Episode Transcript
Hey guys.
Speaker 2: So you know I run every day for twenty minutes.
Speaker 3: I didn't know that.
Speaker 1: Yeah, good for you.
Speaker 2: If I miss a day, I add twenty minutes to the next day.
So this has truly been a game changer, because tomorrow I'm supposed to run for four months.
Speaker 1: That adds up.
Speaker 3: That does add up.
Yeah, that's good.
Speaker 2: All right.
So we got some interesting stories this week, you know, some of the usual stuff and some not so usual.
SonicWall fixes actively exploited CVE-2025-40602 in SMA 100 appliances. Right, what happened here?
Speaker 1: So there's, so you know what's interesting.
We've talked about these before, these SonicWalls.
These are their Secure Mobile Access devices.
They're literally for mobile.
Speaker 3: Well, they can't say that name.
Speaker 1: How many CVEs have to be assigned before they force you to rip "secure" out of that?
Speaker 2: Yeah, so they used to be SMAD.
Now they're just MAD.
Speaker 1: Yeah, MAD. So we'll just call them mobile access devices.
The vulnerability is tracked as CVE-2025-40602 and it is a local privilege...
I can't, I can't say it.
I can't.
Speaker 2: Third time's a charm. Do it.
Speaker 1: Here we go.
This vulnerability is tracked as CVE-2025-40602, and this is a local privilege escalation that comes from insufficient authorization in the Application Management Console, what they call the AMC.
So if you're tracking this, you definitely want to go and see to make sure, if you're still using the Secure Mobile Access device, you want to make sure that this is actually out there and patched.
Speaker 3: And it's actively being exploited.
Speaker 1: It is actively being exploited.
It is funny.
If you read through this article, it says the vulnerability was reported to be leveraged in combination with CVE-2025-23006, which is an unauthenticated remote code execution with root privileges.
So there's a bunch of CVEs in here.
If you haven't patched in a while, and I know we've talked about them on the show before, right, but yeah, if you are running an SMA 100, uh, throw it out.
No, go patch. Go patch.
That's probably the best advice.
Speaker 4: I mean, firewalls are so dangerous that if there was one thing you need to watch to patch as soon as a patch comes out, it's a firewall, because, I mean, by definition it has to be on the outside, it has to be accessible.
Speaker 1: So, yeah, we're gonna see in a couple of these articles here where external devices were being hacked because certain things were exposed that shouldn't be.
But that's not the case with this one, so we'll leave it alone.
Speaker 2: But I agree, right. Are we at the point yet where we can subscribe to a service and tell it all the devices that we have, and it will notify us when there are CVEs or known exploits, so that they don't have to listen to us anymore and they can just, you know, get those notifications and go patch?
Speaker 4: I'm sure there is something.
I just don't know of one that's got a reputation.
Speaker 1: So I've seen them individually, as in like you can install agents on PCs, almost like an inventory management system.
Yeah, say you're running this software, whatever.
I haven't seen it as a technology stack yet.
Speaker 2: Should we build one?
Speaker 1: You know what? We'll create one.
Done, yeah, next week.
Speaker 4: Honestly, I think this is a feature that should be built into our SBOM.
Speaker 1: No, Patrick, it's done.
We're adding it.
We're creating it.
Good, dude.
Speaker 4: SBOM has not arrived yet either, so I'm not like stealing from you.
Speaker 1: Security This Week approved.
Speaker 2: Yeah, so we should combine the SBOM with the patch notifier.
Speaker 3: Great, that's what I'm saying.
Speaker 2: I think that's what, and they'll call it the Security This Week package, and we'll charge exorbitant amounts of money for it, and there you go.
Speaker 1: Nobody will go for it that way.
Yes, our three listeners may buy it.
Speaker 2: Okay, moving on. From Help Net Security:
Attackers are exploiting auth bypass vulnerability on FortiGate firewalls.
Our old friend Fortinet.
Speaker 3: Well, we have to. This is the firewall episode.
Speaker 1: It is, so yeah.
Speaker 2: Fortinet was originally a firewall company, right? Yep. And then they started adding all these things, and we were making fun of them because they were getting all these vulnerabilities in their extra stuff.
But this is actually in their main product, right? Yeah.
Speaker 1: Yeah.
Attackers are exploiting CVE-2025-59718.
We haven't broken this down in a little while.
The way the CVEs work, obviously, it's a common vulnerability.
That means that it's out there and ubiquitous.
Doesn't necessarily mean it's being exploited, although sometimes we will say on this show, this is being actively exploited, which means it's been picked up by Arctic Wolf, or it's been picked up by, you know, the Google TAG group or whatever.
So in this particular one, we are actually seeing this being actively exploited.
The beginning part of the CVE, obviously, CVE, Common Vulnerability, but the next part, 2025, is the year it was found.
So in some of these articles we talk about today, you're gonna see CVE-2009 and you go, okay, well, this is weird.
That means this was found, you know, they found this, I don't know, like years ago, over a decade ago, and it's like, yeah, they did, just nobody patched it, and it's being actively exploited in the field.
But this one is from this year.
And then the last number, the 59718, is literally just a sequence of numbers.
They usually grow, so the beginning of the year is gonna have a smaller number, the end of the year is gonna have a larger number.
Right. So, just so you know how to track these things and where they came from, this one is from this year.
But what's interesting about this is there's actually two CVEs talked about in this article, 59718 and 59719.
Here again, see, that number is only one incremented off, right? So generally these are pretty sequential numbers.
One affects FortiOS.
FortiOS is the operating system that runs on the FortiGate firewalls and FortiSwitches and FortiProxy and so on and so forth.
It's kind of their, it's their iOS, right? It's their general operating system that runs on everything.
And then they have another CVE that applies to their web application firewalls.
Speaker 4: So we used to be standardized on FortiGate, and when they first came out, they were actually pretty far ahead of things.
They seem like they're in the news way too much.
Is it that they... but a lot of times it's not their firewall.
In this case, it is. It's their...
Speaker 2: Yeah, I just mentioned that.
Speaker 4: Yeah. So I'm just wondering, well, I'm leading up to something.
What I'm wondering is whether or not we would recommend this to anybody, or whether this is starting to become very LastPass-y.
Speaker 1: Well, so that's a good question. If you tear this exploit apart,
the way this is working is Fortinet, like you had said, started off with a firewall.
They were like, yay, we do firewalls.
Great, and then they said, let's do email, and let's do remote access, and let's do et cetera, et cetera, et cetera, et cetera.
Speaker 4: Right, and the surface area goes up, because every product, we hear Fortinet and it's not there.
Speaker 3: It's not their firewall.
Speaker 1: So right, right, absolutely.
But then you say, okay, well, now we have a bunch of different devices that do a bunch of different things.
Wouldn't it be convenient if an administrator could log into one of them and have single sign-on?
So let's do single sign-on.
But let's not use Google, let's not use Microsoft.
Let's use the Forti SSO, the FortiCloud single sign-on.
So you create an account with FortiCloud, and now you can single sign-on to all the Fortinet devices.
And that first stuff is not turned on by default.
You'd have to have multiple devices to have the pain of logging into each of them to go, oh my god, I wish there was a single sign-on, right? But if you turn it on, that's when the CVEs come into play.
So this really is, the devices themselves in some way may be secure, but whoever implemented their single sign-on implementation...
Speaker 3: Which is like rolling your own encryption.
Speaker 1: ...did something wrong that allowed these to be...
Speaker 2: Patrick, it is, Patrick.
If you wanted to ask me how I would know if Fortinet has jumped the shark, I would look at their hires and fires for the last three years.
Speaker 1: Oh, that's a good idea.
Speaker 2: I would look to see who's left, who got fired, and who they hired, and I'd want to look at their CVs.
Speaker 3: Almost as if you've been in technology for a while.
Speaker 2: Yeah, I mean, that's really the only way to get the true story.
I mean, they could be hemorrhaging money and hiring interns.
They could be using AI to build stuff.
They could, you know.
Speaker 1: Oh, this, oh, speaking of AI.
This gets way worse when AI and vibe coding come out.
I was talking to a buddy of mine who said he just came back from a QA conference, and they had done a bunch of statistics on, like, obviously unit testing and all sorts of stuff, and they saw, they had announced, that security vulnerabilities in applications, regular developers versus vibe coding, went up four hundred percent.
Speaker 2: Yeah, I believe it.
Speaker 1: Good for business, bad for you. Good for business.
Speaker 2: I believe it.
What if you have smart developers that use AI to do stuff they can do but just don't want to?
Speaker 1: So I honestly think that's the sweet spot.
Yeah, you have a really bright, experienced developer.
They will get things done faster, but they'll know the right questions to ask, right, right, like, oh, where are you storing these tokens, or so how are you, you know?
Speaker 3: I refer you back to the early SQL days.
Speaker 4: Remember when Oracle databases were run by a qualified, certified administrator and SQL Server was run by the receptionist?
Speaker 5: Or, in cases like us, the person who is standing closest to the database when it crashed.
Speaker 4: What happened was I had visits where I'd do consulting runs and I'd be like, yeah, I just don't trust these SQL Servers, because we have data and tables just go missing.
And I found out the company had four hundred scientists with SA access.
Speaker 2: Oh yeah, to the data. Oh, good lord.
Speaker 4: And they're like, I don't need that data, we don't need that table, and they...
Speaker 1: Delete a table, and it would just, like, there was an Excel tab.
We're in those days.
Speaker 4: Yeah, that's where we are right now.
Yep, you are here, and it's good.
It is good for business for us.
But what you need to do is take the best... all your developers need to use AI to get better.
And one of the dangers is to only keep your best developer and get rid of all the entry level people, because then we won't have any people.
Speaker 2: And I have a message to all the vibe coders out there who are junior developers or who don't have a lot of experience: ask the AI to comment every line of code.
Speaker 1: Yes, you might...
Speaker 2: Not be able to read it, but somebody else will, and it will help them catch problems.
Speaker 1: That is a fantastic suggestion, Carl. Thank you, because then, even as a junior developer, you look through the lines of code, you understand what they're doing, right, and it's easy if it says, hey, this line of code will authenticate the user and store their clear text password in a cookie, and then you'll be like, logically, you can be like, that's a terrible idea.
Let's not do that, right? So, yeah, I agree one hundred percent.
Speaker 4: Well, you can also take, I love this idea, you can take those comments and have them stripped out as a narrative and say to another AI, find me the problems or potential problems and...
Speaker 1: There, and especially when you start looking at architecture, like, okay, architecturally, with all this reaching out to SSO and databases and whatever.
Speaker 2: Right, and if you're really brave, you can say, rate me as a secure developer from one to ten, use decimals.
Speaker 3: There's a number below zero.
Speaker 4: Ooh, I still lose sleep, and I still think that we need to address it.
We had a story on the show many months ago, it might have even been a year ago now, where there was a vulnerability in an encryption library, and it turned out that the code was right, but the compiler made a mistake and simplified the code to put a loop in that made it vulnerable.
I think AI is going to help us with that kind of thing, and I think that thing is much more rampant than we think, but I think we're not...
We got to get over this hill, and I think that hill might take years for us to get over before we get to the benefits.
Speaker 1: Yeah, well said. Yeah, it's going to be busy.
We're going to start... the other thing we're going to see, I think,
unfortunately, you guys remember COBOL, right? Yeah.
Speaker 2: Well, yeah, actually I wrote some COBOL in college.
Yeah.
Speaker 1: So COBOL, and Visual Basic to a lesser extent, were advertised as the business programming language.
Right.
It was like anybody can be a programmer in the eighties, you just program in Visual Basic.
Look, we drag a button onto the screen and look at that, right? And we saw it in the mid nineties, late nineties, we saw a lot of code that was very bad from a usability, but also just from a maintainability, from a security sense.
Speaker 2: And all the real programmers mocked the Visual Basic programmers for being toy, you know.
Speaker 1: And still do it to this day.
Yeah.
So, but you know, we saw that where it was like the technology to allow people to write programs had accelerated past the general population's understanding to write programs.
Right. So everybody started writing these programs that lasted, I don't know, ten years before we started really taking a close look at it and saying, okay, now we need to take a look at the code, and we need to start cleaning up and that sort of stuff.
So I think we'll see AI vibe-coded code out on the internet for a while.
That's my prediction.
Okay, so buckle up.
Speaker 2: Buckle up, boys and girls.
All right. Hacker News says FreePBX patches critical SQLi, file upload, and auth bypass flaws enabling remote code execution.
All right. First of all, what's FreePBX?
Speaker 1: So for all of you who remember POTS lines, oh yeah.
Speaker 4: Telephone. All the hackers, all the hackers, just, right.
Speaker 1: Uh, so PBX is, yeah, I know, right. Uh,
PBX is private branch exchange.
It's, uh, you know, generally a way of doing voice over IP and that switching and that sort of stuff.
Yep, absolutely. So in this particular case, I'm astounded.
I don't remember the last time I've seen three CVEs associated with the same piece of software that are all above 8.6.
Speaker 2: Wow.
Speaker 1: It's, yeah, like they have numerous authentication, SQL injection vulnerabilities, like...
Speaker 2: Well, obviously somebody did an analysis of this product and found out three of these things at once.
Speaker 1: Absolutely, and they were there to find, yes, yeah, right, yeah, yeah. I mean, but that also means it was developed with no eye towards SQL injection, right, at all, especially if they found numerous in the login field.
It's not like, well, I did some sort of capture of the page and changed the language and blah blah blah,
with a blind SQL injection.
It was like, oh, my username is 1' OR 1=1 -- and, huh, I'm in, right? So, yeah, too simple.
Speaker 2: And I would mention, just to reiterate, this is an open source project.
Speaker 1: Yes, yeah. Well, that's interesting too, being that it is an open source project.
Speaker 2: Right, I mean, you know, nobody caught it until now, right?
Does any... do they say when these flaws were exposed?
Speaker 1: Ah.
So, well, actually, that's a great question.
Speaker 4: What would be also interesting is if we found out who wrote them and whether they were written and placed...
Speaker 3: In there by someone.
Speaker 1: Well, that's a good question.
Speaker 4: I mean, maybe these aren't, but it would be interesting to go back and look, when you see a CVE in an open source project, whether it's foreign actors that are trying to get a vulnerability in there.
Speaker 2: You guys should be in forensics.
Oh, wait a minute, you kind of are. All right.
Speaker 1: We do a lot of forensics to make sure that nobody can find us when we're hacking, and anyways.
So if we take a look at the prior vulnerability we were talking about with SonicWall, that one was 2025-40602.
So if you take a look at this one, these are 2025-61675.
So these are a lot newer than that SonicWall, probably in the last month or two.
You can look them up.
They'll tell you the dates when they were issued.
Actually, I can probably click.
I want to tell you it was blah blah blah blah blah.
This was October.
These were found, right, and fixed in October.
And you may say to yourself, well, shoot, why were these found in October and fixed in October, and we're just hearing about these now?
The process of disclosure to the company, and or in this case an open source project, and then having a fix made, and then having a patch built, and then having it... I mean, it just takes time.
Right. There's a reason that there's a ninety day disclosure window.
So, yeah, that's the case.
But not only do you have SQL injection that was apparently available in eleven different parameters...
Speaker 2: Wow.
Speaker 1: You also had an authentic... you had the ability to, if you authenticated, which, look at number one, I can bypass authentication.
But if you authenticated, you could arbitrarily upload and download files, so I could pull down PHP sessions, I could pull down the /etc/passwd file.
I could do all sorts of things there. They call those LFIs, local file includes, where I can actually pull data off of the system.
And then there was also another authentication bypass where you could manipulate the server and get auth bypassed.
So there were several issues in here, the last one rating a 9.3. Wow.
Speaker 2: Wow, wow.
All right. Well, on that note, let's take a break.
We'll be right back after these very important messages.
Stick around. And we're back.
It's Code with AI.
I'm Carl Franklin.
It's Dwayne Laflotte and Patrick Hynds.
Hello, boys. Hello, hello, hello.
All right.
Next story, Hacker News: CISA adds actively exploited Sierra Wireless router flaw enabling remote code execution attacks.
Hmm, does not sound good.
No. Sierra Wireless.
Speaker 4: So just to reiterate, the US Cybersecurity and Infrastructure Security Agency, or CISA, is a really good source of understanding what's going on.
So whenever they start to talk, it's worthy to listen to what they're saying.
Speaker 2: Didn't they get defunded, though? Are they back in business?
Speaker 1: Briefly?
They did for a little while, but then, yeah, they're back.
Speaker 2: Yeah, good.
Speaker 3: Yeah.
Speaker 4: So they keep what's called the KEV catalog, which is the Known Exploited Vulnerabilities, so basically, things that we know are out there so that you should pay extra attention to them.
So that's what this is saying, is that there's an 8.8, you know, to 9.9 scored vulnerability that they're saying they're seeing against Sierra
Wireless that's actually being...
Speaker 1Exploited now here is what I'm going to say.
Let's come back to our CVE.
The CVE is CVE DASH twenty eighteen dash four oh sixty three.
Wow, So what does that mean.
Speaker 2At the end of twenty eighteen, that's when they found this.
Speaker 1Yeah, bugs, this has been around for nine years.
Geez, this has been patched.
This has been done for nine Like, why why at this point is.
Speaker 2SISSA well six years right?
Speaker 1Uh twenty eighteen?
Yeah, six years?
Okay, I'm already in the next year.
Well, yeah, I know, right, So two years, twenty eighteen, twenty twenty five, yeah, you know whatever, it's close enough.
Almost we spend spend seven years, spen almost seven years, yeah, call it eight.
Okay, So this is this was patched like eight years ago.
How is it not only have people Well, first off, how is it people are still using these eight years later?
Exactly, I have very little technology in my house that's over eight years old.
But secondly, that means these people haven't patched in eight years.
And thirdly, it's it's important enough where the United States Cybersecurity and Infrastructure Security Agency had to make public comment and be like, guys, seriously, health you have to take care of this.
Speaker 3Health care.
Speaker 1I'm sorry, are you okay?
Over there?
Patrick?
Do you need to see a doctor?
Speaker 2It's healthcare.
Speaker 3We've all seen I do after this story.
Speaker 4We've all seen Windows XP systems controlling MRIs and other mistresses, and it's like it's you know, it's part of a kit probably or it's part of But if I had to bet, if I had to put like, you know, a big wager down and uh and risk having to buy Carl wine and steak.
I would probably bet on healthcare being the zone.
Speaker 2: You do that anyway, wouldn't you?
Speaker 3: I do.
Speaker 2: Speaking of which, when's our next dinner coming up?
Speaker 4: Oh?
Speaker 3: We got to figure that out.
Speaker 2: Yeah, after the holidays, after the holidays.
Speaker 1: Yeah.
Speaker 2: So this is embarrassing, it really is.
I guess that's all we got to say.
Speaker 1: Ah.
Yeah, so if you're using one of these devices, throw it out.
Speaker 3: Don't use it, or as Dwayne would say, it's delicious.
Speaker 2: Yeah.
Speaker 1: So, honestly, I don't hack any targets that old.
I don't.
I don't know what's going...
Speaker 4: Yeah.
Speaker 1: I don't allow old, old sites.
I like the fresh stuff, the new, fresh stuff.
Speaker 2: All right.
So, next story from Hacker News: Cisco warns of active attacks exploiting unpatched zero-day.
That's redundant, isn't it?
Unpatched zero-day?
Speaker 1: Right?
And thank you, Carl, thank you.
Speaker 2: In... Cisco warns of active attacks exploiting unpatched zero-day in AsyncOS email security appliances, or insecurity appliances in this case.
Speaker 1: Right, as it may be.
Yeah, so there's no patch, right, and this is where people are like, well, what do I do with it?
Why are you even telling me?
So there's a couple different reasons.
One, if you read through this Cisco article, it says that the appliance... this only is an issue if you have turned on... now, remember, this is an email security appliance.
If you turn on spam quarantining, one would think that's on by default, but it is not.
But if you turn it on, and if that spam quarantining feature is accessible to the Internet, which would be weird if you could only check your quarantine inside the building, yeah, and couldn't check it from the internet.
But apparently those aren't defaults.
But if you've got it used and configured in a useful way, yeah, then you have issues.
But you may have to turn off that external access to the spam quarantine, at least for now.
Yeah, or China will start cleaning up your spam, because that's the advanced persistent threat, UAT-9686, is in there trying to do things and stuff.
Speaker 2: You know, after we record every episode, I want to hire Dwayne to just come to my business, my house, whatever, and just unscrew my systems.
Right, and you're expensive, you guys.
Speaker 1: So we should be worth it.
We should be...
Speaker 2: Running some software for people to do this.
You really should, especially with AI now, that we could probably vibe code, with a four hundred percent increase in the security business model.
Speaker 1: Well, you're a shaper.
Speaker 4: Me and Dwayne thought, like, you know, this cybersecurity thing is interesting.
But you know, once everybody knows about SQL injection, what's left to do?
Speaker 3: Yeah?
Speaker 1: Yeah, yeah, this was back in two thousand.
Speaker 2: Yeah, come on, everybody's gonna address this now.
Speaker 4: Of course, of course it's 2018.
Of course you're going to patch your stuff.
Speaker 1: Yep.
Speaker 2: Yeah, right. All right, well, congratulations on a continuing business model.
All right, shall we get to the main story here?
Speaker 5: Pornhub... I'm sorry. Pornhub extorted after hackers steal premium member activity data.
Speaker 2: Now, let me just ask you a question.
If you're a premium member of Pornhub, what's wrong with you anyway?
I mean, don't you know that Pornhub is a free site?
What are you gonna get as a premium member?
I'm not sure, Carl, that isn't going to satisfy your prurient interests from the free stuff.
Right. Actually, on second thought, don't answer that.
Don't email me. Please, please don't answer that.
Speaker 1: I don't, please.
Speaker 2: Yeah. So maybe if you're a premium member, the stuff that you're looking at is embarrassing if it actually gets...
Speaker 1: You know, it's funny.
We were joking about this before, where normally I tell people, like, I get these calls all the time where it's like, oh my god.
You know, I'll have somebody pull me aside at a party, wherever, and be like, hey, I got a cyber question for you, and I'm like, yeah, what's up?
And they'll be like, I got this email.
There's this guy who knows what I've been looking at on the internet and he wants bitcoin. What do we do?
And I was like, delete it, because it's not true.
It's like, honestly, it's just a scam.
They do this to see what percentage of people will reply, right? Now...
Speaker 2: Actually, and once you reply, now they actually know that you've got something to hide, that you've been doing something.
Speaker 3: Are you a premium member?
Speaker 1: Oh, I got a question for you.
Speaker 3: So, Bill, let me understand this, premium member.
Speaker 1: What's your, what's your predilection?
Speaker 2: What you were talking about, Dwayne, is kind of like going up to your doctor, like at a doctor's, when the door is shut, and saying, Doc, I need something for ED. Said, oh, why didn't you just tell the secretary?
Hey, why don't we just tell her?
Now?
Speaker 1: Yeah, first off, it is crazy the things you hear as a cyber professional.
But yeah, and sometimes it's just like, like, hey, at night my TV shuts off every day at five. Is that a... is that a hacker?
It's probably a poor teenager.
Turn it on.
Speaker 4: It's at nine and it just times out.
Speaker 1: It's just, it's normal. All right, so tell us...
Speaker 2: What really happened here?
I mean, I kind of get it from the headline, but...
Speaker 1: Yeah, so this one actually is a little bit deeper, in that Pornhub actually uses third party vendors, and one of the third party vendors they used is called Mixpanel, who is not a third party vendor of theirs anymore.
But they did not delete any of the customer's data.
So when Mixpanel got broken into...
Speaker 3: They kept all the data.
Speaker 1: They stole all this old data that they found on Pornhub, because...
Speaker 4: Which is absolutely against the contract.
Any competent lawyer would have had them sign.
Speaker 1: You would hope.
So yeah, absolutely. And this goes back on both companies.
Like, if Pornhub had signed this contract with Mixpanel, and in the contract they said we can keep your data forever, right, or there was no clause saying when you remove our data, like when we're not a customer anymore, you remove our data,
well, then that's on Pornhub, right, you know.
That sucks.
But they should have done their due diligence on the vendors that they use, or when they terminated the contract, they should have said, hey, you have to remove our data, right? It's part of us terminating.
But then it's also on Mixpanel that they apparently didn't either.
In this case, it was a smishing attack.
This is social engineering.
They don't do training for their users.
They don't teach them how to, you know, not click on things and answer questions
they shouldn't, that sort of stuff.
Who knows, right? So I think both parties can be culpable.
Yeah, but yeah, this is a vendor attack, third-party vendor attack, which kind of sucks.
Speaker 2: So we're not really exonerating Pornhub here now.
Even though it wasn't them that the data got stolen from, they still had their hand in it.
Speaker 4: I mean, yeah, is there a chance that they got reassurances that their data was deleted by this vendor, and they...
Speaker 1: Lied? Entirely possible.
Yeah, entirely possible.
The vendor was like, yeah, you know, oh yeah, we removed that, and it was on some developer's workstation or whatever.
Speaker 2: You know,
I think to get to the bottom of this, we would have to look at the hirings and firings over the last three years.
Speaker 1: Both companies.
Speaker 3: There's a lot of Ambers and...
Speaker 2: Quality of Pornhub employees goes way down, 2023.
Speaker 1: On that note.
Speaker 2: On that note, all right, well, those are all the stories from last week and we'll see you next week on Security This Week. Bye bye, bye, guys.
