Security Now! Transcript of Episode #574 Page 1 of 28
Transcript of Episode #574
Routers & Micro Kernels
Description: This week, Leo and I catch up with the past week's news. Did the Shadow Brokers hack the NSA's Equation Group? Apple's Bug Bounty gets quickly outbid. A critical flaw is discovered in the RNG of GnuPG. The EFF weighs in on Windows 10. The Chrome browser is frightening people unnecessarily. A Johns Hopkins team of cryptographers, including Matthew Green, discloses a weakness in Apple's iMessage technology. We discuss surprisingly and sadly unused router hardware capabilities and then answer the question: "What's a microkernel?"
High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-574.mp3
Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-574-lq.mp3
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. He'll talk about that leak of the NSA hack tools from the Equation Group. What does it mean? What does it mean? What could they be? He'll also give us a little insight into the microkernel, how it works, what it is. And a look at a very interesting router operating system. It's all coming up next on Security Now!.
Leo Laporte: This is Security Now! with Steve Gibson, Episode 574, recorded Tuesday, August 23rd, 2016: Routers & Micro Kernels.
It's time for Security Now!, the show where we cover the latest security, keep you safe and sound online with this guy right here. I feel like I'm sitting next to you. This is nice. Steve Gibson.
Steve Gibson: So normally that screen used to be much further behind you.
Steve: So you sort of couldn't catch me out of the corner of your eye.
Leo: No, I had to kind of turn completely. And I did a TV turn, which was cheat and look over there. It would look like I was looking at you, but I'm really looking over there.
Steve: Ah.
Leo: We are temporarily discombobulated because we're going to be moving back into my office next time. But for now we're in the main studio because, as you know, I bet you can imagine, moving a whole studio...
Steve: I don't know how you did it, basically on the fly.
Leo: On the fly. And so I made completely impossible constraints on these guys, and I feel so bad for it, and I'm sorry, John. Because first of all they said, "Well, it's going to take us five days." I said, "I can't miss five days of shows." "Three days?" I said, "I'm not going to miss any shows. I'm not going to miss any shows." And they said, oh, okay, okay, okay. And then to add to the horror I said, "And we're not going to buy" - and they said, "Well, we can buy duplicate gear; right? Or rent it or something?" I said no.
Steve: Long cables.
Leo: No. You get one of everything. And then, not my fault, but the tenant improvements by the owner, well, first of all the building got sold in between, during the tenant improvements. So we leased it from one guy, and now it's a different guy owning it. So the tenant improvements dragged on. We were supposed to get this six weeks ago. We got it one week ago, basically. So there was little we could do ahead of time. And then most of that would have been studio building. Right? And like the bricks that are supposed to be there and all that stuff. So we could only do a barebones studio. But I said, no, don't worry. A, everybody's going to understand that for the first two weeks in a new place we're going to be, you know, it's going to be like in a new house. You're still finishing up the stuff, painting. And, B...
Steve: Stuff in boxes still.
Leo: Oh, lots. Lots. And then, but secondarily, most people just listen. And as long as - so what I said is, if we can do a show, if we do audio shows that look okay, I'll be happy. And they don't have to be - we can do everything at the round table, which we are, until the other studios are ready. And the last studio to go is mine because that was the last studio used in the Brick House. Actually, it's surprisingly complete. The desk is over, the backdrop is over, the lights are in. We just have to wire the sound. That'll be ready on Saturday for the radio show. And then after that I'll be doing this show and Windows Weekly from my office again.
Steve: So not only is this the first Security Now! in the new studio...
Steve: Ten years from now...
Leo: This show's going to be a teenager next year. Junior high school. Wow.
Steve: So lots of stuff to talk about. Our main topics that we will get to is I discovered something very surprising in the hardware of all consumer routers, almost without exception, which is, I mean, it's distressingly unused capability that just isn't - it's physically there in the hardware, but isn't surfaced to a user interface. DD-WRT is beginning to make some inroads into it. So I want to talk about that a little bit. And I wanted also to do a little bit of just a little sidestep into the topic of microkernels because we're all living on top of operating systems, and there's been a lot of microkernel discussion in the news. So I want to, toward the end of the podcast, talk about those things.
But there was a lot of news of the week, of course. The question, we'll answer the question, or look at it at least, about whether the so-called Shadow Broker Group hacked the NSA's Equation Group. Note that Apple's bug bounty was quickly outbid. A critical flaw has been discovered in the random number generator of GnuPG. The EFF has weighed in on Windows 10. Chrome browser is frightening people unnecessarily, and I've had a bunch of reports about that.
Then a Johns Hopkins team of cryptographers led by Matthew Green presented a paper at the 25th Annual USENIX Conference a couple weeks ago, disclosing a series of weaknesses in Apple's iMessage technology, which, for example, just to give you a little tease, allows for retrospective decryption of encrypted iMessages. So there's that.
And then somebody posed a question actually this morning through Twitter that I really liked. And I thought, this is a perfect puzzler of the week for our listeners. So we will finish the podcast with the question this guy asked because - and it's just something for our listeners to think about for a week, and then we'll talk about it next week. So I think lots of fun stuff.
Leo: All right, Steve. I'm listening with all ears.
our listeners will appreciate and which would confuse pretty much any normal people who would think, what? How does that make any sense? And of course we all remember the "Hundred Bottles of Beer on the Wall"...
Steve: Isn't that great? So we all remember the "Hundred Bottles of Beer on the Wall" song, where you take one down and pass it around and then there's 99. So this T-shirt reads: "99 little bugs in the code, 99 little bugs. Take one down, patch it around, 117 little bugs in the code."
Steve: So, okay. Probably the top story of the week was this whole NSA hacker group Shadow Brokers deal. I've read in as much as I can from what's available publicly. And attribution is famously difficult. You'll remember that I was reluctant for the longest time on the topic of Stuxnet to ascribe this to the U.S. and Israel, who we now - it's sort of, again, no absolute proof, but the consensus has sort of been, yeah, I mean, we're as sure as we could be that that's, you know, that it was state sponsored and probably the U.S. and Israeli intelligence groups, the cyber groups.
So what happened here in this case is that a group calling themselves the Shadow Brokers posted a bunch of data, but only a taste of what they have, 256MB of compressed stuff, predominantly batch scripts and what was regarded as unimpressively coded Python. So the people looking at it were unimpressed by it. And in fact I saw one massive compound IF statement, checking the version of the Cisco ASA software that was running. And I have to say it's not the way I would have written the code. So who's to know? But they posted this with the claim that they had hacked into the NSA's Equation Group.
Now, one of the things that immediately sort of caught my attention was that, if you actually read the posting, and I'm going to let everyone see what you think because I'm going to read the introduction paragraph exactly as it's written. Tell me if you think it's actually somebody who can't speak English, or somebody who does, who's doing a bad pretend, a bad emulation of a non-English speaker.
made by creators of Stuxnet, Duqu, Flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group.
We find many, many Equation Group cyber weapons. You see pictures. We give you some Equation Group files, you see. This is good proof, no? You enjoy? You break many things. You find many intrusions. You write many words. But not all. We are auction the best files." Now...
Leo: That's Chinese, by the way. That is almost certainly Chinese syntax.
Steve: Okay. To me it reads as fake.
Leo: Or if you were faking Chinese syntax.
Steve: Oh, exactly. But, for example...
Leo: For instance, when you say "good," you often say "hau hau." Which is too good.
Steve: Well, but, see, "We find cyber weapons made by creators of." That, to me, like...
Steve: ...some correct English slipped in there when they were trying to make it seem sort of jilted and stilted. So I don't know.
Leo: You know, I was a Chinese major. My Chinese isn't great. But I do kind of recognize a Chinese-style syntax. There's not a lot of, for instance, Chinese doesn't have tenses. It feels to me a little bit like it would be either Chinese or somebody pretending, you're right. And hackers obviously want to obfuscate who they are.
Steve: I've read a lot of English by non-English speakers, and it feels different than that does.
Leo: Right, right. Feels like a fake, yeah.
Steve: It really does. And, you know, you could understand that that may be what they're [crosstalk].
Leo: It's the equivalent of a ransom note.
than 2013. So the most recent are three years old.
So that's, you know, it makes people think that this has been held for a while after it was grabbed. No one understands what that means or why. I think I heard somebody on TWiT suggest that it was like a field tool set, like an archive that may have been lost or left somewhere. That is to say, there are other feasible ways that these tools could have been obtained other than this rather romantic, "We found their IP range and hacked them." Okay, maybe.
But if in fact these are field tools, and they have sort of a feel to them of that, then it's very often the case that NSA people have to leave the Puzzle Palace and venture out in order to go to specific locations on the Internet in order to get the position on the network that they need. And if they're physically roaming around, you know, thumb drives get lost, or laptops get stolen from airports. You know, that kind of thing. So there are other ways this set of tools could have escaped.
Now, all of that notwithstanding, there is some - this was eyebrow-raising for the security industry. There was a whole bunch of previously unknown things that were contained here. So even though they were three years old, everyone on this podcast knows how lumberously - lumberously? Anyway, how slowly...
Leo: That's a good word you made up.
Steve: ...we move forward with security standards. So 2013 is - especially problems that have been persistent for a long time. For example, we'll be talking a little bit later about this flaw in the random number generator of GPG. It's been there, I think, since the late 1990s. So for decades. Because if it's sort of following the logic or the wisdom of that T-shirt, if you don't know it's broken, you're really better off not messing with it because leave it well enough alone.
So, similarly, for example, the news just today is that one of these cyberweapons which was specifically aimed at the Cisco firewall, the ASA line of firewalls, and that's actually where this crazy compound IF statement was located, it was individually stepping through individual IF-THEN clauses, looking at version numbers that it had retrieved from the SNMP protocol. And it's a flaw in the SNMP protocol, Simple Network Management Protocol, which we've talked about before. It's a UDP, typically UDP-based protocol that allows you to query network gear for its status. And so things like the number of bytes received on interfaces and transmitted and, I mean, you can - if you have write privileges, you can reconfigure SNMP devices over that protocol. So it's very powerful, you know, as it sounds, Network Management Protocol.
Anyway, the point is that the code stopped checking versions at 8.something, and I didn't bother to remember to write it down, it wasn't important, which was some years ago. And if it didn't match any of the known versions, it returned an error saying "unsupported." Well, some researchers said, huh. ASA is now at 9.something. What happens if we tell it that it's compatible with that? And sure enough, it works. So, and I'm wondering, and I didn't have a chance to look, when it was that that version of the firmware was published, and if that corresponds with the date of this tool.
Because the point is they may have - that tool may have been current when it was last edited, which was when that 8.something was the most current version of the Cisco software. Because this compound IF statement does nothing except turn an SNMP short version string into a full English statement, saying this is version zum zum zum of the Cisco something-or-other firewall. Then the next line checks a different SNMP version and then says the same thing with a slightly different bit of text.