
We Don't Need No Stinking BitLocker Keys!

Episode Transcript

Speaker 1

Hey, you guys, hear about that hitchhiker the other day.

He got a ride and he decided to be a little, you know, sarcastic, and he said, what makes you think I'm not a serial killer?

And the driver said, there'd never be two of us in the same.

Speaker 2

Car on the odds, and Dwayne was driving.

So for those who are watching on YouTube, this is our first YouTube video.

Speaker 3

Uh.

Speaker 2

For those who are listening to the podcast, check out the links on our show notes and we should have a link to the YouTube video in there.

Speaker 1

I don't know.

Speaker 2

We haven't made it yet, so we are.

We're just testing the waters here to see if people actually want to see our faces that are otherwise radio.

Speaker 1

And to those who are listening, congratulations on making the right choice.

Speaker 2

So there's probably gonna be some jump cuts in here.

Apologize for that, but you know we have to edit for audio first.

So yeah, all right, guys, let's look at these stories.

The first one is WinRAR.

You know what RAR is if you've been around for a while.

WinRAR is a Windows version of RAR, which is like ZIP.

It's a compression thing.

So: WinRAR zero-day exploited to plant malware on archive extraction.

Speaker 1

I mean we haven't been trying.

We haven't been trusting archival zips or RARs or anything like that for a long time.

Yeah, so this is just this adds to that legacy.

Speaker 2

I'm more likely to trust Windows' built-in zip compression than I am, you know, 7-Zip or any of those external products.

What do you think?

Speaker 4

Yeah, yeah, I mean I use 7-Zip only because it sometimes supports formats that Windows zip,

Windows native zip, doesn't.

So if you've done, you know, a gunzip, a tarball, you know what, right, what, ungunzip, yeah, you're probably not finding that in the normal native game.

It is, it is the gunzip tarball.

That's my, uh, that's my fighting name, gunzip tarball something.

Speaker 2

We play in the woods with Patrick with the tar ball guns right, all right, So.

Speaker 4

It can be useful to have other tools.

I don't particularly use WinRAR, but it's been around forever.

Speaker 2

Yeah.

Speaker 4

So a lot of this is a directory traversal vulnerability.

Right, so CVE eighty eighty eight, a directory traversal vulnerability affecting Windows WinRAR versions, blah blah blah.

What a directory traversal exploit can be.

There was another one that was very similar called Zip Slip, where when you zip a file up into an archive, it actually keeps track of the path that the file was zipped up from, and sometimes it's a relative path.

It's like, oh, well, you know, I took all of the Security This Week episodes, and I threw them in a directory called STW, and I zipped up the STW directory.

So when I unzip it, it will create the STW directory.

Speaker 2

Well what you usually unzip it to an existing directory and then it will create STW underneath that exactly.

Speaker 4

So now what if I go into the metadata in the zip and I say, oh, it's not, you know, dot slash STW slash, you know, episode one dot MP4, it's dot dot slash, dot dot slash, dot dot slash, dot dot slash, Windows slash, System32 slash, you know, whatever, right, path.

So that's directory traversal.

I'm actually moving outside of the directory you told it to unzip in and then deploying other things, whether it's executables or files or overwriting configs or whatever.

Speaker 1

And it would be foiled if the user unzipping it doesn't have access to that directory, but that never happens.

Speaker 2

Right, or if the unzipping software noticed that it was a traversal and said, no, this is...

Speaker 1

None less than what I just said, right exactly.

Speaker 4

He's looking for that.

Speaker 2

So can you do this with zip files too?

Speaker 4

You used to be able to.

Yeah, And a lot of this has been fixed in different archival tools.

I know we've seen it with 7-Zip, we've seen it with Windows Zip.

We've seen it actually, pretty much every archiving tool has had some form of Zip Slip issue.

Speaker 2

Director, I remember us talking about some of these things that were patched.

Speaker 4

Yep.

Speaker 2

But I guess WinRAR is just the latest to be vulnerable to that.

Speaker 4

Yeah.

And sometimes it's you know, an attacker finds an innovative way to re implement, you know, something that's already been patched.

So it is what it is.

But if you are running WinRAR, I believe, let's take a look at the versions, if you're running anything seven dot twelve or earlier, so seven dot twelve or earlier, you need to go patch, because if somebody, I mean, here's the risk, right, it's not like, oh my god, I have seven dot twelve on my computer and now it's compromised.

Somebody still has to send you an archive.

Somebody has to send you a zip and...

Speaker 1

They definitely will.

Yeah, and nobody will at some point.

Speaker 4

Hold on, you still need to open it.

It's not like a zero click, like somebody's going to send you an email with a ZIP that says it's, uh, your invoice for your Best Buy extended warranty or something stupid like that, and you're gonna unzip it and it's going to unzip to the wrong location.

Speaker 1

Yeah, and they're going to send you a RAR.

They're not going to send you a ZIP.

Yeah, you're using ZIP like the word Kleenex.

Speaker 4

Exactly right, just in the generic.

They're going to send you a compression archive format that's supported by WinRAR.

Speaker 2

I would think that if you're downloading a RAR file from a website that it's in that website's interest to understand that the RAR is secure.

Speaker 4

Sure.

Speaker 1

Yeah, but that's no protection because it's also in their interest to make sure there's no cross site scripting, and because it affects the client not the web hoster, it's a very low priority thing.

Speaker 2

Okay, all right, if.

Speaker 1

You found out that your car might cause someone to slip and fall, it's not going to affect you.

You might if you're a really good person, you'll fix it.

But if you're busy, you might never get around to it.

Speaker 4

You know.

Speaker 2

Usually I love your analogies.

Today a little I'm not.

Speaker 1

So sure that's the rough one.

Speaker 4

All right?

Speaker 2

Moving on from windwar wim Rock.

I can't even say it win.

Speaker 1

And we're from New England, I know, right, we've been saving raw rah, We've been saving the ass up just for that sentence, all right.

Speaker 2

So this one.

AOL will end dial up internet service in September, thirty four years after its debut.

AOL Shield browser and AOL Dialer software will be shuttered the same day.

Speaker 4

What I know, why?

Speaker 3

Why?

Speaker 2

Now I've been I thought that was gone long.

Speaker 1

This is like an announcement that the mammoth has gone next.

Speaker 2

Thing, So I guess to be fair, there are places in the world that don't have internet service Wi Fi and dial up is their only option.

There are, there, yeah, satellite, I don't know, man, like, all right, but the poor places first, sub-Saharan Africa, for example.

Speaker 3

First, is there really an ISP down there?

There is there a dial up?

It's hard to get satellites, good question.

Speaker 4

I don't even know what to do with this.

This is I don't know all of us on this on this podcast are old enough to remember, well, hold on, are old enough to remember pre Internet, Yes, before we were all boarded, which is horrifying.

But we're also old enough to remember that your when your primary connection to the outside world was you took your computer.

Speaker 1

Yeah, yeah, you can.

Speaker 2

We we'll find that audio clip.

Speaker 4

And you connected your computer to the phone line.

Whether it was you plugged it in the back of your computer for fancy people, or you took literally the phone and put it on these cups and got.

Speaker 2

I remember my friend, an old friend who ran a BBS in Norwich, Connecticut, I'm sorry, bulletin board system, ran, ran, and then he moved it to, uh, an ISP, changed to an ISP, because he had all the modems.

He had racks of US Robotics modems and and he became the dial up service for our local area.

Speaker 4

Hey do you guys, do you guys alternative?

Do you guys remember the like the Holy War between US Robotics and Hayes come on in the day, Like Hayes were the big boys in the market and us R they were the they were the new people on the block.

Speaker 1

I jumped in the game when it was three hundred modems.

Speaker 2

Yeah, all right, it was amazing.

So back to this story, it says, but there remain a few options to plug in your fifty six K or slower screeching modem into so so apparently there there are other options.

But this somehow, you know, waited all this time to AOL, waited all this time to get rid of it.

But if anybody out there knows of somebody who is going to be I don't know, upset about this, please let us know.

Speaker 1

We doubt they're watching video on YouTube if they have a modem.

Speaker 4

Yeah, they probably won't get this podcast for a while.

Speaker 2

Now, if you know of somebody who's going to be upset, like you know, if your grandmother or whatever, your elderly.

Speaker 1

Parents shout on the discord, give us.

Speaker 2

A shout on discord.

Let us know.

I'm just really curious to know, all right.

Speaker 4

Oh AOL, Okay, we used to I know, right, A wait, that was that was?

That was the service you've got mail?

Right?

Speaker 1

Yeah, yeah, that's right, Yeah, it was AOL.

Speaker 4

You're right, that was AOL.

I actually knew the lady.

I was in a training class I think with you Patrick, and there was a lady taking the class that her husband is the one who voiced that wave wave a long long time ago.

Yeah.

Speaker 1

Wow.

Speaker 4

I was like, oh that's neat, it's.

Speaker 1

Fame, and he bought bought two cups of coffee with the money.

Yeah, all right.

Speaker 2

So the next one is from Security Week, not Security this week.

Flaws exposed one hundred Dell laptop models to implants, Windows login bypass.

Speaker 1

So this does require physical access, which is a theme this week.

Speaker 2

Yeah, it's a recurring theme, and.

Speaker 1

So it's it's a it's a big deal, but it's not not a crushing deal.

It's not like you know, suddenly you're at your vulnerable at an internet cafe.

But if you're going through a security checkpoint in a dicey country, if somebody does steal a laptop and you find it, it adds some risk.

Speaker 2

I didn't know Dell had one hundred models of laptop.

That seems crazy.

Speaker 4

Probably, I mean, if you look at the ones that are under support, that's probably true.

Like there's probably some that they just don't like older Dell model laptops that still have support, but that are aren't sold on their website and.

Speaker 1

They've bought, they've acquired companies yeah, you do.

Speaker 4

Well, and that's true.

You have the Alienware series too, which is also Dell, just sold under Alienware.

Speaker 1

Maybe, but just what they say is one hundred Dell laptop models.

Does that mean there's any laptop models that aren't affected by this?

I would say no, probably not, maybe maybe super discontinued ones.

Speaker 2

Yeah, yeah.

Speaker 4

So according, according to this, according to Talos, an attacker that does not have administrative privileges could interact with ControlVault via the associated APIs and execute arbitrary code on the firmware, leaking sensitive information affecting the security of the device, which could allow them to modify the firmware.

So there's actually, there's the several CVEs associated with this one.

This is twenty twenty five, twenty four to three one one, twenty five, twenty one five, twenty four nine to two two, twenty fifty fifty, and twenty twenty four nine to one nine.

So there's there's several issues with this.

It's not just oh there's one thing we forgot to look at.

It's we see in here.

There's an out-of-bounds read and write, there are stack buffer overflows.

There's all sorts of different issues with different parts of this safe get Yeah.

Speaker 1

And when they're talking about models, they're talking about like a latitude.

I don't even know if these are real numbers, but like a fifty five to twenty and a fifty five to thirty.

Those are two different.

Speaker 2

Models, right, Oh, I see, so they're different.

Speaker 4

Yeah, yep, they're.

Speaker 2

Different configurations of the same model.

Probably we have different same family, I say, yeah, same family, different model.

Speaker 4

Yeah, yep.

Speaker 2

Okay, all right, well that makes sense.

Speaker 1

Now, so this again, the risk here is if you lose physical control of laptop, which you shouldn't, but if you did, then somebody and it's a pretty high tech it's not the average thing.

A script kiddie is not going to be able to do this.

The average the average you know, person who's just dealing with networking and stuff like that, it isn't going to be doing this.

This is this is customer the eye controls.

Speaker 4

Yeah, and it's definitely it's custom firmware as well, which there are people who know how to do this type of thing.

But you're absolutely right, the barrier to entry is higher.

But if you, you know, continue looking at some of these CVEs, it says another interesting consequence of this scenario is that the system affected, let's say it was able to be unlocked by a user's fingerprint.

It's actually possible to tamper with the firmware so that it will accept any fingerprint and say it's a legitimate user.

Speaker 1

So you know this.

Speaker 4

This then means you could boot up a laptop without BitLocker or with BitLocker, who knows, we'll talk about that later, and then be able to log in just using your fingerprint.

Speaker 1

I think the biggest risk here is your you're traveling with a laptop, it leaves your custody and goes into a special room, a room as we say from England.

And you know they they execute this because of you know who you are, what your job is that?

Speaker 4

But I wonder too, is you see a lot of the Hey, I can't you know, my fingerprint scanner's not working on my laptop.

What should I do?

Right?

You search Google?

And the first site that comes up is some random, you know, Joe's awesome patches dot com, and he's like, oh, just apply this patch and it'll fix your, you know.

Speaker 2

Yeah, reader, I never do that.

I always go to the source.

Speaker 4

So it's possible that might be a vector as well, where it's like, oh, we just you know, will give you this firmware that's going to update and it's going to allow any fingerprint and it'll look like it works for you, but it'll work for everybody else to.

Speaker 1

Yeah, but if you've got that level of control, you could just steal everything.

Speaker 4

Well that's true too, right on the computer.

Speaker 2

Why well, speaking of updates, Dell has issued patches for these laptops.

Speaker 1

All of them Windows patches their firmware, right, so you've got to go into the firmware and update the firmware, which most people never do.

Speaker 4

No, No, The only time you do it is usually when that device stops working and you go, gosh, maybe I'll go find the firmware.

But that's pretty much.

Speaker 2

I do that by logging onto Dell.

And you know, if you've already got an account, right, if you don't, you can look it up by the model and they will be listed there for downloads, firmware, yeah, patches, so go do that.

If you have a Dell laptop, dude, dude, you got hacked.

Speaker 1

Yeah, but I just want to make clear, and I'm being a stickler here was baked all the time.

Yeah, I'm being a Stickler.

Here is this isn't Windows Update, correct, right, You're right.

You have to go into the BIOS and patch the firmware, and that is not a process that is like, oh, I'm just going to do Windows Update.

You've got to actually go through the process that you've probably never done before.

Speaker 2

Probably.

Yeah.

And also make sure you're at Dell dot com, like, don't don't go to Bob's you know, discount sharkcages dot com.

All right, so Fortinet, oh my god, we can't get rid of these guys.

Fortinet warns of FortiSIEM pre-auth RCE flaw with exploit in the wild.

So it seems like this was in the news last week.

Speaker 1

So first thing is, this is a SIEM, and we don't, the E, Security Information and Events Management.

Speaker 4

Even though we want to pronounce the E.

Speaker 2

Yeah, I pronounced the SIEM because how we...

Speaker 1

Tell, hey, we tell the outsiders, yeah, it's how's your SIEM, and you're like, no, sorry, SIM, SIM.

So FortiSIEM, basically this is where you'd gather up information and logs and things like that to see, to catch the hacker.

Threat hunting kind of thing.

Speaker 4

Okay, here's what I want to say.

Though Fortinet, what happened?

Speaker 1

Yeah, honestly, you've been We're really good.

Speaker 4

You were really good.

It's funny.

I was.

There's actually a couple of listeners of the podcast from Germany I was talking to this week, and we were we were we were lamenting.

We were like, you know what Fortinet used to be good?

Right, we used to meet me over a camera throw right exactly.

So it's you know, it's OK, exactly Do we need an intervention at this point?

Speaker 1

Ye know, we do.

Speaker 4

Do I need to bring my buddies Ubiquiti?

Yeah, no, it's it's amazing how far they've they've fallen.

They were the cutting edge of you know, firewalls and protection and whatnot.

I think they grew too fast, possibly, in this particular case, if we, if we dig into this, so this is, like Patrick and Carl had said, this is the FortiSIEM, right, so this is gathering logs and understanding what's going on in your network.

So generally something you want up and running to know if somebody is attacking your network.

But the exploit here is an improper neutralization of special elements used in an OS command injection.

Vulnerability may allow attackers, blah blah blah, whatever.

So what does that mean?

What's an OS command injection vulnerability?

Most of these tools have the ability to say, oh, I want to, let's say I want to write my logs out to Splunk, right, and you go to the Splunk configuration screen and you say, what's the name of the host, the IP address where Splunk is, and you type it in, and I don't know if it can, it can talk to that server.

So I click test and it goes out and it pings it and it comes back and says, yes, that host is alive.

I can see it.

Okay, that type in the user name and password or whatever.

A host injection or OS command injection is where I might type in, okay, I'm going to type in the name of the Splunk server, and then I'm going to use the and symbol, whoami, right?

And what happens is when you click test, not only does it run an OS command, ping name, because that and symbol is in there, it goes, oh, by the way, I want to run another command, which is whoami, right?

So not sanitizing that input means that I can stack my commands.

It's like SQL injection, exactly, and in some cases sometimes easier than SQL injection, because it's literally, I just need to put another command there, and then put another command in there, and then tell it to reach back out to me with the shell so that I can do things.

Speaker 1

The words that make it the most unsettling are remote unauthenticated.

Yes, I think that means it's it's a much bigger deal if this thing is connected to the Internet, which I assume in many cases it is.

Speaker 2

And here's a warning, kids: if you put in that Splunk URL and you get back a picture of a cave, you probably misspelled...

Speaker 4

Splunk wrong wrong spelunking.

Speaker 2

That would be spelunk.

There's an ex j E in there just that that'll give you.

You're not going to get a four or four.

You're just going to get a picture of a cave, all right.

Speaker 1

So patch, patches, it's got a nine eight, nine point eight rating, and I think the words remote unauthenticated, yeah, merit that it's up in that range, because a lot of times, for those who are new to the show, we take a little bit of a reality check on those numbers from the CVE to see whether we think it really measures.

I think it's definitely above a nine because of that.

Speaker 2

Yes, but is it is there a patch?

Speaker 4

Let me check I think it.

Yes, yes, there's a bit of update to the latest version, six dot seven ten, seven zero one seven, one eight seven, two six seven, three two.

Right now, we'll put the link.

We'll put the link in the notes.

But yeah, there is a patch, so if you're running seven dot three or six dot six or earlier, you're in trouble.

Speaker 1

The shame about these things is this, these are people who using this product, who are trying to do the right thing by trying to use a sim to find the bad stuff, and the and the thing that they were using to find the bad stuff open them up to worse stuff.

Speaker 2

Right, well, this is about the time when we need to take a break, so we'll be right back after these very important messages.

Don't you go away, and we're back.

It's security this week.

I'm Carl Franklin.

That's Patrick Hynds and Duane Laflotte here for your terrifying and realgy jocularity.

Okay, next story, seventeen thousand plus VMware.

How do you say this?

Speaker 4

ESXi, esxies, sexy.

Speaker 1

That's how he's sexy should Yeah, I'm running now, sexy.

Speaker 2

Hey you heard it here first, that's.

Speaker 4

Gonna be right.

Makes some very awkward conversations with customers.

Are you running, You're gonna be like what did you just say?

Speaker 2

Seventeen thousand plus VMware ESXi servers vulnerable to critical integer overflow vulnerability.

Yikes?

Yeah, what happened?

Speaker 4

So this this is an interesting one.

Now, this vulnerability can allow all sorts of takeover and control and it is rated pretty high.

If I remember correctly, this is nine point three.

Yeah, this is a nine point three security researchers warn it's been around for a little while.

The biggest problem right now is the Shadowserver Foundation has found that seventeen and thirty eight of these ESXi boxes are sitting on the internet.

And oh right, so that's a fair surface of attack to be able to hit.

Honestly, I'm not entirely sure why you'd put an ESXi box on the internet, but it's, yeah, it is what it is.

Speaker 1

I mean, I can say hosting a VM on the internet, but it's kind of that's kind of reckless, I.

Speaker 4

Think, right, And at this point it says it permits unauthenticated remote attackers to execute arbitrary code, escalate privileges, or deliver ransomware to the virtual environment.

Speaker 2

So VMware ESXi obviously is like what on something that sits on top of VMware is a brand of view.

Speaker 1

It's a hypervisor that lets you run vms.

Speaker 4

Yeah, okay, yeah, so you would install this usually bare metal, you know, instead of installing Windows or Linux on your computer, you would install ESXi as an operating system.

I see, and then you could, then it allows you, as a hypervisor, to use all of the hardware on that bare metal to spin up virtual machines.

So I could spin up a Windows server, I could spin up three Windows servers.

I could spin up the Linux server, all on the same hardware.

Speaker 2

So get this.

This critical vulnerability, first flagged in July, has prompted urgent calls for patching, but the latest scan results suggest progress remains slow, with thousands of systems still unpatched.

Speaker 1

Because this is like the firmware on a laptop or or computer system.

This is under the covers of what most people deal with.

And you know, it's, it's, it's, it's closer to hardware than it is to software in most people's minds.

Speaker 4

Yeah, so July nineteenth, there were seventeen thousand two hundred and thirty eight vulnerable hosts on the internet.

It's as of August tenth, there's sixteen three hundred, so less than a hundred have been or less than a thousand have been patched.

Speaker 2

So is this something where you have to create a USB stick or a portable hard drive and boot from that to update?

Speaker 4

Generally this is something where you need to go into You can go in and click update, but usually you have to have keyboard and monitor to the ESXi box.

You can do it through an administrative interface as well, so it's a couple of ways to do the update.

It's not super painful, but it's to Patrick's point, it's not as easy as Windows updates.

Speaker 1

It's so like just go click on somewhere out.

We have no inside information on this, but it's possible that this is very localized to, like, one large web cloud provider who decided their default configuration was on the web and they've only gotten ten percent or eight percent of their servers done.

Yeah, it could certainly be that.

I'd want to look at the Shodan or the Shadowserver Foundation results to know, but I don't think we can get that detail.

Speaker 2

But you said this is just for the box, not for each individual VM.

The VMs themselves don't need to be patched, or do they?

Speaker 1

No, they don't.

Good, No, but they might have to be offline.

Speaker 2

Yeah.

Speaker 1

Sure, so if they're, there, a mission critical, you might need to migrate them, and there are software solutions like Veeam that will allow you to move a VM while it's running to another system, so that, that's not a great excuse unless you don't have those solutions in place.

Speaker 2

Well, yeah, you should have a backup anyway.

Speaker 1

Well, imagine a provider with this scenario and you've got a server with like twenty vms from different clients, from twenty different clients, You're gonna have to notify all those clients and give them enough time to understand the outage window.

And if it's high enough priority, you're going to have to give that get them to agree to the outage window.

Speaker 2

Yeah, and that, Carl, like you said, you could use Veeam if you have another server standing by as a backup, use Veeam after you have installed the latest version of the ESXi, exactly, and then use Veeam and then switch it over.

Speaker 1

Yeah, but that that would kind of speak to why it's a slower process, or just maybe that this message isn't getting out and people aren't checking.

Speaker 2

Yeah, could be that they're not listening to security this week.

Speaker 4

Uncool.

Speaker 2

Uncool.

Speaker 1

I didn't think that was possible.

Speaker 2

Right, okay, as we get closer and closer to our top story: new Windows zero-click NTLM credential leakage vulnerability bypasses Microsoft's patch, that can't be good.

Speaker 1

Well, so this is part of the whole the arms race that we're seeing.

So there's a, there's a term called a one-day, so a zero-day, most people understand, is, is a vulnerability that's not known to the general public that a hacking group or the NSA could use to infiltrate organizations and do what they want until it becomes public knowledge.

Then it's no longer zero-day once it gets patched.

What's happening now is the hackers and in organizations like us are going and reverse engineering the patch to figure out what the vulnerability was so that they can then exploit it before people get a chance to patch.

So this is I don't it's not the same thing, but it's part and parcel.

I think because Microsoft put out a patch and someone looked at the patch, reversed, engineered and said, oh, they missed a trick.

I can get around this patch.

So even a patch system, I can get around.

Speaker 4

Yeah.

And so backing up a little bit, though, people might be like, well, why does it matter?

Right?

What's going on here?

Like we, we threw out a lot of acronyms, and new Windows zero-click NTLM credential leaking vulnerability bypasses Microsoft's patch.

Like that's a there's a lot going on there we can unpack.

So credential stealing.

Right when we break into a network, the first thing we're looking to do, especially if we don't have a user account.

There's plenty of times we're working with customers where we'll send them an implant, like you know, just a device at the plug into the network.

We don't have any user accounts, so our first goal is go find user accounts.

Speaker 2

Right how now I thought it was to find the ATM network and spit out a bunch of.

Speaker 4

I means, yeah, you got to do that first.

But then the second goal is three step three make money.

So we need a user account to do anything.

Well, an easy way for us to get user accounts is to compromise lower-end devices, whether that's, like, a printer that may have a user account on it, and then we can grab credentials there.

But another way for us to do that is for us to take a link file and LNK file in Windows and put it somewhere that's publicly accessible by everyone.

So we found shares that everybody can write to.

Right, So what do I do to in everyone's share?

I can't put an executable in EXE because nobody's going to run it, right, but I can put an LNK file.

And if I put an LNK file, what a link file does is it's a short cut to another file.

So we've all done this before, right, you have your documents.

You might have an Excel document in there and you want a link to it on your desktop so you can always double click on it.

So you would drag it to your desktop and it would say do you want to make a copy here or do you just want a short cut a link?

Right?

And we'd say, oh, shortcut, And now it's a link file.

If you dissect that file inside, it's going to be the path to the original file.

Well, what if I change that path?

Instead of saying, you know, C colon backslash, you know, users backslash Duane Laflotte, backslash documents, backslash my Excel document.

What if I change it to backslash, backslash some computer name, backslash some share, backslash some fake file.

When you double click on that link file, it will try to go out to the network and authenticate against that share with your user account, which you're logged into your computer with automatically.

Okay, so that's not a big deal.

You go, who cares now, because somebody, somebody had to double-click, right, they had to do something.

So how do you make this zero-click?

Well?

Windows Explorer has a really interesting feature.

When you open up Windows Explorer, which is the my computer and you're surfing your hard drive, you'll notice all the files have icons on them.

Right, Oh, this is the word and you can identify it by the fact that it's a word document.

Speaker 1

Yeah.

Speaker 4

What Windows Explorer does is it interrogates the file to see what the icon should be.

When it does that, it has to reach out to the original file to do it.

Speaker 1

Of course, it's okay.

Speaker 4

You put a link file out there and you reference a remote word doc that's not really a word doc, and when a user opens that share up Windows Explorer automatically reaches out to us and gives us credentials for the user.

And they're not credentials, they're hashes.

We could go into a lot of how you replay them and all the other good stuff, but moral of the story is some form of credential comes back out to us, and that's really cool.

But Microsoft has tried to stop it.

In this particular case.

What they're doing is they're taking that link file.

They're referencing an executable that's on a remote location, and in that executable is the icon for the executable.

So they're like, oh, well, what I need to do.

This is what Microsoft is saying is I need to take that executable from the remote location.

I need to pull it down to the local computer.

I need to open it up and find the icon so I can display it.

Well, now what I've done is that executable is now local to the Windows computer.

It's already there.

So it's a zero click deploy of an executable.

Speaker 2

So it's in some cache files.

Speaker 4

You've got to use it to do, yeah, and you didn't, and they didn't even notice it.

All they were doing was surfing a hard drive or opening up the public Share looking at their home drive.

Right, they didn't click on anything, They didn't do anything other than just open up that explorer.

So it's important.

But we're going to because this system of how you know, NTLM works and Windows Sharing and that sort of stuff has been around for thirty five forty years, we're going to see a lot of these sort of bypasses.

It's an interesting one.

Actually, well, I'm sure we use it on all of our attacks.

We love the link file.

I honestly we do use link files all the time on our attacks because it's just super easy for us to grab credentials that way.

Speaker 1

And for those who haven't heard it, convenience is the enemy of security, right and link files are hell convenient.

Speaker 2

Oh yeah, all right, so we know this is a vulnerability.

Is there a patch?

Speaker 4

Not particularly?

No, works as designed, I think is what we're doing right now.

It's works as designed.

I could see Microsoft going out and being more stringent in how they reach out and look for icons and files and saying, well, if it's a remote executable, maybe we won't do this anymore, or maybe we'll pull down the executable, pull out the you know, the icon, and then delete the executable or whatever.

But currently there's a Hey, this is kind of how it was designed.

Speaker 1

Well, there was a patch.

Speaker 4

There was a patch that attempted to fix a lot of this stuff, so I could see Microsoft adding more logic to that patch.

But it's a rabbit hole exactly.

It's it's an arms race that you always talk.

Speaker 1

About, they're able to break as much as they fix.

Speaker 2

Yeah, well, the document says, the Microsoft website, Microsoft is expected to release a comprehensive security update to address the bypass technique completely.

So is that still true?

Speaker 4

Yeah, absolutely, But there again, it's an arms race.

The last time they released a patch, it was a comprehensive update to stop the bypass entirely.

Speaker 1

Pass the hash is.

It's not the same attack, but it's it's in the same family, I would say, And they said that was you know, absolutely designed.

Speaker 4

Right, and I think it's like, shoot, almost ten years ago now, maybe seven years ago.

Now, Microsoft's like, pass the hash is dead.

And we saw tons of pen testing articles out there saying pass the hash is dead.

Long live pass the hash, because you could still do it, right, even though Microsoft had patched and tried to catch it.

It's this arms race of oh.

Speaker 1

Yeah, but they told people not to.

So I mean, that's all you have to do, That's all you really have to do.

Speaker 4

Just let them know.

I mean, like, this isn't cool.

The scouts are my bad.

I'm bad.

So I think I think this will be the same thing, Carl.

This will be an arms race.

We're going to see attackers find a way around this comprehensive patch and it's just going to keep going and.

Speaker 1

An ongoing good news for Microsoft.

Speaker 2

Yeah, so we're ready for the big one here in cybersecurity news.

BitUnlocker: multiple zero days to bypass BitLocker and extract all protected data.

So we've talked about BitLocker in the past, the feature of Windows, and when you turn it on for a particular folder or hard drive, it encrypts everything in that folder or hard drive, encryption at rest, so that if you make a copy of it and copy it somewhere, you cannot access it unless you've got the key, which is online and you can find those keys.

And we talked about this because I had this issue where I had some music that I had recorded on one PC and apparently BitLocker was on it and I didn't realize it, and I went to copy that off and give it to the artists that I recorded it for, and they couldn't open it, and so I had to go get the key and turn it all off.

Speaker 1

But encryption at rest is very important because it means that if somebody steals the laptop or the computer, or just gets the hard drive because you threw it away without effectively wiping it, which is a big no no, they can read the data.

And we have people I won't mention names who will just go to a pawn shop and buy old hard drives for fun and see what's on them.

Yeah, you know, and they're mostly people in our industry and they're you know, for a laugh, and they'll take a look at what's on there, more so that they can tell war stories when they speak at conferences, not so that they can steal data.

But there could be somebody, you know, you could buy a hard drive, probably an old terabyte hard drive nowadays, or a three hundred and fifty gigabyte hard drive you probably get for three to five bucks, and it could be, hell, your old bitcoin could be on there that you were looking at.

Speaker 2

So Staples, in case you don't know, the big chain will recycle all sorts of electronic equipment, and in my town there's just an empty cart right inside the door, and you just put stuff in there.

I had over one hundred hard drives that I had amassed over the years, and after cleaning them all off and getting rid of everything that I needed, I drilled holes through them, two holes all the way through.

Usually took those... What do you mean, usually?

Speaker 4

So can you still recover from those drives?

You can, but it does require some very specialized tools.

Speaker 1

Which we have, so you can do it.

Speaker 4

What, Yeah, you can do so?

Speaker 2

I mean they're still what if I bang it with a hammer, so it's completely misa.

Speaker 1

You'll break something badly, but you won't.

So we have a partnership with a hardware destruction company that shreds drives and gives us a certificate of destruction.

Speaker 2

Right, I guess you'd get a big enough magnet like Richard Campbell's, it's true.

Speaker 1

Yeah, if you get, I think it's one sixteenth of an inch of disc platter.

You can read something off it?

Speaker 2

Now?

Speaker 1

It might be just random bits, but it could be a Social Security number, which I can also get off the internet.

So just understand that it's not the way, like, wiper

programs don't just erase the data.

They erase the data and write new data, and erase that data and write it again dozens of times to make sure there's no residuals so that they can't unread it all.

Speaker 2

Right, back to the story. Researchers have disclosed a series of critical zero-day vulnerabilities that completely bypass Windows BitLocker encryption, allowing attackers with physical access to extract all protected data.

There's four critical attack vectors discovered.

So you want to talk about these.

Speaker 4

Yeah, absolutely. So they all distill down to, so like you talked about, a BitLocker drive is encrypted, right, all the data is encrypted at rest.

So for those of you who have a BitLocker drive, you may be like, oh, I don't know if I have a BitLocker drive.

Shut your computer off, and when you turn it back on, if it asks you for a really long password, then you probably have BitLocker on.

So there are ways.

Let's say we're recovering our PC, right, to go into Windows, and the last patch caused all sorts of issues and that sort of stuff, and I say, I want to recover to a different recovery point or something along those lines.

You're using WinRE, which is the Windows Recovery Environment.

When you do that, that process has to be able to register applications to be able to be used prior to your drive booting, so that it can restore the operating system and do all sorts of stuff.

What this is doing is exploiting that recovery volume, right, that boot.sdi file that allows you to do these types of recoveries and registering new applications and that sort of stuff.

So it's a way of bypassing the BitLocker key.

Now it's not like, huzzah, it just shuts it off.

You do get read access so you can pull certain files off the drive if you want to.

This has been patched, however. So this has been patched, I believe it was in the July twenty five patch.

But firmware or Windows Update? No, this is just Windows Update.

This is fixing the way that SetupPlatform.exe works.

Speaker 1

So, just as a clarification, when you boot Windows that has BitLocker, you're not prompted if you're booting from the installation of Windows that has BitLocker.

If you try to install another operating system that has access to that disk, that's when you'd get prompted for the BitLocker key, exactly because it's encrypted at rest, so it's transparent to most.

Speaker 4

Right, and that's what an attacker is going to do. Like, I'm not going to know your username or password.

So if I stole your laptop, I would want to boot it, boot to a USB and access the drive, and at that point that would require, right.

Speaker 1

And also if you take that drive out, or you throw that drive in the Staples shopping cart and I grab it out, because they guard that really well, right, yeah, they're looking, guard. So if I grab that drive out and I bring it home, if it was on a partition with BitLocker, it will be encrypted and it will be a much higher standard for me because it's a heavy encryption, BitLocker.

Speaker 4

Oh yeah, sure, I mean the key is huge.

And consequently, if you've ever tried, like run into an operating system issue had to reinstall and it asked you for that BitLocker key, and you go, oh my gosh, I didn't write it down.

It's associated with your Windows account.

So you can actually now log into the Microsoft Windows site with your username and password, find all the BitLocker keys associated with your computers, and you can type it in. So there's a way to get back your keys.

Used to not be that way. It used to be if you didn't write it down, oh, well, you were in trouble.

Speaker 2

Well do most people just encrypt their data drives?

Because I imagine most people can.

Speaker 1

Have one drive, yeah, and they rap it or they don't.

Speaker 4

Yeah.

Even most laptops you're going to buy from Dell would have one drive in it, right.

It doesn't have multiple drives typically unless you like order with multiple drives and add.

Speaker 1

And gamers and musicians, which, eh.

Pretty much it, which all of us are one of those. Guess who's who?

Yeah?

Speaker 2

So but okay, so you mentioned I asked you before the show.

Who uses BitLocker.

So, government, military.

Speaker 1

A lot of people depend on it if they require, if their standards require encryption at rest, which the military definitely does.

Government definitely does.

You know, some non disclosure agreements, if they're extensive enough, will say you're only going to store our data on devices that have at rest encryption.

Uh, and you know, encryption in transit.

Those are the keys.

So yeah, we're starting to become dependent on it and just assume it's there.

Uh and Bitlocker's kind of the gold standard right now because it's easy, it's.

Speaker 4

It's included, it's not hard to use.

Yeah.

Speaker 2

Right. So, as I mentioned, there's four, right. So there's the boot.sdi parsing vulnerability, there's the ReAgent.xml exploitation, that's WinRE's offline scanning feature.

Speaker 1

Yep.

Speaker 2

There's trusted app manipulation, so that targets SetupPlatform.exe, a trusted app.

And then there's B...

Speaker 4

CD, you know, a push button reset functionality configuration.

Yeah, yeah, and all of them pretty much you're targeting the same thing.

They're targeting the ability to do either restores or low level, uh, you know, checkpoints and that sort of stuff in your operating system.

So, although there's different ways to do it, whether it's, you know, manipulating the boot.sdi, or, you know, changing an XML file that's the configuration in ReAgent as to which, you know, offline program can run, either way, or manipulating SetupPlatform to run cmd.exe, like whatever it is, it's that recovery piece that you're exploiting to then run the program of your choice past the BitLocker protection.

Speaker 1

And again the risk here is you go to a country that wants to read your laptop and knows about this hack, and you haven't done patching on that system.

Somebody, you know, you throw away a drive and somebody wants to get into it after the fact, whether they know you or not.

The fact that it's on Windows Update, there's a much easier path to getting it patched.

So everybody should be patching this.

Speaker 2

Oh we don't wait for patch Tuesday, do it now.

Speaker 4

By the way, this was just publicly spoken at Black Hat last week.

There was a session called BitUnlocker, leveraging Windows Recovery to extract BitLocker's secrets, and there was a team there that actually showed how to do it.

Speaker 1

So they made prime time.

Speaker 4

They did.

Speaker 2

They said, BitLocker keys, we don't need no stinking BitLocker keys.

Speaker 4

They did, and they were right.

Speaker 1

They were right.

Speaker 2

Wow, another awesome show has elapsed.

Thank you very much.

You wasted at least forty five minutes watching us on YouTube and listening to us on the podcast, and for that we thank you.

We'll see you next week on Security This Week.

Speaker 1

Thanks, bye.