode of Security Now is brought to you by the Building Cyber Resilience podcast, a show about tech and security from the perspectives of data scientist Dr. Ann Irvin and career CISO Rich Seiersen regarding the intersection of data, finance, and cyber risk management. Search for Building Cyber Resilience on Apple Podcasts, Spotify, or wherever you listen to podcasts. And by Bitwarden: get the open source password manager that can help you stay safe online. Get started with the free Teams or Enterprise plan trial, or get started for free across all devices as an individual user, at bitwarden.com/twit. And by Drata: security professionals often undergo manual tasks of collecting evidence. With Drata, companies can complete audits, monitor controls, and expand security assurance efforts to scale. Say goodbye to manual evidence collection and hello to automation, all done at Drata speed. Visit drata.com/twit to get a demo and 10% off implementation.

It's time for Security Now, the show where we talk about your security, your privacy, your health and welfare online with this guy right here, Mr. Steve Gibson of the Gibson Research Corporation. Hi, Steve.

Hello, Leo. Great to be with you for this first day of August.

Yeah. We're in the low 80s here, so we're like in paradise compared to the rest of the country, which is either thunderstorms and tornadoes... my sister posted something on Facebook with some huge lightning storms she was in, in Colorado yesterday, or last evening. And of course Arizona's breaking records; it's 110 degrees or higher for more days in a row than they've ever had. And here we are, it's a little humid, but otherwise it's great.

Really? That's nice. Yeah, you don't get a lot of humidity, do you?

We're in an arid... it's odd, it's odd for us.

Yeah, some El Niño thing happening.

Oh, yeah. So I'll just note that we're two weeks away from finishing our 18th year.

18 years, wow.

I think it's August 18... yeah, I think it is August 18th is the end of year 18; we'll begin into 19.

Wow, very cool.

So it turns out that advanced persistent threats have been leveraging satellite communications for many years. So before we wrap up all of our, you know, staring at the heavens discussion, we're going to look at that.

We should, and I hope you will, and I know you will, talk about what... it's a terrible name, advanced persistent threat, for what it really is. I'm sure you'll explain that.

Yeah, yeah. Also we're going to find out what the next iOS release will be doing to further thwart device tracking, and I know you touched on that in your previous podcast on MacBreak Weekly. And also what new feature Android 6 is releasing, but you also cast some doubt on whether that was happening, very quickly. So I'm kind of curious to see whether we're talking about the same thing. Also we've got some news on the latest forthcoming seventh branch of the U.S. military, and we're going to wonder why Russia suddenly criminalized contributions to open source software.

Which is bizarre, because they don't control it.

Right, yeah. And what do we learn from VirusTotal's 2023 Malware We've Seen update? Then we're going to share... we got an amazing amount of terrific podcast-related feedback from our astonishingly varied listeners. We've got more people who know about satellite security, it turns out, who had some interesting stuff to add to our discussion last week, which I'm going to share. And then we're going to examine one of the revelations to be detailed during next week's upcoming Black Hat hacking conference in Las Vegas, thus the title of today's podcast, TETRA:BURST. It turns out that when Europeans design a secure radio protocol that has four different encryption algorithms, which they allocate to different countries...

Say what? What? Why?

So everybody gets to use TEA1, except the European military gets to use TEA2.

Don't you kind of want to wonder why? You get an algorithm, and you're getting an algorithm, and you, and you, and you...

That's right. Wow.

And they're all secret and unpublished.

And that's not good.

And it turned out that only by leveraging some zero-days in a Motorola implementation of this encrypted handset were a bunch of guys... researchers in the Netherlands... able to crack the secure enclave to, for the first time ever, get access to these proprietary encryption algorithms. And, oh my God, would you believe that they're not secure? So anyway, we're gonna have fun today.

Why is it that these people roll their own? I mean, it's not like the Enigma machine. It's security through obscurity, right?

Well, unfortunately, it's an attempt at that. The only way I can... well, I would give them an out is to say that it's decades old. So this exists from the 90s. But I mean, I'm giving away a lot of the podcast coming...

Right, but save it.

Believe it or not, they've replaced them, having been caught, with new proprietary secret algorithms.

Okay, now there's no excuse. No. If there's one thing we know about crypto, it's got to be open.

Which is exactly why Russia doesn't like open.

Yeah. Our show today... this is actually a new sponsor. Want to welcome them to the show, and I think you'll want to listen to their show: the Building Cyber Resilience podcast from Resilience. The world is hyper-connected like never before. This advanced, technology-driven landscape is creating smarter businesses... that's good news... to serve customers better... that's good news... but as we know, the territory also comes with threats. Hosts Dr. Ann Irvin, Chief Data Scientist and VP of Product Management for Resilience, and Rich Seiersen, Chief Risk Officer, talk about the positive outcomes of developing risk management and utilizing data science across industries to create a smarter business. They meet with top experts and innovators in the fields of risk management, cybersecurity, and data science to discuss the changing cyber landscape and its constantly evolving risks. They talk about things like how businesses are beating the bad guys that are trying to harm their bottom line. They talk about how businesses are managing risk and crisis without materially impacting the value to their customers. Sometimes it's a trade-off, right? In Building Cyber Resilience, the team answers these questions and more. A recent episode just came out, very timely, talking about AI: will ChatGPT replace the underwriter? That I never even thought of. The hosts talked to the chief strategist of AI and machine learning for the U.S. Department of Defense, awesome, as well as the CRO of Symmetry Systems Incorporated, and discuss AI for cyber attacks and how it affects defensive roles and security. That is a heavy topic. I can't wait to hear that one. Listen in, learn how you can build a cyber-resilient organization. Search for Building Cyber Resilience on Apple Podcasts. Building Cyber Resilience: it's on Spotify, Apple Podcasts, all the places, the usual suspects where you listen to podcasts. And thank you. We'll put a link in the show notes too so you can just go direct. Thank you to the Building Cyber Resilience podcast for their support. Sounds really interesting; I want to hear this one on AI. What a great panel for that. Building Cyber Resilience, look for it.

Now let's build the picture of the week, shall we, Steve?

Okay, this is just... it struck me as funny. I've got a killer one coming for next week, but this was a repurposing of an old photo with a wonderful caption that has got nothing to do with security, but I just got a kick out of it.

Okay, it's gonna take me a second, because I did not have it on this computer. I have two different computers, and I've got to make sure I've got the one with the picture of the week. Now, the good news is I haven't seen it yet.

That's correct, so you will see my genuine reaction, first reaction. We'll do it together.

Okay. Okay. "Never play with super glue." "Never play with super glue." This just shows Spock doing his Vulcan hand sign, you know, with the two fingers. They might be stuck.

Yeah. My best friend at the time, a guy named Gary Rawlings, was my best man at my first wedding. And I said, "Rawlings, do not embarrass me." You know, you're gonna do the best man speech, whatever you do... because I mean, he knew where the bodies were buried, times, you know, to the power of infinity. And so he was very dangerous to have up there on stage. And he had kind of a dry sense of humor where he could really go on too far. So I put the fear of God into him. And so he got up, he received the microphone, and he held his hand up, and he said, "Gibson told me I was forbidden from saying anything, really, that would embarrass him. So I'm just gonna say: live long and prosper." Now Gary could not do the Vulcan hand sign, so he had rubber bands around his fingers in order to make them do that.

So I could do it with one hand but not the other.

I could do it clearly, a double. I'm a double Vulcan. I can, I guess, animate them and do whatever they need to do. Yeah.

Okay. So before we wander away, as I said, at least for the time being, from the topic of satellite security, which turns out is a rich field... I mean, there's been generated a
huge amount of interest among our listeners, so I'm glad that we spent some time talking about this the last couple weeks. I want to talk about another aspect of the use of satellites by bad guys, which again I wasn't aware of, but makes sense when you think about it: the deliberate routing of internet connections through space. This is done as a means of thwarting the persistent efforts by law enforcement to track down, shut down, and sometimes take over the command and control servers and infrastructure which is being used by the major advanced persistent threat groups. Since it's another thing that we've never explicitly covered, I thought that now, while we're still looking skyward, would be a good time to add this to the growing list of things that we have covered.

So way back in September of 2015... this is not news, this is eight years ago... Kaspersky published an informative research piece titled "Satellite Turla," T-U-R-L-A. Turla is the name of an APT group. And so their title was "Satellite Turla: APT Command and Control in the Sky."

What is an APT? Can you... I mean, I know it's basically a resident infection.

Yeah. I think the first time we encountered it on the podcast was when one was discovered at Sony Entertainment.

Right.

And so they were wandering around for months inside the Sony systems.

Like a long time, yes.

And so that may have been where this notion of, you know... so, advanced persistent threat: "advanced" obviously means it's not some script kiddie up to nonsense. This is a serious organizational intrusion. "Persistent" meaning that, again, it wasn't something that was executed and then died. It established a foothold in some sort of corporate asset, and from there it then was used for surveillance over some long period of time. We've seen printers, for example... no one would think of a printer as being a computer, but of course they are, and their firmware is no more secure than anything else, unfortunately, these days. And so we've seen APTs that set up shop in printers.

Yeah.

Where, as I said, no one thinks to look. And then from there they're on the network, so they're able to go out and see what's going on. So all of these things need some means of phoning home in order to report the things that they have found, and also, as we'll see, to give creative means for allowing the bad guys back in over time.

So Kaspersky, in their write-up, stopped short of explaining the detailed network packet flow, but they did provide enough for us to fill in the rest of the technology. So first, I've skipped over some of their warm-up introduction, which would be redundant for our audience, but I want to sort of create the background that they did create, and then we'll figure out how the packet flow works.

So Kaspersky said: "When you are an APT group, you need to deal with many different problems. One of them, and perhaps the biggest, is the constant seizure and takedown of domains and servers used for command and control. These servers are constantly appropriated by law enforcement or shut down by ISPs. Sometimes they can be used to trace the attackers back to their physical locations. Some of the most advanced threat actors or users of commercial hacking tools have found a solution to the takedown problem: the use of satellite-based internet links." And again, this is in 2015, so this has only matured since then. "In the past," Kaspersky wrote, "we've seen three different actors using such links to mask their operations. The most interesting and unusual of them is the Turla group, also known as Snake or Uroburos, names which come from its top-class rootkit. The Turla cyber-espionage group has been active for more than eight years." And that was more than eight years in 2015, and they're still a name that's around, so they've been at this for a while. Kaspersky said: "Several papers have been published about the group's operations, but until recently, little information was available about the more unusual aspects of their operations, such as the first stages of infection through watering hole attacks. What makes the Turla group special is not just the complexity of its tools, which include the Uroburos rootkit, AKA Snake, as well as mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, but the exquisite satellite-based command and control mechanism used in the latter stages of the attack. In this blog, we hope to shed more light on the satellite-based command and control mechanisms that APT groups, including the Turla/Snake group, use to control their most important victims. As the use of these mechanisms becomes more popular, it's important for system admins to deploy the correct defense strategies to mitigate such attacks. For IOCs," remember, indications of compromise, "see the appendix. Although relatively rare, since 2007 several elite APT groups have been using and abusing satellite links to manage their operations, most often their command and control infrastructure. Turla is one of them. Using this approach offers some advantages, such as making it hard to identify the operators behind the attack, but it also poses some risks to the attackers. On the one hand, it's valuable because the true location and hardware of the command and control server cannot be easily determined or physically seized. Satellite-based internet receivers can be located anywhere within the area covered by a satellite, and this is generally quite large. The methods used by the Turla group to hijack the downstream links is highly anonymous and does not require a valid satellite internet subscription. On the other hand, the disadvantage comes from the fact that satellite-based internet is slow and can be unstable. In the beginning, it was clear to us and other researchers whether some of the links observed were commercial internet connections via satellite purchased by the attackers, or if the attackers had breached the ISPs and performed man-in-the-middle attacks at the router level to hijack the stream. We have analyzed these mechanisms and come to the astonishing conclusion that the method used by the Turla group is incredibly simple and straightforward, as well as highly anonymous and very cheap to operate and manage. Purchasing satellite-based internet links is one of the options APT groups can choose to secure their command and control traffic. However, full duplex satellite links can be very expensive. A simple dup..." now this is in 2015... "a simple duplex one megabit up/down satellite link may cost up to seven thousand dollars per week. For longer-term contracts, this cost may decrease considerably, but the bandwidth still remains very expensive." Again, this is back in 2015, so things may have changed since. "Another way of getting a command and control server into a satellite's IP range is to hijack the network traffic between the victim and the satellite operator and to inject packets along the way. This requires either exploitation of the satellite provider itself or of another ISP on the way," you know, in line. "These kinds of hijacking attacks have been observed in the past and were documented by Renesys, now part of Dyn, in a blog post dated in November of 2023," so two years before this one was written in September of 2015. "According to Renesys, quote, various providers' BGP routes were hijacked, and as a result a portion of their internet traffic was misdirected to flow through Belarusian and Icelandic ISPs." They said, "We've BGP routing data that show the second-by-second evolution of 21 Belarusian events in February and May of 2013 and 17 Icelandic events in July through August of 2013. In a more recent blog post from 2015, these researchers point out that for security analysts reviewing alert logs, it is important to appreciate that the IP addresses identified as the source of incidents can and are regularly spoofed. For example, an attack that appeared to come from a Comcast IP located in New Jersey may really have been from a hijacker located in Eastern Europe, briefly commandeering Comcast's IP space. It's interesting to note that in all six cases discussed above were conducted from either Europe or Russia." Okay, now they write, "Obviously, such incredibly apparent and large-scale attacks have little chance of surviving for long periods of time, which is one of the key requirements for running an advanced persistent threat operation. It is therefore not feasible to perform the attack through man-in-the-middle traffic hijacking unless the attackers have direct control over some high-traffic network points, such as backbone routers and fiber optics." And of course that's unusual, too. They said, "There are signs that such attacks are becoming more common, but there is a much simpler way to hijack satellite-based internet traffic. Enter satellite link DVB-S hijacking." They said, "The hijacking of satellite DVB-S links has been described a few times in the past, and a presentation on hijacking satellite DVB links was delivered at Black Hat in 2010 by an S21sec researcher. So to hijack satellite DVB-S links, one needs the following: a satellite dish (the size depends on the geographical position and the satellite); a low-noise block downconverter, typically called an LNB," and that's generally part of the satellite dish that you get mounted on your roof if you're subscribing to Dish Network or whatever; "you also need a dedicated DVB-S tuner, which takes the form of a PCIe card these days; and a PC, preferably running Linux." They said, "While the dish and the LNB are more or less standard, the card is perhaps the most important component. Currently the best DVB-S cards are made by a company called TBS Technologies. The TBS-6922SE is the best entry-level card for the task," and that can be had for about a hundred bucks. "The TBS card is particularly well suited to this task because it has dedicated Linux kernel drivers and supports a function known as brute-force scan, which allows wide frequency ranges to be tested for interesting signals. Of course, other PCI or PCIe cards might work as well, while in general the USB-based cards are relatively poor and should be avoided. Unlike full duplex satellite-based internet, the downstream-only internet links are used to accelerate internet downloads and are very inexpensive and easy to deploy. They're also inherently insecure and use no encryption to obfuscate the traffic. This creates the possibility for abuse."

Okay, so Kaspersky's article, as I said, did not go into any more detail about how this works. They switched to providing tables of IP ranges that have been observed in the past and noted the satellite internet service providers that were using those ranges. But fortunately we have all the information we need to understand the advantage this gives to anyone who's attempting to hide their command and control server. The key is that these internet communication satellites have extremely broad coverage areas, coupled with the fact that, just like the internet, the IP packet traffic being carried is not itself encrypted. As we know, TCP and UDP are not encrypted protocols. They're just carriers of data that today is typically encrypted. That is, the data they're carrying is encrypted, but they themselves, the actual underlying protocol, is not an encrypted protocol.

Okay, so imagine that some nasty advanced persistent threat malware has been surreptitiously placed into a high-value computer, and that more than anything, the bad guys do not want their command and control infrastructure, which this malware will be reaching out to to receive instructions and updates and things, to be discovered, commandeered, and shut down. Presumably this APT threat group has many such infestations which are all reusing the same infrastructure, so the loss of that command and control server would... the entire network that they had established. Okay, so they have their APT malware periodically send a UDP packet to the IP of a previously chosen customer, probably a big, stable customer, of a given satellite-based internet provider. Having the malware send an outbound UDP packet has the effect of opening up return paths through any NAT routing and firewalls that would otherwise prevent unsolicited traffic from entering the enterprise's network and reaching the malware-laden machine. So you want the malware to initiate communications, which actually works in favor of this whole architecture. So this UDP packet is sent out to a previously selected customer of a satellite ISP, so it will be received first by that ISP. So this is a block of that ISP's IP space. It comes to the ISP, but unlike other ISPs, the received packet is beamed upstream directly at a chosen communication satellite. This causes it to then be rebroadcast out across the entire coverage area of the satellite, indiscriminately. Somewhere down on the ground is that subscriber of that internet ISP, but also somewhere else, anywhere else within that satellite's large coverage area, the malicious command and control server is silently lurking, with its own satellite dish passively aimed up at the ISP's broadcasting satellite. It patiently listens for any UDP packets addressed to that IP. Since the subscriber will likely have their own NAT router or firewall that will simply ignore any unsolicited nonsense, as everything has to these days, and since that subscriber may have been pre-selected to make sure that that's true, their receipt of that incoming packet will be ignored, right? It's just a radio packet coming in on their satellite dish. But it will be what the malicious command and control server base station has been waiting for. Upon receiving that UDP packet, the base station can reply by sending its own UDP packet via terrestrial ground internet, since there's no need for it to be returned to space, right? It's just an IP packet, so they can drop it on any IP connection and it'll find its way back to the original malware that initiated it. This allows the command and control system to send whatever commands it may wish back to the querying machine. And the traffic doesn't need to only be UDP; it's just sort of easier for this example. But nothing prevents the listening command and control base station from establishing a three-way handshake and bringing up an encrypted TCP connection. The key to the hack is that it's the world's largest air gap. The outbound traffic is being sprayed over a huge geographic area, to be picked up by a totally passive satellite dish that there's no way of locating. And it could be anywhere; it could even be mobile, within the range of the satellite. And the command and control system's IP address being used is someone else's, not theirs. And so it's an air-gapped man-in-the-middle traffic interception attack that, you know, is going to work and prevent the command and control server from ever being discovered. So unfortunately you have to give the bad guys some credit for this hack. It's pretty slick.

So Apple just updated its developer program to further crack down on developers who are abusing some of its API features, which are being used to collect data on user devices, and they're doing that as an underhanded means of tracking them online. Apple said that even if a user has given an app permission to track their activity, fingerprinting the underlying device is still not allowed. Yet it is still going on. So with the release of iOS 17 and macOS Sonoma this fall, developers who want to continue to have access to these features, which could and have been used to enable persistent device-level tracking, are going to have to provide a valid reason to Apple for having that right. Apps that don't provide a good reason will not be accepted on the App Store, as soon as iOS 17 rolls out and Apple begins to enforce this policy. And Leo, I'm astonished by the apparent value added by this tracking. I mean, it must be that it provides so much more benefit to advertisers, above and beyond just putting their ad on a page where it makes sense for their ad to appear.

Well, I have strong opinions about this. Advertisers think it provides value. There's a lot of evidence that personalized ads don't in fact work better. But, I agree... yeah... if you're an advertiser, think about it. I mean, there's a famous saying: "I know that half of my ads work; I just don't know which half." They would love some idea that they're hitting an audience that's interested in buying, for instance. They haven't been able to... you know, on TV you really can't do that. If you buy network television, right, that's why it's mostly brands on network television: they know, well, we're enhancing the brand, Pepsi or Budweiser, and so that million-dollar ad on the Super Bowl is worth it. But for podcasts and websites and a lot of the digital world, we have some targeting. You can target; you know, Facebook and Google live on this, and it makes them feel better. I don't know if you know, there's a third category of advertising, which is the advertising we do, which is called direct response advertising. That's why we always have a URL or, right, on late night TV you'd see an 800 number or an offer code. That's another way of an advertiser kind of reassuring themselves that their advertising is working. They're all imperfect. And all the studies I've seen say that tracking is not a very effective way of... that targeting your ads doesn't really make that much of a difference. But advertisers believe it. And maybe even if
they know better the agencies need something they're grasping at space Maybe what's happened is that this is all to support a that sketchy data broker business no no I don't I think that's a wonderful side business for the companies that sell it but remember Google doesn't sell the data Brokers Facebook doesn't sell the data Brokers uh but they do so they're doing it for their own purposes they're doing it because advertisers demand it per I mean that's why we do it we do very limited tracking as you know a podcast it's impossible to know with RSS feed anything but the IP address of the visiting computer and we don't do more than that but we do use Services a variety of different Services right now we're using something called pod sites that they're an independent third party we send them the IP addresses of people who listen to security Now uh and The Advertiser sends them uh the list of IP addresses of people who visited their site the third party goes okay 32 percent of the people who heard the ad visited your site they don't give the information to the advertiser we don't get the advertiser's information so there's no matching of ips it's only done by the third party in in a private way and you know I even that I resisted but honestly we would not be able to sell advertising because and that's the thing the advertisers are spoiled right it's not even they're spoiled they just they have a faith a firmly held belief that that this information helps them and they refuse to buy they'll only buy ads where they can get that information frankly we're lucky we we have a hard time selling ads against people like Google and Facebook who will say I can give you 25 year olds to 30 year old men in Petaluma California would you like that or I can give you people with income over a hundred thousand dollars who live in the Northwest would you like that we can't do that you know all we can say so we are losing frankly we're losing out to Facebook and Google which have about 88 
of all the online ad sales because they offer that kind of information so they're going to keep doing it and you know you see Google doing all sorts of you know Maneuvers to get us to trust them they don't they don't they so they've turned off cookies and we were talking the other day about this new web integrity initiative that they're proposing they're going to build into Chrome that's just one more way of them knowing who's there and advertisers insist on it so that's they think they have to do it whether they whether anybody believes in it working I don't know but they think they have to do we have to we have to do what we have to do or we would have zero advertisers as it is we lose a lot of ads because we can't give them you know people just go I'm gonna buy Facebook or I'm going to buy Google um wow okay advertising not so much on this show but some of our advertising is now direct insertion where we use uh company libson company called advertisecast we just started doing this and we pause put a sign put a little trigger in there and they stick in an ad and those advertisers like them a little bit better because they can geographically Target we you know your IP address has a rough geographic location so when they say when one of our shows airs in Spain for instance a Spanish Advertiser will buy that knowing that well I'm only because they don't want to buy U.S listeners because they're not customers right so they'll have an ad and they say we know this is these are the people listen to the show in Spain here you can have that so it's another form of targeting but you know advertisers they they demand it and if you're an ad supported Media Company you have to find a way to balance your you know your our we believe in our community and especially your listeners they don't want to be tracked no and in this case so we have apple who's trying to thwart the you know surreptitious underhanded device tracking you know they have all this ads themselves this 
information themselves so they have first this is what we're talking about earlier as you heard on macbreak weekly is first party tracking like Facebook and Google and apple do and of course what they're really saying is we want this to ourselves we don't want uh some app on your phone to have the information we have the relationship with the customer we have yeah they're not saying we don't want advertising we don't want to track you they're saying we don't want them to track you so we can it's our it's our advantage so I'm a little I'm cynical about this uh whole thing yeah well and there is a different form of tracking uh that you also touched on uh and that's uh uh a more deliberate form and that's uh back into the deep dive that we took a couple months ago on air tag tracking technology oh yes um the uh uh uh as we know this air tag tracking technology is Bluetooth based so it's inherently crowdsourced so this of course relates to the Apple and Google agreement it's in both parties interests Apple and Google uh to have a single common standard which they share so that both Apple and Android handsets can provide the tracking location feedback for each other's ecosystems um and you know so what they announced when we talked about this a couple months ago was a joint specification but it was really indistinguishable from what Apple had already been doing for several years with their error tags so it would appear to have actually happened was that you know Apple had opened their specification for Google and Google was happy to take it because you know they already had a an established ecosystem and then people would be able to use their Android phones as as track feedback devices as well so it's good for everybody last Thursday's news is that Google would soon be adding unknown tracking alerts to Android they said in in their announcement a known tracker alerts which we announced at i o 2023 are beginning to roll out in Android 6.0 Plus users this month and they 
also said unknown tracker alerts currently work with Apple AirTags, and of course other third-party tags. They said, we'll continue to work with tag manufacturers to expand this important protection to other tracking tags over time through our joint industry specification. Now, what you had seen was a story that said that was going to be put on hold.

Yeah, to the end of the year.

Which, I mean, and so I'm not sure if unknown tracking alerts, I mean, unknown tracking alerts is only one aspect of the whole AirTag tracking. The other side being, you know, you own AirTags and your device is telling you where they're located. So that's different than being aware of an AirTag that is traveling with you. So maybe we're talking about two different things, or maybe we're talking about everything being on hold till the end of the year. Now I'm not sure.

Yeah, so I was fooled too, because the headline of the article I was reading said it's rolling out, and then the last paragraph of the article is, well, so Google announced it at Google I/O in May. I mean, the problem is you can have AirTags following you around, and unless you've installed an app on your Android phone, it doesn't know about AirTags. Installed, and it's running.

And it's running.

And by the way, it doesn't work very well. So it was reasonable for Google and Apple to try to solve this problem by Google building it into Android and so forth. And so Google announced it in May that they were going to do this, at Google I/O. They had thought they were going to put it in Android, I think it is Android 14, is soon. I guess 6.0 is the kernel, right, kernel version. So this article I'm reading along, and they're going to do it, they're gonna do it, and then the last paragraph of the article is, Google has announced it's putting this off until the end of the year because of the Apple Google consortium. They want to work it out between the two of them. So I don't think it's in there now. I know, I was very confused by this
personally. So I don't, they've promised it, and we need it.

Well, but is it here?

Yeah. And so what I picked up on said, you know, are beginning to roll out to Android 6.0+ users this month.

So I saw that too, and that was the same article that then said, at the end of the article, well, except no.

So, except not.

I'm very confused by the whole thing. Let me see if I can find the article I read, because I bet it was the same as the one you read. I bookmarked it in my thing here. And I think it was almost as if they had written the whole article and then did a never-mind on the whole thing. It was, so yeah, the headline of this article is just as you said: Android will now warn about unknown Bluetooth trackers like AirTag traveling with you. Sarah Perez writing for TechCrunch, July 27th. Google today will begin to roll out a new safety feature, unknown tracker alerts. But then go down to the bottom, same article: today, however, Google says this update is on hold.

Wow.

Wait a minute. Also announced, Google said it would update its, okay, so I guess the alerts are there, but they are not updating the Find My network to work with third-party. I guess that's what you just said. Okay, so if you read this carefully, which I didn't, apparently the update that's on hold is updating Find My to work with third-party trackers. So they are gonna, but then it says the decision was made to wait to roll out these updates because Google is now working in partnership with Apple to finalize the joint unwanted tracker alert specification by year end. Wow, really confusing. I think we are getting the alerts. I think it was just a poorly written article. That we are getting, I think that is right. You will, with Android 6.0 kernel, you'll begin to be told if something is traveling with you. The other stuff to come later.

Yeah. And it does say currently work with Apple AirTags, we will continue to work with tag manufacturers to expand this important protection. So I
don't understand why it's not working with everybody, because, you know, all, I thought something, right, standard.

Yeah, but apparently not. Also announced, Google said it would update its Find My Device network to help users locate other missing belongings which can be located by the third-party Bluetooth trackers. Now Google doesn't sell a tracker, so anything Google works with is third party, including AirTags, Tile, Chipolo. And I would say they don't yet sell one, because boy, I'm astonished by how popular Apple AirTags are.

Yeah. Oh, they've shared the numbers. It was millions of them were selling.

And the thing is, I think what really, there's lots of ways to track people, and you know, there's one fewer AirTag in use now, Leo, after you gave me a much better hammer. For next time I want to destroy something, I now have a mini sledgehammer. He didn't understand fully my plan. Okay, so the National Defense Authorization Act, which successfully passed the U.S. Senate last week, included a provision requiring the National Academy of Public Administration, whatever the hell that is, to conduct an assessment on the feasibility of establishing a new formal seventh branch of the U.S. military, which we've talked about several times, the U.S. Cyber Force. So this does appear to be happening. Since many of our listeners have explained that wearing ridiculous camouflage clothing indoors is a bizarre requirement of the U.S. military, now that's my word, bizarre, not theirs, you know, perhaps at least the Cyber Force's camo could have, you know, some cool cyber theme, like maybe those green falling and fading symbols from The Matrix, or maybe just do the whole thing in ones and zeros.

That would be very cool.

Right, like make camo out of ones and zeros.

Well, remember it's supposed to be camo. I think, why can't they just make something that makes you invisible? I mean, let's do it. That'd be really good.

Yeah, yeah, make a stealth camo. That'd be good.

Yeah. Anyway, I do hope that
someone gives this as much thought and serious consideration as it is clearly needed, because this U.S. Cyber Force, if they're gonna have to wear some ridiculous outfit, let's, you know, let's make it techy and cool.

So a number of our listeners are saying, including in the Discord, and somebody in the UK, that they do have these alerts now on their Android phone. So it did roll out.

Yeah, yay, good. Thank you, thank you, users, listeners. Super useful feedback. Yeah. Now the other wrinkle is that both the Army and the Air Force, you know, obviously well established branches of the military, have recently created their own new specialized cyber teams to support their traditional kinetic teams, as we're calling them, you know, with cyber tasks related to intelligence gathering, electronic warfare, and sensors. And I think that makes sense, since those cyber teams which support the traditional kinetic forms of warfare are probably going to be highly targeted and specialized for their specific tasks, whereas the military's new seventh branch would be far more wide-ranging, you know, and not all focused upon specific current Army and Air Force military operations. So anyway, but through all this it is quite obvious that cyber, I know you love that term standing by itself, Leo, cyber has well and truly arrived, both on the front lines and soon in dimly lit dens filled with monitors and empty caffeinated beverage cans.

And pizza boxes. I want to know what they're going to be wearing, that's all I'm saying. For some reason this really matters to me. We should explain that a couple of weeks ago Steve had a photo of the Cyber Defense Command, and they were all wearing BDUs, battle dress uniforms, that were camouflaged. But obviously they're not in the jungle, they're in a room. You can't even observe them from satellite reconnaissance. We have to find some stealth uniforms for them.

Yeah. Okay, so meanwhile, Russia continues to separate
itself from the West. The Russian Parliament just passed three bills which, once signed into law by Putin, will ban Russian citizens from participating, I know, in the activities of foreign non-profit organizations that have not specifically registered with the Russian government, and none have. Commentary about this over on opennet.ru notes that an unintended side effect will be that Russians using open source software would be prevented from contributing in any way to those projects, even from submitting bug reports. Now, as we know, today's open source software includes Linux, Firefox, most major database systems and programming languages. Now, I read the entire piece after having Google translate it into English for me, and it only talked about the unintended consequences. I was unable to determine what the intended consequences of the three pending bills would be. Why would Russia think this was a good idea?

I know. One of the reasons repressive regimes pass bills like this is for selective prosecution. So, you know, if they need a way to get at, if they want to stomp on somebody, they have a long, oh, what's that copy of Linux doing there? You're in trouble, big boy. That kind of thing.

Yeah, yeah. I mean, I can't imagine they want to stop all open source. I mean, they're using it.

Yeah, the Russian official operating system is Linux-based.

Yes. And there are lots of really good Russian teams that are doing good work.

Well, maybe that's who they want to check. You want to check the source code, but still.

Yeah, maybe that's what it's really about, you know. It's kind of retaliation for the sanctions or something. We don't want you to have any of our stuff.

Right. So VirusTotal is out with their look at 2023 to date. It's always interesting, since, you know, they've got a good snapshot, since everybody is submitting stuff to them. You know, as I've mentioned before, whenever I download some old archive from some sketchy looking site, I immediately, you know, hand it to VirusTotal
to see what it thinks, just because, you know, it's better to be safe than sorry. So they get a really good snapshot of this. So they have some main takeaways from their most recent update. First of all, email attachments, to no one's surprise, continue to be the most popular way to spread malware. However, traditional file types, Excel, RTF, you know, Rich Text Format files, CAB, and compressed formats, are becoming less popular. Although the use of PDFs slowly decreased for the last few months, starting in June of 2023, the biggest peak in PDF usage was observed during 2023 compared to the previous two years. So PDFs are still a big deal, with a, like I know, just a little, maybe they're, you know, a little summer slump for some reason. However, the big changes are in OneNote. OneNote and JavaScript, both distributed through HTML, are the most rapidly growing formats for malicious attachments in 2023, with OneNote emerging this year as a reliable alternative for attackers to the traditional use of macros in other Office products. Malicious OneNote files usually embed an additional malicious file. So OneNote is just sort of serving as a recognizable container that seems benign, and I guess it's, you know, leave it to Microsoft, their various security permissions allow OneNote to be opened when you click on something on a web page. So yeah, let's have OneNote bring it in. So the OneNote files usually embed an additional malicious file: a VBA, HTML and JavaScript, PowerShell, or some combination of those. And as happens with malicious Office attachments, the attempt is then made to convince the user to allow its execution. Payloads vary from one malware family to another, but many of them access external URLs to then download a DLL file which is camouflaged as a .PNG, you know, which is an old trick used to bypass simple firewall rules or just to appear less suspicious to anybody who knows to look. The most usual kill chain, as it was noted and stated,
where the OneNote format is involved is three steps. The victim receives an email with a OneNote attachment. The mail body encourages the victim to click on a button to see a hidden or distorted image or document. Second, this button executes a script, VBScript, a PowerShell, or whatever, and that will launch a payload either embedded into the same script or downloaded from an external resource. And then finally, the external payload might be yet another OneNote file, an image file renamed as a .bat file, a DLL that's loaded into memory, or even a Windows executable. So we have inherently dangerous capabilities mixed with social engineering attacks, and only one mistake made by one curious or inattentive employee within a major organization is all that's required to invite the malware in to set up shop and, who knows, contact a satellite internet provider in order to say, hey, I made it in, what do you want me to do?

Following behind OneNote, ISO image files for malware are now a flexible alternative for both widespread and targeted attacks, and their distribution as heavily compressed attachments makes them difficult to scan by some security solutions. So it says, VirusTotal, ISO files are being disguised as legitimate installation packages for a variety of software, including Windows, Telegram, AnyDesk and Crypto Notepad, among others. VirusTotal said, quote, our data shows that there was an increase in the number of malicious files attached to emails between March and April of 2023.
In terms of suspicious attachments, for the past two years we have observed spikes in the number of suspicious PDF files linked to malicious campaigns. These files can be used for a variety of purposes, such as exploiting vulnerabilities or phishing, which is what happens most of the time. And they said during 2023 so far they saw a significant increase in the use of JavaScript distributed alongside HTML, used in sophisticated phishing attacks which were designed to steal victims' credentials. Excel, RTF, CAB and compressed formats, as I mentioned before, and Word, interestingly, seemed to be declining in popularity, along with the others, as malicious attachments compared to OneNote and JavaScript. So that's the wrap-up on what's been happening so far in 2023. And we should have already taken a break, Leo, but let's do it now. I'm gonna share some amazing feedback from our listeners.

Ah, I'm ready to go with amazing feedback. Our show today brought to you by, and you know, this is a product that you use, I know that, and that I use, and that most of our listeners, I hope by now, are, you know what it must be. It's gotta be Bitwarden, right? The only open source cross-platform password manager you can use anywhere, anytime, at home, on the go, at work. We are moving to Bitwarden Enterprise as I speak here, and of course I've been using Bitwarden, the individual plan, which is free forever on any device, unlimited passwords, for some years. Steve uses it, we all love it. Look, I know you know that you have to have a password manager if you listen to Security Now, and if you haven't figured that out yet, I, you know, it's funny, because people can lie to themselves. People do. So for instance, you know that one of the biggest threats, maybe the biggest threat, is reusing a password, or using an insecure password because it's easier to remember. You should be making long, strong, unmemorable, totally random passwords, and they should be unique for every place you use passwords.
You know that if you listen to the show. You know that. But you know, in your head you go, well, I know, but my birthday and my dog's maiden name is easy for me to remember, and nobody's ever going to guess that. You should also know never to underestimate the ability of brute force attackers. It is mind-boggling what they can do, and they are after everybody. So, and it's so easy to use a password manager with Bitwarden, it's free. All the data in your vault is end-to-end encrypted, not just your passwords. That's important, not all password managers do that. No metadata is leaked out at all. In the Summer 2023 G2 Enterprise Grid Report, Bitwarden solidified its position as the highest performing password manager for enterprise, leaving competitors in the dust, I might add. Bitwarden protects your data and privacy by adding strong, randomly generated passwords for every account, and most importantly, by making it easy to do that. Easy to generate them, easy to use them, easy to protect yourself. And now they've added new features which are even better. This is one of the advantages of open source. We've talked about the key derivation function, which makes it harder to brute force your password vault. Everybody's been using PBKDF2, sometimes with too few iterations. I turn my iterations up to 2 million to give it the most protection. But there are better algorithms. There is the memory-hard Argon2 algorithm, there's the bcrypt algorithm. Well, interestingly, I think he was one of our users, actually, Quexten, one of our listeners, Steve, who wrote these, because it's open source, and did a pull request, and offered implementations of these memory-hard algorithms to Bitwarden. Bitwarden looked at them, worked with Quexten, and ended up saying, we're going to implement your version of Argon2. Within a few months it was available. Everybody who's using Bitwarden 2023.2 or later, which should be everybody by now, can use it. I turned it on immediately. It makes no difference in the speed or
usability of Bitwarden, but it makes a huge difference for an attacker who wants to brute force you. You know, it's just, and the default settings, by the way, those are the ones to use. They put in some extra stuff which is interesting, someday we'll talk about that, but just know the default settings are exactly right. They also now have a username generator, so not only do you have a unique password for every site, but you can have a unique username. In fact, they work with five email services, including our sponsor Fastmail, so you can still get email at that address, which is really cool. There are five different integrated email address services that you can use to create aliases unique to every account. So that makes it, you know, the bad guy's gotta get the password, they've got to get your new unique email address, it's not your real email address, and of course if you're using two-factor, you should be, they've got to get that too. Because it's open source, you can see all of Bitwarden's code. It's on GitHub, you can look at it if you want. Now I know most people, when I say that, go, well, I'm not going to know what to look at. But here's the good news: not only is it open to experts and anybody who wants to view it, they yearly go through a professional third-party audit and publish the results on the website. So you can be assured, go look, bitwarden.com, you can be assured that you are, dot, /twit, don't forget the /twit, by the way, bitwarden.com/twit, use that address if you will, that it's all secure and open source. They have some really nice features in the Teams and Enterprise organization plans that let you share data with co-workers across departments. There's a Teams organization option, three dollars per month per user. Enterprise organization, the one we're going to use, is five dollars per seat, per user. And of course the individual basic free account, always free, free forever. I asked them, is it free forever? Are you ever going to charge for that? They say we can't. It's open
source, we can't. If we did, somebody would fork it, and it'd still be free forever. So they have, this is not our business model, they say. They do offer a premium account which allows you to use two-factor, 10 bucks a year. A year. I did that before I even knew what the benefits were, just because I wanted to support them, because I believe in what they're doing. There is a family plan as well, six users, they don't have to be in your family, all of them get premium features for 3.33 a month, about 50 cents per user, what is it, 54 cents per user or something, 56. Bitwarden has launched its new Bitwarden Secrets Manager. This is coming out of beta soon. This might be something, as a developer, you might want to take a look at. It lets you keep developer secrets out of the source code, so you don't actually commit them, but it keeps them secure in the vault. Okay, right now our friends at Bitwarden are having a little fun contest. They want to hear about you and why you love your password manager. They do have cash prizes. It's a short video contest, but you're gonna have to check them for the rules and the details. If you go to bitwarden.com/talent, because you've got talent, you can learn how to enter and win: examples, rules, submission instructions, all of that. You got two weeks, August 13th is the deadline. bitwarden.com/talent. That's fun. Look, I shouldn't have to tell you, you need a password manager. If you don't want to use one, it's on your head, fine. Tell your family and friends, though, Bitwarden, do them a favor. At least get started with Bitwarden's free trial of a Teams or Enterprise plan at work, or get started for free for yourself with your personal account. bitwarden.com/twit. They're just the best, that's all there is to it. And we, you know, I've been using them and recommending them long before they became a sponsor. I was just very glad that they became a sponsor so that, you know, we could really tell you about Bitwarden, and they could help support what we're doing here
with Steve and Security Now.

I did want to mention, Steve, I got an email from somebody who says, oh, my VPN, I think he's using Nord, NordVPN is one of the VPNs that I think blocks Cachefly, of all things, I can't download your podcast. And it may also be the trackers. You could whitelist the trackers. A lot of ad, uBlock Origin, for instance, makes it hard to download. You can whitelist them. But what I would suggest is you pay for the podcast. You can get it individually, if it's just Security Now, 2.99 a month. iTunes offers that, I think Spotify might as well. Or get a Club TWiT membership for seven bucks a month, get everything ad free, with no trackers, nothing. So we were talking earlier about trackers. We have to do trackers for advertisers, but if there's no ads, we don't. So if you want ad-free versions and tracker-free versions of all the shows, we offer that for people who want it. But we've got to pay for it somehow. So either you give us some money or an advertiser gives us money. It's your choice. But if you haven't yet joined, please, twit.tv/clubtwit. Get Steve's show by itself, or get all of our shows for just a little bit more. Okay, Steve, on with us. When you're talking about password managers, I just can't imagine life without one. It's so much easier once you're used to it, right?

Well, and I think that, yes, that, and maybe 10 years ago, 20 years ago, well, I mean, you know, people had four or five online accounts.

Yeah.

You know, there wasn't that much to do.

Yeah, there wasn't that much going on online.

Now our lives are online, and you know, I mean, all of our utilities we have accounts for, and all of our various services we have accounts, and you know, if you want to grab a car and drive somewhere, or, I mean, all of the airlines you have accounts. I mean, everything. And so if they're gonna all have their own password, you just have no choice. Even if it were memorable, you have to. But I can't tell you how many
people I know, in my own personal family even, who know better, but, you know, it's just, fine, I don't know.

Yeah, I don't care. Patrick Engineer says his dad, who was a U.S. attorney, had a little black book of passwords. The problem is, yeah, you can do that, but then you have to generate unique passwords each time. It's just easier to use a password manager and let it do the heavy lifting.

Yeah, I think easier than putting in a notebook. You'd have to write it down, you'd have to remember, you'd have to look it up. It just does it. Anyway, okay, so some feedback. Jeff Parish, he said, thank you for another great episode. I am IT for a health care facility, and this episode, referring to last week, made me review the HTML of our EHR provider. I've now contacted them about the Google Analytics tracking they have on their site after we are logged in. So that was cool and useful too.

At least one of our listeners, actually.

Another one, Robert C. Covington, he's a long time listener. I oversee cyber security for a large children's hospital system. Your podcast transcripts are frequently on my screen during team meetings.

Wow, that's awesome.

Yeah. He said, regarding website tracking and the recent OCR notice referenced in episode 932, last week, there is a side consequence I've not heard mentioned. Cyber insurance companies are now declining to cover any legal actions arising out of website tracking and collection of personal health information. This is sending many health care orgs scrambling to get tracking tools off their websites. Keep up the excellent work, Robert Covington. He says, oh, PS, you fell into the classic trap on 932. It's HIPAA, H-I-P-A-A, not H-I-P-P-A. So thank you for the correction, Robert. And very interesting that that will certainly remove tracking from health care if they know that they're not going to get any insurance coverage from their providers if they do that and anyone gets called out for having, you know, personal health information disclosed. If there's trackers on there, it's
it's, you know, sorry, your insurance won't cover that.

Wow.

John Daigle said, hi Steve, thanks for the shout-out on the 25th July episode, that was last week. He said, I am the quote neat guy unquote who you saw on TWiS, This Week in Space, talking about orbital debris. And he said, he was joking, he said, I'm fairly sure you weren't referring to Jeff, and I'm really sure you weren't referring to Rod, ha ha. So he said, thank you for your kind mention. He said, I've been a Security Now listener since episode one, proud SpinRite owner, he says, and somewhere I have a certificate for a TWiT brick. He said, pretty sure I've not missed a single episode, at least not a whole one. At the beginning I was in the U.S. Air Force. I stuck around for hobbyist purposes and with a plan to go into cyber security, but I made a detour into space policy. Orbital debris is a clear and present concern, if not actual danger, he said. The space advocacy organization where I work considers this one of a handful of high priorities. While there are a number of public sources for tracking objects in orbit, they don't all agree. According to orbiting-now.com, a relatively approachable source, using that as a reference, and he said a high level summary is available here, and I have a link to it. It's a long URL, nanoavionics.com/blog/how-many-satellites-are-in-space, and that's all hyphenated: how-many-satellites-are-in-space. And I think I clicked that, and it showed a picture of the Earth, and if that's an accurate depiction, it is a little sobering. And I think it may be accurate, because it actually shows some of Elon's satellite trains.

4,500 SpaceX satellites, which is half of all satellites, are SpaceX. This is not SpaceX, Starlink, which is from SpaceX.

Yes, I thought Starlink. Oh, I was so happy when I, you know, oh, we're gonna have low cost internet coverage in every corner of the globe. First of all, it's not low cost, it's very expensive. And second, he's gonna put 42,000 satellites up. This is
almost one-tenth. It's going to be Star Junk instead of Starlink. I mean, this is terrific. So John said there were about 7,700 to 8,400 active human-made satellites in orbit around our planet. The vast majority, 90 percent, are in low earth orbit, and so that's less than a thousand kilometers up. About one-third of these have been added in the past few years, mainly by SpaceX Starlink. About seven percent of the total are in geostationary orbit, though, where these are LEO satellites we were just talking about, the GEO, geostationary. He said, with the remainder in medium earth orbit, very few of those. He said almost 2,300 inactive satellites, meaning they're up there, but, you know, they died, or they're dead, or their battery ran down or something. And he said thanks for the shout-out. And he's had the brush with greatness, Jonathan, Washington DC. He's the policy chair for the National Space Society.

And yeah, you had that on the picture, that beautiful picture of the Earth, and I think, I can't see it there, but it showed like Elon's, you know, Starlinks, there's lines.

Yeah, yes.

New York Times this Sunday had an article about the concern, the political, geopolitical concern, that Elon, who has, let us say, seemingly slightly erratic, controls the Starlink system, and the Ukrainian military relies on it.

Yeah.

For military communications. And they're concerned. They asked, in May, the Times reported, they asked the federal government, what's the deal with this Elon? And the government basically went, we don't know. Well, and we're also in bed with him, right, because now we're contracting with him to launch our major space payloads. I bet they're regretting it a little bit right now. I mean, he just seems quite erratic. And I'll find this New York Times picture because it's actually animated and it's quite good. It's really, really, it looks like similar data, because, yeah, you can see these Starlink trains in it.

Yeah, yeah. So we have another
listener, John Sutherland, whose Twitter handle is @JohnOrion, which I got a kick out of. He said, I wanted to offer a bit of knowledge I had about U.S. military satellites. I was active duty in what is now Space Force for 11 years, and I'm currently a contractor still supporting space. I flew SATCOM for four years, then taught for seven.

That's cool.

He says, I, what an audience we have.

Amazing people in the office.

We have amazing listeners. Blows me away.

That is great.

He said, I taught both classified and unclassified classes, so I'm very familiar with where the line is for what's classified. I can go right up to that line. Having just finished the second part of Satellite Insecurity, meaning last week's podcast, I can share that luckily most of the problems you talked about are not as true for U.S. DOD satellites.

Yeah, we're well protected, I bet.

Yeah, yeah. He said, the preconception that attackers would not have the equipment was never the case. China and Russia have always had similar ground station capabilities as we have. The oldest satellites I've worked with were developed in the late 80s, and they were highly encrypted and rolled keys constantly. For communication satellites the data is just routed, so encryption is as good as it could be on Earth and not subject to the satellite's age. Controlling the satellites, i.e., moving them, changing configuration, is done with separate antennas that are monitored, and any communication with them is watched in real time. If someone did break this encryption it would quickly be learned. As for physical attacks, huh, this gets a little interesting with his choice of words. As for physical attacks, the arms of attacking satellites is only a start. When we tabletopped attacks and planned responses, TTPs, tactics, techniques and procedures, we looked at jamming, ASATs, which he'll explain in a second, mechanical arms and lasers. Jamming being the most common, and ones we have actually seen happen. Most jammers are big ground-based
semi trucks or ships that just try to overpower the uplink.

So they're just blasting the same satellite target, hoping that it won't be able to receive the actual signal.

He said most jammers, oh yeah, yeah. So he said, we have many mitigations to this, and I taught a class on RF attack and defense as part of Operators Advanced Training. ASATs, as he uses the term, as you talked about, with blowing up satellites from the ground, are extremely unlikely at this point. We're much more concerned with small satellites with explosives, the idea being that an adversary would place and leave something small on a foreign satellite that could be triggered on demand at any time in the future.

Whoa.

So they're planting, they're mining satellites without the satellite's knowledge. They creep up, stick something sticky on the side that's a bomb with a radio, and then leave, and that can then be detonated in the future. So, I mean, what a mess, Leo. Can you imagine, like, everybody's satellites all have these bombs stuck to them from other hostile nations?

I really want to ask these, by the way, here's the New York Times animation. This is 10 minutes of Starlink satellites, in, wait, in the future? No, no, this is July. It launched, as of July 10th. This is current. Look at all of them.

Yes, yes. Oh, my Lord.

I'm wondering if we're having second thoughts about letting Elon launch all of these. This is crazy. Wow. This is half of the entire satellite load. And they're only in a train before they've distributed from the train, but if you look, right, it looks like there's groups of two and three in some places. It's really interesting. There's definitely method to the madness.

Yeah, those trains you see are not yet deployed. They launch that and then they slowly deploy, isn't that why?

Wow. I want our satellite experts, though, to tell me if I should worry about the Kessler syndrome, Kessler effect, or not. Right, so if you blow up a satellite and then debris
from the satellite then blows up five more satellites, and the debris from those satellites blows up 25 more satellites, and on and on and on, could you occlude the night sky? This has been demonstrated with dominoes, and it's starting to work. Not good. I know there are missions, we're running missions, and I think China is running missions to snarf up satellites, like the Moonraker thing we were talking about. But why, I just, I mean, what happens? I mean, I guess when they've reached the end of their life they just go through the atmosphere. All I can say is we should hold on to our DVD collection, because we do not want to become too dependent on space. Yeah, on space-based internet. Yeah, crazy. So he finished saying: I cannot talk to the mechanical arms, as the line beyond which I cannot talk is around this, but it's safe to... uh-huh... but it's safe to say that this has been looked at and is in some level of development by both sides. Huh. He said: lasers are not a threat to all types of satellites, but China and Russia have used lasers to blind sensors of low flying spy satellites. This is hard to guard against, but we do equip satellites with shutters now, and for satellites lacking shutters we only need to spin them around. You see, and he finishes: there's more that cannot be talked about, but with your level of technical knowledge and a little imagination you could get close to guessing what's going on. I can tell you I've never been surprised when I got a security briefing. So very cool. Christmas, all right, thank you. We have wonderful listeners, we thank you all. It's really fascinating. And another one, Michael Falk vid. Michael is on the board of OWASP in Gothenburg, Sweden. He's the guy who invited you to present SQRL to their group. Well, it turns out that Michael knows more than a little bit about satellite software. He said, regarding authenticated telecommands to satellites (now we talked about this last week, right, the idea being that
telecommands are ways you tell satellites to do things), but what the guys who reversed the firmware found was there was a surprising lack of authentication. So Michael said: what satellite programmers are most afraid of is bit flips caused by single event upsets, what is termed an SEU, a single event upset. You mean cosmic rays? Yes. He says, which happen due to radiation in space. He said: imagine that an SEU flips a bit in the key used to authenticate the telecommand. Right. Authentication would fail, and guessing which bit or bits flipped could take some time. That's why you have ECC, I mean, we have ways. He says: there are of course mitigations, for example using error correction codes or storing the key in multiple places, but complexity is the enemy of reliability, and resources (compute, flash, RAM) onboard satellites have been very scarce historically, and people want reliable satellites, so they are hesitant to introduce new features. "Flight proven" (he has in quotes) is the mantra, so the old ways live on. The risk of losing the satellite because of an SEU, a spontaneous single event upset, has been deemed higher than the risk that the satellite is hacked. Not an excuse today, but that's how the industry is. And then he finished saying (parens) I have written the software for two satellites. And he said... yeah, like you said, Leo, our listeners are amazing. Wow. SEUs are also one of the reasons telecommands exist to write to any memory location. NASA used this feature to restore a bit flip on Voyager 2 in 2010, 33 years after its launch. So Michael also provided a link to a summary from JPL, you know, the Jet Propulsion Laboratory in Pasadena, which documented events surrounding exactly this happening back in May of 2010.
Somewhat astonishingly, Voyager 2 remains alive and functioning to this day, though something happened with it just last week which I'll get to in a second. We last checked in on Voyager 2 nearly five years ago when, on November 5th of 2018, it became only the second spacecraft to ever exit our solar system's heliosphere. And remember, Leo, we considered whether this event might break the simulation that Elon, among others, appears to be convinced we're all living within. But so far the simulation appears to be holding. We were wondering, if Voyager 2 exited the heliosphere, was there a maximum radius at which the simulation, you know, would still be functioning, and whether Voyager 2 might just spontaneously disappear because it got too far away. Anyway, let's turn the calendar back 13 years to May 6th of 2010, when JPL wrote, they said: Engineers have shifted NASA's Voyager 2 spacecraft into a mode that transmits only spacecraft health and status data while they diagnose an unexpected change in the pattern of returning data. Preliminary engineering data received on May 1st (this would be May 1st of 2010) show the spacecraft is basically healthy, and that the source of the issue is the flight data system, which is responsible for formatting the data to send back to Earth. The change in the data return pattern has prevented mission managers from decoding science data. The first changes in the return of data packets from Voyager 2, which is near the edge of our solar system, appeared on April 22nd. Mission team members have been working to troubleshoot and resume the regular flow of science data. Because of a planned roll maneuver and moratorium on sending commands, engineers got their first chance to send commands to the spacecraft on April 30th. It takes nearly 13 hours for signals to reach the spacecraft and nearly 13 hours for signals to come down to NASA's Deep Space Network on Earth. Voyager 2 launched on August 20, 1977. So, wow. He said, about two
weeks before its twin spacecraft Voyager 1. The two spacecraft are the most distant human-made objects, out at the edge of the heliosphere, the bubble the sun creates around the solar system. Mission managers expect Voyager 1 to leave our solar system and enter interstellar space in the next five years or so, with Voyager 2 on track to enter interstellar space shortly afterward. Voyager 1 is in good health and performing normally. Ed Stone, Voyager project scientist at the California Institute of Technology in Pasadena, said: Voyager 2's initial mission was a four-year journey to Saturn, but it is still returning data 33 years later. It has already given us remarkable views of Uranus and Neptune, planets we had never seen up close before. We will know soon what it will take for it to continue its epic journey of discovery. Meaning that at the point where he's talking about this, something broke, and Voyager 2 was no longer sending data back, you know, the science data that they wanted. And he said: the original goals of the two Voyager spacecraft were to explore Jupiter and Saturn. As part of a mission extension, Voyager 2 also flew to Uranus in 1986 and Neptune in 1989, taking advantage of a once in 176-year alignment to take a grand tour of the outer planets. I just love this. It is just so cool, you know, real science. Among its many findings, Voyager 2 discovered Neptune's Great Dark Spot and 450 meter per second, one thousand mile per hour, winds. It also detected geysers erupting from the pinkish shield of nitrogen ice that forms the polar cap of Neptune's moon Triton. Working in concert with Voyager 1, it also helped discover actively erupting volcanoes on Jupiter's moon Io, and waves and kinks in Saturn's icy rings created by tugs of nearby moons. Voyager 2 is about 13.8 billion kilometers (8.6 billion miles) from Earth. Voyager 1 is about 16.9 billion kilometers (10 and a half billion miles) from Earth. The Voyagers were built by
JPL, which continues to operate both spacecraft. Caltech manages JPL for NASA. Okay, so May 6, 2010, and something has broken and gone wrong with Voyager 2 such that the spacecraft's science data is no longer being properly formatted. 11 days later, on May 17, 2010, we learned what went wrong. Engineers at NASA's JPL said Monday, May 17th, that one flip of a bit in the memory of an onboard computer appears to have caused the change in the science data pattern returning from Voyager 2. A value in a single memory location was changed from a zero to a one. On May 12th (so, yeah, on May 12th) engineers received a full memory readout from the flight data system computer, which formats the data to send back to Earth. They isolated the one bit in the memory that had changed, and they recreated the effect on a clone computer at JPL. They found the effect agrees with the data coming down from the spacecraft. They're planning to reset the bit to its normal state on Wednesday, May 19th. And then three days later, on May 20th, we have the report of the conclusion of this high-stakes drama: Engineers have successfully corrected the memory on NASA's Voyager 2 spacecraft by resetting a computer bit that had flipped. Reset commands were beamed up to the spacecraft yesterday, Wednesday, May 19th, and engineering data received today confirmed that the reset was successful. The Voyager team will continue monitoring the engineering data, and if the bit remains properly reset, commands to switch to the science data mode will be beamed up to Voyager 2 on Saturday, May 22nd. Receipt of science data would then resume on Sunday, May 23rd. And all of that did happen on schedule. But I also noted that something else happened just last week. NASA's blog posting Friday, July 28th of this year read: A series of planned commands sent to NASA's Voyager 2 spacecraft (right, still going strong) on July 21st (so toward the end of last month, just a couple weeks ago)
inadvertently caused the antenna to point 0.2 degrees away from Earth. Now, when you're billions of miles away, two degrees, baby, you know, I mean, you might as well be looking in the other direction. So, as a result, Voyager 2 is currently unable to receive commands (whoops) or transmit data (whoops) back to Earth. Voyager 2 is currently located almost 12.4 billion miles from Earth, and this change has interrupted communications (no kidding) between Voyager 2 and the ground antennas of the Deep Space Network. Data being sent by the spacecraft is no longer reaching the Deep Space Network, and the spacecraft is not receiving commands from ground controllers. Right, it's... ooh. Voyager 2, however, is programmed to reset its orientation multiple times each year to keep its antenna pointed at Earth. The next reset will occur on October 15th, which should enable communication to resume. The mission team expects Voyager 2 to remain on its planned trajectory during the quiet period. Voyager 1, which is almost 15 billion miles from Earth, continues to operate normally. And finally, a couple of interesting tidbits about the Voyager probes. Uplink communications to the Voyagers is via S-band at 16 bits per second, while an X-band transmitter provides downlink telemetry at 160 bits per second normally, and 1.4 kilobits per playback of high rate plasma wave data, although I think that I saw that the plasma wave science equipment has been turned off due to power consumption. All data are transmitted from and received at the spacecraft via the 3.7 meter high gain antenna. So that's the big high gain dish, and obviously, being a dish, it's pointy, so you've got to point it in the right direction. Electrical power is supplied by three radioisotope thermoelectric generators (RTGs). The current power levels are about 249 watts for each spacecraft. As the electrical power decreases, power loads on the spacecraft must be turned off in order to avoid having demand exceed supply, or otherwise the voltage would drop. As loads are turned off,
some spacecraft capabilities are eliminated. So, and NASA maintains an extremely cool real-time Voyager status page which continuously shows the location of both spacecraft and other interesting tidbits, such as which science modules are currently turned on and off given the amount of available power. So I created a shortcut, grc.sc/voyager, because the page is so cool. We haven't looked at it since we last talked about the Voyager probes. grc.sc/voyager, or you can just Google "Voyager mission status" and that will bring up, as the first link, that page, where, I mean, it's updating as you watch it, on the fly, how far both of these probes are, and also which science modules are turned on and off. So anyway, big thanks to our satellite-informed listeners for their listening. And we won't lose Voyager, because it's going to reorient, so that's great. Yeah, right. I do want to correct myself. It's not V'Ger. I was looking it up. I thought, well, which one was V'Ger, Voyager 1 or Voyager 2? Neither. Oh, V'Ger. Is this a spoiler now? No, don't. I won't tell you what I'm talking about. If you know, then you know. V'Ger was Voyager 6, which was, remember, this is a movie that came out in 1979, which was to be launched in 1999.
Ah, so, and of course there is no Voyager 6. It's in the future, if we haven't launched it yet. Yeah, of course, which explains how it got so smart, because by 1999 AI was happening. How we thought all this stuff would be happening by now. Anyway. Oh, Leo, everyone wants to know where their flying cars are. Yeah, yeah. You know, yep. And now I know that would be a very bad idea. So Voyager 2 has been out there for 45 years, unblazing. That is really... yeah. So John David Schober, he said: Hey Steve, on SN932 I heard you talking about how you're keeping the rack of servers at Level 3 and not moving to the cloud. In case you wanted some interesting reading, here's a blog post from David Hansson, founder of 37signals and Basecamp and creator of Ruby on Rails. DHH. David Heinemeier Hansson, yes. Yes, David, and DHH, yep. Yes. He discusses how they regret moving their business to AWS and how expensive everything was, and how much better life is being back on their own hardware. So first of all, John, thanks very much for the pointer, since this topic is quite near and dear to my heart, and since I think it might also be extremely interesting to a large number of our listeners, I want to share the blog post that John pointed to. As John said, this was written by David H. Hansson, and it was posted just last October 19, 2022, titled "Why we're leaving the cloud." David wrote: Basecamp has had one foot in the cloud for well over a decade, and HEY (h-e-y) has been running there exclusively since it was launched two years ago. We've run extensively in both Amazon's cloud and Google's cloud. We've run on bare metal virtual machines. We run on Kubernetes. We've seen all the cloud has to offer, and tried most of it. It's finally time to conclude renting computers is mostly (he has in parens) a bad deal for medium-sized companies like ours with stable growth. The savings promised in reduced complexity never materialized, so we're making our plans to leave. He continues: the cloud excels at two
ends of the spectrum, where only one end was ever relevant to us. The first end is when your application is so small and low traffic that you really do save on complexity by starting with fully managed services. This is the shining path that Heroku forged, and one that has since been paved by Render and others. It remains a fabulous way to get started when you have no customers, and it'll carry you quite far even once you start having some. He says (parens) then you'll later be faced with a good problem once the bills grow into the stratosphere as usage picks up, but that's a reasonable trade-off. He says the second (meaning the second useful use case) is when your load is highly irregular, when you have wild swings or towering peaks in usage, when the baseline is a sliver of your largest needs, or when you have no idea whether you need 10 servers or a hundred. There's nothing like the cloud when that happens, like we learned when we launched HEY and suddenly 300,000 users signed up to try our service in three weeks, instead of our forecast of thirty thousand in six months. But neither of those conditions apply to us today (and I would say neither of them apply to me, GRC, and actually probably to TWiT). He says they never did for Basecamp, yet by continuing to operate in the cloud we're paying an at times almost absurd premium for the possibility that it could. It's like paying a quarter of your house's value for earthquake insurance when you don't live anywhere near a fault line. Yeah, sure, if somehow a quake two states over opens the Earth so wide it cracks your foundation, you might be happy to have it, but it doesn't feel proportional, does it? Let's take HEY as an example. We're paying over half a million dollars per year for database (he says RDS, you know, relational database) and search (Elasticsearch) services from Amazon. Yes, when you're processing email for many tens of thousands of customers, there's a lot of data to analyze and store, but this
still strikes me as rather absurd. Do you know how many insanely beefy servers you could purchase on a budget of half a million dollars per year? Now the argument always goes: sure, but you have to manage these machines. The cloud is so much simpler. The savings will all be there in labor costs. Except no, he says. Anyone who thinks running a major service like HEY or Basecamp in the cloud is simple has clearly never tried. Some things are simple, others are more complex, but on the whole I've yet to hear of organizations at our scale being able to materially shrink their operations team just because they moved to the cloud. It was a wonderful marketing coup, though, sold with analogies like: well, you don't run your own power plant either, do you? Or: are new infrastructure services really your core competency? Then lathered up with a thick coat of new-new-new paint, and the Cloud (in caps) beamed so brightly only the Luddites would consider running their own servers in its shadow. Meanwhile, Amazon in particular is printing profits renting out servers at obscene margins. AWS's profit margin is almost 30 percent, and he says 18 and a half billion dollars in profits on 62.2 billion in revenue, despite huge investments in future capacity and new services. This margin is bound to soar now that the firm said it plans to extend the useful life of its servers from four years to five, and its networking equipment from five years to six, in the future. Which is fine, of course. It's expensive to rent your computers from someone else, but it's never presented in those terms. The cloud is sold as computing on demand, which sounds futuristic and cool, and very much not like something as mundane as renting computers, even though that's mostly what it is. But this isn't just about cost. It's also about what kind of internet we want to operate in the future. It strikes me as downright tragic that this decentralized wonder of the world is now largely operating on computers
owned only by a handful of mega corporations. If one of the primary AWS regions goes down, seemingly half the internet is offline along with it. This is not what DARPA designed. Thus I consider it a duty that we at 37signals do our part to swim against the stream. We have a business model that's incredibly compatible with owning hardware and writing it off over many years. Growth trajectories are mostly predictable. Expert staff who might as well employ their talents operating our own machines as those belonging to Amazon or Google. And I think there are plenty of other companies in similar boats. But before we can more broadly set sail back toward lower cost and decentralized shores, we need to turn the rudder of our collective conversation away from the cloud-serving marketing nonsense about running your own power plant. Up until very recently, everyone ran their own servers, and much of the progress in tooling that enabled the cloud is available for your own machines as well. Don't let the entrenched cloud interests dazzle you into believing that running your own setup is too complicated. Everyone and their dog did it to get the internet off the ground in the first place. It has only gotten easier since. It's time to part the clouds and let the internet sunshine through. So, anyway, he's a crackpot, but okay. Yes, as you say, there's a lot of reasons you'd want a cloud. For AI training, for instance, you're not going to go out and buy a thousand cards from Nvidia and a bunch of servers and stuff just for the training, and then just let them sit in the basement. Well, you just gave a perfect use case for the cloud, and I've heard that suggested: you would use the cloud to train the model and then run the model. Yeah, lots of people, yes. Yeah, I mean, I think it's very common. You say you're not in the cloud, but Level 3 isn't on-prem. Aren't you in the cloud? Well, everybody has some tier one service provider. I mean, so you haven't... you
have your servers in your house? No, no, my servers are a short drive away in a data center. But that's not the cloud, because you own the hardware. Correct. Okay, all right. I mean, my website is right down the hall. It literally is on-prem here. Except you've talked about how expensive Mastodon is. Mastodon is running in the cloud, yeah, no matter how big it gets. Well, so there's an example. I wanted to run Mastodon in the cloud because I didn't want to maintain it and run it off the servers here, and because we don't have enough local bandwidth to run it. I mean, obviously 37signals can afford to buy many, many gigabits of bandwidth. Ah, right. I mean, come on, he's kind of a crackpot, he's a well-known crackpot, but you know, they are all the cloud now. Yeah, we'll see. I'd like to see what his bills are for running it locally. The problem really is that he doesn't see those bills, because it comes in the form of rent and electricity and air conditioning and things that he doesn't consider. Well, I pay about a grand a month for all of GRC and all of my servers and all of my bandwidth. It's kind of a cloud, because you're running in a network operations center, you're not running on-prem. Well, no, he's talking about renting. Oh, he's talking about the same thing. Yeah, yeah. A colo is going backwards a little bit, I think, but okay, fine, it's whatever. You know, there are a lot of businesses who will... and that of course was the whole point of his blog post, was that it is saying to go backwards, okay, that, you know, the promise of the cloud did not materialize. Anyway, I wanted to share it with our listeners. It is my position, it is what I'm doing, and I have fixed costs. I could run Mastodon servers till the cows came home, right, and it wouldn't cost me anything more. Right. How... no, no. Well, I mean, I maybe visit Level 3 annually. My servers are typically up for three or four years at a time. Right, so, right, yeah, I mean, it's just not
it's not a problem for me. Yeah, but you know, I built the stuff right once, so I don't have to be, you know, continually nursing them. And Leo, we're an hour and a half in and we haven't even got to our main topic. Let's take our third break. Okay, about catch reverse, you didn't want to play? Okay, that's fine, that's fine. Let's talk about Drata, and then we're going to get to TETRA:BURST. Only Steve knows why I played that. Steve is well aware, however. Our show today is brought to you by Drata. If your organization is finding it difficult to collect manual evidence and achieve continuous compliance as you grow, as you scale, you may want to know about Drata, a leader in cloud compliance software. G2 said that, I didn't make it up. Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, your HIPAA and other compliance frameworks, providing 24-hour continuous control monitoring so you can focus on scaling securely. With a suite of more than 75 integrations, Drata easily integrates through applications like AWS, Azure, GitHub, Okta, Cloudflare. Countless security professionals from companies including Lemonade and Notion and BambooHR have shared how crucial it has been to have Drata as a trusted partner in the compliance process. You can expand your security assurance efforts using the Drata platform, which means you can see all your controls, easily map them to compliance frameworks, and gain immediate insight into things like framework overlap. Drata's automated dynamic policy templates support companies new to compliance, using integrated security awareness training programs and automated reminders to make sure you're going to have smooth employee onboarding. And as the only player in the industry to build (and you'll like this, Steve) on a private database architecture, your data can never be accessed by anyone outside your organization. All customers receive a team of compliance experts, including a designated customer success manager, and Drata's team of former auditors, they've
conducted more than 500 audits between them, which means your Drata team keeps you on track to ensure there are no surprises, no barriers. You'll love Drata's pre-audit calls so you can prepare for when the audits begin, and then when it's time for the audit, Drata's Audit Hub is fantastic. It's the solution for faster, more efficient audits. Save hours of back and forth communication. You'll never misplace crucial evidence. You can share documentation with your auditors instantly. All interactions, all data gathering can occur in Drata between you and your auditor, so you don't have to switch between different tools, or say "wait a minute, let me see if I can find that," or different correspondence strategies. With Drata's risk management solution you can manage end-to-end risk assessment and treatment workflows. You can flag risks, you can score them, and then decide whether to accept, to mitigate, to transfer or avoid them. Drata maps appropriate controls to risks, simplifying risk management and automating the process. Drata's Trust Center provides real-time transparency into security and compliance postures, which improves sales security reviews and gives you better relationships with customers and partners. Say goodbye to manual evidence collection, say hello to automated compliance. Go to Drata, D-R-A-T-A, drata.com/twit. Drata, bringing automation to compliance at Drata speed. That's D-R-A-T-A, drata.com/twit, and by the way, if you ask for a demo you get 10% off at that website, drata.com/twit. And now back to Security Now. We do need to explain the "Danger, Will Robinson." Okay, sound effect, go ahead. I've got to... Stephen Perry, he sent a note. He said: Hi Steve. He's a regular, by the way, in our Discord. We love Stephen. Ah, yeah. He said: I was listening to yesterday's Security Now episode and wondered if anyone had ever shared with you and Leo a little bit of trivia about the show Lost in Space, which of course we both cut our teeth on, you know, as kids. Everyone knows and uses the
catchphrase "Danger, Will Robinson," of course, one of our faves. He says: but did you know that it was only ever said once in the entire run of the show? Wow. It was season three, episode 11, when it happened. It was never said again. Yeah, but that is the phrase we all know and love about the show. Thought I'd pass it along. Have a good day. Well, I was astonished by that. I did a little bit of looking around. The internet agrees with Stephen, and apparently one of the reasons is that the robot was always waving his arms around saying "danger, danger." That's what he said, because "danger, danger," we add the "Will Robinson." So you know what it means. If I just said "danger, danger" you wouldn't know, but yeah. Anyway, you think... "I am sorry, Will Robinson, I'm afraid I goofed." I have many, by the way, many robotic quotes, by flyer to keep my tapes in balance. Little do we know, in the future they're going to still use tapes. Yeah, actually it's funny how the use of that term has hung on. I mean, people are still saying "did you tape it?" Danger. Okay. So by far the news that was most forwarded to me this past week was that the encrypted security of a globally used "secure" (in air quotes) radio communications system, whose security has been trusted and relied upon worldwide, turns out not to be as secure as everyone hoped and was led to believe. And moreover, the system's insecurity was well known and kept secret by those whose commercial interests depended upon the system being trusted when it was not trustworthy. Wired did a beautiful job of describing the situation in their story last week, titled "Code kept secret for years reveals its flaw: a backdoor," and they followed that with "A secret encryption cipher baked into radio systems used by critical infrastructure workers, police and others (meaning lots of military around the world) is finally seeing sunlight. Researchers say it isn't pretty." Now, I'm going to share Wired's coverage of this while liberally
interjecting my own commentary. So here's what Wired described. They said: For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. Now, okay, anybody, if you've listened to this podcast for only one of our almost 18 years, you know that anytime you hear "the technology was kept private to prevent anyone from scrutinizing its security properties for vulnerabilities," that is not good news. Anyway, Wired said: now it's finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on it and found serious flaws, including a deliberate backdoor. The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It's used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows or reroute trains. Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies and emergency services, such as the C2000 communication system used by Dutch police, fire brigades, ambulance services and the Ministry of Defense for mission critical voice and data communications. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times. Three Dutch security analysts discovered the vulnerabilities, five
vulnerabilities in total, in a European radio standard called TETRA, which stands for Terrestrial Trunked Radio, which is used in radios made by Motorola, Damm (D-A-M-M), Hytera and others. The standard has been used in radios since the 90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now. The technology is not widely used in the U.S. (well, not widely, but it is here), where other radio standards are more commonly deployed. But Caleb Mathis, a consultant with Ampere Industrial Security, conducted open source research for Wired and uncovered contracts, press releases and other documentation showing TETRA-based radios are used in at least two dozen critical infrastructures in the U.S. Because TETRA is embedded in radios supplied through resellers and system integrators like PowerTrunk, it's difficult to identify who might be using them and for what. But Mathis helped Wired identify several electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system on the East Coast, three international airports that use them for communications among security and ground crew personnel, and a U.S. Army training base. The researchers with Midnight Blue in the Netherlands discovered the TETRA vulnerabilities, which they're calling TETRA:BURST, in 2021 (okay, so two years ago they discovered this), but agreed not to disclose them publicly until radio manufacturers could create patches and mitigations (and we know how that typically goes). Not all of the issues can be fixed with a patch, however, and it's not clear which manufacturers have prepared them for customers. Motorola, one of the largest radio vendors, did not respond to repeated inquiries from Wired. The Dutch National Cyber Security Centre assumed the responsibility of notifying radio vendors and computer emergency response teams around the world about the problems, and of coordinating a time frame for when the researchers should publicly
disclose the issues and as I said at the top of the show next week is black hat and all will be revealed there in a brief email ncsc spokesperson naral Sheffer called Tetra a crucial foundation for Mission critical communication in the Netherlands and around the world and emphasize the need for such Communications to always be reliable and secure quote especially during crisis situations she confirmed the vulnerabilities would let an attacker in the vicinity of impacted radios intercept manipulate or disturb Communications and said the ncsc had informed various organizations and governments including Germany Denmark Belgium and England advising them how to proceed a spokesperson for dhs's sisa here said they are aware of the vulnerabilities but would not comment further the researchers say anyone using radio Technologies should check with their manufacturer to determine if their devices are using Tetra and what fixes or mitigations are available the researchers plan to present their findings at the black hat security conference in Las Vegas when they will release detailed technical analysis as well as the secret Tetra encryption algorithms that have been unavailable to the public until now they hope others with more expertise will dig will dig into the algorithms to see if they can find other issues so Tetra was developed in the 90s by the European telecommunications Standard Institute or Etsy etsi the standards include four encryption algorithms tea a one tea two three and four so I'll just call them t one two three and four that can be used by radio manufacturers in different products depending on their intended use and customer okay so as I said wait what the four different encrypted encryption algorithms can be used by radio manufacturers in different products depending upon their intended use and customer so if that doesn't smell fishy I don't know what does so wired explains this wired says tea one is for commercial uses for radios used in critical 
infrastructure in Europe and the rest of the world though it is also designed for use by Public Safety agencies and Military according to an Etsy document and the researchers found police agencies that use it T2 is restricted for years in Europe by police emergency services military and intelligence agencies okay so T1 is for commercial uses whereas T2 is restricted for use in Europe by police emergency service military and intelligence agencies what's the difference T3 wired rights is available for police and Emergency Services outside Europe in countries deemed friendly to the EU like Mexico and India those not considered friendly such as Iran only had the option to use T1 T4 another commercial algorithm is hardly used the researchers said the vast majority of police forces around the world aside from the U.S use tetra-based radio technology after conducting open source research Tetra is used by police forces in Belgium and the Scandinavian countries East European countries like Serbia Moldova Bulgaria and Macedonia as well as in the Middle East in Iran Iraq Lebanon and Syria Additionally the ministries of Defense in Bulgaria Kazakhstan and Syria use it the Polish military counterintelligence agency uses it as do the Finnish Defense Forces and Lebanon and Saudi Arabia's intelligence service to name a few critical infrastructure in the U.S and other countries use Tetra for machine to machine Communication in scada and other industrial control system settings especially in widely distributed pipelines Railways and electric grids where wired and Cellular Communications may not be available and now get a load of this blast from the past although the standard itself is publicly available for review the meaning you know the the paper printed standard saying this is what we're going to offer you for your radio to use the encryption algorithms are only available under assigned NDA to trusted parties such as radio manufacturers the vendors have to include Protections in 
their products to make it difficult for anyone to extract the algorithms and analyze them oh boy to obtain the algorithms the researchers purchased an off-the-shelf Motorola MTM 5400 radio and spent four months locating and extracting the algorithms from the secure Enclave in the radio's firmware they had to use a number of zero day exploits to defeat Motorola protections which they reported to Motorola to fix once they reverse engineered the algorithms the first vulnerability they found was a back door in T1 okay so first of all huge props to these guys no one made it easy for them to obtain the information they needed in fact their efforts were deliberately being thwarted at every turn by the use of you know requiring a son assigned NDA which they were not able to agree to because they wanted to disclose it and a secure enclave and they needed to find zero day exploits brand new zero day exploits and then use them to crack the lid off the code and let's also just pause for a moment to thank our lucky stars that this reverse engineering conduct has been deemed legal if white hat hackers like these guys could be jailed for conducting research in the interest of improving the security of the products they're examining even when doing so is not in the interest of those who are working hard to keep those secrets the world would be far less secure and only the bad guys would be pursuing such reverse engineering they would not be agreeing to keep their secrets quiet they would never be disclosing them because they would then be turning around and leveraging them and all of the stuff that we talk about on this podcast constantly which is being reverse engineered at significant effort and cost by by good guy researchers none of that would be happening because doing so would be illegal thank goodness that decision was made uh making it so that this this kind of research is safe so here's what they found all four Tetra encryption algorithms use 8080 bit keys which the 
researchers say and I would agree even more than two two decades after their release still provides sufficient security to prevent someone from cracking them and I'll note that the keys are rotated and they're dynamically changing so it's not like they're just fixed 80-bit Keys they're they don't they're they're ephemeral so they're not around long enough for that to be a problem but they are around a lot they are around for a while um T1 has a feature in quotes that reduces its encryption key length to just 32 bits which the researchers were able to crack in less than a minute using a standard laptop and samples of just four ciphertexts which of course you get by by you know putting a radio up in the air and receiving some some of this encrypted communication Brian Murgatroyd the chair of the technical body at Etsy you know the people behind this responsible for the Tetra standard objects to calling this a back door he says when they developed the standard they needed an algorithm for commercial use they could meet export requirements now remember this is more than two decades ago to be used outside Europe and that in 1995 a 32-bit key still provided security although he acknowledges that with today's computing power that's no longer the case remember these guys the researchers cracked the key in less than a minute Matthew green our well-known Johns Hopkins University cryptographer and Professor calls the weekend key quote a disaster unquote he said quote I wouldn't say it's equivalent to using no encryption but it's really really bad Gregor um Linder a professor of computer science and cryptographer with the security research team known as Casa at rurer University bottom in Germany says it would be quote stupid unquote not missing any words for critical infrastructure to use T1 especially without adding end-to-end encryption on top of it he said nobody should rely on this unquote Murgatroyd insists that most of that most the most anyone can do with a back door is 
decrypt an eavesdrop on data and conversations Tetra has strong authentication he says that would prevent anyone from injecting false communication that's not true says wetzel's one of the researchers Tetra only requires that devices authenticate themselves to the network but days and days and voice communication between radios are not visually signed or authenticated the radios and base stations trust that any device that has the proper encryption key is authenticated so someone who can crack the key as the researchers did can encrypt their own messages with it and send them to base stations and other radios while the T1 weak weakness has been withheld from the public it's apparently widely known in the industry and governments in a 2006 U.S state Department cable leaked to WikiLeaks the U.S embassy in Rome describes an Italian radio manufacturer asked asking about exporting Tetra Radio Systems to Municipal police forces in Iran the U.S pushed back on the plan so the company representative reminded the U.S that encryption in the tetra-based radio system they plan to sell to Iran is less than 40 bits indeed 256 times less than 40 bits because it's 32 bits implying that the U.S should not object to the sale because the system isn't using a strong key the second major vulnerability the researchers found isn't in one of the secret algorithms but it affects all of them all of them the issue lies in the standard itself and how Tetra handles time sinking and key stream generation when a Tetra radio contacts a base station they initiate communication with a Time sync the network broadcasts the time and the radio establishes that it's in sync then they both generate the same key stream which is tied that which is tied to that time stamp to encrypt the subsequent communication Wetzel says the problem is that the network broadcasts the time in packets that are unauthenticated and unencrypted as a result you can time spoof an attacker can use a simple device and ask you Leo 
you probably have one in your pocket to intercept No I gave it to Father Robert to take the black hat oh yeah that's good you'll get some use out of it to intercept and collect encrypted communication passing between a radio and base station while noting that the time stamp that's initiated the communication then he can use a rogue base station to contact the same radio or a different one in the same network and broadcast the time that matches the time associated with the intercepted communication basically for you know resetting them to the key that he already has the from that was decrypted earlier the radio is dumb and believes the correct correct time is whatever the base station says it is so it will generate the key stream that was used at the time to encrypt the communication the attacker collected the attacker recovers the key stream and could use it to decrypt the communication collected earlier to inject false messages he would use his base station to tell a radio that the time is tomorrow noon and ask the radio to generate the key stream associated with that future time once the attacker has it he can use the key stream to encrypt his Rogue messages and the next day at noon send them to a target radio using the correct key stream for that time in other words it was really badly designed even in 1995 there were all kinds of holes in the system not just secret algorithms for encryption wetzel's imagines Mexican drug cartels could use this to intercept police Communications to eavesdrop on investigations and operations or deceive police with false messages sent to radios the attacker needs to be near a Target radio but the proximity Is Only dependent on the strength of the Rogue base station signal and the terrain he says quote you can do this with a within a distance of tens of meters the Rogue base station would cost less than five thousand dollars or less so etsy's Murgatroyd downplays the attack saying tetra's strong authentication requirements oh boy 
would prevent a non-authenticated base station from injecting messages Wetzel disagrees saying Tetra only requires devices to authenticate to the network not to each other the researchers didn't find any weaknesses in the t2 algorithm used by police military and emergency services in Europe but they did initially think they found another back door in T3 given that T3 is the exportable version of T2 there was good reason to believe it might also have a back door to meet export requirements anyway um we basically have a system which is full of holes has been used for what 28 years since 1995 has is known to be insecure never received the upgrading that it should have received but as I said that never happened so as I and wired noted uh in eight days all the wraps will be coming off of this when the research team presents their work in findings during black hat in Las Vegas with Tetra we have a legacy encrypted radio communication system being widely used today throughout the entire world including in the U.S and it not only contained multiple really exploitable flaws that were only fixed after security researchers cracked it open and shamed its creators with the threat of disclosure and even now they're not actually saying uh okay yeah you got us you're right it also contained deliberately weakened encryption which most of the world was given to use while some agencies knew of the weakness and were apparently leveraging that knowledge for eavesdropping and now we learn that the Etsy group who did all of this has replaced their earlier flawed work work with more of the same keeping their encryption secret after uh after rotating the the original T1 through four ciphers out there are now new ones and they too are kept secret even though we have you know well vetted well-tested well-functioning lightweight high performance encryption nobody should be rolling their own any longer it's just crazy why would anyone ever trust these people so true this reminds me of ss7 
although ss7 is still around the sideband that is totally hackable in every phone it's still around just because you can't it's too hard to change right right well we do have the requirement for for encryption inter system but that's what has not happened right in trust system encryption has happened and they're supposed to be doing inter-system but the problem is um apparently they're making too much money out of spam right there you go they really don't want a limit there you go they don't want to limit it yeah that's just the way it is even the robot has an opinion on that one well that concludes this thrilling gripping edition of security now as we Edge into our 19th year a couple more weeks wow only 66 episodes left I guess we're counting down too uh Steve Gibson's at grc.com which is proudly not in the cloud [Music] all you have to do is go to grc.com uh and then you will see all sorts of good stuff including spin right the world's best mass storage maintenance recovery utility you you need this if you've got hard drives or solid state drives version 6.0 is still there but it is soon to be replaced by six one you will get a free upgrade when six one comes out if you buy today grc.com you can also get the show there Steve has the canonical 64 kilbit audio version but he's got two unique versions as well a handwritten human transcribed version of it by the great Elaine Ferris so you can read along uh and as as one of our correspondents said just put it on your screen whenever you're leading a meeting so you can point to it uh you can you can also get 16 kilobit audio if bandwidth is an issue we have 64 kilobit audio and even video that's our unique format at gr uh sorry twit.tv slash S N uh you can also subscribe in your favorite podcast player or watch it on YouTube there's lots of ways to uh to come every week but please do visit us every week if you'd like to watch us live the absolute freshest version uh as it emerges from the mouth of Steve Gibson you can 
go to live.twit.tv every Tuesday times vary it should be supposed to be 1 30 Pacific 4 30 Eastern 2030 UTC often it's more like two o'clock 5 p.m 2100 UTC but if you know what the heck turn in a little bit early that that stream's running all day and all night there's always something good there live.twit.tv you can also ask your Amazon Echo your Google Assistant to uh to listen to twit live sometimes you say twit live because they're dumb and uh and you might have to say on YouTube or tune in or something but if you fiddle around with it you'll be able to get it to play and that's nice you can listen all the time uh Steve thank you so much have a wonderful evening wonderful weekend we'll see you next time on security Now Rado bye hey I'm Rod Pyle editor-in-chief of adaster magazine and each week I joined with my co-host to bring you this week in Space the latest and greatest news from the final frontier we talked to NASA Chief space scientists engineers Educators and artists and sometimes we just shoot the breeze over what's hot and what's not in space books and TV and we do it all for you our fellow True Believers so whether you're an armchair Adventurer or waiting for your turn to grab a slot in elon's Mars rocket join us on this week in space and be part of the greatest adventure of all time yeah security Now [Music]
Info
Channel: Security Now
Views: 13,693
Keywords: TWiT, Technology, Steve Gibson, Leo Laporte, security, spyware, malware, hacking, cyber crime, encryption, Security Now, steve gibson, satellite turla, ios 17 fingerprinting, ios 17 device fingerprinting, android unknown trackers, android trackers android 14, russia open source criminalization, virustotal 2023 report, virustotal malware we've seen report, apt command and control in the sky, kaspersky apt satellite report, android unknown airtag tracker, national defense authorization
Id: ALGCkZsrjII
Length: 144min 48sec (8688 seconds)
Published: Wed Aug 02 2023