Coming up this week on Breaking Badness. You’ve Got a Friend in Me, Acropalypse Now, and Gold, Guidance, and Grievances.
Here are a few highlights from each article we discussed:
You’ve Got a Friend in Me
- In the new ThreatWise TV documentary, we see what Cisco Talos has been doing to support Ukraine during the war that has just passed the one year mark.
- For those who aren’t familiar, we’ll start with a description of what ThreatWise TV is
- It’s not something you can get on your local cable system, satellite dish, or TV antenna – you need to go to the information superhighway!
- It’s a vlog of sorts, by the Cisco Talos team
- They’ve done a number of episodes on products, best practices, interviews, and so on
- What’s the history of the relationship between Cisco Talos and Ukraine?
- Cisco, for starters, has an enormous footprint around the world
- They have a long history of customer relationships in Ukraine as well as employees who live in Ukraine
- Cisco Talos wanted to help once the invasion began, which led to an internal Ukraine task unit, and can respond to future global events with cyber implications. Is this the first task unit of its kind?
- It’s the first one at Cisco, but there may have been similar task forces led by other security firms. But it’s an example of one of the best trends in infosec—the public/private partnership
- What does the task unit do on a day-to-day basis?
- If you had to distill it down, it’s a threat hunting team
- They’re looking at the landscape and keeping a close eye on Russian operations that affect enterprise, OT, or disinformation, ICS
- They are doing the usual hunting on networks and endpoints for evidence of compromise or anomalies, but they’re also doing a broader kind of hunting, with OSINT analysis and analysis of disinformation and other info warfare efforts as well.
- Cisco Talos has a pretty cool-looking graphic novel on their website describing this task unit, and they mention they’re leveraging skills outside of traditional threat hunting
- This is where OSINT threat hunting and trying to understand intent and disinformation become some of the important skills
- There’s not too much additional information on what exactly they mean by this likely for OpSec purposes
- What about if other organizations want to start a task unit? Where should they begin?
- Having that existing relationship like Cisco did is key
- It’s one thing to have the technology and the goodwill, but to really have an impact, you have to be able to work closely with authorities, and you can’t just show up and expect that; building relationships is key.
Acropalypse Now
- In ongoing news that the Internet is forever, a Google Pixel bug reveals that if screenshot info has been deleted, it can be recovered, but wait, that’s not all! The Windows 11 Snipping tool is likewise affected.
- This is an interesting one – it was found for Google Markup – the tool in Pixel for editing images if you’ve taken a screenshot
- It had been there since about 2018
- Google has since patched that
- When the screenshot is created, a file is created. The underlying process should truncate the file, and in the past, it did to make the smaller file
- At some point, the underlying API stopped truncating by default, so when it did not explicitly truncate, it left the full size there, so it left extra bits of information that was removed and still available for someone to grab and deobfuscate
- Anywhere these images were uploaded, that file exists and can be deobfuscated
- Discord is a major target for this
- This is about cropping tools, but what about blocking out information using the paint tool – is that recoverable?
- Absolutely. There’s a working POC for this at the acropalypse.app that’s open and it can show you what was there before
- And anyone can use acropalypse.app to see any of these impacted images
- What are the security ramifications?
- Extortion comes to mind
- But Google has patched quickly and going forward, it should be fixed
- Windows should be patched as well
- But someone went on VirusTotal and found about 4,000 images that were affected
- Are other products affected like Apple products or Android?
- Who knows is the tl;dr of it all
- Once is an accident, twice is a coincidence, and three times is enemy action
- If it did hit others, we would all have to think, how did we all get really bad at this at once?
- What are the mitigations?
- Microsoft and Google have patched these issues as mentioned above
- As an independent, if you want to check a file, there is a PNG file check tool if you want to test that everything is as it should be
- Ensuring you have the latest versions on your devices is important as well
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
You’ve Got a Friend in Me
[Taylor]: 10/10 Goodies
[Tim]: 8/10 Goodies
Acropalypse Now
[Taylor]: 5.675/10 Hoodies
[Tim]: 5/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!