Is Elon Musk a Security Expert? - ThreatWire

00:00

which is better signal or telegram this

00:03

story and more in this week's episode of

00:05

threatwire

00:08

for the JavaScript viewers two new

00:11

vulnerabilities were found in the nextjs

00:13

libraries cve 2024 34350 and cve 2024

00:19

34351 have been assigned a high severity

00:21

score of 7.5 the first vulnerability cve

00:25

2024

00:27

34350 is response CU poisoning vulnerab

00:30

ility according to portswigger response

00:33

CU poisoning is a powerful form of

00:36

request smuggling attack that causes a

00:38

front-end server to start mapping

00:40

responses from the backends to the wrong

00:43

requests in practice this means that all

00:46

users of the same front end SL backend

00:49

connection are persistently served

00:52

responses that were intended for someone

00:54

else which to be very clear is not good

00:58

the other vulnerability cve 2024

01:02

34351 is a server side request forgery

01:05

vulnerability meaning that attackers can

01:07

abuse requests to access or update

01:09

resources they don't have permissions to

01:11

according to an application security

01:13

engineer at versel cve 2024 34350 comes

01:17

about under the following inconsistent

01:20

interpretation of a crafted HTTP request

01:23

meant that requests are being treated as

01:25

both a single request and two separate

01:28

requests by nexj s leading to

01:31

desynchronized responses this led to a

01:34

response CU poisoning vulnerability in

01:36

the affected nextjs versions the

01:38

security engineer disclosed the other

01:40

cve and that it was also found by the

01:42

team at asset node the ssrf

01:45

vulnerability is able to happen when

01:46

running a self-hosted nextjs server

01:48

older than version

01:50

14.11 the server uses server actions and

01:53

the server action performs a redirect to

01:56

a relative path that starts with a slash

01:58

the solution for resolving both issues

02:00

is to update your nextjs versions to

02:03

14.11 at the minimum to resolve both

02:05

cves researchers at the Leviathan

02:08

Security Group identified a network

02:09

technique that bypasses VPN

02:12

encapsulation they say it uses

02:14

decloaking the ability to force a user's

02:16

traffic off the VPN tunnel in this case

02:19

specifically using DHCP features they're

02:22

able to Snoop targets traffic the attack

02:25

relies on DHCP option 121 in 2002 RFC

02:31

3442 introduced option 121 classless

02:35

static routes and obsolet option 33

02:38

which still should be supported

02:40

depending on who you

02:41

ask option 121 also allows

02:44

administrators to add static routes to a

02:47

client's routing table but with

02:49

classless ranges instead There's No

02:52

Limit besides packet size to how many

02:55

different routes can be installed at

02:56

once to work targets and attackers must

02:59

be on the same network essentially the

03:01

attacker will trick the target's VPN

03:03

into thinking that they are their DHCP

03:06

server attackers can snoop on traffic

03:09

using forwarding rules on the malicious

03:10

DHCP server to pass it through to a real

03:13

Gateway using option 121 to arbitrarily

03:16

set the route they're able to set a

03:18

higher priority than those of the routes

03:20

used by a VPN this also leads to all of

03:23

the targets Network traffic being sent

03:25

outside of the vpn's encrypted tunnel

03:28

this decloaking attack was given a cve

03:30

and with the help of the eff and cesa

03:32

they were able to alert over 50 vendors

03:35

prior to public disclosure now here's

03:37

where the story gets a little bit

03:38

interesting after publishing it's come

03:40

out that this isn't necessarily novel

03:42

they even acknowledge that this isn't

03:44

novel by Crossing out the word that they

03:46

used in the first paragraph of the

03:49

publishing in an update included they

03:51

came to learn that this research isn't

03:53

new and has been published across the

03:55

web as early as 2015 in a blog post

03:58

about hardening open bpn for Defcon they

04:01

do the update and say the purpose of

04:03

This research was to test this technique

04:05

against modern VPN providers to

04:06

determine their vulnerability and to

04:08

notify the wider public of this issue

04:11

this is not a story to shame researchers

04:13

in any way instead it's a story about

04:15

how we are losing history and that we

04:17

need to get more focus on the stories of

04:19

the past in order to make sure we don't

04:21

keep rediscovering the discovered if

04:23

anything I recommend reading the article

04:26

as it was a great summary about

04:28

networking VPN DHCP and more password

04:31

list authentication has been considered

04:33

highly secure against fishing session

04:35

hijacking and man-in-the-middle

04:37

attacks the phto 2 standard developed by

04:41

the phto alliance uses public key

04:43

cryptography and security keys for

04:45

authentication however Recent research

04:48

has uncovered a critical flaw that

04:49

allows attackers to perform

04:51

man-in-the-middle attacks and bypass f 2

04:54

authentication researchers from Silver

04:56

front discovered that attackers can

04:58

intercept and manipulate authentication

05:00

Communications between the user and the

05:02

relaying party this flaw allows

05:04

attackers to gain access to the user's

05:06

private info and perform malicious

05:08

activities such as removing registered

05:10

PH2 devices PH2 involves generating a

05:13

public and private key pair with the

05:15

public key sent to the relaying party

05:17

for verification during authentication

05:20

the browser communicates with the phto

05:21

security key if approved the security

05:24

key generates a signature using the

05:26

private key verified by the relaying

05:27

party researchers recommend implementing

05:30

token binding which binds security

05:32

tokens to the TLs layer preventing token

05:35

theft and man-in-the-middle attacks

05:38

application managers should enforce

05:40

token binding on the phto to

05:41

authentication developers should also

05:44

ensure session tokens are only used once

05:47

and thoroughly validate the

05:48

authentication process telegram is going

05:51

up against signal as the most secure

05:53

messaging app recently the telegram

05:55

founder paval durov posted in his

05:58

personal Channel putting the team team

05:59

behind and the product of signal on

06:01

blast an attempt to encourage fud or

06:04

sphere uncertainty and doubt it started

06:06

off with the claim that signal messages

06:08

can actually be compromised the US

06:10

government spent $3 million to build

06:12

signals encryption and today the exact

06:14

same encryption is implemented in

06:17

WhatsApp Facebook Messenger Google

06:18

messages and even Skype it looks almost

06:21

as if big Tech in the US is not allowed

06:23

to build its own encryption protocols

06:26

that would be independent of government

06:28

interference and a alarming number of

06:30

important people I've spoken to remarked

06:32

that their private signal messages had

06:35

been exploited against them in US court

06:37

or media but whenever somebody raises

06:40

doubt about their encryption Signal's

06:42

typical response is we are open source

06:45

so anyone can verify that everything is

06:47

all right that however is a trick these

06:50

claims have not been verifiable yet in

06:53

response the signal president has come

06:55

out expressing that telegram's messages

06:57

are compromised and routinely Cooper

06:59

Ates with governments the security

07:01

Community has also stepped up and very

07:03

loudly proclaimed how wrong the telegram

07:06

statements are expressing that signal

07:09

has expressed inability to give chat

07:10

logs once a peanut experts like Matthew

07:13

green a literal professor of

07:15

cryptography quickly spoke out on the

07:17

topic and the security and encryption of

07:19

signal and the weird decisions of the

07:21

telegram project signal inherently is

07:24

end to-end encrypted while telegram you

07:26

literally have to enable the secret chat

07:28

option which uses a home ruled

07:30

encryption scheme created by another

07:32

founder of telegram signal uses its

07:35

aonomus protocol which as explained

07:38

earlier is used by many companies as

07:40

their encryption protocol of choice and

07:42

uses open- Source verified hashes

07:44

agreement protocols and so on while

07:47

signal has 14 no cves telegram has 36

07:50

known

07:51

cves but how did this all start in a

07:54

tweeted response to a signal smear

07:56

article Elon Musk chimed in saying there

07:58

are known vulner abilities was signal

08:00

that are not being addressed seems odd

08:03

this has been appended with a community

08:04

note explaining that there is literally

08:06

no evidence for this statement and that

08:08

the lack of evidence is very easy to

08:10

verify this treat has over 3,000 likes

08:13

with a view count of 1.2 million but at

08:15

this rate we can't tell if this is

08:17

accurate just like elon's statement and

08:21

for context I personally say don't some

08:24

of you are right but many of you were

08:26

wrong as a reminder every story that is

08:29

included threatwire is a real story

08:31

there are real sources and many of you

08:34

said that the cisa FBI developer warning

08:36

was a fake story and written by AI sorry

08:39

to let you know that that is a real

08:40

story and it was written by me the AI

08:43

story written in last week's episode was

08:45

actually the story about the gitlab

08:47

vulnerability that was leading to

08:48

account takeovers once again there is an

08:51

AI written story in this week's episode

08:53

comment down below which story you think

08:55

it was as a reminder it is a real story

08:58

it is real news it was just written by

08:59

AI also I do see the feedback that many

09:02

of you enjoyed the off theough insert

09:04

for threatwire last week I do have a lot

09:07

of research and there's a lot of

09:09

specific numbers and definitions and

09:11

quotes that need to be included to make

09:13

each threatwire story

09:15

comprehensive it just wouldn't be

09:17

feasible to do each story off the cuff

09:19

but I do write threatwire each week live

09:22

on my twitch Channel twitch.tv/ ending

09:24

with allei if you enjoyed the other kind

09:26

of vibe feel free to head over there and

09:28

hang out I C on a regular basis there

09:31

and this month is actually mod month so

09:33

I have a lot of challenges to do that my

09:35

mods made for me and I would love to see

09:37

you there P.S I booked my tickets from

09:40

Defcon who's going to be there also it's

09:44

so sweet that some of youall are talking

09:45

about that I look very pretty but I just

09:47

want to remind yall that I am an MIT

09:49

educated software engineer who does

09:51

cyber security as a hobby and in her

09:53

free time but if you do want to pop over

09:55

to my Instagram I'm going to be starting

09:57

to post more photos over there including

09:58

memes about about tech and maybe some

10:00

reals too but I know y'all hate it so

10:03

hopefully they'll be funny thank you so

10:05

much for watching threatwire for the

10:06

week of May 1 13th 2024 don't forget to

10:09

head over to patreon.com threatwire and

10:11

support us over there thank you for

10:13

helping keep this show adree if you want

10:16

to find me online I'm @ ending withth

10:18

alley everywhere good luck have fun and

10:22

don't get caught