‘Trojan Source’ Bug Threatens the Security of All Code

Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness.

Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis).

Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).

But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the “Bidi override,” which can be used to make left-to-right text read right-to-left, and vice versa.

“In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient,” the Cambridge researchers wrote. “For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”

Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email.

Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including control characters — is ignored by compilers and interpreters. Also, it’s bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty,” said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. “That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything.”

The research paper, which dubbed the vulnerability “Trojan Source,” notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides. From the paper:

“Therefore, by placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code.”

“Bringing all this together, we arrive at a novel supply-chain attack on source code. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B.”

Anderson said such an attack could be challenging for a human code reviewer to detect, as the rendered source code looks perfectly acceptable.

“If the change in logic is subtle enough to go undetected in subsequent testing, an adversary could introduce targeted vulnerabilities without being detected,” he said.

Equally concerning is that Bidi override characters persist through the copy-and-paste functions on most modern browsers, editors, and operating systems.

“Any developer who copies code from an untrusted source into a protected code base may inadvertently introduce an invisible vulnerability,” Anderson told KrebsOnSecurity. “Such code copying is a significant source of real-world security exploits.”

Image: XKCD.com/2347/

Matthew Green, an associate professor at the Johns Hopkins Information Security Institute, said the Cambridge research clearly shows that most compilers can be tricked with Unicode into processing code in a different way than a reader would expect it to be processed.

“Before reading this paper, the idea that Unicode could be exploited in some way wouldn’t have surprised me,” Green told KrebsOnSecurity. “What does surprise me is how many compilers will happily parse Unicode without any defenses, and how effective their right-to-left encoding technique is at sneaking code into codebases. That’s a really clever trick I didn’t even know was possible. Yikes.”

Green said the good news is that the researchers conducted a widespread vulnerability scan, but were unable to find evidence that anyone was exploiting this. Yet.

“The bad news is that there were no defenses to it, and now that people know about it they might start exploiting it,” Green said. “Hopefully compiler and code editor developers will patch this quickly! But since some people don’t update their development tools regularly there will be some risk for a while at least.”

Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said the Cambridge research presents “a very simple, elegant set of attacks that could make supply chain attacks much, much worse.”

“It is already hard for humans to tell ‘this is OK’ from ‘this is evil’ in source code,” Weaver said. “With this attack, you can use the shift in directionality to change how things render with comments and strings so that, for example ‘This is okay” is how it renders, but ‘This is’ okay is how it exists in the code. This fortunately has a very easy signature to scan for, so compilers can [detect] it if they encounter it in the future.”

The latter half of the Cambridge paper is a fascinating case study on the complexities of orchestrating vulnerability disclosure with so many affected programming languages and software firms. The researchers said they offered a 99-day embargo period following their initial disclosure to allow affected products to be repaired with software updates.

“We met a variety of responses ranging from patching commitments and bug bounties to quick dismissal and references to legal policies,” the researchers wrote. “Of the nineteen software suppliers with whom we engaged, seven used an outsourced platform for receiving vulnerability disclosures, six had dedicated web portals for vulnerability disclosures, four accepted disclosures via PGP-encrypted email, and two accepted disclosures only via non-PGP email. They all confirmed receipt of our disclosure, and ultimately nine of them committed to releasing a patch.”

Eleven of the recipients had bug bounty programs offering payment for vulnerability disclosures. But of these, only five paid bounties, with an average payment of $2,246 and a range of $4,475, the researchers reported.

Anderson said so far about half of the organizations maintaining the affected computer programming languages contacted have promised patches. Others are dragging their feet.

“We’ll monitor their deployment over the next few days,” Anderson said. “We also expect action from Github, Gitlab and Atlassian, so their tools should detect attacks on code in languages that still lack bidi character filtering.”

As for what needs to be done about Trojan Source, the researchers urge governments and firms that rely on critical software to identify their suppliers’ posture, exert pressure on them to implement adequate defenses, and ensure that any gaps are covered by controls elsewhere in their toolchain.

“The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses,” the paper concludes. “As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses.”

Weaver called the research “really good work at stopping something before it becomes a problem.”

“The coordinated disclosure lessons are an excellent study in what it takes to fix these problems,” he said. “The vulnerability is real but also highlights the even larger vulnerability of the shifting stand of dependencies and packages that our modern code relies on.”

Rust has released a security advisory for this security weakness, which is being tracked as CVE-2021-42574 and CVE-2021-42694. Additional security advisories from other affected languages will be added as updates here.

The Trojan Source research paper is available here (PDF).

The Good, the Bad and the Ugly in Cybersecurity – Week 44

The Good

We have another satisfying victory for cyber crimefighters to highlight this week. It feels like these wins are getting more frequent, so let’s continue to tip our hats to these complex efforts from law enforcement. This week’s criminal round-up comes courtesy of “Operation DarkHunTOR”.

This global effort combined agencies from the United States, United Kingdom, Switzerland, Italy, the Netherlands, Bulgaria, France, and Germany among others, and was directed by Europol and JCODE (Joint Criminal Opioid and Darknet Enforcement team).

The effort targeted around 150 individuals, all of whom were involved in the sale and trafficking of illegal products, including weapons, drugs, stolen data, malware and other contraband. The individuals apprehended were all considered to be “high-value” targets in the eyes of law enforcement.

Authorities reportedly seized nearly $26 million in combined cash and cryptocurrencies along with various troves of drugs and guns. In addition, the popular Dark Web marketplaces “DeepSea” and “Berlusconi” were shut down and seized as well. Those markets now join the likes of Dream, Aurora, WallStreet and others as part of a long list of defunct (yet once mighty) traders of illicit goods.

According to the official release from the Justice Department:

“Operation Dark HunTor led to 65 arrests in the United States, one in Bulgaria, three in France, 47 in Germany, four in the Netherlands, 24 in the United Kingdom, four in Italy, and two in Switzerland. A number of investigations are still ongoing.”

All in all, a great victory, culminating from a very well-executed effort.

The Bad

Rising to the top of this week’s bunch of bad is an apparent rebrand from Haron ransomware, who this week pushed out a new leaks site that’s clearly linked to the ‘Midas’ ransomware group. Along with a few fresh victims, the ‘new’ site also listed all of the same victims that had previously appeared in the Haron victim blog. There is also strong evidence to suggest some shared infrastructure between the two, along with shared post-infection TTPs.

Haron and Midas blogs side by side

The group’s updated manifesto continues to lay out their ‘ground rules’ for attacks, as well as some ‘rules of engagement’. The Midas/Haron gang claim to be “a group of pentesters who use (their) skills to audit the security of corporate networks”. The act of encrypting files in the target network is, they would have us all believe, merely “confirmation” of the fact that the target has “problems in the network”. It goes without saying that their claim falls a bit short of accuracy. The group claim to have no specific political affiliations or connection to any terrorist or extremist organizations. We are, presumably, to believe they are ‘the good guys’.

Unconvinced by these protestations of innocence? We are, too. This kind of “rebranding” is somewhat en vogue these days as a means (amongst other things) to circumvent government regulations and lower visibility. SentinelLabs continues to monitor this and similar threat actors.

The Ugly

A particularly nasty combo attack, involving typo-squatting, ransomware and malicious NPM packages was observed this past week.

It was discovered that two particular packages were present in a popular NPM library, noblox.js-proxy and noblox.js-proxies. Both were masquerading as a common, legitimate package with a very similar name. As the typo-squatting names indicate, the intended targets were those seeking to customize or augment their Roblox experience.

NoBlox NPM package

The malicious packages essentially function as scripts which reach out to a remote server to download and execute additional malicious components. Payloads included the GoldenEye and MBRLocker variants, both of which are commodity-level threats.

Further, both of these ransomware variants are either now or once were open-source, meaning they are trivial to weaponize and distribute. Some readers will remember that GoldenEye was a later-stage evolution of the Petya/Mischa RaaS, while MBRLocker has a variety of free or leaked builder applications.

The silver lining here is that attacks of this nature–evil scripts downloading outdated ransomware–are well-understood and can easily be thwarted with well maintained, modern, endpoint security controls.


Stokke Tripp Trapp vs. Stokke Steps: Which Chair To Choose

Parents are faced with many choices when the baby first arrives. There are so many baby products available. One of the most important baby products is baby chairs. This is where the newborn baby will eat, play and relax. The first few months he spends a lot of time in this type of chair that means that you have to choose a good one.

Parents want their children to feel comfortable and secure while they feed them at home. These chairs need to have an ergonomic design, which would be the parents’ main criterion when choosing one. The Stokke company is known worldwide because of its high-quality products that provide comfort and safety to children.

Stokke has some of the most innovative seats on the market, which are considered iconic: Tripp Trapp and Steps.

But when compared, which one to choose? Here is an overview to help you decide between the Stokke Tripp Trapp vs. Stokke Steps.

Stokke Steps vs Stokke Tripp Trapp

Both the Stokke Tripp Trapp and the Stokke Steps are made in Europe, where safety standards for children’s products are incredibly high. Tripp Trapp is Made in Denmark. It has been designed and manufactured under strict quality control at Stokke’s factory since 1972, whereas the Stokke Steps are designed and manufactured at Stokke AS in Norway.

The design, materials, and durability are comparable between the two chairs. Both seats support your baby when he needs it most: when he is learning to sit up independently. Each of these chairs is easy to clean and move around for convenience.

Let’s have a closer look at these two baby chairs.

Stokke Tripp Trapp

(Sponsored)

The Stokke Tripp Trapp is the #1 best-selling high chair in the United States, which speaks for itself. Tripp Trapp is a timeless, sophisticated chair that blends in with both modern and traditional interiors. It comes in a range of beautiful colors to suit any taste. It has everything you need to make mealtime easier, and it is guaranteed to last through your child’s growing years.

The Stokke Tripp Trapp has been designed in collaboration with child development experts and pediatricians. The unique design encourages safe seating based on ergonomic theory; the backrest supports the child’s posture while the feet are free to rest comfortably on the footrest. The chair can be easily adjusted to suit a growing child.

The legs are lockable, so you can feel safe knowing that the chair will not topple over on little hands exploring around it. It has a sleek Scandinavian design and is made of beechwood with a strong, durable veneer. The Tripp Trapp will hold up to 300 pounds – it can be used even by adults!

Tripp Trapp Features

The Stokke Tripp Trapp has the following features:

  • The seat is 18 inches from the ground, which means that even a toddler can climb into it easily.
  • The seat (sold separately) is machine washable.
  • The seat can hold up to 300 pounds, which means you will get years of use out of it.
  • There are six different height adjustments for the seat back, so your baby can sit comfortably while playing with his toys or watching you at the dinner table.
  • There are two footrest positions; the lower position accommodates infants who are learning to sit up.

Tripp Trapp Pros

  • It is well-made, strong, durable, and very safe for children to use. There are also many reasons parents choose this high chair over other high chairs in the market, including:
  • The Tripp Trapp is made of beechwood, which has a natural protective layer that makes it easy to maintain and clean.
  • The Tripp Trapp comes with a 10-year warranty on the frame.
  • The Stokke Tripp Trapp takes up very little room in your kitchen.
  • There are so many design options, and you are sure to find one that fits your sense of style.
  • Adults can also use it

Tripp Trapp Cons

The Stokke Tripp Trapp is a solid investment for growing babies and toddlers. It has back support that offers more safety and support than most highchairs. If there is something that keeps this chair from getting a perfect score, it would be the price. It is much more expensive than other high chairs on the market.

Stokke Steps

(Sponsored)

Stokke Steps is a good choice for families who prefer a slightly smaller chair. The seat is lower than on the Tripp Trapp and therefore better adapted to younger age groups than the Tripp Trapp (designed for children from 18 months and up).

The Stokke Steps has an excellent, clean design ideal for newborns and children up to 3 years. This chair can be used as a first booster seat and then converted into a regular-sized adult chair. The legs fold under the chair when not in use, which makes it easy to store or take with you if needed.

The Stokke Steps is made of a strong, durable plastic that can quickly be taken apart and put back together if needed. It has a steel frame for added strength and stability.

The Stokke Steps can hold up to 110 pounds of weight. Locking casters on the legs make it easy to move around for cleaning or if you need to take it outdoors.

Stokke Steps Features

  • The Stokke Steps is lightweight, at just seven pounds. It’s easy to clean, with a plastic seat that wipes clean without much effort.
  • The Stokke Steps support your baby as he learns to sit up on his own.
  • The chair does not take up too much space in the kitchen or living room.

Stokke Steps Pros

  • The Stokke Steps is a more affordable option at $200.
  • The chair is a good size for a small baby and can also accommodate a bigger child.
  • The Stokke Steps is beautiful and does not look like a typical baby highchair.

Stokke Steps Cons

The Stokke Steps do not come in as many colors or fabrics as the Tripp Trapp. Luckily, all available color variations are classic, so there is a very high chance it will match your home decor, even after many years.

The Stokke Steps does not come with any safety straps for when your baby learns to stand up and walk around in the chair; you will need to purchase this accessory separately.

Conclusion

Both the Tripp Trapp and Stokke Steps are great options for parents who want to invest in a high chair that will last for years. Parents usually prefer these well-engineered chairs over cheaper ones because they are not only safer but also more comfortable and stylish.

Choosing between the two is dependent on your budget and personal preferences. The Tripp Trapp is more expensive than the Stokke Steps, but it also can accommodate a larger age group and has more features and accessories available for purchase. Parents who prefer high wooden chairs should opt for this model because you can buy replacement parts in different colors to match your home décor.

The Stokke Steps costs about $200, which is much less than the Tripp Trapp. It is a good option for newborns and small children because it can hold up to 110 pounds. The chair does not take up too much space in your living area or kitchen.

If you prefer a more affordable high chair that still has all the features you need, then go for the Stokke Steps. It has a sleek, modern design that will look great in any home and the seat cover is machine washable for easy clean-up. The Tripp Trapp may be a better choice if you have a bigger budget to spend on a high chair, as it comes with more features and options for customization.

However, Tripp Trapp’s price tag is justified by its ability to grow with your baby from a small infant into an older child.

The post Stokke Tripp Trapp vs. Stokke Steps: Which Chair To Choose appeared first on Comfy Bummy.

Zales.com Leaked Customer Data, Just Like Sister Firms Jared, Kay Jewelers Did in 2018

In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary Zales.com updated its website to remediate a nearly identical customer data exposure.

Last week, KrebsOnSecurity heard from a reader who was browsing Zales.com and suddenly found they were looking at someone else’s order information on the website, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.

The reader noticed that the link for the order information she’d stumbled on included a lengthy numeric combination that — when altered — would produce yet another customer’s order information.

When the reader failed to get an immediate response from Signet, KrebsOnSecurity contacted the company. In a written response, Signet said, “A concern was brought to our attention by an IT professional. We addressed it swiftly, and upon review we found no misuse or negative impact to any systems or customer data.”

Their statement continues:

“As a business principle we make consumer information protection the highest priority, and proactively initiate independent and industry-leading security testing. As a result, we exceed industry benchmarks on data protection maturity. We always appreciate it when consumers reach out to us with feedback, and have committed to further our efforts on data protection maturity.”

When Signet fixed similar weaknesses with its Jared and Kay websites back in 2018, the reader who found and reported that data exposure said his mind quickly turned to the various ways crooks might exploit access to customer order information.

“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” said Brandon Sheehy, a Dallas-based Web developer. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks.”

In the grand scheme of many other, far more horrible things going on in information security right now, this Zales customer data exposure is small potatoes. And this type of data exposure is unbelievably common today: KrebsOnSecurity could probably run one story each day for several months just based on examples I’ve seen at dozens of other places online.

But I do think one key reason we continue to see companies make these easily avoidable mistakes with their customer data is that there are hardly ever any real consequences for organizations that fail to take more care. Meanwhile, their customers’ data is free to be hoovered up by anyone or anything that cares to look for it.

“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” Sheehy said. “This isn’t novel stuff, it’s basic Web site security.”

Podcast: “Roided-out Sitting Duck, Part 1” with Juan Andres Guerrero-Saade

Principal Threat Researcher at SentinelLabs, Juan Andres Guerrero-Saade (aka JAG-S) talks to Rachel Lyon and Eric Trexler in the first of a two-part To the Point – Cybersecurity podcast.

JAG-S recounts the fascinating case of Moonlight Maze, one of the first ever cyber espionage campaigns, tells how he came to be featured in the International Spy Museum in Washington, D.C., and talks us through his recent research into Meteor Express, a wiper attack and “epic trolling endeavor” on an Iranian railway.

JAG-S also reveals some of his personal history including how he went from Philosophy graduate to cybersecurity researcher and APT hunter and much more.

Click ‘play’ and enjoy the ride!

“Roided-out Sitting Duck” – Part One : Audio automatically transcribed by Sonix

“Roided-out Sitting Duck” – Part One : this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Intro:
Welcome to the Point Cybersecurity podcast. Each week, join Eric Trexler and Rachel Lyon to explore the latest in global cybersecurity news, trending topics and industry transformation initiatives impacting governments, enterprises and our way of life. Now let’s get to the point.

Rachael Lyon:
Hello, everyone, welcome to to the Point podcast. I’m Rachel Lyon here as ever with co-host Eric Trexler. Eric, how are you doing?

Eric Trexler:
I am great, Rachel. It’s a great day. We’re recording on a Friday for the first time in a long Typekit. I like it a lot. I do so, so I have to tell something. I have to announce something to our audience. Aside from our Fed Fed Top 30 Federal Influencers Award three years in a row, by the way. Subscribe, tell your friends and please leave us some feedback. We get so little feedback through the podcast platform and the mechanisms provided. So leave us some feedback. Only good feedback. If you have bad feedback, put it on a cooking show or something. But Rachel, you’re an actress. Rachel, if we go to Rachel Lyon, no Lyon, Lyon, Rachel Lyon on IMDb, we can look up your profile. Yes, you are a SAG card carrying actress

Rachael Lyon:
Card carrying SAG. Yes, yes. I couldn’t have done the show with you. Had I known that a long time ago, I would have been too nervous. It would have been awesome. No, no. Well, I mean, it’s you know, you could probably get your SAG card, too. I mean, this mini-podcast, surely you qualify?

Eric Trexler:
Yeah, I don’t think it’s video, though. So what were you on?

Rachael Lyon:
Well, I did some soaps, so days of our lives. As the world turns, I met Susan Lucci. She was fantastic. It was an episode where she went off to Las Vegas and she was pretending to be this person called Desiree. It was a lot of fun. It was Las Vegas casino.

Eric Trexler:
Fabulous. Now you’re on to the point cybersecurity.

Rachael Lyon:
Right now, I’m on to the Point Security podcast, Baby.

Eric Trexler:
Ok, so I’m you don’t have to call me baby. It’s OK. This is a professional show, so I’m going to lead us into our excellent, amazing guest who’s been doing this longer than all of us today by saying, You know, we have a guest from SentinelOne one. My wife works at SentinelOne, as some people may know, and she was nominated, which you shared with me for this cyber scoop 50, recently. So she’s a nomination. And she was put in as most inspiring up and comer. And my wife, you know, I’m looking for some credit here, I’m like, Hey, this is amazing, Patty, she goes, I’m fifty-three. I’ve been doing this. I’m not a young leader anymore. I’m like, Look, you look young. It’s everybody’s going to love it. You look great. So I thought that was very funny since we were on the topic of SentinelOne one today. But who do we have today from SentinelOne?

Speaker2:
Well, we have Juan Andres…last name.

Juan Andres Guerrero-Saade :
You can do it almost there.

Juan Andres Guerrero-Saade :
Guerrero Saad.

Juan Andres Guerrero-Saade :
All right. Well close enough.

Eric Trexler:
Juan, can you. Can you help us there Juan? Yeah. And then we’ll finish the.

Juan Andres Guerrero-Saade :
So it’s Juan Andres Guerrero-Saade, and it’s so complicated that most of the people I know in the industry have just decided to go by Jags because somehow that’s initials are better, at this point.

Eric Trexler:
Jags, it is. So tell us about Jags, Rachel.

Rachael Lyon:
Well, Jags, which is like the coolest name ever, by the way, is principal threat researcher at SentinelOne. He’s also an adjunct professor of strategic studies at Johns Hopkins School of Advanced International Studies. He’s worked as senior cybersecurity and National Security Advisor to the Government of Ecuador, and his joint work on Moonlight Maze is now featured in the International Spy Museum’s permanent exhibit in Washington, D.C..

Eric Trexler:
Wow. So Jags, you’re in the Spy Museum.

Juan Andres Guerrero-Saade :
Uh, yeah, and Thomas Rid, a couple of other folks, we’re actually holograms in the Spy Museum, somehow just trying to explain like code similarity and all this attribution stuff. It’s they did a great job. It’s very cool, Rachel.

Eric Trexler:
I was working with a co-worker years ago and there’s a cyber infosec guy out there called Jester. Why are you with me? Jags? Yeah. So he had to transport jester’s laptop to the Spy Museum because it was so like, nobody knows who he is. It’s fascinating. Wow. Yeah. So he is there. So it’s a big thing.

Rachael Lyon:
I follow him on Twitter. It’s hilarious that you just said that.

Eric Trexler:
Yeah. Yes, TR. But it’s a big thing to be in the Spy Museum, and they just redid it in D.C. It is awesome.

Juan Andres Guerrero-Saade :
Yeah. If you haven’t visit the new building is fantastic. Yeah.

Rachael Lyon:
You know, I admittedly, I had to look up Moonlight Maze. I’m embarrassed to say, but I thought it was like 1996, first widely known cyber espionage campaign in world history. The value of the information stolen. I guess, according to congressional testimony, was in the tens or hundreds of millions of dollars. And if you were to print out and stack all of the information that had been taken, that paper stack would be three times the height of the Washington Monument. So this is a big

Eric Trexler:
Deal and nowhere close to OPM or Sunburst or the like. But go on.

Juan Andres Guerrero-Saade :
Right, right? I mean, well, it’s a different era, right? The internet of the nineties is a very different landscape, right?

Eric Trexler:
But let’s go back to the Cold War of the eighties. I mean, what would it take a let’s just pick on an American spy to carry that type of content out of Russia. Like how many? How many? What was it, Rachel? Oh, you mean the height of the stack of paper?

Rachael Lyon:
Oh, sorry, it’s three times the height of the Washington Monument, and the Washington Monument is five hundred and fifty-five feet tall.

Eric Trexler:
Ok, so we’re talking almost eighteen hundred feet of paper, eight and a half and eleven, I’m assuming stacked up. I mean, think about how long it would take a spy organization to walk that out of a building. That’s a lot of content

Juan Andres Guerrero-Saade :
In a similar example, I think the closest thing would have been the Mitre att&ck archive, which one of it’s an interesting story totally unrelated to this, but one of the guys that worked at the KGB archives was taking notes of everything that he was transcribing and saved it all for 20 years until they finally got him out of Russia. Really? Wow. Very interesting. But yeah, there’s no corollary. As far as cyber goes, you know, the amount of information that you can steal in one go is just a click of a button. Yeah. And well, in the nineties, it was a little more involved. It was really interesting to go kind of anachronistic early in the research, right? Like, we work on all these APT’s all these cyber espionage campaigns, all this recent stuff, and you get used to a certain level of automation. You get used to all the facility that comes with the modern internet and then you’re looking at an operation that’s, you know, evolving from its infancy in the late nineties. And it looked very different. You’re talking about a hands-on keyboard. There’s no command and control servers sort of orchestrating the whole thing. They’re trying to code their way through this. You see broken tools, getting deployed all the time, then sort of trying to grow as they go along. So it was like watching the birth of a threat actor, right?

Eric Trexler:
Yeah, yeah. And I bet most of our listeners have no idea what Moonlight Maze was. They weren’t. They weren’t in infosec at the time, and I’m betting a good percentage of our listeners may not have even been alive at the time. I mean, it’s like nine eleven or how long we’ve been in Afghanistan. I mean, you go back and it’s a generation, at least at this point, right? Wow.

Juan Andres Guerrero-Saade :
Right. I mean, with your set award, I think you might actually have a good amount of the people that dealt with moonlight maize from the Air Force and NSA and whatnot. But for the most part, it is. It is sort of a forgotten phase of cyberwar. The beginning? Yeah. Right.

Eric Trexler:
So if anybody wants to understand the time period and Jags, I don’t know if you’ve ever read the book, but there’s a book The Cuckoo’s Egg by

Juan Andres Guerrero-Saade :
Absolutely

Eric Trexler:
Clifford Stoll, DOE IT person. Essentially, I think I’ve talked about it on the show, but it just takes you back to, I think the Cuckoo’s Egg was the late 80s, early 90s, like when Clifford wrote the book, I don’t even know what he’s doing. He might be retired at this point, but yes. Yeah. So I mean, but it’ll give you some framework for the time, which is very different than now. These types of attacks were, I mean, massive and not expected like they’re almost expected every month. At this point, we’re recording the week that I mean, I don’t even know what T-Mobile lost. Rachel was like 50 million personnel records or something around that. Yeah, yeah, whatever. Who cares? Nobody even cares anymore. I mean, like, nobody cares machine learning customer.

Rachael Lyon:
And I’m T-Mobile customer, Yeah, yeah, whatever.

Eric Trexler:
What are you going to do? Right, so. So can you put us in that time frame? Like most of our listeners, I don’t think we’ll know what this was, but can you like put us in the time frame? Obviously, you were a little younger back then. The world was different. The, you know, infosec I.T, you name it. I mean, there wasn’t really much of cybersecurity out of NSA and in a couple of companies, right?

Juan Andres Guerrero-Saade :
Yeah, it’s a really interesting landscape. So there are two ways to approach this that are kind of foreign to most of us. One of them is the state of the internet at the time, right? You’re talking about mostly university research centers, military computers, that kind of stuff, and then some early adopters trying to get into the scene. But it’s not at all like what the internet looks like now in its proliferation and its number of users nor and its uses right. For the most part, you’re storing research and databases and government stuff. So in itself, it’s a very different target environment and from the espionage side, from the cyber espionage side, it is entirely undeveloped. I mean, we have rumors of maybe early Israeli operations. We believe the NSA was already operating at that time. I like to call it the League of Titans, right? Like we’ve got the folks that were doing Moonlight Maze, which has a connection to a modern threat actor called Tirla. Yeah. And then you’ve got the folks from the Equation Group, which we’ve come to know us as some function within NSA that we’re also around in nineteen ninety-five around there. So you basically have a drastically underpopulated threat actor menagerie, right? You don’t have your. When did this

Eric Trexler:
Start? Like what year, really? I mean, I know ninety-eight’s like the big ninety eight and ninety-nine is the big year, right?

Rachael Lyon:
Wikipedia said Ninety six, but I don’t know if that’s accurate.

Juan Andres Guerrero-Saade :
Yeah, so moonlight maze starts somewhere in ninety-six. As far as we can tell, so

Eric Trexler:
Windows 95 is out. Most people are still on Windows three one, maybe. Maybe we’re talking like ninety-four and three, three, five, I mean, most of our users haven’t heard of this stuff or listeners,

Juan Andres Guerrero-Saade :
So that was our initial assumption. It gets more obscure, right? So our ability to do this research, I kind of have to tell a bit of a back story comes mostly from the doggedness of Thomas Rid, who is another he is a full time professor over it at Sice and a brilliant researcher, a fantastic author. And he and I talked years back and he was very much focused on this idea of, you know, what the hell happened with like Maze? Why have we never seen anything technical come out about Moonlight Maze? And he started filing FOIA requests and trying to follow up with everybody involved and just kept pressing and pressing and pressing until he found a bit of a redaction error. One of the documents basically, I believe, redacted the name of a company that had been compromised but didn’t redact the name of the person managing it. It’s one of those two. It’s either the company or the person or is his name. And Thomas was able to contact this man. Older gentleman called David Hedges super nice guy who had been managing this system for a UK company that got compromised and was being used to root part of the attack to the United States. And as luck would have it, he had the machine. He still had the machine under his desk. So it was basically his his his willingness to kind of hold on to all this stuff allowed us to do all this research. He had been asked by the FBI at the time whether he would be willing to kind of let the hack continue and essentially watch everything that went through there. And he did, but he also didn’t get rid of any of it afterwards. So once we nobody thought

Eric Trexler:
To ask him.

Juan Andres Guerrero-Saade :
Well, yeah, I guess, you know, the FBI didn’t do their homework on that one because one of the tragic things of this is the there’s a notice that Thomas uncovered first that says, you know, as part of standard procedures we have destroyed after a certain amount of time, we have destroyed all of the evidence that we had collected. So we kind of it was a gut punch for us in the early days of our research because we were like, OK, we’re just, you know, unless you’re in the NSA or GCHQ, we’re not going to get anything. And then, you know, Thomas stumbles upon David, who was just sitting on this treasure trove of fossils that we could essentially reconstruct a good portion of the attack from.

Eric Trexler:
And when were you doing this reconstruction piece?

Juan Andres Guerrero-Saade :
So I’m going to have to think back. I’m like, all of time has sort of blended into one giant ever day. But I believe we were doing the research around twenty sixteen, twenty seventeen. I might actually have to google it myself.

Eric Trexler:
Yeah, no worries. But this is I mean, this is all happening after the wall fell five years after the Cold War ended. Right? It’s still underway. And I I suspect Jags that most people in government weren’t weren’t thinking about cybersecurity back then. We’ve got to protect this. People can walk through our our walls and just get in here from keyboard strokes.

Juan Andres Guerrero-Saade :
Yeah, it was. It was a rude awakening on a variety of levels, but for one, it essentially kicks off. Establishing things like JTF and other functions within the U.S. government to respond to this like this is kind of the big wake up, call it also because someone eventually decides to brief Congress. Of course it leaks and it becomes the, you know, the first rally cry, including, I believe, a Newsweek article that said, you know, we are in a cyberwar. It was like the beginning of that, that kind of Cyber Pearl Harbor hyperbole style of taking on these things. But it’s also a really interesting time. I mean, you mentioned Cliff Stoll and what Cliff was onto, and he’s kind of like the patron saint of threat hunters because he was, you know, it’s the late eighties, I believe, or early nineties. And more than anything, he doesn’t have any of the tools available that were used. You don’t you’re not talking about firewall logs or sims or a V or EDR.

Eric Trexler:
And if you read the book, he’s got like CIA involved, but they really don’t care or aren’t doing anything, they’re not sharing with them. He’s a government employee. He’s a Department of Energy. Was he had Lawrence Livermore, I think, in Berkeley. He was in that area and he had nowhere to go. But he’s watching this behavior. It’s never explained. It’s I mean, that was a pretty good pull, I have to admit, but it’s a decent read. It’s a little detailed, but yeah, it’s a different time.

Juan Andres Guerrero-Saade :
It’s really interesting. I mean, for folks who have not been exposed to it or even for big fans of the music, I would actually point you to a more recent talk sans CTI in 2015-2016. Sorry, my cat is waking up, 2015-2016. Cliff Stoll came back and he did a keynote talk for this conference, and I had the pleasure of being in the crowd. He’s an incredibly animated speaker to the point where he was jumping around. He basically disconnected the projector, but he shows

Eric Trexler:
That he’s back then when he can’t get anybody to listen to the fact that there’s people inside energy,

Juan Andres Guerrero-Saade :
The amount of energy this man has, you know, at his age, which is fantastic. And he literally showed up with the same slides like the old timey projector slides that he used to explain to NSA what was happening, and he just looked at the projector slides. Yeah, it was like it was. I don’t even know what you call them, but yeah, it was fantastic.

Rachael Lyon:
What was it called Rachel? The overhead projectors. Remember, you would put the the film-based slides on them with the right markers.

Juan Andres Guerrero-Saade :
He still has them. We I don’t know where they source this projector for him, but so I would point to that as a must see. It’s probably like the best keynote talk I’ve ever seen. And where is it again?

Eric Trexler:
It was SANS?

Juan Andres Guerrero-Saade :
SANS CTI in D.C. I can’t remember the year, but if you look for sand and Cliff Stoll, you Stoll.

Eric Trexler:
Your boom. Ok, we’ll link to that if we can find it. So back to Moonlight Mays, you’re doing all this work. You hit the mother lode.

Juan Andres Guerrero-Saade :
Yeah, so some something to feel.

Eric Trexler:
Where do you go from there?

Juan Andres Guerrero-Saade :
Yeah. Well, so to close off the thing with Cliff, right, the reason I brought it up is what we didn’t understand at the time is he was seeing these German hackers who were stealing American documents to sell them to the KGB for some combination of, you know, drugs and money. And at the time, we just were not really cognizant that this could happen with Moonlight Maze. I think it comes at a time when the U.S. is already in a very covert fashion, taking on that same activity and someone in the U.S. in Russia figures out, you know, why not go for this ourselves? So what we see and you asked, you know, what do we feel at the time? The idea of getting our hands on this material was if there is such a thing as a miracle and threat intel, I think this is it, right? We found more detailed information for that incident than we usually get for most modern investigations. I mean, you had on keyboard logs, all kinds of tools, you could see how they were deploying things, their different victims. Danny Moore, who worked with us on this, he’s over at Facebook now. He he actually was able to reconstruct this whole cloud of all the IPS connecting to each other and figuring out sort of how they were routing themselves through these different systems and coasts. And Ryu and I spent our time reversing the reverse engineering the different samples. I told you that it was a little more obscure than Windows, NT and whatnot because these were actually SPARC stations, Solaris systems, iris systems from back in the day.

Eric Trexler:
So it was I can hang Rachel. See?

Juan Andres Guerrero-Saade :
Well, I’ll tell you what, when I was seven years old, when this stuff was being coded, it was entirely new assembly seven using

Eric Trexler:
Be in this one. So how do you take Solaris? Like what is that? Back then, it’s probably Solaris 7 or Solaris 8. How do you take Iris and actually even do anything with it?

Juan Andres Guerrero-Saade :
Well, I mean, thanksfully.AIDAPRO will battle anything you throw at it, but I think the bigger issue was that’s a

Eric Trexler:
That’s a tool you’re using for reverse engineering,

Juan Andres Guerrero-Saade :
Right? I mean, that’s sort of the tool, you know, until Ghidorah came out, it was the tool, and I think that it still is. But essentially the harder issue was not disassembling these things, but rather that I mean, I was entirely foreign to this type of assembly. Like I had to sit down and basically learn a whole new right form of assembly to understand these different binaries and try to figure out what the hell it is that they’re doing. And thankfully, I had Caussin Rai, who’s always been a mentor, and he’s he’s much more experienced in that in these sorts of things. To help guide me, but we had a ton of stuff to reverse. So it took us at least six months just to deal with the samples and figure out how that toolkit was being iteratively developed, what it was that they were trying to do, what was going on. And I think the greatest finding of the whole moonlight mais parallel construction that we got to do was realizing that these guys who for all intents and purposes, were skittish. They were script kiddies at the time and they were just, you know, kind of testing out different tools and what they could get their hands on. They eventually start to kind of catch their stride and develop, you know, one set of tools that really work for them and, you know, develop it better and get closer to what we now would think of as a malware family. And the interesting thing was they they built on top of a publicly available backdoor called Loki, too. And we saw them start to iterate on that strip aspects of it, improve on certain aspects of it, build, build, build, build and then our visibility ends. There’s you know, there’s a period when when this leaks out of Congress and the Newsweek story comes out, they freak out and burn all of their infrastructure, including the server that we’d gotten access to. So at that point, we kind of.

Eric Trexler:
So they reach into the server, which is in somebody’s house.

Juan Andres Guerrero-Saade :
It was in a company in the UK. It was like a guitar company in the UK.

Eric Trexler:
Right. Ok, so it’s part of their infrastructure, though, and they basically burn

Juan Andres Guerrero-Saade :
It all down. They burned everything they stopped using.

Eric Trexler:
We think the Russians.

Juan Andres Guerrero-Saade :
Yeah. I mean, for all intents and purposes, I mean, we we had these connections going back to like City Line, which was like a Russian ISP at the time. Like everything pointed. You know, they tried using proxies. That’s what this company in the UK was right. They hacked this company and used it to route themselves so that the attacks would look like they were coming from the UK rather than Russia. But eventually, that mask kind of falls apart, right? Where it gets interesting is that that tool that we were watching get developed doesn’t disappear. As a testament to sort of the compatibility of POSTECH systems and Linux and still kind of working on the same elements. It looks like they continue to use that same source code up to now.

Juan Andres Guerrero-Saade :
Why would you recreate it if you don’t need to, right?

Eric Trexler:
Well, yeah, but again, I mean, that was. It. I was in disbelief to consider that you could have a malware family work 20 years later and in Windows, it would be impossible, but in Linux, you know, they took the same source code that they had continued to develop over the years for these Solaris systems and recompiled it for Linux eventually. And we had already seen it. We just didn’t know what it was. We didn’t know how to connect it. It’s something that researchers at Kaspersky had discovered around 20 15 called Penguin Turlock. And you might know Twirla Twirla is a really well-known cyberespionage actor, Russian actor. They’ve been behind a lot of very notable attacks, including, you know, DOD systems, military, a lot of government, a lot of governments. I mean, they are very much an old-school, proper espionage organization. You know, you’ve got sort of the the the bears that, you know, come around like bulls in a China shop like Sophia C APT twenty-eight, fancy bear, whatever you want to call them. And then you’ve got the kind of the pros that are actually just stealthily watching embassies, watching, you know, different ministries of state and so on.

Eric Trexler:
That sense a little respect there.

Juan Andres Guerrero-Saade :
Oh, definitely. I mean, I my blog is named after them like, I love these guys. They do, you know, they just do fascinating work, but they use something called Penguin Tala around twenty fifteen and they continue to use it sparingly over the years. And what we figured out was when they were having a hard time with an intrusion. Whenever somebody was starting to clean them out of a network, they would grab like a Linux server somewhere on that enterprise and hide this little backdoor and they would get cleaned out and they would wait three months or whatever. And then they would just come right back in through that Linux back door that most folks didn’t catch and they would just repopulate. That Linux backdoor was compiled from the same source code that we were seeing develop from Moonlight. So you have this perfect connection of 20 some years, from moonlight, mace to the modern twirla that we continue to deal with, which is just mind blowing.

Eric Trexler:
So JAGS, I’m going to ask you a question because if you look at like MacOS, it comes from next OS, which is, you know, comes from Unix. Hmm. Right. If you look at Windows, what are we up to now? Windows 11, I think? Well, I can still see, right? Ok, so I can still see in Windows 10, which I don’t do a lot of remnants of dos and early Windows 95 and Windows 3.1. And you know, the operating systems that we work with still go back 20, 30 plus years. In the case of Unix, we’re talking. I mean, what are we talking? We’re probably talking close to what, 50, 60 years now? I think Unix was late sixties if I had to take a guess. So it works. The code still works. I don’t know. I mean, you don’t hear about this often, but why wouldn’t you just keep using it if it works? If nobody’s shut you down, why not keep using it? We do it on the operating system.

Juan Andres Guerrero-Saade :
Yeah, I mean, it’s kind of fascinating. I say that this is more possible in Linux, where, you know, pop standards are much more important than folks are continuing to maintain. The same open SSL has been around for a billion years, and you just kind of iterate on it, which is why it’s a frigging mess. But you know, it continues to work. You couldn’t do that on Windows. I mean, Windows has a lot of things that continue to look like their old versions. But if I took malware from the early two thousands and tried to run it on like Windows 10, chances are it’s just going to crap out, right? Like the of the DHL’s aren’t going to work the same way. The services don’t work the same way the crowd.

Eric Trexler:
But when I go to edit the registry, it’s like back in the day when I was an I see on Windows NT 3.5, 3.5.1. I mean, it’s it’s still the registry, right? Terminal Command control is still there a lot. I’ve got Mac OS x Unix books downstairs. That still works, surprisingly or not, because I forgot everything. You can still run by. I forgot it all, Rachel. I forgot It all. This is fascinating.

Juan Andres Guerrero-Saade :
Well, another version of that, right? Speaking more to the security industry in the way that it’s evolved over the past 10, 15 years, there’s been a lot more of a cat and mouse game in on Windows. Right? You know, viruses were a thing that became there was a greater consciousness about viruses on windows. And then the antivirus industry started to evolve from the great figures that we’ve known from back in the day, whether it’s Eugene, Kaspersky was there and the folks from McAfee, you know, I won’t say that, John, kind of rest in peace. You know, as a figure, he didn’t sort of withstanding the test of time, but we have these sort of like luminaries that started the AV industry and it was all about kind of, you know, a new viruses come out and all these different folks around the world are doing their best to kind of best it. And that evolves into the industry that we know now where you have hundreds of thousands of unique samples coming in all the time. And we’ve tried to. Develop more automated systems that deal with them. All of that is largely rooted in the Windows Battlefield and Linux and Mac OS have kind of flown under the radar, not because there aren’t threats for either of them, but rather from a lack of visibility, from a lack of adoption. Honestly, some snobbery on the part of Linux administrators who seem to think that these things can’t affect them, even though it’s quite clear that they do so. In a sense, the evolution of security tooling under the hood of Windows is it’s been battle-tested and it’s been sort of this natural evolution that’s happened between predator and prey, whereas I think Linux is really lagging behind. In that sense, they adopt security measures just sort of like, you know,

Eric Trexler:
They want seeing on the defensive side, the white hat side. But really, the bad guys, the adversary, they don’t care. They’ll pick whatever platform works for them, right?

Juan Andres Guerrero-Saade :
I mean, whichever they have to write, like if I if I know that I want to target you and you’ve got an iPhone, then you know, we know what the stakes are now, right? I’m going to go to NSO, I’m going to pay them a million dollars and boom. You know, we’ve got Eric. I’m not going to spend all my time trying to figure out Windows malware if you don’t use it, right? Right?

Eric Trexler:
Yeah. Now I’ve been in the industry 20 years and it’s like, well, Linux doesn’t have a big enough footprint. There’s not enough, you know, the addressable market is too small. We’re not going to have a Linux client capability. It’s like, Well, wait a minute here. Every server that’s like leaving, it’s like leaving two windows in a house open, but everything else is totally bolted down. I mean, come on. Well, I’ve always heard that there’s like an 18 percent number, which is where a lot of the adversaries look for mass attacks, when a platform, whatever it may be great goes above like 18 percent. I’m sure that number changes. It becomes attractive from a monetization perspective. That’s not nation-state. That’s like, you know, hacktivists, people out there for money.

Juan Andres Guerrero-Saade :
So it’s a very outdated way of thinking about things, right? Like every server and cloud system on Earth essentially is built on Linux in some form or another. And the idea of monetization has changed drastically, right? Like what has fueled the ransomware epidemic, but the ability to exchange value through cryptocurrency and you can mine cryptocurrency. The only reason that you shouldn’t mind cryptocurrency at home is that it’s inefficient because you don’t want to pay the light bill. But if I can deploy crypto miners to a bunch of instances, then you know, what do I care? Right? So there’s definitely a whole side of that that we’re ignoring, and that’s the large scale on the smallest scale. It’s like, well, my router runs Linux and there’s these Mirai botnets that at times have taken down entire swaths of the internet because of the lack of security on those things. So yeah, we we treat them like edge cases, but it’s kind of ridiculous because I agree it’s our whole infrastructure.

Eric Trexler:
Right, right. But from corporate America’s perspective, it’s hard to monetize in many cases because there just aren’t as many nodes out there, if you will. Systems?

Juan Andres Guerrero-Saade :
Yeah, I mean, I think I think some folks are kind of getting ahead of that, I think. I would also expect or hope that customers get a little more savvy in what they ask of their vendors. Like, I try to kind of egg customers on to be like, you know, ask for this, ask for something better. Look at the DNC. I mean, it’s such a contentious issue to talk about what happened in the summer of SOPA. Twenty sixteen. But the DNC, if you read the CrowdStrike report carefully, they realize that APT28 is their fancy bear or whatever SA team, whatever you want to call him, a million names. They realized they put twenty eight is there and they clean all the Windows machines. They don’t realize that there’s an X agent sample on a Linux machine, and they repopulate exactly the same way that we were talking about with Twirla. And you know, it’s not let’s not knock CrowdStrike in particular. I think most folks in the industry just aren’t paying attention to Linux the same way that they should. And it’s it’s situations like that where you see the chink in the armor where it’s like just one machine sitting there is enough to keep that beachhead going, keep that infection going for way longer. And then we see the effects that that has sort of in horrible ways, right?

Eric Trexler:
Yeah, you can be 99% perfect, but that one percent that one machine, I mean, you have to have perfection in many cases. Ok, so you’re doing Moonlight Maze, you’ve done the research. Where does it end up? Well, how do you end the story because we have another amazing story coming?

Juan Andres Guerrero-Saade :
Yeah, well, there are quite a few. I mean, I’ve had a very I’ve had the privilege to work on a lot of interesting cases in my career. And, you know, we can talk about them for as long as you want. Moonlight Maze. I was really happy to see how it ended up. I mean, I got to, first of all, go on stage at SAS, which was one of my favorite conferences with my friends, my co-researchers at the time, Thomas rid that Danny Moore and Coson Ryu. We got on stage there together how to drink together over the machine and got to tell the story. But better yet, the Spy Museum, as they were doing this sort of redesign and they got that brand new building amazing site in D.C. they dedicated a whole section to the cyber espionage and cyberwar, sort of the development of things in the cyber domain. And apart from giving us an opportunity to explain some difficult concepts as wonky holograms. They actually took the server. David Hedges was kind enough to ship them the original command and control server from like Maze. And, you know, it’s up there in the exhibit. So if folks ever get to escape COVID madness, I definitely recommend you go see this machine that field a thousand hacks, right? Awesome. That is amazing.

Rachael Lyon:
So now where do you go from there, I mean, gosh, I

Eric Trexler:
Think we go to trains, trains and planes and automobiles, but let’s go to trains, Rachel.

Eric Trexler:
Wow, what a great story. Eric, I think with that, let’s let’s call it the end of part one and bring people back next week for part two.

Eric Trexler:
But I don’t want to wait a week. And the inside story, Rachel is we don’t get the raw copy, so we have to wait to hear the second part also.

Rachael Lyon:
I know, I know I hate it, but that’s what makes it so much fun. How often do you wait for anything anymore? I just binge-watch like 11 seasons of The X-Files.

Eric Trexler:
I get so angry when they drip them out week by week. I Ted Lasso right now is killing me.

Rachael Lyon:
It’s excruciating. Excruciating.

Eric Trexler:
Ok, so Jags Part two next week.

Rachael Lyon:
Jags Part two next week? Yes. So can’t don’t want to miss it. Yeah, exactly. Tuesday bribe. You get direct in your email box. That’s right. On Tuesday.

Eric Trexler:
Talk to you then. All right.

Intro:
Thanks for joining us on the to the Point cybersecurity podcast brought to you by Force Point. For more information and show notes from today’s episode, please visit W-w-what four gov podcast. And don’t forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.

<

(function(s,o,n,i,x) {
if(s[n])return;s[n]=true;
var j=o.createElement(‘script’);j.type=’text/javascript’,j.async=true,j.src=i,o.head.appendChild(j);
var css=o.createElement(“link”);css.type=”text/css”,css.rel=”stylesheet”,css.href=x,o.head.appendChild(css)
})(window,document, “__sonix”,”//sonix.ai/widget.js”,”//sonix.ai/widget.css”);

Why it’s important to choose kids’ chairs with memory foam?

Memory foam was first produced in 1966 by NASA, looking to create material that would protect the astronauts during take-off. They were working on isolating space ships from shock waves. And it was hard to develop because the material needed to have the perfect balance between firmness and elasticity.

The first memory foam mattresses appeared on the market in 1987, but it took years before consumers accepted them. Today this type of mattress is one of the most preferred types, especially good for people with back problems.

More and more parents choose memory foam for their children’s furniture. If you are interested in this type of chair, we recommend you to keep on reading the article – it will explain why this material is so great and where to buy memory foam chairs for kids.

What is memory foam, and why it’s so popular?

Unlike low or middle-density foams, high-quality memory foam perfectly molds the body contours, offering good support to muscles and the spine. This material is widely used in different kinds of orthopedic equipment because it has many advantages over other materials. Furthermore, this type of foam is hypoallergenic, antibacterial, can reduce pressure points and prevent overheating.

Benefits of children’s chairs with memory foam:

  • Ergonomic design helps to maintain your child’s correct posture.
  • Memory foam perfectly absorbs shocks reducing the risk of injuries during different activities.
  • It prevents spine curvature and other spine problems.
  • High-density memory foam is breathable, has antibacterial and hypoallergenic properties.

As a result, children’s chairs with memory foam of the highest quality will help your kid grow healthy and active!

Tips on choosing kids’ chairs with memory foam

  1. Look at the size of the chair! Make sure that your kid will have enough space to sit in it comfortably, and his legs won’t touch the bottom of the seat.
  2. Make sure that there are no sharp corners or any other parts capable of causing injury on the chair!
  3. Finally, it’s better to have a removable cover, so you’ll be able to wash it after your kid had an accident or got any other stain, just in case!

What are the best kids’ chairs with memory foam?

  • Delta Children iComfort Memory Foam Chair (Sponsored)– This supremely comfy chair has a memory foam seat for added comfort and a luxurious quilted slipcover. The cover is detachable and machine washable for simple cleaning. This kids’ foam chair will go with them anywhere they go – the lightweight design with a top handle is simple to transport from room to room. For ages 18 months+.
  • Comfy Sacks Kids Memory Foam Bean Bag Chair (Sponsored) – Children who like to watch cartoons on TV for hours on end or simply love curling up in front of the PlayStation will enjoy this comfy seat. Comfy sacks are filled with a long-lasting shredded memory foam that is soft and resists permanent compression. For years, your Comfy Sack will retain its unique squishy feel.
  • Delta Children Cozee Fluffy Chair (Sponsored) – The comfy, supportive back and plush faux fur cover make this chair ideal for reading, playing, or snuggling. Its lightweight makes it portable enough to take with your child wherever they go. The foam construction’s innovative design will preserve its form for years of use that adjust to your child’s requirements.
  • FOME HOME Kids Floor Chair (Sponsored) – The excellent flexibility and comfort children need to sit and play for hours. It’s the best choice for kids who love to watch TV or spend the evening on the floor playing games on tablets, laptops, or phones.

The post Why it’s important to choose kids’ chairs with memory foam? appeared first on Comfy Bummy.

Apple’s macOS Monterey | 6 Security Changes That May Have Passed You By

As widely expected after last week’s announcement, Apple released macOS 12.01 Monterey, the latest version of its Desktop operating system, on October 25th. We did a round up of the main security features in Monterey back in June, and while much of what we said there remains true with the first public release, there’s a few security-related differences between the initial beta and this week’s public release. In this post, we’ll review the hardware specs for Monterey and then get into some of the changes in the release version that haven’t been widely reported and which should be of interest to Mac security and admin teams.

System Requirements | Intel and Apple silicon

Before we jump in, let’s just recap what hardware you’ll need to run macOS 12 Monterey. For existing devices, nothing has changed on that front since we reported on this back in June. Here, for convenience, is the list of older Macs that can run Monterey:

  • Mac Pro (Late 2013 and later)
  • Mac mini (Late 2014 and later)
  • ‌MacBook Air‌ (Early 2015 and later)
  • MacBook Pro (Early 2015 and later)
  • ‌iMac‌ (Late 2015 and later)
  • MacBook (Early 2016 and later)
  • ‌iMac‌ Pro (2017 and later)

In addition, the newly-announced M1 Pro and M1 Max devices will all ship with macOS Monterey from October 26th onwards.

Size Matters | Updating or Upgrading?

As well as the right device, you’ll need space for your new OS if you’re updating or upgrading an older install. The new version of macOS comes in at a hefty 11GB full update if you are installing from scratch, or as a delta update of between 1 and 2GB if you’re updating from a beta version (the delta size will vary depending on what version you’re updating from). If you’re adding Xcode 13 to that (see below), that’s another 12GB or so on top.

We didn’t notice any install problems on either M1 or Intel Macs, but as always with downloading huge files and installing something as complex as an entire operating system, experiences can vary widely. The absolute must-have before you embark on any such “operating system surgery” like this is a full, restorable backup solution.

1. Python 2.7 – The Lights Are Almost Out

The first change to be aware of, and not before time many will say, is that Apple are finally pushing people (and themselves) off Python 2.

In Monterey, an app that uses Python 2.7 now triggers a UI alert indicating that the developer must update the app to ensure it will work in future versions of macOS. We saw this same general ‘scare’ tactic work quite successfully when Apple wanted to push developers away from kexts in macOS Catalina.

Throwing alerts at users and having users moan at developers worked very well in that case, and we’re sure it will do in this. There will inevitably be some complaints from both users and devs, but really, Python 2.7 has stayed up well past its bedtime.

2. Xcode 12’s Race Is Run

Apple has taken a far more ruthless approach to its own development environment, Xcode, and insisted that Monterey users upgrade to Xcode 13 if they haven’t already. Xcode 12.5.1 simply won’t launch on macOS Monterey at all, so if you have reasons for not wanting to move to Xcode 13, be sure to stay off Monterey until you’re ready to do so.

The Xcode 13.1 installer is available for free from the App Store, but in terms of space it will set you back the princely sum of 12.4GB of disk space (and bandwidth).

3. TCC Extends to PAM.d

In every iteration of macOS since 10.9 Mavericks back in October 2013, Apple has extended the scope of its troubled User Privacy controls, aka TCC. Ostensibly meant to prevent applications accessing personal data without consent, TCC in fact covers a lot more than that and can really be thought of as an extension of System Integrity Protection (SIP) within the realms of userland.

In Monterey, a little-reported change is that TCC now protects the contents of the /etc/pam.d folder. Apps and services that require the installation of PAM modules must now request user authorization. As with most of TCC, this can be sidestepped by sys admins either by means of a Privacy Preferences Policy Control (PPPC) profile from MDM or by granting the modifying process the Full Disk Access entitlement.

4. macOS VM Guests Come to M1 Macs

One of the most welcome changes since we saw the initial beta of Monterey is that it’s now possible to run macOS virtual machines on Apple silicon thanks to Monterey’s built in Virtualization framework.

This will be hugely significant for developers, security researchers, admins and any number of other users who need a macOS test environment or ‘playground’ for the M1 architecture.


Source

There’s still no sign of a robust Intel emulation that’ll allow you to do something like run an x86_64 macOS VM guest on your Apple silicon machine, but there are some encouraging early signs that such a thing could be possible at some point in the future.

5. Live Text Lives On Intel Macs, Too

When we first reviewed the macOS Monterey beta, the Live Text feature was only supported on M1 Macs. However, with the release version, Live Text now works across all Mac computers that support macOS Monterey.

Live Text, which allows you to select and copy text from images, has a lot of possible applications and it’s great to see such a useful feature not being limited to the newer Apple silicon architecture. You can read what else we had to say about Live Text and its security implications here.

6. Private Relay Still in Beta

One of the security-related features that we previewed back in June did not make it out of the beta phase: iCloud Private Relay. While the feature is available, it remains off by default and requires a paid for iCloud subscription. The feature is also unavailable in certain countries and regions.

We were lukewarm about this feature in our original review as it neither allows you to change or hide your geolocation from censors nor does it provide robust anonymity. The use case for this feature seems largely to be as another layer to thwart advertising tracking.

Given that Apple says this is still a ‘beta’ feature – presumably indicating it may not work reliably – we can’t help feeling that at this point it has very little utility for those with genuine privacy concerns.

More Security Features in macOS Monterey

Aside from those mentioned above, we also covered the following in our original review of Monterey. As nothing much has changed here, please check out the earlier post for details on these in macOS 12:

  • Mail Privacy Protections
  • Safari’s New Security Smarts (including ‘HTTPS upgrade’)
  • New Password Management and 2FA
  • Audio recording indicator (‘Mic Alert’)
  • FaceTime Links
  • Erase All Contents
  • Automation via Shortcuts

SentinelOne Supports macOS Monterey

Whether you’re running macOS Monterey on Intel or Apple silicon, you can be sure that your SentinelOne agent will continue to protect your device, built to run natively on the host’s architecture to offer best-in-class protection against macOS threats.

Aside from ensuring that you upgrade the agent to one of versions 21.5SP1 (21.5.4.5860) or 21.7SP1 (21.7.4.5853) before installing Monterey, there are no other upgrade requirements or steps needed.

For more information about macOS Monterey support, see our support article here and FAQ on Monterey Support here. If you’re not protecting your Macs with SentinelOne yet,  you can request a free demo or contact us for more information.


Junior Fishing Chair For Kids

Want to give your kids memories they will cherish for life? Then it would help if you tried bringing them on a fishing trip. You can make it a family trip or go fishing alone with your children. Either way, you will be able to relax and enjoy the beautiful sights of nature.

Plus, you’ll also be teaching them valuable lessons about life. But what if they are too old to sit on your lap while fishing? You might want to invest in a junior fishing chair for kids.

Imagine the joy on their face when they can sit with you while fishing. They will have a great time bonding with you through this activity. Of course, it wouldn’t hurt if you brought them a comfortable chair for kids.

Tips When Buying a Kids’ Fishing Chair

Here are some tips on how to choose the right junior fishing chair for kids:

Tip #1: Size and Weight

The first thing that you should consider is the size of the junior fishing chair. You should be able to find a chair that fits your child perfectly. After all, their comfort will have a significant impact on how they enjoy the trip. Make sure that it can hold your child’s weight, too.

Tip #2: Age and Weight Limit

The next thing that you should do is look into the age limit of the junior fishing chair. You don’t want to bring a chair that’s made for older children on a family trip with younger kids. This can be very dangerous as one child may not have the capacity to sit on a chair.

Tip #3: Material Used

It’s also important to look into the material used for junior fishing chairs. After all, you want to be sure that it can bear your child’s weight. You may want to get a plastic or metal chair if you plan to bring your kids along with you on family trips.

Tip #4: Price

The price of junior fishing chairs will also depend on their weight limit and features. You may want to get a chair that will last for many years, so it’s best to choose the most durable one out there.

Recommended Fishing Chairs for Kids

We have visited Amazon.com and found some fishing chairs for kids we can recommend. One for girls, one for boys, and one for both.

Please note that the prices displayed on Amazon.com are subject to change at any time. If you want to know the price, you have to click the links attached to that paragraph.

For Girls: Ultralight Backpack Cooler Chair – Compact Lightweight and Portable Folding Stool for Kids

This is a lightweight fishing chair for girls. You can carry it anywhere you go, and its backpack design makes it easy to bring along. It only weighs 3 pounds, so even young children can carry it around with ease. In addition, the compact size means that this chair won’t take up too much space inside your car or house.

Check the price on Amazon.com (Sponsored)

For Boys: Backpack Cooler Chair, Portable Fishing Chair for Outdoor Activities

A fishing chair for boys should be sturdy, comfortable, and easy to carry around. This is exactly what this chair offers! It is lightweight, so your boy will have no trouble carrying it on his back. Plus, its size won’t take up too much space inside your car or home.

Check the price on Amazon.com (Sponsored)

For Both: Kelsyus Kids Outdoor Canopy Chair

Why not get a fishing chair for kids that they can enjoy with you? Kelsyus Kids Outdoor Canopy Chair is designed to fit children of all ages, and it has a canopy where your child can put his drink and snacks. The frame is made from steel, making it sturdy enough to endure the outdoor environment. It also folds up quickly, so you won’t have any trouble bringing it along on family trips.

Check the price on Amazon.com (Sponsored)

Where Can I Find Fishing Chairs for Kids?

You can find fishing chairs for kids at major department stores, sporting goods retailers, and even grocery stores. You may also want to check out Amazon.com as they offer some of the best deals online.

Final Thoughts

What better way to bond with your child than fishing? The right junior fishing chair can make all the difference, so you need to choose carefully. Follow our tips above, and you’re sure to find the perfect one for your family!

The post Junior Fishing Chair For Kids appeared first on Comfy Bummy.

FBI Raids Chinese Point-of-Sale Giant PAX Technology

U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.

FBI agents entering PAX Technology offices in Jacksonville today. Source: WOKV.com.

Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla. based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.

In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.

Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.

According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

KrebsOnSecurity reached out to PAX Technology’s CEO on Sunday. The company has not yet responded to requests for comment.

The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.

“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”

The source was unable to share specific details about the strange network activity that prompted the FBI’s investigation. But it should be noted that point-of-sale terminals and the technology that supports them are perennial targets of cybercriminals.

It is not uncommon for payment terminals to be compromised remotely by malicious software and made to collect and transmit stolen information. Indeed, some of history’s largest cyberheists involved point-of-sale malware, including the 2008 breach at Heartland Payment Systems that exposed 100 million payment cards, and the 2013-2014 string of breaches at Target, Home Depot and elsewhere that led to the theft of roughly another 100 million cards.

Even if it were publicly proven today that the company’s technology was in fact a security risk, my guess is few retailers would be quick to do much about it in the short run. The investigation into PAX Technology comes at a dicey time for retailers, many of whom are gearing up for the busy holiday shopping season. What’s more, global computer chip shortages are causing lengthy delays in procuring new electronics.

CISO Quick Wins | Harnessing the Power of Automation and AI

Staying ahead of attackers has become an increasingly complex game as threat actors exploit new and more sophisticated attack vectors. From human-operated ransomware gangs to sophisticated supply chain attacks like SUNBURST, the threats we face today are nothing like those of the past. Attacks can consist of a complex series of actions in which the initial infection is just the first step, complicating the security team’s efforts at detection and response.

Across every sector, there is now a clear shift in the mindset of security professionals. This has moved from ‘if’ hackers target us to ‘when.’ Smart organizations understand that they need to assume that they will be compromised and develop defences accordingly.

It’s not just the direct threat to an organization’s data that is at stake here, either. As the threats increase, so does the media’s appetite for reporting on them, with security incidents regularly making mainstream headlines. Now, even if an attack is out of a CISO’s and her organization’s hands, the general public is nevertheless quick to lay the blame at their door.

The cost of a successful data breach is more than just financial: attacks not only pose a threat to the security of data but the reputation of the company as a whole, while breaches inevitably have a knock-on effect on the broader value chain.

Context is Key

There are many questions to be answered to understand the nature of attacks. There are also many questions about how to prevent them. For example,

  • How did the attack occur?
  • Why was it successful?
  • Who is to blame?
  • How can the effects be remediated?

The investigation of a potential incident begins with the entry point — the endpoint that a cybercriminal has used as a gateway to gain access to a network. Legacy endpoint detection response (EDR) tools then try to link an isolated activity to another and then another to build a picture of the incident as a whole in an effort to understand how far-reaching the breach is.

However, solving the mystery and understanding the context within a flood of corporate data is a task to burdensome for a human-powered approach. Legacy detection and response tools provide a complicated and overwhelming amount of data across a vast range of endpoints. Security teams are already overloaded with long incident queues, leaving them with no time to analyze incidents and threats in-depth.

What’s more, incident response teams — unsurprisingly — want to shoot down a virtual missile before it hits its target instead of figuring out what went wrong after it happened.

The Role of Automation

It’s become clear that a manual alert triage is no longer enough — it’s nearly impossible to monitor every endpoint manually, and the scale and sophistication of attacks is too much for a strictly human-powered approach. Instead, contextualization of all data points into a single action thread is key to a comprehensive defence against modern threats. For example, successfully resisting a ransomware attack such as SolarWinds requires a solution that can neutralize the full range of threats from various attack vectors. The only way to achieve this is through solutions founded in artificial intelligence and automation.

SentinelOne Singularity XDR
See how SentinelOne XDR provides end-to-end enterprise visibility, powerful analytics, and automated response across your complete technology stack.

A Technological Advantage

Threat actors leverage the latest innovations in technique and technology to perpetrate their attacks, and robust enterprise cybersecurity teams need to do the same, fighting fire with fire in order to get one step ahead of attacks and proactively prevent them. It can take just seconds to breach an organization. By leveraging AI, businesses can detect, respond and remediate, all in real-time.

When performing real-time threat modeling, incident correlation and tactics, techniques and procedures (TTP) analysis, AI delivers enriched intelligence around the context of an attack.

Custom detection rules can be written that address new or targeted threats, such as those specific to industries or organizations, so that an appropriate response occurs immediately while security professionals nevertheless maintain complete control over the process.

In fact, one of the only solutions to protect organizations against SUNBURST variants during the SolarWinds attack leveraged autonomous AI and robust anti-tampering that together delivered complete protection at the point of attack.

Proactive Defense

Using AI and automation makes cybersecurity proactive rather than reactive by automatically detecting threats and blocking unwanted processes, disconnecting an endpoint from the network and even performing a selective rollback of the system to a point before the attack occurs. This helps organizations and SOC analysts prevent attacks before they can occur and remediates the effects of a successful breach.

In this way, recovery is enabled as part of the automatic response in addition to purely preventative protection. Plus, such a solution can work without reliance on a cloud connection to detect activity or make decisions. Instead, it can all happen on the endpoint itself, both online and offline.

While there is no such thing as a catch-all in IT security, AI allows organizations to get ahead in cybersecurity’s arms race finally. A human analyst needs years of experience and training to develop the skills necessary to detect and isolate threats. Automating the incident detection and response process is the equivalent of having a digital SOC analyst on every endpoint at all times — something every organization could use in their cyber defense arsenal.

If you would like to learn more about how the SentinelOne Singularity Platform can protect your organization, contact us or request a free demo.