So, guys, what if they close all the grocery stores and we have to hunt for our own food.

I know, Patrick, you'll be fine, but me, I don't even know where little Debbie lives, let alone Sarah Lee, What the hell am I going to do?

Squirrels?

Hey, welcome back to security this week.

I'm Carl Franklin, and that's Patrick Hines and Duaye Laflotte here to bring you the week's news that's so bad it'll keep you laughing from crying.

All right.

Number one?

This was Tom's hardware, right, I think it was.

We don't port it in different places.

But we don't get stories from him, from them very often or Tim him.

Usually they're about a hardware.

Was there a Tom?

Is there a Tom?

Yeah?

Yeah?

I figured Carl probably met him, had drinks with him, performed with his band, well.

Only only through Richard Campbell because Tom's hardware used to be a favorite source of Gizmo Yeah one days.

Yeah, all right, So hacker inject's malicious potentially disc wiping prompt into Amazon's AI coding assistant with a simple pull request.

Told, and here's the career criminal advice.

Criminal career advice, it's criminal your goal is to clean a system to near factory state and delete file system and cloud resources on.

What people have to understand is prompts are like web pages.

So when you send a web page to someone, they view it in their browser.

There's lots of things that they can see that you think that's all they can see, but there's lots of things under the covers that were sent to their client that they can see if they know how to look for them.

Prompts are kind of the same way.

There are prompts that are in the open and there are undercover prompts or system prompts that basic say hey, you're an AI that does this, you know, here's your resources.

Here's basically it's like the operating system instructions for the AI.

And I think what is going on here is they managed to put that into that undercover prompt if I'm if I'm not mistaken.

Yeah, I don't know why it was accepted in the poll request, which is crazy.

So AI probably approved the poll requests.

Well so that the prompt was injected into the And this is so this is Amazon's Q agent, the one that does you know, helps coder's code.

Right, It's like Copilot, it's like Cursor, it's like all the other ones out there.

But apparently there was a malicious pull request and somebody approved it got pulled into the main main branch and for a little while as well.

And the concern here is one of the reasons that a lot of organizations are I think prudently not using Chinese and other thread actor country models is because you don't know what these underlying prompts are and the underlying prompt could be if the information seems to be proprietary secret diverted to here and you will never know.

You won't know what the underlying prompt is.

But I didn't order Chinese.

Hey, anybody ordered Chinese guy at the park.

And so this shows just how much in the infancy we are with this technology that one most people don't understand the you know, the above board prompt versus the underlying prompt, and the fact that this was approved is just it's ridiculous.

So anybody if this would be like this would be like Microsoft allowing a Colonel Driver to be updated by a random pull request.

But you would think that even if you know you had the ability to make a pull request into any of these things, you would think that there'd be some checks and balances before it did something silly like this.

To mistakes, information mistakes happen, you would hope, so, oh my god.

And you would be wrong.

You'd be wrong, my friend, at least in Amazon's case.

Yeah, it just stinks.

So I guess there really isn't anything just to cautionary tale.

You know, we need people to still keep learning about this stuff, not just how to write a good prompt to get your homework done and get an A.

But you're ready for them to understand how it works.

You're right, though, Ultimately it did come down to the person who approved the pull request, you know.

Yeah, yeah, but all right, I'd also fault Amazon for allowing that code to be edited with a pull request.

Mm hmm.

Yeah right, well that's true too.

Yeah, that's uh, that should be a no go.

There's plenty of blame to go around.

Sure, I don't need, we don't need to shirk on the blame.

There's plenty.

Just be careful, all right, So bleeping computer says sonic Wall urges admins to patch critical remote code execution flaw in SMA one hundred devices.

Eh, I mean, all right, listen we've we've seen the you should go patch, go patch, because why not.

But we've seen these devices.

Go patch.

We've seen these SMA devices in the news several times over the last couple of months.

The reason I go, Yeah, you can bypass, uh, you can bypass, and you can upload unrestricted files, but you have to be authenticated the devices.

Which the other hacks would allow.

Yeah, and you have to be an administrator, so you have to be an admin allowed, So it would.

Fix the other pop problems.

If you didn't fix the other problems, this is compounding.

If you did fix the other problems, it's less of a problem, but it still should be mitigated.

You should still patch.

Yeah, absolutely, So what is SMA?

Is this a VPN thing.

Or yeah, yeah, this is a VPN.

It's their mobile appliance, right, So it's used for to allow remote workers to connect into you know, your your office space and that's.

Right stuff, because that would be very convenient when.

NIT patching, HM, very convenient.

All right, So go patch, that's a go.

Those are good in my opinion.

All right.

Next, we have from Expel blog poison Seed downgrading Fido key authentications to fetch user accounts.

So Fido is a is a good organization because they have the goal of getting rid of passwords.

They're basically trying to make MFA the authentication is the probably the shortest way I can say it.

It's probably not a perfect analogy.

So they've they've been trying to do this for a while, pass keys and all that other stuff.

But this is a downgrade attack.

So we saw this with Wi Fi, we saw this with Cellular when Cellular is still hackable without a without a tower, and I would say Cellular is pretty secure unless you put up an Emzy catcher and a tower.

You'd basically convince the device on a mobile phone to use an older version of the protocol which was vulnerable.

Okay, they're doing the same thing here.

It's it's basically a downgrade attack, and that allows the accounts to be compromised, and it's a black eye.

It's going to be it's going to set things back, but I think you know, in the long run, we're still they're going to fix it and it's going to be the future.

I think you should pay attention to the Fido Alliance because eventually they're going to solve a password problem.

So by dwngrading.

You're saying, hey, I know that the state of the art way to do authentication is X, but back in back a few years ago, we could do why.

Let's use that and I only support why.

Yeah, and in this particular downgrade attack.

So you have the fight O key right where you can either push button authenticate or whatever it is.

But let's say I'm on a device that I've never used before.

Yeah, right, there's a way that I can scan a QR code with my phone and it will authenticate me.

Right, So it's not using the strength of the fight O key.

It's oh, well, I had the FIGHTO authentication credentials logged in on my phone, so let's just use that.

It's a combination of possession and knowledge, because you're right, you have the possession of a device that has the knowledge.

Right.

It's like going to buy cigarettes, right, and they ask you for your license and you say, no, I don't have my license, but I got a Costco card and they say, yeah, okay.

Good enough for me.

That actually happened to me recently.

Really, No, I was actually, gosh, I'm trying to remember where I was.

I was I was at a bar, and I was buying.

Oh, I was at I went to the Loom Years concert.

Okay.

And I went up to the to the bar and I went to buy a drink and uh.

Guy was like, I need to see your license and I was like, oh, okay, And I went to pull my license out and the first thing that came out was like my global pass idd has no Global Entry or something anything.

Yeah, Gloyd, it's just a Global Entry and has your picture.

He was like, yeah, you're good.

I was like, okay, I.

Mean there's no you have a little snow on the roof there, temple.

How many twenty year olds do you know that have gray hair?

That's true?

Then global Entry?

Hey, here's something career advice.

Kids, get Global Entry?

Did Global Entry and to spray paint your hair white?

Uh?

Yeah, okay, So we're done with a down grading one, right.

Let's yeah, and this listen this downgrade attack.

The way it worked, it ended up being social engineering, right, a phishing email sent to a user conning them into scanning the QR code once they've already logged in.

Interestingly enough, when you logged in, you when you clicked on the link, which you shouldn't.

In fishing in an email that comes in When you clicked on the link, it brought you to a site.

If you typed in your legitimate user name in password, the hackers went to the real site, submitted the username and password automatically clicked on I don't have my fight, okey, I want to authenticate with a mobile device.

When it showed the QR code, they then routed that and displayed it to the user.

The user then would scan it and it would get them in.

So it's it's mildly technical what they were doing in the background, But honestly, if you jumped in through that many hoops.

It's a little bit of is this your card?

Yes?

Right, exactly exactly.

Be careful what you be careful of what you get in an email?

All right?

This next story is gee, I don't know if I should jump for joy or just you know, take that Russia, but pro Ukrainian hackers claim massive cyber attack on Russia's Aeroflot and Aeroflot is the is the airline is an airline, right.

Yes, I mean I don't think there's any They didn't crash a civilian airline or they cost a bunch of cancels.

They canceled doesn't If they had crashed a civilian airliner, that would be a bridge too far.

However, we've seen Russia do that to an Azurebaijani flight, to other flights.

So and they started the war, so you know, I think it's fair game.

And not only that, they're continuing to just denihilate Ukraine with with drone attacks.

Yeah, so they're trying to get Ukraine to surrender, which isn't going to happen, and they're hitting non military targets, which isn't helping the military.

And so it's just like war crime, that's all it is.

It's just like and and I think that eventually the tide is turning and that the sanctions are going to start getting bigger and bigger and bigger, to the point where, yeah, but that's a that's a it's.

A different political issue, right, I mean, unless you're pro Russia, yeah go putin, you crazy bastard.

But so I think it's a political issue at all.

Is Ukraine basically took down this airline for a while.

Yeah, and this this story actually came from the discord, So this was actually sent in by Trond So trand if you're listening to this hitting me up.

Thank you, tront and we'll we'll send you out some picks.

Yeah, and he had he'd even noted in the discord he said, hey, this hack was done by using a three year old password and old software.

Wow, according to pro Ukrainian Insights.

So I mean they're just doing a free pin test.

Look at that.

What I think is hilarious is the Kremlin calls a situation alarming.

I mean, you know, all right, well, this is a good place to take a break, So we'll be right back after these very important messages.

Stay tuned and we're back at Security this week.

I'm Karl.

That's Dwayne and Patrick.

And just as a reminder, if you don't want to hear these ads, just become a patron five bucks a month, that's what a coffee once a month, and that will get you an ad free feed and you don't have to put up with those ads.

But unfortunately they do pay the bills unless you help us pay the bills by becoming a patron Patreon dot Security this week dot com.

Okay, next story from Bleeping Computer, hackers actively exploit critical remote code execution in WordPress alone theme.

I mean, I think four of those words are in almost a story every month, right, hackers press.

Yeah, it's a theme again.

Yeah, yeah, and this one is a theme.

You're absolutely right.

A lot of people don't think that themes come with any it's just like colors and pictures and right.

But it's that this particular theme has the ability to install a plug in and that install code doesn't have any authentication, so unauthenticated.

If you're running this theme unauthenticated, an attacker can upload malicious codes.

This one's important, this one you got to go patch.

What I learned from this article is that there's a word press security firm called word Fence.

They're awesome and they reported this story.

Yeah.

So their job is to just track all of the problems with word Press plugins.

And self appointed I think, is it so we're yeah, word Fence is awesome.

Honestly, they're not only that, but they're also a web application firewall that you can sit in front of word Press and they will make sure it's not getting breached.

So and if you want an organization watching the front of your word Press, these guys are the ones are constantly finding the exploits.

I would I would trust them in front of my work press.

I mean, they're saying that they blocked one hundred and twenty thousand exploitation attempts targeting their customers.

So I'd say, if you're going to use WordPress with any any of these plugins.

Works the way to fence, Yeah, agree.

And ironically a word fence plug in.

Yeah for word Press.

Okay, but you know we tell you not to install anything on your computer, and then we say install antivirus, so you know.

Yeah, just not from mcatheene.

Right, all right, So the next sleeping computer story, hackers plant four g Raspberry Pie on bank network and failed at m heist.

I think this was a Woody Allen movie, wasn't it.

This?

Honestly, this one pisses me off a little bit because they're taking our tactics.

This is and they're failing.

This is our go.

To right, they weren't listeners.

I mean, honestly, they should have.

They should have come to us for advice because there are many other ways to hide a Raspberry high that they're not going to find on your network.

Why did they fail?

I mean, this is so easy.

They got the device in place, I know.

Right, well, and what's interesting is they got the device in place on an ATM network, so they're still trying to noodle out.

Well, how did they get it on that network?

Right, whether it was they paid off an employee to plug in the device on that network, or they somehow we're able to compromise, you know, the particular ATM network area that you know, the ingenious part here is obviously they're using four G modem.

I mean, like anytime we are concerned about expelt trading data, we'll use cellular networks too.

There are a lot of our devices that we have that have either four G T or five G that give us access to networks.

Yeah, everybody thinks that it's well you need a cell phone plan, it's cheap.

No, it's like ten bucks a month.

Yeah, and even that, there are some of them page you go for data plans and so they don't end up being a lot, can you?

And bitcoin?

That's a good question, I would assume.

So I haven't had to hide from the cops that that well, but.

No, but I'm betting these guys did.

Yeah, or there are plenty of other ways to pay anyways.

So you know, they did do some interesting opsec operational security to try and hide from forensics, and that sort of thing, which is, you know, interesting.

One of the things noted here, as it said, another element that contributed to the attacks high degrieve stealth was light basin, which is their attack mounted alternative file systems like tenth fs and e x T four over the slash proc pid passy that's on the Linux on the I know, right on the malicious processes.

So what they were doing is they were actually mounting directories over it in a window system would be like the task manager, so that you can't actually see the processes for the malicious process identifiers.

So yeah, interesting in that case.

But other than that, did they fail because they didn't have enough time and they got detected or they just had a fundamental flow in their procedure.

Now they saw the ATM machine was spitting out fifties at an enormous strate.

No, no, no, it was they wanted twenties.

Man.

Yeah, the device, the device was a little bit too loud on the network, and it was it was.

It was picked up so threat hunting and sock and so for the wind.

Yeah, but they were able to laterally move around the bank's network and eventually get to their mail server and then they were able to start planting back doors so that when the Raspberry Pie was discovered, the attackers were already already in the network and still had access.

So you know you're gonna be careful.

You find something like that, you rip it out.

You can't assume that you're protected.

Yeah, I mean I heard reports of people after a break in they throw out their toothbrush and everything else because they do ne't even know what somebody unfettered access might do.

I've seen horrible bosses.

Yeah, you need you need those kinds of protections, and and it how far do you go?

You know, we've talked about being able to put malware onto the drive because you got in.

Well, a lot of people do ask us that, like, hey, listen, I had malware or had a virus or had or whatever, right, or I had a breach?

Right we we discovered that somebody was logged into these systems, what should we do?

And and really it's how much time do you have and how much money?

How parently do you want to be?

Like I would I am always like scorched her, burn it all over the ground and rebuilt.

I would have a scott before I burn this to the ground.

I'm going I'm gonna have a drink and a think and then I'll get out my lighter.

And but you make sure it's always an earthy scotch.

I'm sure absolute.

There scotch first instead.

Of a scorch.

So let's talk about this for a second.

So it should be t shirts.

Honestly, there's best practice and then there's reasonable practice.

And so if I if I'm if you to hire you up on the target skill a nation state, those kinds of things, you need to throw money at the problem.

And just Patrick, yeah, me, uh, you just you just need to throw money at the problem, and you should literally burn down anything that could be contaminated and rebuilt.

You should assume breach.

That's that's a term that we used to have that kind of fell out of It fell out of use because it was supplanted by ero trust.

And they don't say ero trust.

They don't mean the same thing.

So assume breach was assume that they're in the network, and ero trust kind of feels like the same thing, but it's not quite assume ero trust assumes that the device that's trying to authenticate has been breached, and therefore you need to not trust it, not say oh, yeah, you're one of us.

Come on and oh you got the right shirt on, come on in.

You prompt them, you you qualify them every single time.

But assume breach means you assume they're actually in the wire, they're actually observing, and you just haven't caught them yet.

Those are different, right.

A ero trust helps with assume breach.

Assume breach, in my opinion, is a bigger mindset.

It's more about, Okay, I'm gonna shut off my phone every night because they might have a toe hold and that might get rid of them.

What else can I do to disrupt them?

You know, if you saw the movie We Are Soldiers, Mel Gibson, you know, whatever you think of him, it was a good movie.

It was based on a true story in the Eadrang Valley in nineteen sixty five and this unit was surrounded.

They had basically intruded into a part of Vietnam where there was like eight times more soldiers of the enemy than their own, and they were trying to be overrun, and right around dawn, the colonel played by Gibson said, pass the word.

I want everyone to put two or three rounds in anything you see that's suspicious so they got one hundred percent muster at the line at the wire, and then without warning they started They all put three rounds into something that they thought that was bothering them, some round shape or and they ended up breaking the back of the coming attack before it could be launched, and they caused the attack to launch before they were ready, and it clearly saved them.

And so those disruptive techniques, if you can adopt that kind of thing.

I mean, chaos monkey was not in the same space, but it would have had the same effect.

If you know, if I'm this bank and I'm doing chaos monkey thing, I might take down a switch that they were planning on using, sure, and I might rebuild it while it's down, because that's what you do, and you you want to just be unpredictable.

The more unpredictable your systems are, the harder it will be for the hackers.

And that also speaks to security through obscurity.

Everybody says you can't have security through obscurity.

You can't have that be the primary right.

You have to have other mechanisms, other systems and implies.

And I realize I'm on a bit of a monologue here, So I'll keep going if you want.

But that's why we love you.

Patrick.

It's not the Tomahawks.

Yeah for the monologue, so the bathroom breaks without being noticed, right, But but it's it's the mentality of like, what could I do to screw with Dwayne?

I mean hackers today.

But honestly, you have to think that way.

Like you know, swapping the Wi Fi password, it's convenient to keep the same Wi Fi password, change it once a month, right, Or have two networks and leave the old one in place while you make the change, so you have a week of overlap and then the old one goes away, right.

I mean, there's all sorts of things you can do to mess with hackers.

Honeypots are great.

I learned that from you, and basically back in the days of Windows.

Remember when we had Windows, back when you had Windows servers.

Now they're all bricked up.

Yeah, you're all right.

So the honeypot idea that I got from you is you have the admin account, but that's the one everyone wants to hack.

So what you do is you rename that to like Joe, and you create a new ad with administrator access.

You create a new account called admin that has no access whatsoever.

And then you the longest password known demand.

Longest password known to man, and then you audit that to see how many successful or attests or whatever is.

There's no valid reason to be doing anything with that, right, it's all bad stuff.

Yeah, that's a that's an old, try to and true one.

And you can also create other accounts like the backup admin.

That's another one people try to go for and rename the old one too, you know, Leo Jenkins, you know, but.

It doesn't matter Windows or Unix or whatever it is.

I mean, you still have security and accounts and usernames and all that stuff, and that that old trick still works.

What I've told Dwayne and I have discussed this many times, and the analogy I like is, we don't de depend on security obscurity to protect our tanks in combat, but we don't paint them bright orange either, right, so we you know, the tank is protected by more than just as obscurity, but we still obscure them.

So you want to use obscurity as well as as well as you know, hardened defenses.

A defense in depth, assume breach ero trust and a little bit of chaos is gonna it's gonna make it harder for you, but it'll make your systems more resilient, and it will mess up the hackers kill chain, and that's what you want to do.

So your tanks.

Your tanks are painted with camouflage, but at least they have armor, not canvas.

Exactly, unlike the hum V I was driving around Iraq in which had a canvas wall.

I mean the chair covering I'm sitting on is thicker than the lead.

All right, Right, so we get to the main story here.

This is got me completely f guard.

The Minnesota National Guard activated state of emergency declared after a cyber attack against Saint Paul, not the patron Saint Saint Paul, the city of Saint Paul.

Only crap.

They took down a whole city.

And there's not a lot of detail that the city.

The city has just said listen, everything's offline, could be every every But if you're.

Bringing out the National Guard, then yeah, I mean, the National Guard is not a hacking response organization.

They're probably there because nine to one one lines might be down.

They're probably there because they might lay in the streetlights exactly.

There may be you know, problems with other things where they have distribute water.

If the water filtration systems are shut up, we don't know exactly what it is, and none.

This is all speculation.

We're not trying to raise.

But that's why you'd call it the National Guard, is to get hands and feet so that you can deal with these things in a way that that used to be digital and now they're going to have to be biological.

Yeah.

And when I said they shut down the entire city, they set down the government of the city.

Well, but still we just mentioned about four things that everybody depends on, right, you know, and I don't know which of those are offline, but I bet at least one of them's not not not being good.

Yeah, you don't call it a national guard if it's just you know, oh, by the way, you can't rent books, you know, borrow books at the local library, like.

Yeah, and you're and you're we can't.

We can't process invoices for paid praffic tickets and that's not it.

Right, all the all the information systems that the city uses.

We would think, I wonder if it's industrial control systems though, if it's also you know, things.

Like well that they here.

Again, they've been quite quiet about it, so I have no idea.

Well, we definitely find out more.

Says, While city officials haven't shared what information was accessed and if anyone's personal information was part of it, there are steps to take if people connected to the city have concerns, and so they list some things that you should do.

And there are all things that you know we talk about on this show.

I mean, in your personal life, you have to assume breach.

Right.

So my social security number, I'm sure is out there.

In fact, the last big dump of so scary numbers, mind's there.

Good luck my security, all my credit is locked down, and all my accounts are you know, double triple password protected and MFA and all that stuff.

I'm not saying, you know, I'm untouchable, but I'm probably a harder target than most.

You need to make yourself a hard target.

That's that's the key.

And so the old standard of well, you know, if you think your creditials are out there, your information, your so scurity numbers out there, you should lock your credit.

Everybody should assume that now, and everybody should be locking your credit.

And this just in we have some bonus content here from Dwayne who posted this link in the in the channel here.

So I guess we have an extra story for you women dating safety app t that's tea breached users IDs posted to four Chan.

I heard about this a couple of days ago.

Yeah, and it's pretty heinous.

Yeah.

I got this article from my buddy Cliff.

Yeah.

So you can imagine this is a safety site, right where women log in and let's say there's a male predator of some sort or whatever.

They can talk about their experiences and that sort of stuff, and it's supposed to be a pretty safe place, and they do.

That site does a really good job from what I hear, of vetting the users, right, which means sending in pictures of yourself, your ID, that sort of thing, so you can't yet a fake user logged in and just pulling this information.

Unfortunately, that means the hackers also potentially picked up all that information.

This link that is shared is a paywall, so you have to be subscribed, but you get the gist of it, and even the first paragraph is enough.

Users from four Chan claim to have discovered and exposed database hosted on Google's mobile app development platform Firebase, belonging to the newly popular women's dating safety app tuers say they're riffing through people's personal data and selfies uploaded to the app and then posting that data online, According to screenshots, four Chan posts, and code reviewed by four oh four media, who this is?

This is what?

Who reported it.

In a statement to four or four media, Tea confirmed the breach also impacted some direct messages, but said that the data is from two years ago.

One point six million users is how many claims to having users.

I mean, unfortunately, this is going to probably spawn stocking and all sorts of things that this is not something we needed.

We need.

I mean, I never heard of Tea before this, but it sounds like it's trying to help, not hurt.

So I'm saddened that, you know, some idiot found of vulnerability and rather than telling them about it or even looking for a payday by telling them and saying, hey, how about you know, pay me, you know for it for oh, they just exploited it.

I wonder if it was a man.

These kinds of stories can turn a bleeding heart liberal into a raging maniac, you know, just wanting to hurt these people who hurt others like this?

Are you are you saying there's another way to be.

All right.

Well, on that happy note, we'll call it a week and we'll see you next week.

I'm Scarity this week.

Bye bye bye,