Description: Brave randomizes its fingerprints. The next Brave will block Microsoft Recall by default. Clorox sues its IT provider for $380 million in damages. Six-month Win10 ESU offers are beginning to appear. Warfare has significantly become cyber. Allianz Life loses control of 125 million customers' data. The CIA's Acquisition Research Center website was hacked. The Pentagon says the SharePoint RCE didn't get them. A look at a DPRK "laptop farm" to impersonate Americans. FIDO's passkey was NOT bypassed by a MITM after all. Is our data safe anywhere? The UK is trying to backpedal out of the Apple ADP mess. Meanwhile, the EU resumes its push for "Chat Control." Microsoft fumbled the patch of a powerful Pwn2Own exploit.
High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-1036.mp3
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. He's decided to change his browser of choice. He'll explain why. We'll also talk of a little retraction. Passkeys are still secure. FIDO's passkey was not bypassed by a man in the middle. And then we're going to take a look, a deeper look at that SharePoint Zero-Day. What a nightmare. All that and more coming up next on Security Now!.
Leo Laporte: This is Security Now! with Steve Gibson, Episode 1036, recorded Tuesday, July 29th, 2025: Inside the SharePoint Zero-Day. It's time for Security Now!. Oh, I know you're so excited. I see people jumping up and down. We wait all week for Tuesday and the arrival of - it's the Santa Claus of Security, Mr. Steve Gibson. No beard, but a very nice moustache. Hello, Steve.
Steve Gibson: I don't think people are jumping up and down. I think that's the vertical hold. Remember those days, Leo?
Leo: Oh, yeah, you'd try to see between the lines on the encoded channels.
Steve: Well, you had knobs on your TV, and those tweaked the frequency of oscillators which caused the cathode ray tube beam sweep frequency to change so that it had to line up with what was being sent from central headquarters.
Leo: Can you imagine being married to Steve Gibson, and you're trying to get the TV to work, and he says, well, you know, it's the oscillator that needs to line up, and oy, oy, oy. You know, it's funny, somebody's been uploading, I'm thrilled, these old Screen Saver shows that you and I did back 25 years ago.
Steve: I have every one of them.
Leo: Maybe it's you. You have them - oh, the ones that you were on you have, but there are literally hundreds and hundreds of them.
Steve: Yeah.
Leo: Somebody must have put them on VHS. I know, because I'll watch them on YouTube, and you see the...
Steve: Or the bottom of the screen white blocking in more. Yeah, yeah.
Leo: You know immediately, oh, yeah, I remember that from the old, the bad old days. All right. What's coming up on Security Now! today?
Steve: So for Episode 1036 for this last podcast of July of 2025, we're going to talk about a mess.
Leo: Of course. What else?
Steve: And it's a complicated mess which most of the press hasn't quite locked onto. They haven't grokked it fully because this actually is a descendant of something we talked about in May. Remember that in May was the first relocated Pwn2Own competition. Normally it has traditionally been held in Toronto every year. This was the first time that Pwn2Own had moved to Berlin. One of the winners who earned himself $100,000 in Berlin's Pwn2Own in May revealed a remote code execution exploit in Microsoft's SharePoint servers. Which, oh my god, you know, there's 38,000 of them, I think, online at the moment. And so this is not SharePoint in the cloud, where Microsoft is trying to push everyone because of course they would love to have a subscription from everybody. But these are people who have previously, before Microsoft decided they wanted to get everyone to subscribe to everything, would sell you a server. And so their SharePoint 2013 and 15 and 16 and 19. And they're just doing fine installed in enterprises everywhere. Unfortunately, it turns out they all have a very bad bug. Which Microsoft tried and failed to fix in this month's Patch Tuesday.
Leo: Oh, boy.
Steve: They bungled the update, once again patching the symptom, not the cause. And...
Leo: That's an AI thing. I bet they did an AI patch. That's exactly what AI would do.
Steve: Well, it wouldn't take AI because we know they were doing this years ago, before AI. They just don't really care is what it really looks like. It's like, oh, look, you do this, and this happens. So let's...
Leo: Now it's all better.
Steve: Let's put a little jump instruction in there or something. It's like, so they're not fixing the underlying problem. They're just making what the security guy showed them in the proof of concept could happen stop happening. Anyway, oh, Leo, what a mess. At least 400 enterprises have been compromised.
Leo: Oh, it's got to be more than that. Some of them government, even, yeah.
Steve: Yes. Anyway, so the good news is, much as I've just said, there's a lot more to say. So we'll be getting to that. We're going to talk about the Brave browser randomizing fingerprints, the next version of the Brave browser blocking Microsoft Recall by default.
Leo: Yeah, I saw that.
Steve: In keeping with its, you know, its approach. Clorox, you know, the famous bleach company, they are suing their IT provider for - whoa - $380 million in damages.
Leo: What?
Steve: Uh-huh. And we're going to talk about like the back story there. We also have that six-month offer for Windows 10 users to extend their security patches. Those offers are beginning to appear. Some interesting stories demonstrating that warfare has really significantly turned to cyber. The Allianz insurance company, Allianz Life, has lost control of 125 million of its customers' data.
Leo: That's almost all of them. And by the way, I'm one of their customers. So I'm thrilled about this, yeah.
Steve: Uh-huh. And was it they who waited a year? I don't know. We've got a lot to talk about here. We also have the CIA's Acquisition Research Center website being hacked, and I think I know how. But the Pentagon says that the SharePoint RCE didn't get them, although again the gal, Katie I think her name is, didn't seem to quite understand what exactly happened here because she's like, oh, don't worry about it. Also we actually get a photo of a DPRK - you know, North Korea - laptop farm which is being used to impersonate Americans. Turns out that FIDO's passkey was not bypassed by a man in the middle.
Leo: Excellent.
Steve: As we reported it was last week.
Leo: Good news. All right.
Steve: And I raise the question, is our data safe anywhere?
Leo: No.
Steve: I'm coming to think no. It's just, you know, I don't want to give up, but still. The UK is now trying to backpedal out of Apple's ADP mess that it got itself into. Meanwhile, the EU resumes its push for what's called Chat Control. And then we're going to take a deep dive into what happened after Microsoft fumbled its patch of this very powerful Pwn2Own discovered exploit. So lots to talk about, and we've got I think a Picture of the Week that a lot of our listeners are going to get a kick out of. I know that it rang true for me. So I think maybe Leo this time we've finally got the hang of how to do this podcast thing.
Leo: 1036 episodes later, we've finally figured it out.
Steve: Maybe we're going to have a good one, yeah.
Leo: I'll tell you. I have not looked at the Picture of the Week. You will get my raw, unadulterated reaction.
Steve: You're going to - this is going to - you're going to go, uh-huh. You're going to get it.
Leo: Hey, thanks to Adam Puckett, who just shared a little bit of filthy lucre, 10 bucks. Thank you, Adam. I appreciate it. In our YouTube chat we are streaming live, as Adam knows, on YouTube and X.com and TikTok and Facebook and LinkedIn and Kick, your favorite Kick. And of course in our Club TWiT Discord. So if you're watching live, we'll see you in the chatroom. We're glad you're here. We appreciate it. Okay, Mr. G. I'm ready. I will scroll up the Picture of the Week.
Steve: So I gave this picture the caption "How many times have we witnessed exactly this behavior?"
Leo: Okay. I'm going to scroll up. And this will be me seeing it for the first time.
Steve: I'll let you read it silently to yourself, and then I'll tell everybody.
Leo: It's like a tweet or something. Okay.
Steve: Yeah.
Leo: That's brilliant.
Steve: Isn't it?
Leo: All right. I'll let you describe it.
Steve: And it's so true.
Leo: That is so brilliant.
Steve: This is a snapshot of a tweet from Annie, whose handle is @soychotic.
Leo: Which is a great handle, by the way. She obviously is very creative.
Steve: Soychotic. So Annie posts: "Every time I have a programming question and I really need help, I post it on Reddit and then log into another account and reply to it with an obscenely incorrect answer. People don't care about helping others, but they LOVE correcting others."
Leo: Oh, they do.
Steve: She said: "Works 100% of the time." And I've seen this happen, too. Somebody, there'll just be like this lonely posting on some programming forum that nobody replies to. It's just there.
Leo: It's hysterical.
Steve: You know, useful question, but nothing happened because people, you know, they just look at it and go, yeah. But oh, boy. You post a wrong answer, and everybody piles on. It's a feeding frenzy correcting this person who doesn't know what they're talking about.
Leo: You're going to get the reply guys in spades, yes.
Steve: So a little bit of brilliant reverse psychology there is, like, here's the answer. It's like, no, that's not right. Here's what's right. It's like, okay.
Leo: Okay, you're right. Thank you.
Steve: So anyway, I already got some great - the email went out to 18,121 people yesterday.
Leo: Jiminy.
Steve: Around this time. And a bunch of our listeners replied saying, yup, seen that myself. And I think several of them are going to adopt it now as their standard practice when they're looking for a reply. So, okay. Before I forget, as I did last week because this was two weeks ago, I wanted to acknowledge all of our listeners who wrote to let me know that the Brave web browser deliberately randomizes its browser fingerprints, that is, the fingerprints they're using, as reported by EFF's excellent Cover Your Tracks online testing facility, which we talked about a couple weeks ago. So for anyone who may have been a little unnerved and disturbed by the fact that, in my case, neither uBlock Origin nor Privacy Badger, both of which I was using in Firefox, were of any help in that regard. We went through all of the bits of significance that the EFF's Cover Your Tracks site was able to glean from running script on my browser to lock me down. And I was, what, I was unique among 244-some thousand browsers that they'd seen in the last 45 days. So the Brave Browser looks like the right answer for that. And that's a screenshot I have in the show notes, says "Blocking tracking ads?" Yes. "Blocking invisible trackers?" Yes. I had both of those on Firefox. "Protecting you from fingerprinting?" No. And that's where for me it said this browser is unique. So if you're using Brave, and you go to the Cover Your Tracks site, it says your browser has a randomized fingerprint. So thanks to our listeners, I wandered over to the Brave browser site to look around. And when I saw that the browser natively supports vertical tabs, that clinched the deal for me. I have made the switch to Brave, so we'll see how that goes. I'm not nearly as fickle as Paul Thurrott, who changes browsers as often as he changes his pants. But, you know, I've been using Firefox forever, as our listeners know. I'm now using Brave. So I've been very impressed with everything I've seen.
One thing that I immediately checked was one of my enduring annoyances with Firefox, which on Windows, is it 10 or 7, I'm not sure which, maybe both, anyway, it has this ridiculous refusal to allow me to simply drag a URL from the browser's URL bar into a Windows Explorer folder or to the desktop. I know that it won't let me do it under Windows 10. I'm not sure about Windows 7. The day before, on Saturday, I needed to save some URLs, so I was forced to copy the URL from Firefox over into Chrome, paste the URL into Chrome, then drag and drop the URL from Chrome into Explorer, which Chrome allows me to do. And I understand this is a security measure. But guys, please allow me to turn it off if it's interfering with my workflow, as it continually does. I've looked into disabling this nonsense. There is a way. Mozilla knows about this. There's a way to turn that off. You're supposed to be able to append to the command line that launches Firefox the option "--no-deelevate" because what's happening is Firefox's authorization, its security privileges are being deliberately de-elevated to protect the user from things that the browser might try to do if something malicious gets a hold of it. It doesn't work for me, apparently because there's also some interaction with my desktop's UAC settings. I'm sometimes annoyed by Microsoft also being overly protective because I know how to use Windows. So anyway, whatever the case, the bottom line is that the protection Firefox believes it's providing to me is not worth the hassle of not being able to simply drag and drop the URL of a page that I'm at into a folder. And neither Chrome nor Brave similarly harass me. So I imported my Firefox settings into Brave. That worked flawlessly. It allowed me to turn off the unnecessary title bar up at the top. Of course I had to reauthenticate to Bitwarden and relog into a few different sites. But I'm up and running now with Brave. And I'm happy.
So anyway, and the more time I spent looking around Brave's site, the more impressed I was about their philosophy and their approach. And, boy, if you look at the list of things that they tweak from the Chromium which Google uses, they've done a lot in order to Brave-ize the common open source Chromium browser template. So anyway, I'm liking it a lot so far. And by pure coincidence, a piece of welcome news regarding the Brave browser surfaced last week. I'm sure I would have shared it with everybody even if I hadn't become a Brave user myself. Anyone who might have been curious about Brave's stance on Microsoft Recall would have their curiosity satisfied by the headline which read "Brave blocks Microsoft Recall by default." They wrote: "Starting in version 1.81" - and the world is currently at 1.80. That's what I have under Windows 10. So starting with version 1.81 for Windows users, so it'll be the next update, "Brave browser will block Microsoft Recall from automatically taking screenshots," they wrote, "of your browser activity." They explain: "Microsoft first announced Recall in May of 2024 and immediately drew fire from security and privacy advocates. Recall saved full-screen screenshots every few seconds and stored them in a local plaintext database, leaving it open for exploitation by anyone, including malware, who had access to the machine. The outcry caused Microsoft to hastily roll back the feature and re-work it significantly. A year later, Recall is back, and Brave is ready for it. We will disable it by default for Windows 11+ users, with a toggle to turn it back on for users who really want Recall. "Microsoft has, to their credit," they wrote, "made several security and privacy-positive changes to Recall in response to concerns. Still, the feature is in preview, and Microsoft plans to roll it out more widely soon.
What exactly the feature will look like when it's fully released to all Windows 11 users is still up in the air, but the initial tone-deaf announcement does not inspire confidence. "Given Brave's focus on privacy-maximizing defaults and what is at stake here," they said, parens, "(your entire browsing history), we have proactively disabled Recall for all Brave tabs. We think it's vital that your browsing activity on Brave does not accidentally end up in a persistent database, which is especially ripe for abuse in high privacy-sensitive cases such as intimate partner violence." Wow. Okay. They said: "Microsoft has said that private browsing windows on browsers will not be saved as snapshots. We've extended that logic to apply to all Brave browser windows. We tell the operating system that every Brave tab is 'private,' so Recall never captures it. This is yet another example of how Brave engineers are able to quickly tweak Chromium's privacy functionality to make Brave safer for our users." And then they provided a list which is what I referred to earlier, which is just astonishing. I mean, it scrolls. It's just all these things they've done. They said: "For more technical details, see the GitHub issue for this feature. Brave is the only major web browser that disables Microsoft Recall by default in all tabs." And they finished by saying: "We were partly inspired by Signal's blocking of Recall. Given that Windows does not let non-browser apps granularly disable Recall, Signal cleverly uses the DRM flag on their app to disable all screenshots. This breaks Recall, but unfortunately also breaks the ability to take any screenshots, including by legitimate accessibility software like screen readers. Brave's approach does not have this limitation since we're able to granularly disable just Recall; regular screenshotting will still work," they said.
"While it's heartening that Microsoft recognizes that web browsers are especially privacy-sensitive applications, we hope they offer the same granular ability to turn off Recall to all privacy-minded application developers." So I don't know if I coined the phrase, which I'm now...
Leo: What could possibly go wrong?
Steve: No, the tyranny of the default.
Leo: Tyranny of the default. You did not coin that. That's been around for a while, yeah.
Steve: Anyway, wonderful. You know, I've been saying it for at least 20 years because it occurred to me...
Leo: Well, maybe you did, then.
Steve: I may have because, you know, it has been, it was one of our - maybe it was TNO, Trust No One.
Leo: That's another one, yeah.
Steve: But Mulder did have that on his poster down in the basement of the X Files. So I think that I probably picked that one up from Mulder.
Leo: Give the X Files credit, yes.
Steve: Exactly. Anyway, we know that defaults matter. And I have little doubt that Brave browser users will be glad to know that, regardless of anything else that might be going on, Microsoft Recall will not be able to snoop into their browser windows unless they explicitly choose to permit it. You know, all these things that Brave does, they're just defaults. So you can, if that's too much for you, you can back Brave away from that. Anyway, I sort of have a good feeling about this. I feel, you know, I feel a little self-conscious and kind of like I'm abandoning Firefox because I want to support Mozilla. But I like what Brave's doing. And so I'm there now. And we'll see how long that lasts.
Leo: Good. I think you did coin "tyranny of the default." If you coined that 20 years ago, I think you get credit.
Steve: We've been using it, I think, for the duration of the podcast.
Leo: Yeah. Okay. Wow. I'm going to give you credit from now on. I apologize.
Steve: So get this. In the wake of a whopping $380 million damages lawsuit being brought by the famous bleach maker, Clorox, against its IT provider Cognizant, it's foreseeable that future IT contracts will be adding some sort of maximum damages clause to their boilerplate because, wow, $380 million. Here's what the Reuters News Service wrote under their headline "Clorox accuses IT provider in lawsuit of giving hackers employee passwords." So they're saying that their provider was giving out Clorox's employee passwords. They wrote: "Bleach maker Clorox said Tuesday" - that's a week ago - "that it has sued information technology provider Cognizant over a devastating 2023 cyberattack, alleging that hackers gained access by simply asking the tech company's staff for its employees' passwords."
Leo: Gee, they were just trying to be helpful.
Steve: That's right. We wouldn't want you to get locked out of your accounts now, would we.
Leo: No.
Steve: "Clorox was one of several major companies," they added, "hit in August of 2023 by the hacking group dubbed Scattered Spider" - and we'll be hearing about them a lot during this next couple hours - "which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom. "The group is often described" - that is, Scattered Spider - "as unusually sophisticated and persistent, of being unusually sophisticated and persistent. But in a case filed in California state court last Tuesday, Clorox said one of Scattered Spider's hackers was able to repeatedly steal employees' passwords simply by asking for them."
Leo: Repeatedly. Repeatedly.
Steve: Repeatedly, yes.
Leo: I would sue them, too. That's not good.
Steve: "According to a copy of the lawsuit reviewed by Reuters, 'Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials over." Now, in an emailed statement, because Reuters said to Cognizant "What?," Cognizant pushed back, saying it did not manage cybersecurity for Clorox and was only hired for limited help desk services. They wrote, that is, Cognizant wrote: "Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed." Now, I'll leave it as a question for our listeners. Why, if that's true, did Cognizant have the ability to give out Clorox employee authentication credentials? Anyway, Reuters says: "Three partial transcripts included in the lawsuit obtained by Reuters allege conversations between the hacker and Cognizant support staff in which the intruder asks to have passwords reset, and the support staff complies without verifying who they are talking to, for example by quizzing them on their employee identification number or even their manager's name. "'I don't have a password, so I can't connect,' the hacker says in one call. The agent replies, 'Oh, okay, okay. So let me provide the password to you; okay?'" Do not hire these people, or do not give them access to your company's authentication. "Maxie Reynolds, a security expert who has specialized in social engineering and is not a party to the case, said: 'The apparent ease with which the hackers got what they wanted wasn't necessarily an indication that they weren't skilled. They just tried what typically works.' She said the full transcripts were needed to offer a full and fair evaluation of what happened in 2023, but said that, 'if all they had to do was call and ask straight out, that's not even social engineering.
And it is negligence/non-fulfillment of duty.' "The lawsuit said," wrote Reuters, "that the 2023 hack at Clorox caused $380 million in damages, about $50 million of which was tied to remedial costs" - that might have been them paying the ransom, if there was one, or maybe just restoring from backup, but how could that be 50 million? "And," they said, "the rest attributable to Clorox's inability to ship products to retailers in the wake of the hack."
Leo: Ooh, that's not good.
Steve: So they're saying 50 million in remedial costs and 330 million in lost revenue as a consequence of the downtime. "Clorox said the cleanup" - which, you know, Clorox would know all about cleanup; right? - "was hampered by other failures by Cognizant's staff, including failure to de-activate certain accounts or properly restore data." So it does sound like, if Cognizant was in charge of restoring data, again, not just help desk stuff. So it should be noted that Clorox is asking for - the fact that they're asking for $380 million in compensatory damages does not mean that's what they're going to receive from a court or a jury trial. Rarely do you get more than you ask for. However, just looking at Reuters' reporting of this, I am, and it's been made clear already, immediately skeptical of Cognizant's rebuttal. If, as they claim, they were only hired to perform limited help desk services, how did they have access to Clorox's network and the ability to reset employee passwords at will? You know, those limited help desk services don't appear to have prevented that. So anyway, my feeling is, with the ability, the capability to arbitrarily reset Clorox employee passwords comes responsibility to do so with proper oversight, which doesn't seem to be the case. What we clearly appear to have here is a case of outsourcing gone awry. Outsourcing, as we now know, everyone has seen this, right, is the new 21st-century business model. It's the idea of hiring for the services you need rather than growing them yourself in-house. It's got a name. It's formally called BPO, Business Process Outsourcing. It's now an industry, and frankly I'm not a fan. I understand the promise of agility and scalability. Today's startups typically are a small group of people with a bunch of contracts for the services that they need. But what about a company like Clorox? Really. Surely they could afford to operate and manage in-house IT services. But they've been around forever.
And I would wager they once did. Certainly they once did their own IT; right? They could afford to operate and manage in-house IT services, and they must have once. I would bet that some pencil-necked C-suite executive got greedy and decided to "trim the fat" and demonstrate how they could shave, what, half the cost of running IT in-house. And they may have reduced their IT operating overhead by half, who knows, right up until it cost them $380 million. So it's easy to point fingers at some lame IT contractor, and it certainly is worth asking why Cognizant - who don't appear to have been quite cognizant - were ever given the opportunity to screw up so badly. But in this business, you get what you pay for. And I'm not going to shed too big a tear for Clorox. You know, they clearly set themselves up for this. And but again, having, you know, outsourcing this means, you know, you get what you asked for. Leo, before we began recording, I think it's before we began, or I guess we were live but weren't recording, I was talking with you a little bit about the fact that for all of this year my wife and I have been involved in remodeling a home. I've had much more contact as a consequence of that with what has happened in the world to support, you know, where you need to call somebody to get some help with something. You need to widen this ship or where is this or that. It's really - we're in a sad state of decline.
Leo: But Steve, let's be fair. Did you outsource the plumbing?
Steve: No, actually. I have an amazing...
Leo: You did all the plumbing yourself?
Steve: Oh, okay, that's true. I'm not a plumber.
Leo: Did you outsource the carpentry? The thing is, it's not that the outsourcing is inherently bad. We outsource our IT because we're too small a company to have an IT department. And Russell has much more expertise, even though we're a technology company, than anybody in the company. They just hired the wrong company.
Steve: Yeah.
Leo: I don't think it's necessarily bad to outsource. I think that's actually often the best way to go, if you don't have the expertise. And especially in tech because there's such a land rush for skilled technologists these days. It's pretty hard to build your own IT department in a lot of companies because they can't afford these people. So maybe the problem is just that they didn't hire the right...
Steve: Well, that's clearly the problem; right?
Leo: Yeah.
Steve: You know. Or, and who knows, maybe Cognizant got so busy they had to grow.
Leo: They poorly trained their people, that's pretty clear.
Steve: Yeah.
Leo: Yeah. That's what really happened.
Steve: And I think many of their people sit in front of a screen, and the screen pops up, and they just push some buttons. You know? So there's no sense of loyalty. There's no connection. They don't know, you know, who Clorox is.
Leo: Yeah, but just because somebody is paid by Clorox doesn't make them loyal or effective, I've got to point out.
Steve: Yes.
Leo: So, I mean, I think this could happen internally as well as externally. I think it's poor training on Cognizant's part; and I think they are on the hook, as they should be, for this.
Steve: Yeah, yeah. There needs to be accountability.
Leo: Yeah.
Steve: Let's take a break, and then we're going to talk about the beginning rollout of Windows 10 ESU, the way Microsoft found of not terminating security updates this coming October.
Leo: Yeah, let's hope Microsoft isn't - maybe they should outsource their security. Might be that somebody else would do a better job. You ever thought of that? You ever think of that? On we go with the show, Steve.
| Steve: So we talked about this recently, and last Tuesday Windows 10 end-users will have begun, according to Microsoft, seeing the notices we talked about before. So here's what Microsoft posted about this last Tuesday. They said: "From modern security to faster performance and the latest features and experiences, Windows 11 is built to help you work, play, and create with ease. With support for Windows 10 ending on October 14th, 2025, we're here to ensure your transition is smooth, secure, and up to date." In other words, you know, you need to be moving to Windows 11. However, of course, as we know, half the world hasn't yet and shows no interest in doing so. Microsoft said: "We understand that moving to a new PC can take time, and we're here to support you throughout the process. Windows 10 Extended Security Updates (ESU) program is designed to keep your current Windows 10 PC protected after support ends, helping you stay secure during the transition. Starting today, individuals will begin to see an enrollment wizard through notifications and in Settings, making it simple to select the best option for you and enroll in ESU directly from your personal Windows 10 PC." Okay. Well, I've seen no sign of it so far. Six days after that announcement I went poking around in Windows 10, which has been fully updated, looking for any sign of this ESU offer. I couldn't find it. Nowhere in settings. I haven't received any notifications. So, you know, it's in rollout mode. I did check. I don't have one of the fancy MSDN long-term servicing versions. It's just Win10 Pro, or Enterprise, rather, so it doesn't have all the extra Win10 nonsense. So I would expect that people are going to begin to see this, and we'll have the option for moving forward. Now, maybe Enterprise, having just said that, maybe Enterprise won't be getting that because they'll be presuming that an enterprise version is part of an enterprise, even though I'm not hooked into Active Directory or anything. 
Anyway, for what it's worth, that'll begin happening. And as we know, we talked about this before, if you've been using Edge or Bing, you get Bing points in Windows. I already had, I think you need, what was it, 1900 Bing points? Anyway, I had more Bing points than I needed, so I qualified for six months of extended updates. Or, if you let Microsoft back your system up, back your system settings up into the cloud, then you qualify that way, too. Basically they're trying to give it away without looking like they're giving it away. So, again, six months of free updates for Win10, and you get to stay there. And after that, probably 0patch is the way people will be able to continue to stay secure even after Microsoft finally says, if indeed they do ever finally say that, okay, enough is enough, and we're not giving you anything more. We'll see. The following story appeared last Friday in the online news publication RBC-Ukraine. While we might expect there to be some nationalistic bias in their reporting of the facts, the facts reported do line up with that from other sources. Their headline was "Cyber blast in Crimea. Ukrainian intelligence crashes Russian occupation servers." And I wanted to share this because obviously there's just no longer any question whether Russia and Ukraine are at war. You know, it's no longer, what was that, limited military experiment or whatever it was? |
| Leo: It's been that for quite some time. |
| Steve: Yeah. |
| Leo: Yeah. |
| Steve: So this story shows just how "cyber" today's modern warfare has become. RBC-Ukraine reported: "Cyber specialists from Ukraine's Defense Intelligence (HUR) have carried out a large-scale special operation targeting the occupation authorities in Crimea. According to a Ukrainian intelligence source speaking to RBC-Ukraine, the operation lasted several days. A powerful DDoS attack effectively paralyzed the information systems and network infrastructure in Crimea." Now, that lines up with what we know of Ukraine's offensive cyber capabilities. They've previously demonstrated a number of times that they have the capability to launch and sustain significant DDoS attacks against their adversaries. The article continues, writing: "While the Russian occupiers were scrambling to identify the cause of the government systems' failure, Ukraine's cyber experts" - I'm pretty much sure, I have a feeling they knew the cause. "Ukraine's cyber experts infiltrated the electronic accounts of the leadership of the occupation administration in temporarily occupied Crimea." Okay, well, they're obviously spinning the facts here, but okay. They gained access to the following digital resources: the electronic document management system DIALOG, the systems SED and Delo, and accounting platforms 1C:Document Flow, Directum, and ATLAS. "Over two days, 100TB of documents belonging to the occupation authorities of the peninsula were downloaded. Among the files were 'top secret' documents containing data on military facilities and logistics routes used to supply occupying forces in Crimea. A Ukrainian source said: 'There's so much data extracted that we're about to learn a lot of explosive details about the operations and crimes of Russian occupiers in Ukrainian Crimea.'" After copying all valuable information, Ukraine's cyber specialists wiped all data stored on the servers of regional and district government bodies, ministries, and agencies of the occupation administration in Crimea. 
"The successful Ukrainian hacker operation did not go unnoticed in Moscow. Russia's State Duma has already labeled it an element of hybrid warfare. Meanwhile, the so-called Ministry of Internal Policy, Information and Communications of Crimea stated that 'Technical specialists are taking all necessary steps to restore services. However, some services may remain unavailable to users.' Notably, earlier this month, Ukraine's cyber specialists targeted the Russian company Gaskar Integration, one of the largest suppliers of drones for the Russian army. In June, Ukrainian hackers also attacked one of Siberia's largest Internet providers, Orion Telecom. And earlier, RBC-Ukraine sources reported that Ukrainian intelligence cyber experts hacked into the online system of Russian Railways. As a result, the official website of Russian Railways went offline." So I encountered another interesting piece of related news, which was that Russia has established free and open WiFi access zones so that their citizenry in Russia could continue to access the Internet where cellular services have been discontinued. It turns out that Russia has been forced to shut down large areas of cell phone service because Ukrainian drones were using those services for their navigation. So it's clear from all of this that the battlefield is becoming more and more cyber. Not only is more cyber technology being employed for kinetic military operations, but all nations have become quite dependent upon the convenience created by today's networking for operational management. The fact that nearly, well, apparently more than 100TB of bureaucratic, operational, and apparently some military data - some of it apparently marked "top secret" - were sitting on databases online and Internet-accessible would surprise no one today, but that doesn't make it any less irresponsible. 
You know, we've had fun through the years covering proof-of-concept stories where data was cleverly made to jump to and from air-gapped systems, Stuxnet by far being the most famous of those. But the practical truth is, air-gapping is a huge pain in the butt to employ, specifically because it works so well. Disconnecting things, like completely disconnecting them, works. It may not be perfect, but it actually doesn't need to be. Even if it only drastically limits the bandwidth available to leakage due to operator errors, even that would be a massive benefit. There's no way anyone is going to exfiltrate 100TB of data from a camera that can see the blinking activity lights on a network router. You know, when we've talked about, like, you know, monitoring the keystrokes of people typing, or bouncing a laser off of a balloon in a conference room and reconstructing the audio. Well, those hacks and gimmicks work, but they're not high-bandwidth. So I get the convenience of everything being connected. But with that convenience comes the liability of it being connected to everybody else. And what we talk about on this podcast so often, Leo, is authentication failure. You know... |
| Leo: Yeah. It's a hard thing. |
| Steve: It is. Well, it's arguably... |
| Leo: The hardest. |
| Steve: ...the hardest thing; right? |
| Leo: Yeah. |
| Steve: It's what separates the real world from the cyber world is the question, who am I really talking to? |
| Leo: My name is Steve Gibson. I forgot my password. Could you give it to me? It's just that easy, Steve. |
| Steve: Oh by golly, no problem. |
| Leo: Oh by golly. |
| Steve: Oh by golly. |
| Leo: Oh, we wouldn't want you not to be able to get in there, no, unh-unh. |
| Steve: Right. Wow. So while we're on the topic of being able to keep the data we have inside our networks from getting out, TechCrunch carried the news of yet another major data breach - and just wait till you hear who did it and how it happened. TechCrunch wrote: "U.S. insurance giant Allianz Life has confirmed" - yes, Leo - " to TechCrunch that hackers stole the personal information of the 'majority'..." |
| Leo: Almost all. |
| Steve: Uh-huh, "...of its customers, financial professionals, and their employees" - which sounds like a complete database breach - during a mid-July data breach. When reached by TechCrunch, Allianz Life spokesperson Brett Weinberg confirmed the breach. Brett said: "On July 16th, 2025" - that's 13 days ago - "a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life. The threat actor was able to obtain personally identifiable data" - you know, this is like an insurance company; right? - "related to the majority of Allianz Life's customers, financial professionals, and select Allianz Life employees, using a social engineering technique." Sound a little bit like Scattered Spider, maybe? Uh-huh. |
| Leo: Hi, my name's Mr. Allianz. I forgot my password. |
| Steve: It's right there in the title. It's right there in the title. Yeah. |
| Leo: We used them for years for our travel insurance. So I'm in their database many times. |
| Steve: Yup. "The company disclosed the data breach on Saturday in a legally required filing with Maine's" - the state of Maine's - "attorney general, but did not immediately provide a number of how many Allianz Life customers are affected. According to the spokesperson, Allianz Life has 1.4 million customers, while its parent company, Allianz, has more than 125 million customers worldwide. "Allianz Life said it notified the FBI, and added it had 'no evidence' that any other systems on its network were compromised." On the other hand, remember that we've also seen companies now telling their IT people "Don't look, please. Don't look for the evidence because you might have to swear under oath." Wow. "The insurance giant would not say if it had received any communication from the hackers, such as a ransom note." In other words, they're not saying no. They're just not saying. "The company also would not attribute the breach to a hacking group. "Allianz Life is the latest company in the past month to have been hacked during a wave of data breaches targeting the wider insurance industry, including Aflac, a major provider of supplementary health insurance. Security researchers at Google said in June that they were 'aware of multiple intrusions' across the insurance sector attributed to Scattered Spider, a collective of hackers and techniques that rely on social engineering, such as deceptively calling and tricking helpdesks into granting them access to a company's network." |
| Leo: Oh. |
| Steve: Imagine that. |
| Leo: Who would ever do that? |
| Steve: How could that possibly work? Who would fall for that, Leo? "Prior to targeting insurance companies, the Scattered Spider hackers were seen targeting the UK retail industry, as well as the aviation and transportation sectors, and are historically known for hacks targeting Silicon Valley technology giants. Per the Maine filing, Allianz plans to begin notifying affected individuals around August 1st." So Leo, you can look for the notice in your email sometime later this week or next week. Okay. So let's just step back for a minute here. I have a bit of a rant. Here we are again. As long as "I forgot my password" and, oh, I love this one, "I don't have my authenticator with me right now," remain acceptable options, we're just pretending to have security, and we're never going to move past our current online impersonation problems. I mean, really, what is the possible security benefit of even bothering with fancy, time-based, one-time token, identity authentication if "Oh, but I don't have it with me right now" is acceptable? Really. If you don't have it with you right now, that's just too bad. No login for you. Does that inconvenience you? Good! That's what you asked for. That's what you signed up for. That's what you said you wanted. It's because you want to also significantly inconvenience any bad guys that it might be that you will also be inconvenienced if for whatever reason you might be unable to produce the exact thing that you want no bad guys to be able to produce. You can't have it both ways. You either have true security, which might mean - and it would be on you - that you might be inadvertently locked out and be unable to log in when you're unable to meet the requirements you had previously arranged and agreed to. Otherwise, we have the world we're actually living in today. 
We're all in this world where we're allowed, the only thing available, is some feel-good security theater using an authentication system which would most fairly be described as "optional." Right? With optional authentication, not being able to produce the required magical six digits on demand simply means that it will be necessary to jump through some additional hoops to get yourself authenticated. That's all. The problem is, the bad guys are more than happy to jump through those same hoops. They wake up every morning in anticipation, wondering just how many hoops they're going to be able to jump through today? How many lazy fat Westerners' accounts are they going to hack today? But seriously, whenever I see one of those "I left my authenticator at home" links to click on underneath the authentication prompt, I just shake my head. Why even bother with it, if you don't need to actually use it? You know? A cool and underappreciated feature of the SQRL system was that after its user became comfortable with the system, they understood, they'd figured out how it worked, they'd backed up their single global encrypted identity, they could enable a feature in SQRL's user interface which requested every website they subsequently logged into with SQRL to please immediately, completely, and irrevocably disable every alternative login solution and plant a flag in the account to prevent any human agent from ever overriding authentication, no matter what anyone else ever says, and no matter how much anyone begs. That is what true security looks like. But the world is clearly still not yet ready to take their own security that seriously. And Leo, you know, when you step back from this, when you think about it, what's the cost of having that level of security? So you forgot your phone with your authenticator. So you can't log in to check your tweets. The world is not going to end. 
Life is not going to be over as you know it because you're unable to authenticate on some given instance. And the point is you have to not be able to authenticate because if you can, then anybody can, potentially. So again, a few, what, maybe it was some point last year I realized that using a password manager, or an authenticator, what it really was, was really just an accelerator. It made it easier and quicker to authenticate because it provided that stuff. But if you didn't have that stuff, you'd have to jump through a few extra hoops in order to authenticate. Many people, you know, just say, oh, I just forgot my password. They wait for a login link to be emailed to them, and then they log in that way. It's a little slower, but it works just the same. So it ends up being that email is actually the thing that we have to protect. Everything else is just theater. Anyway, I just - again, I see this, especially with an authenticator, you say, you know, I've added this. I want the extra protection. I want multifactor authentication. I'm going to do this. And then underneath the authentication is I don't have my authenticator with me right now. Really? |
| Leo: Put it in Bitwarden. Back, Mr. Gibson, to the show. |
| Steve: Okay, so, yes, thank you. The Washington Times last Thursday headline is "Hackers breach intelligence website used by the CIA." |
| Leo: Oh, boy. |
| Steve: That's right. |
| Leo: You'd think they'd know how to secure their website. Maybe they outsourced it. |
| Steve: One would hope that our CIA - yeah. |
| Leo: Oh, boy. |
| Steve: Okay. So I'm just going to share the intro of this. They wrote: "Unidentified hackers recently compromised a major intelligence website used by the CIA and other agencies to submit details of sensitive contracts, according to the National Reconnaissance Office, the spy satellite service that runs the site. "The breach targeted proprietary intellectual property and personal information submitted on the Acquisition Research Center website in support of several innovative CIA spying programs. A National Reconnaissance Office spokesperson told The Washington Times: 'We can confirm that an incident" - an incident - "involving our unclassified Acquisition Research Center website is currently being investigated by federal law enforcement. We do not comment on ongoing investigations.' Especially those that are embarrassing. 'The extent of the breach is not fully known, but people familiar with the activity said hackers likely obtained information on key technologies for CIA operations. "Other potential areas of compromise could include the Space Force, its efforts to build surveillance satellites and space weapons" - oh, boy - "and the Golden Dome missile defense program. Data from one highly sensitive program, Digital Hammer, was compromised, said people familiar with the hacking. Digital Hammer compiles cutting-edge technologies for human intelligence gathering, surveillance, and counterintelligence operations. The program focuses on the threat of Chinese intelligence and information operations." Anyway, the story continues at some length, so I put a link to the entire piece in the show notes for anyone who's interested in knowing more. It's unclear whether we're going to obtain more reporting on this, given that it's the CIA. 
But my hunch, just based upon the timing of the event and the nature of the breaches that are resulting from the exploitation of Microsoft's recent SharePoint disaster - which we'll be digging into when we get into today's main topic - I would not be surprised to learn that this CIA site, whose role and profile require it to be all about sharing files, might not have been another victim of that recent SharePoint zero-day remote code execution vulnerability. And I should note that this is not - this is unusual, but this is not a failure to update problem. Everybody who updated on Patch Tuesday got attacked. So it's not the CIA's fault, as we'll see. But it sure does fit the profile of a SharePoint breach. Now, the Pentagon, however, says no, they didn't get us. Speaking of the SharePoint hack, NextGov's headline last Thursday was "Pentagon not impacted by Microsoft SharePoint hack, says their tech chief." NextGov wrote: "The Department of Defense has not been ensnared by a broad intrusion into on-premises versions of Microsoft SharePoint, its chief information officer said Thursday. Katie Arrington said at the ATO and Cloud Security Summit on Thursday in a stage interview: 'As of right now, no, not that I'm aware of.' Arrington said she's been doing daily calls with Microsoft while the department has been conducting forensics investigations since the zero-day vulnerability was publicly identified this past weekend." Meaning a weekend ago. "Thus far," they wrote, "several federal agencies have been impacted, including the departments of Energy, Homeland Security, and Education. And up to a dozen federal agencies have been notified of possible compromise by CISA, the Cybersecurity and Infrastructure Security Agency, according to a source familiar. DHS issued a statement that its investigation into the hack remains ongoing, but 'there is no evidence of data exfiltration at DHS or any of its components at this time.' 
"Arrington said the latest series of hacks and attempted hacks reiterate the constant threats posed by state actors to U.S. and defense systems. When zero-day vulnerabilities which have not been previously uncovered and therefore give developers zero days to patch them" - not quite the case in this instance, but we'll get there - "are found, cybersecurity professionals need to act immediately and apply those patches." Well, everybody did in this case. "Arrington said: 'Russia, China, Iran, North Korea, are they going to continue? Yes. Are they going to look for any hole that they can find? Yes. It's a zero-day the day you found out about it. A patch was made that same day. And how fast we deploy the patches, how fast we work as a unified body to, I say, turn the lights on an adversary when they do something, that's how fast resilience will be.'" Okay. Now, I have no idea what any of that double-speak mumbo-jumbo there at the end was. But as we know, patches, especially from Microsoft, often take much longer than, to quote Katie, "that same day." But what I really wonder, seeing what she said here, is whether Katie is aware that this entire quite serious mess was primarily created because Microsoft botched and fumbled the original Patch Tuesday patch release by, once again, as I said, only patching a symptom and not the underlying cause of the vulnerability. Anyway, we'll be getting to that shortly. We have our first photo, Leo, of a DPRK laptop farm. Now, this was not a farm set up by the DPRK, you know, aka North Korea. Oh, no. This was a 50-year-old American woman. |
| Leo: Who was busted. |
| Steve: Who was busted. |
| Leo: Yeah. |
| Steve: I had formed an image, I guess in my mind's eye, when I'd previously discussed and described the so-called "laptop farms." |
| Leo: Doesn't live up to the image, does it. |
| Steve: No. No, the tchotchkes hanging from the right metal rack, and there's some purses and handbags and things. It's not exactly what I would - not your high-tech laptop farm. |
| Leo: I'm thinking this lady said to her friends, I found this great way to make money. |
| Steve: Uh-huh. |
| Leo: It's really easy to just send me the laptops. All I have to do is connect them to my Internet. |
| Steve: Uh-huh, put them on my WiFi. |
| Leo: Yeah. |
| Steve: You know, I had imagined something more glamorous than three metal wire racks containing about 30 assorted random-looking laptops with large fluorescent Post-it notes stuck on them. |
| Leo: That's probably the password on there, I'm sure. |
| Steve: Yeah, exactly, or to identify which one is which because you've got to associate them with your fake employees and so forth. |
| Leo: No, that's true. Yeah. |
| Steve: Anyway... |
| Leo: I bet she didn't do any of that, though, really. All they had to do was give them a U.S. IP address; right? |
| Steve: Probably, yeah. |
| Leo: Yeah. |
| Steve: So this is Christina Marie Chapman, recently sentenced to a term of eight and a half years in prison, probably will actually serve less on good behavior, for this operation of an illegal North Korean laptop farm whose purpose was to help North Korean IT workers pass, you know, spoof being U.S. residents. We've talked about this a number of times. This is an actual serious problem currently in the U.S. You've got to know who you're hiring when you're hiring remote online help as part of your "outsourcing." Altogether, the workers managed to land more than 300 jobs at U.S. companies and generated more than $17 million in revenue for the North Korean regime. And of course they are under sanction by the U.S., so this is all against the law. U.S. employers are not allowed to be paying North Korean workers anything; and, you know, it's a mistake if they do. So unfortunately, facilitating that illegal conduct will get you eight and a half years in prison. I wonder if it's, like, three months per laptop, Leo. |
| Leo: I hope she gets to bring her tchotchkes, that's all. |
| Steve: Yeah, that'd be good. Okay. So last week I shared a blog posting and a forensic analysis by Expel Security describing a remote, third-party, man-in-the-middle attack on FIDO authentication using passkeys. Given Expel's description of the process, which amounted to a classic real-time website intercept and forwarding attack, the only way this could have been possible was if it was not necessary for the passkey-equipped FIDO authenticator to communicate with the authenticating user's local desktop browser in real-time because the authenticating user would be the man in the middle, and the FIDO authenticator would be in the hands of the unwitting victim. As I noted last week, the nature of this vulnerability is well understood. You know, that's why in my case I had incorporated a SQRL client-to-browser link using the Localhost IP on that desktop to allow the user's browser to talk to the system's resident SQRL client. Now, many of our on-the-ball listeners wrote to say that they were pretty sure that in FIDO's cross-device authentication model this client-to-browser link was not optional and that it must be present, created by Bluetooth. And they are 100% correct. FIDO explicitly prevents this attack and will not successfully authenticate without a local Bluetooth link between the user's web browser and their cross-device authenticator. |
| Leo: Oh, that's smart. |
| Steve: Which means that what Expel described is impossible. |
| Leo: Yeah. |
| Steve: Now, given that, the presumably FIDO-based man-in-the-middle attack that Expel Security described having witnessed should not have been possible. It turns out that the attack was not possible and did not happen, at least not as they described. Last Friday the 25th they made another posting to their Threat Intelligence blog with the headline "An important update (and apology)..." |
| Leo: Whoops. |
| Steve: "...on our PoisonSeed blog," where they wrote: "On July 17th, we published a blog posting covering a recent incident we observed. On further review, we found our original findings are unsupported by the evidence." |
| Leo: Oh, boy. |
| Steve: "The original post described a new form of phishing attack that allowed an attacker to circumvent a FIDO passkey protected login. It stated that this attacker used cross-device authentication to successfully authenticate while not in close proximity to the authenticating client device. The evidence does show the targeted user's credentials (username and password) being phished and that the attacker successfully passed password authentication for the targeted user. It also shows the user received a QR code from the attacker. This QR code, when scanned by a mobile device, initiates a FIDO Cross-Device Authentication flow, which according to FIDO specification requires local proximity to the device which generated the QR code, the WebAuthn client. When properly implemented, but without proximity, the request will time out and fail. "So at the time of the original post," they wrote, "Expel believed the attacker successfully completed the authentication workflow, resulting in access to protected resources. After discussing these findings with the security community, we understand that this is not accurate. The Okta logs show the password factor passing successfully, but all subsequent MFA challenges failed, and the attacker is never granted access to the requested resource." So that solves the mystery. I am sure I also once knew that a Bluetooth link was required, and not optional, for FIDO cross-device authentication. And I'm very glad that's the case. But I got swept up in their report, which I assumed to be correct, and I doubted what I knew. I suppose I also gave away the fact that I'm not a frequent user of FIDO passkeys cross-device authentication, since anyone who likely deals with the need for Bluetooth linking all the time would be well aware of that requirement, as many of our listeners were. So we've got that figured out. 
And it is very good news, as you've noted, Leo, that the device must be in proximity to the browser, and that they have to communicate by Bluetooth link. |
| Leo: It just makes sense. |
| Steve: It does. |
| Leo: Yeah. |
| Steve: It does. So, okay. Is our data safe anywhere? |
| Leo: No. |
| Steve: Don't you start to get the feeling that our data is not in fact safe anywhere, and that no one can be trusted to keep anything we might disclose, and often need to disclose, like, you know, if we're dealing with hospitals to set up appointments and doctors and so forth? It's just not safe online. |
| Leo: Yeah. |
| Steve: So here's another example we can add to the pile, and talk about sensitive personal data. TADTS, those are the initials, TADTS, of The Alcohol & Drug Testing Service. As their name suggests, they perform drug and alcohol testing, and they do so for multiple U.S. states. Apparently not being in a great hurry - perhaps they were waiting for some statute of limitations to expire - the organization now admits that they were hacked, and that those bad hackers stole the highly personal alcohol and drug testing data of three quarters of a million users. 750,000 people... |
| Leo: Oh, my god. Oh, my god. |
| Steve: ...had their alcohol and drug testing service data stolen. Yup. And even more gallingly, they waited, the TADTS people, waited a full year to disclose this. They became aware of the data breach last July 9th, 2024. Which is why I wonder about some statute of limitations. The organization is only now notifying affected users, those three quarters of a million affected users. But don't worry. They're offering free credit monitoring, folks, to prevent the use of those highly confidential data which they were entrusted with, but turned out to be unable to protect a year later. |
| Leo: Oh, I hate it when - I just hate it when they do that. |
| Steve: You know, Leo, I have no plans to unplug from the grid and live in a cave. It turns out - you were speaking of plumbing earlier? My wife is a huge fan of indoor plumbing. |
| Leo: Yes. Yes, me, too. |
| Steve: It's so convenient. |
| Leo: I'm with her. |
| Steve: So it doesn't really seem as though the rate at which, I mean, doesn't it seem as though the rate at which we're losing this battle is accelerating? I mean, it's nuts. And I do feel, though, because we've been at this now for 20 years, I feel as though these are chickens coming home to roost. I mean, it does no one any good to say that we told you so. I mean, I'm speaking to the ether. I mean, our listeners are doing everything they can to be safe. Certainly they're very security concerned. No one can help it that underneath the authentication link or the authentication field is a link saying, you know, oh, I don't have my authenticator with me. Let's do something else. Okay, we didn't design these systems. But this is the consequence of the fact that security is really, not even has it never been taken seriously, it's still today not really being taken seriously. It's considered an inconvenience if someone can't log in. So we make it very simple. You know, the lowest common denominator is email. If you can get email, then you're okay. And unfortunately, that means, you know, oftentimes you could say, oh, oh, but I don't have access to my email right now, and I really, really, really, really, really, really, really have to log in. Please, can't you. Oh, well, okay. And then... |
| Leo: In that case... |
| Steve: Yeah, here's your password. They literally, in one of those examples I didn't share, but it was in the lawsuit, they reset the person's password to clorox123. |
| Leo: Oh. That's secure. You're going to change that as soon as you get home; right? |
| Steve: Yes. But it wasn't monkey123. |
| Leo: No. |
| Steve: It was clorox123. |
| Leo: Yeah. |
| Steve: So who could ever guess that? |
| Leo: Never could, no. No, never would guess that. |
| Steve: Okay. So thank god we have a bit of good news here. The Financial Times reporting is locked behind a paywall, but many other outlets are reporting on the Financial Times report. The Verge, being one of those, wrote: "The UK government is reportedly set to back down from its battle with Apple to obtain back door access to secure user data protected by the company's cloud encryption. Victory hasn't come through the courts," wrote the Verge, "or government figures changing their minds on privacy matters, but thanks to ongoing pressure," turns out, "from the U.S. during the two countries' trade talks." Turns out JD Vance, apparently, is not happy with this. "Multiple unnamed UK officials told the Financial Times that the UK government is working on a way out." |
| Leo: Good. |
| Steve: "One of those sources said: 'The Home Office is basically going to have to back down,' adding that Vice President JD Vance was especially opposed to the UK's demand, which may violate the Cloud Act treaty between the two countries, saying: 'It's a big red line in the U.S. They don't want us messing with their tech companies.' "Another official echoed that, explaining that the UK wants to avoid pushing too hard for 'anything that looks to the U.S. Vice President like a free speech issue.' A third official said the UK had 'its back against the wall,' and wants a way out. 'It's a problem of the Home Office's own making, and they're working on a way around it now.'" So this entire Apple Advanced Data Protection mess now appears destined to disappear. Now, that's great news, and hopefully politicians and their governments won't put themselves and the rest of the world through many more of these no-win stand-off cycles. They need to realize, at least as regards privacy, they cannot simply demand anything they want. The laws of nature are not theirs to establish. There are problems, no doubt about it, arising from the abuse and illegal conduct enabled by the powerful privacy protections created by encryption technology. But stripping privacy from everyone else, that cannot be the solution. |
| Leo: Yeah. If anybody's going to spy on U.S. citizens, it's going to be us. |
| Steve: Yes, we don't want - we're jealous of that privilege. That's right. |
| Leo: No Brits allowed. That's our job. Yeah, yeah. |
| Steve: Okay. There is a little bit of cloudiness on the horizon, however, because Denmark is reintroducing "Chat Control." You know how the control of the EU moves around from one EU state to another. EUToday posted the news under their headline: "EU Reconsiders 'Chat Control' as Denmark Reintroduces Controversial Encryption Scanning Bill." They write: "Known informally as 'Chat Control,' the proposal has re-emerged under Denmark's EU Council Presidency, which began on July 1st. Lawmakers are scheduled to debate the latest iteration of the bill on October 14th, 2025." Okay, now, we can hope that the EU takes note of the egg that the UK has ended up with on its face with reporting that they're now trying to backpedal and, oh, no, that's really not what we meant to do, because they've gotten themselves in a big mess. The reporting continues: "Originally introduced in 2022, but repeatedly stalled due to political opposition, the legislation seeks to impose obligations on messaging platforms - such as WhatsApp, Signal, and Telegram - to scan user content for child sexual abuse material (CSAM). If adopted, the law could lead to widespread" - now, this is interesting. "If adopted, the law could lead to widespread client-side scanning of messages before encryption, a measure that critics argue poses a serious threat to digital privacy and data protection." Okay, now, nobody wants that to happen. But as I've been noting earlier this year, the solution I can see to this, if we have to have one, is to employ device-side local AI to examine what's being sent. I get it. It's creepy. And it's a mess because, for example, parents ought to be able to take photos of their own young children without the police being alerted. But if this must be done, doing it device-side and not messing with encryption backdoors, to me that's the only way to get there. The article said: "The Danish Presidency has placed the proposal among its top legislative priorities." Yikes. 
"While no new text has been publicly released, Copenhagen has signaled its intention to find a compromise that balances law enforcement goals with legal and technical concerns raised by member states, civil society, and industry stakeholders." Well, good luck with that, of course. Nobody wants to have Big Brother spying on them, even if Big Brother is inside their own phone. The article said: "The European Commission originally tabled the regulation in May of 2022, aiming to bolster the detection and reporting of CSAM online. Despite its stated purpose, the proposal was criticized for its scope and method, particularly the inclusion of end-to-end encrypted services in the scanning regime. Attempts to pass the measure under previous presidencies, including Belgium and Poland" - so this is a hot potato that keeps getting passed around - "failed to secure a qualified majority in the Council. Belgium proposed a version in June 2024 that restricted scanning to shared media and URLs, contingent on user consent. Poland's February 2025 proposal classified scanning as a voluntary 'preventive' action. Though regarded by some experts as an improvement, it, too, failed to gain traction. "Denmark now assumes the role of broker, hoping to navigate between longstanding opposition from digital rights advocates and calls from several member states for stronger tools against online exploitation. The Danish Presidency's official program states its intention to 'strengthen the abilities to make use of the digital development for law enforcement when fighting serious crime, while also addressing the misuse of new technologies.' "Criticism of the CSAM bill centers on concerns about weakening encryption. Client-side scanning, central to earlier drafts of the proposal, involves monitoring communications on a user's device before encryption takes place. 
This method is seen by experts as equivalent to surveillance and is considered by many to be incompatible with the principle of confidentiality of communications enshrined in EU law. In 2023, the European Court of Human Rights issued a ruling that effectively prohibited states from requiring the weakening of secure encryption standards. This legal precedent, while not explicitly blocking the Chat Control proposal, adds a layer of complexity to its adoption and enforcement. "Digital rights organizations and privacy advocates have described the initiative as a disproportionate response to a serious problem. They argue that mandatory scanning mechanisms risk creating vulnerabilities that could be exploited by malicious actors and set a precedent for broader surveillance. At present, the contents of Denmark's revised proposal remain undisclosed." So we don't know what's going to happen in October when they bring this thing back up for discussion. Because, again, this hot potato gets passed around from country to country. Now it's in Denmark's lap. "Analysts suggest," they wrote, "that the fate of the bill may hinge on Germany's position. The new federal government has not yet indicated whether it would support the measure; and without its backing, a qualified majority may remain out of reach. According to Patrick Breyer, former MEP for the German Pirate Party and a vocal opponent of the proposal, the Danish Presidency's success will depend heavily on its ability to secure Germany's approval. Even if the CSAM proposal were adopted in October" - so adopted in October - "it would still need to proceed through trilogue negotiations with the European Parliament and Commission, where further amendments are likely. "The Chat Control bill is part of a wider series of initiatives by the EU aimed at giving law enforcement greater access to encrypted data. 
On June 24th [of this year], 2025, the European Commission unveiled the first phase of its ProtectEU strategy, which proposes the development of decryption capabilities by 2030." Which sounds ominous, "decryption capabilities." What? "The strategy is still at a conceptual stage, but indicates the long-term policy direction of the European institutions. "While efforts to curb the spread of CSAM enjoy broad political support, the methods employed remain contentious. The question facing EU lawmakers is whether security objectives can be met without eroding the privacy rights of European citizens. As the debate resumes under the Danish Presidency, it is clear that any legislative outcome will need to reconcile fundamental rights with the imperatives of public safety, a task that has so far eluded consensus." And Leo, I think it's impossible. |
| Leo: Yeah. |
| Steve: Right? I mean, what they're asking for, like everybody wants something that crosses a no-man's-land for the other side. You know? Basically they want censorship without censorship. Or they want censorship without any violation of privacy rights. They want to see what you're sending, but they don't want surveillance. Well, seeing what you're sending is surveillance. |
| Leo: Right. They don't want surveillance for themselves. |
| Steve: Right. |
| Leo: Which is the thing protecting us, frankly, because I don't think they care about surveillance for us. But, yeah. I worry that, I mean, governments are forcing these things through. Already in the UK they've got age verification requirements that people are already cracking. I can't wait till next week. I'm sure you'll talk about this. The story, they're using images from videogames. |
| Steve: I know. |
| Leo: There's a great website where you can enter in your British zip code, and it will give you the driver's license of your Member of Parliament to use for a fake ID. It's just - that's what happens, though, when you create these, you know, surveillance societies, you teach people how to get around them. |
| Steve: Yeah. |
| Leo: So let's hope we can get around it; right? |
| Steve: Yeah. Okay. We have some listener feedback after we take a break so I can recaffeinate. |
| Leo: Download your encryption tools today, boys and girls. You never know when they're going to outlaw them. |
| Steve: So... |
| Leo: It's feedback time. |
| Steve: Yeah. Mike Sander said: "Hello, Steve. New subscriber, long-time listener. You've mentioned over the years how you're still using Win7, and maybe Win10. With Win10 soon to go out of support, I wonder if you might consider discussing how you would (or not) use Win10 after October. The tech press seems to view this as a 'hair on fire' event. Perhaps I'm numb to the risks. I have never had any antivirus beyond Defender. To the best of my knowledge, I've never had a virus. I use Firefox pretty much exclusively. I really do not want to move to Win11 for a variety of reasons I'm sure I do not need to enumerate. Your views on this topic might be of interest to others who listen. Regards, Mike." So Windows 11, I've had some updated experience with it recently, is extremely pretty. I set up several dedicated Windows 11 machines at both of my development locations because I expected that I was going to need some time with Windows 11 before I'd be able to finalize the work on the DNS Benchmark under Windows 11. I assume that configuring Win11 for native whole-system encrypted DoH operation was going to drive the Benchmark crazy. But to my surprise, the new DNS Benchmark code all worked perfectly under Windows 11. In any event, Windows 11 was so pretty that for a while I was a bit seduced by it. But that wore off. I've seen too many postings by people asking how they can go back to Windows 10 after making what they come to feel was the mistake of moving to 11. So since I use Windows as my daily work platform, if I'm able to avoid losing any performance to rounded-corner animated zooming and fading Windows - lovely as they may be - and all the other stuff they've added that really doesn't matter to me, that's what I'm going to do. So I'll be sticking with Windows 10 for the foreseeable future. 
And given that I'm still using Windows 7, whose support ended more than 10 years ago on January 13th, 2015, and that Windows 10 has an even stronger following today than Windows 7 did back then, and that so many machines are compatibility-disabled to make the move to Windows 11, I suspect that Windows 10 will refuse to die. Like, you know, really stubbornly refuse. Having ridden the Windows 7 train, I've seen that at some point in the probably distant future, but eventually, the browsers will start refusing to upgrade themselves any longer. Right now Chrome won't, and Firefox won't, and I'm using a back version, the last version of Brave that would agree to run on Windows 7. So, you know, as I've said, browsers are the main attack surface for PCs today. So that'll eventually become a problem. You know, my Windows 10 machines operate behind two layers of NAT routing and a pfSense firewall. They're all on their own isolated LAN segments, separate from IoT devices, which are roaming around. And like you, Mike, I've never had a virus or a malware problem. It may be that my surfing is tame, and also that I never fail to treat the external Internet as a hostile foreign power. You know, I'm never in too big a hurry to put something through VirusTotal that I download and I'm not sure about before I open it or run it. And I do, you know, as much security checking as I can. Sometimes I'll actually launch something in a VM, if I'm not sure. So, yeah, I'm taking a lot of responsibility for my security. Given the maturity of Windows 10, which is significantly more now than Windows 7, I can't see any reason to feel pressured to move to Windows 11 only for the sake of an ongoing flow of security updates to repair the things they will be breaking in Windows 11. You know, having played with it for a while, I understand its appeal, Windows 11. It is truly lovely. But I don't plan to move. So I will be glad that Microsoft will finally stop, or has stopped, messing with Windows 10. 
They're going to leave it alone, so that it will have another six months of updates after October. Now we know that we're able to make it to April of 2026 before this really becomes a problem. And at that point I think that, if anyone was concerned, then the 0patch people will, as long as Microsoft continues to offer any updates, the 0patch guys will be reverse engineering those updates and offering them. So I think Windows 10 is going to continue for a long time into the future. Dennis Borntrager asked: "Does SpinRite 6.1 work on drives bigger than 2TB? I can't get it to do it." I'll just quickly say yes. It operates actually on drives up to 144,000 TB, as it happens. That's 48 bits of sector addressing. The 2TB limit comes about because of 32 bits of sector addressing and the use of older machine BIOSes. So I'm sure, Dennis, that you're attempting to connect a larger drive through USB on a machine with an older BIOS. If you just move to a machine with a newer BIOS, as many of our testers did during the development of 6.1, it'll run on a drive of any size up to 144,000 TB, which probably ought to hold everybody for the foreseeable future. Rick LaBanca said: "In your second zero trust example, I thought all you need to do" - oh, and he's talking about the one where we had the two customers of the one supplier and the four boxes for whether they've been allowed to purchase 100, 200, 300, or 400 of the items. He said: "I thought all you needed to do is hash the quantity sold and give it to each other. A match means the same amount sold, but the amount is not revealed." Okay. That's technically true. But Rick's question is a great example of why these zero knowledge proofs can be so tricky. The problem with his suggestion is that both parties could hash the various purchase quantities themselves to obtain the direct hash equivalents of those quantities. 
Then, if either party were to reveal the hash of their quantity, the other party would see which of the hashes had been provided, and they would immediately know the other's quantity. So in this case the hashes are just unique versions of the quantities. The reason we needed to jump through all of those hoops with the locked boxes and the paper slips dropped through the slots was to concoct an algorithm that would deliberately blind both parties to any knowledge other than whether or not they had purchased the same quantity. If not, they would still learn nothing of what quantity the other party had purchased, only that it wasn't the same as theirs. So interesting tricky problems. Lee MacKinnell said: "Hi, Steve. On your comment about needing cheap biometrics for age verification," he said, "my smartphone in Australia cost me $100 Australian dollars. It's a Samsung Galaxy A15. It's a current model, released on 16th of December 2023. It has a fingerprint sensor that I use with Bitwarden and passkeys. A flagship phone is not required. I bought this phone because it was affordable. Lee from Brisbane, Australia." Okay, now, I appreciate Lee's note, and I'm glad to know that low-end biometric-enabled smartphones are available. And Leo, when you were talking about people, like, spoofing their age authentication with a photo of somebody else or something, this is why every time I've talked about age verification I've included the phrase "unspoofable biometric age verification." Clearly, it's got to - there has to be a biometric binding between a person's actual age and their ability to verify that on the fly. I checked with the Internet, and it turns out that Best Buy... |
| Leo: How's the Internet doing these days? |
| Steve: Best Buy was willing to offer me a - oh, now it's taking dictation, whoops - was willing to offer me a... |
| Leo: Oh, you bought one. |
| Steve: ...brand new Samsung A15 for $39. |
| Leo: Nice. |
| Steve: With next-day free delivery. |
| Leo: Look at that. It's pretty. |
| Steve: I was astonished. It's got a side-mounted biometric fingerprint sensor, multiple cameras, a nice high-res AMOLED screen, connectivity via WiFi, Bluetooth, NFC - of course Android. That means that it could almost certainly serve as a full-featured authenticator. And a price of $40 would be hard to beat. I mean, I was astonished by the fact that a state-of-the-art Samsung Android smartphone could be had for 40 bucks. As I said, one of the biggest problems with age verification is that it's difficult to see how it can be done without biometrics. Verifying someone's age only makes sense at all if that verification can somehow be locked to their physical body. Any privacy requires that both the biometric lock and the real-time age verification with some, like, with a remote site all be performed locally, that is, if you're going to prove that you are the age you claim you are to an adult-only access site, you can't use a third-party site, otherwise you lose privacy. So it's got to be an assertion that your device is able to make of your age, in very much the same way that passkeys is able to make an assertion that you own the private key that is in your passkey. That's why I referred to FIDO the other day. This is very much a FIDO-esque problem, and it's why I talked about Stina and authentication. There's a lot of overlap here between passkey-style, prove that I own the private key directly in a two-party conversation. So what we need is we need a third-party one time to create that identity assertion. You know, you go to the post office. You go to the DMV. You go to a notary and show, you know, and prove who you are, show them a government ID, prove your age. They then allow you to create a binding with your device. And then there's some hope that this could happen. 
But anyway, I don't see any way that age verification can possibly be made available for no cost because of the need for some sort of biometric attestation, a facial recognition, a fingerprint, or whatever. So I don't know how we get there. And it's going to be interesting to see. And to your point, I have a feeling we're going to have lots of false starts before we finally solve this problem. Unfortunately. One last piece of feedback from a listener that just came in this morning, so I updated the original show notes to v1.1 so that I could include this, from Sable Cantus, who wrote "Regarding Project Hail Mary." He said: "Hi, Steve. Long-time listener, SpinRite owner, and SoCal native here." He said: "I was listening to the show when you were thinking about the movie adaptation. I just wanted to share that I think we'll be in good hands with this movie. Last Saturday, I attended San Diego's Comic-Con and went to the panel for 'Project Hail Mary.' Andy was there" - Andy Weir, of course, the author. "Andy was there with the directors, and Ryan Gosling, and the same screenwriter who wrote 'The Martian' adaptation, Drew [who we talked about before]. They spoke about the production and the storytelling. We watched a few clips, and the first five minutes of the movie. Andy Weir said that Ryan brought more depth to Dr. Grace than was written in the book. Andy stated that every number you see onscreen, every formula, even if it's blurred, was Andy's work by hand." |
| Leo: Wow. |
| Steve: "He made it clear that he spent hours verifying the science behind everything in the movie." Sable said: "I don't expect them to capture the entire journey of a huge book. I am impressed with what I saw at the panel. I don't think they're skimping out in any way. They did show the set for the tube, and that alone showed me they are not cutting corners. Keep up the good work, Steve. Live well and prosper. Sable." |
| Leo: Nice. |
| Steve: So I am hopeful, Leo, that we might get a great movie. Lorrie finished reading "Artemis." |
| Leo: Oh. |
| Steve: She said she was a little put off by the science because apparently it is deep in science, like, I mean, I'm in love with it. I'm just - I'm just starting... |
| Leo: That's what we like. |
| Steve: Yes. And the idea that aluminum smelting, which is going on on the moon, produces a huge excess of O2 and silicon... |
| Leo: Handy. |
| Steve: ...I think is very cool. And the fact that glass is made of silicon and O2. And so there's a glass factory. I mean, it's like, okay, that's hard science fiction. I mean, that's as hard as it gets. And I love it. |
| Leo: Yeah, Andy spent a lot of time thinking about what a moon colony would require, how you could make a sustainable moon colony. |
| Steve: It is wonderful. |
| Leo: Yeah. So you like - you're reading the book now, or not? |
| Steve: Oh, yeah. I am into "Artemis" now. |
| Leo: Okay. And you liked it. |
| Steve: Just the beginning. I have a hard time making time because there's so much other stuff I'm trying to get done. |
| Leo: Tell me about it, yeah. |
| Steve: Yeah. But I am absolutely 100%, I mean, mostly the guy is a writer. |
| Leo: He's a very good writer, yeah. |
| Steve: He really - and Lorrie is very choosy, and she said, as she put the book down, finishing it last night she said, "This guy is as good a writer as Michael Crichton." |
| Leo: That's good. |
| Steve: And that's, you know... |
| Leo: I'm glad to hear that Lorrie liked it because the protagonist is a woman. And, you know, a lot of times women say men can't write women. But I think he did a good job. And I'm glad to hear Lorrie liked it. That's good. That's good. Yeah. Good. Well, read it, everybody. I guess the movie version of that did not happen, or maybe it's still in the cooker. I don't know. |
| Steve: And Andy is working on another book. |
| Leo: Oh, good. |
| Steve: He's got one on the topic of AI. And it's going to be... |
| Leo: Of course he does. Of course he does. |
| Steve: ...his style, his humor, his science. And it's supposed to - apparently he's been a little stalled because he's very involved in the movie production of "Hail Mary." So that has slowed down his work on this next book. But it was expected in the spring of this year, so that means it's like, you know... |
| Leo: Almost done, yeah. |
| Steve: We're going to have another book from Andy probably, you know, I would imagine late - I'm just making this up - late summer, early autumn maybe, early fall. |
| Leo: Good. Well, I'll interview him when it comes out, if he'll have us. I have kind of a tradition. I've interviewed him for every book so far. |
| Steve: I bet he will. |
| Leo: Which makes me think, where's Daniel Suarez? What's his latest book? I feel like - because he did write a book about AI, I think, yeah. In fact, all his books have a certain amount of AI in them. "Kill Decision." |
| Steve: Oh, my god, yeah, yeah, yeah, the very first one. |
| Leo: Yeah. |
| Steve: We had the motorcycles and the drones and - yeah. |
| Leo: Absolutely, yeah. I guess I'll call Daniel, and I'll call Andy, and we'll see if we can get - that'd be fun to have both of them on. If I can get them both, or even if I just get Andy, I would love to have you on with us. |
| Steve: That'd be fun. You got me. |
| Leo: Yeah, yeah. Good. Deal. Let's talk about SharePoint. |
| Steve: Okay. So today's title, to remind people, is "Inside the SharePoint Zero-Day RCE." RCE of course, the abbreviation we all know, Remote Code Execution. The title leaves little room for misunderstanding. A remotely exploitable code execution vulnerability exists in all unpatched widely and long-used on-premises instances of Microsoft's SharePoint server. And it is known that more than 400 organizations have been attacked and hacked as a result of this flaw. Among the growing number of victims are several U.S. federal and state agencies, universities, and hospital chains. Because a trio of Chinese APT groups appear to be behind the attacks, we would perhaps not be surprised to learn that the U.S. federal victims include the U.S. Department of Homeland Security, get this, the U.S. National Nuclear Security Administration... |
| Leo: Not good. |
| Steve: Not good. |
| Leo: Not good. |
| Steve: ...and the NIH, the U.S. National Institutes of Health. For those who are not tied into the enterprise world and may not be intimately familiar with Microsoft's SharePoint, Microsoft says that SharePoint enjoys 200 million users. That's not servers. That's people using it. But here's how Wikipedia describes it in two lines. They said: "SharePoint is a web application by Microsoft that's primarily used for building an Intranet and managing and sharing files. Launched in 2001" - the year of the Space Odyssey - "it was initially bundled with Windows Server as Windows SharePoint Server, then renamed to Microsoft Office SharePoint Server, and then finally renamed just SharePoint. It can be used on premises or as a Microsoft 365 hosted service," you know, in the cloud. So this news was breaking while we were recording last week's podcast. I don't know why that's happening now, Leo, but like for - this is the second time, second week in a row. It's like, while, you know, like last week, while we were recording the podcast, CloudStrike's outage was - I mean Cloudflare, sorry, Cloudflare's big DNS outage was happening for an hour. So today's news, while we were recording last week's podcast. Anyway, enough time has now passed for the story to have taken shape. So I'm going to share first what WIRED wrote since it nicely places the story into context and provides some background. And after that we'll examine what the security firms who dug into this more deeply found. So WIRED said: "Hundreds of organizations around the world suffered data breaches as an array of hackers rushed to exploit a recently discovered vulnerability in older versions of the Microsoft file-sharing tool known as SharePoint. The string of breaches adds to an already urgent and complex dynamic. Institutions that are longtime SharePoint users can face increased risk by continuing to use the service, just as Microsoft is winding down support for this platform in favor of newer cloud offerings." 
In other words, as I said before, Microsoft is like saying, sorry, we're no longer going to support the things you bought from us in the past. Now you're going to have to subscribe to the same thing in the cloud. They wrote: "Microsoft said last Tuesday that, in addition to other actors, it has seen multiple China-linked hacking groups exploiting the flaw" - this is Microsoft acknowledging this - "which is specifically present in older versions of SharePoint that are self-hosted by organizations." In other words, using SharePoint Server 2016 and 2019, or maybe even older ones. "It does not impact the newer, cloud-based version of SharePoint that Microsoft has been encouraging customers to adopt for many years. "Bloomberg first reported on Wednesday" - that's last Wednesday - "that one of the victims is the United States National Nuclear Security Administration, which oversees and maintains U.S. nuclear weapons. "'On-premises' or self-managed SharePoint servers are a popular target for hackers because organizations often set them up such that they are exposed to the open Internet and then forget about them, or don't want to allocate budget to replace them." That sound familiar? Oh. "Even if fixes are available, the owner may neglect to apply them." This is WIRED magazine; right? This is not this podcast. We say that all the time. WIRED said: "That's not the case, though, with" - get this - "with the bug that sparked this week's wave of attacks. While it relates to a previous SharePoint vulnerability discovered at the Pwn2Own hacking competition in Berlin in May, the patch that Microsoft released earlier this month was itself flawed, meaning even organizations that did their security diligence were caught out. Microsoft scrambled this week to release a fix for the fix, or what the company called 'more robust protections' in its security alert." Now, I'll just pause to say this really shouldn't surprise us. 
We've covered in the past how Microsoft's current incarnation of security updates appears to focus upon implementing a quick fix for the symptoms, rather than addressing underlying systemic weaknesses. I don't know that that's what happened in this instance, but if it quacks like a duck. WIRED continued: "A Microsoft spokesperson wrote in an emailed statement: 'At Microsoft, our commitment, anchored in the Secure Future Initiative, is to meet customers where they are. That means supporting organizations across the full spectrum of cloud adoption, including those managing on-premises systems.'" Wow. Okay, talk about a statement that says nothing. Anyway, WIRED continues: "Microsoft still supports SharePoint Server versions 2016 and 2019 with security updates and other fixes, but both will reach what Microsoft calls 'End of Support' on July 14th, 2026." Well, okay. This is the 29th, so that happened. I'm sorry, 2026. So next year. What am I saying? This is 2025. So July 14th, 2026. So just short of one year from now, support for 2016 and 2019 SharePoint servers will end. They wrote: "SharePoint Server 2013 and earlier have already reached end of life and receive only the most critical security updates through a paid service called 'SharePoint Server Subscription Edition.'" Right. So you can subscribe to, as now Microsoft is doing, to receive extended support. WIRED wrote: "As a result, all SharePoint server versions are increasingly part of a digital backwater where the convenience of continuing to run the software comes with significant risk and potential exposure for users, particularly when SharePoint servers sit exposed on the Internet. 
"Jake Williams, a longtime incident responder who is Vice President of Research and Development at Hunter Strategy, said: 'Years ago, Microsoft positioned SharePoint as a more secure replacement for old-school Windows file-sharing tools, so that's why organizations like government agencies, maybe the CIA, invested in setting up those servers. And now they run at no additional cost compared to Microsoft's 365 subscription in the cloud that requires continuous payment.'" Okay, this is not me saying this. Again, this is somebody else. So no surprise. He says: "'So Microsoft tries to nudge the holdouts by charging for extended support. But if you're exposing a SharePoint server to the Internet,' he said, 'I would emphasize that you also have to budget for incident response because that server will eventually get popped.'" WIRED says: "The United States Cybersecurity and Infrastructure Security Agency said in guidance about the vulnerability Tuesday that 'CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life or end-of-service. For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.'" Now, the problem is, it's working, and it's been paid for. So when budgets are tight - and when are they not? - going through all the hassle of switching to a paid Microsoft cloud-based service, and then needing to continue paying for it, can be a difficult sell to upper management. As I've observed here recently, the entire model that's evolved across our industry of selling online software systems that are later found to have critical vulnerabilities and expecting their users to suddenly take proactive responsibility, or even be aware that there's a problem that needs their attention, is inherently impractical and is badly broken in practice. 
WIRED's author of this article apparently agrees, writing: "The ubiquity of Microsoft's Windows operating system around the world has led to other situations in which a long goodbye" is the way he put it, "a long goodbye has created security issues for holdout users and other organizations or individuals with connections to a vulnerable entity. Microsoft struggled to deal with the long tail of users on extremely popular Windows editions including Windows XP and Windows 7." And of course I would expect this whole drama to repeat itself with Windows 10, starting soon. WIRED wrote: "But legacy software is a challenge for any software or digital infrastructure provider. Earlier this year, for example, Oracle reportedly notified some customers about a breach after attackers compromised a 'legacy environment' that had been largely retired in 2017. Yet people were still using them. The challenge with a service like SharePoint is that it often acts as an ancillary tool without ever being the center of attention." Meaning it's just kind of there in the proverbial back closet somewhere, working and forgotten. "Bob Huber, Chief Security Officer at the cybersecurity company Tenable, says: 'For on-premises software like SharePoint, which is deeply integrated into the Microsoft identity stack, there are multiple points of exposure that need to be continuously monitored in order to know, expose, and close critical gaps.'" "When asked about the alleged breach at the National Nuclear Security Administration, the Department of Energy emphasized that the incident did not impact sensitive data or classified data. A DOE spokesperson told WIRED in a statement: 'On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA. 
The Department was minimally impacted due to its widespread use of the Microsoft 365 cloud and very capable cybersecurity systems.'" So a bunch of them had migrated to the cloud, but not all. He said: "'A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate.'" So maybe this incident has spurred people to move to the cloud. WIRED finishes, saying: "Microsoft did not immediately return WIRED's requests for comment about the process of sunsetting SharePoint Server. The company wrote in a blog post on Tuesday that customers should keep supported versions of SharePoint Server updated with the latest patches" - although that didn't help in this case - "and turn on Microsoft's Antimalware Scan Interface, as well as Microsoft Defender Antivirus." Unfortunately, as we saw, and we're going to get some more information on this now, Microsoft fumbled and botched the security patch. During May's Pwn2Own competition, which we covered at the time since it was the first time Pwn2Own had been held in Berlin, having moved from Toronto, a researcher with the cybersecurity arm of Viettel, a telecom firm run by Vietnam's military, identified a SharePoint bug dubbed "ToolShell" and demonstrated a way to exploit it. That discovery won the researcher an award of $100,000. But here's where the plot thickens: Exploits discovered by security researchers remain explicitly secret. We only learn that there is a flaw and of its general nature, and nothing more. As part of the researcher's agreement, they confidentially provide all required information to Trend Micro's Zero-Day Initiative team, which then in turn forwards that information to the affected software vendor with a 90-day time expiration on that zero-day flaw being patched. The publication, we all know The Register, theorizes that the exploit may have leaked from Microsoft. I don't buy into it completely, but here's what The Register said. 
They said: "Less than two months later, on July 8th, Microsoft disclosed the two CVEs - 49704, which allows unauthenticated remote code execution, and 49706, a spoofing bug - and released software updates intended to patch the flaws." So July 8th was Patch Tuesday, earlier this month. The Register wrote: "But mass exploitation had already started the day before, on July 7th." Now, that's not true. Some exploitation had started, not the mass exploitation. "Dustin Childs," quotes The Register, "head of threat awareness at Trend Micro's Zero Day Initiative, said: 'Sixty days to fix isn't a bad timeline for a bug that stays private and stays under coordinated disclosure. What is bad is that a leak happened.'" Which may have been true. Again, no proof of it. "Patch Tuesday happens the second Tuesday of every month," writes The Register. "In July, that was the 8th. But two weeks before then, Microsoft provides early access to some security vendors via the Microsoft Active Protections Program (MAPP). These vendors are required to sign a non-disclosure agreement about the soon-to-be-disclosed bugs, and Microsoft gives them early access to the vulnerability information so that they can provide updated protections to customers faster. "Childs [with Trend Micro] said: 'The first MAPP drop occurs at what we call r minus 14,' meaning 14 days before release. Release minus 14. 'In this case that was June 24th. Then on July 7th'" - which was one day before the Patch Tuesday, he said - "'we started to see attacks.'" Again, not apparently mass and widespread. "'July 8th, the patches were out and were almost immediately bypassed.'" Well, they were almost immediately bypassed for another reason. "ZDI," writes The Register, "along with other security providers, poked holes in the initial patches [true] and determined that the authentication bypass piece was too narrow, and attackers could easily bypass this fix. 
In fact," writes The Register, "anyone who received the early MAPP information about the CVEs and software updates would be able to tell that this is an easy way to get past it." I want to make sure I don't forget to mention that once the Patch Tuesday patches came out, they were immediately diffed, you know, differences made, and the patches were reverse engineered from the diffs, not from any MAPP, or not necessarily using any MAPP advance information. So, you know, a lot is still unknown. The Register finishes, saying: "On July 18th, Eye Security first sounded the alarm" - so it was on the 18th of July, 10 days later, 10 days after Patch Tuesday that the actual "large-scale exploitation of a new SharePoint remote code execution vulnerability chain in the wild" was seen. "And one day later, that's when Microsoft warned SharePoint server users that three on-prem versions of the product including a zero-day flaw was under attack, and that its own failure to completely patch the holes was to blame." Okay, but there's more: Shodan shows that around 8,000 SharePoint servers in use by auditors, banks, healthcare companies, major industrial firms and U.S. state, federal and international government bodies are in use. 8,000. In other words, it's a mess. The 8,000 figure might be conservative because The Shadowserver Foundation, which continuously scans the Internet for potential digital vulnerabilities, put the number at a little more than 9,000, cautioning that that figure is a minimum, that is a minimum of more than 9,000 instances of SharePoint, of vulnerable SharePoint on the Internet, meaning that they were able to confirm that 9,000 figure, and there's likely more. The Shadowserver Foundation said most of those affected were in the United States and Germany. The last thing I want to share is some of the very interesting reporting by the researchers at Eye Security. Those were the first people to report this, to report that basically the attacks went viral. 
And the last thing you want is to hear that a zero-day remote code execution vulnerability attack has gone viral. Remember that the first known instance of exploitation occurred on the day before the July 8th Patch Tuesday, which was exactly three weeks ago today, as we're recording today's podcast. The Eye Security researchers wrote: "On the evening of July 18th, Eye Security was the first to identify large-scale exploitation of a new SharePoint remote code execution vulnerability chain in the wild. Demonstrated just days before on X" - which is what used to be called Twitter, the X platform - "this exploit is being used to compromise on-premise SharePoint servers across the world. The new chain we uncover in this blog was later named" - and then they updated CVEs. Microsoft had the first round of CVEs. Then when they fixed the fix, they gave them CVEs 53770 and 53771. They wrote: "Before this vulnerability was widely known last Friday, our team scanned over [get this] 23,000 SharePoint servers worldwide. In total" - at that time, that is, again, before this vulnerability was widely known last Friday - "they discovered more than 400 systems actively compromised during four confirmed waves of attack." So four confirmed waves of attack. They enumerate them. The initial attack wave, 17th of July at 12:51 UTC, coming from IP 96.9.125.147. They think that was a testing wave to verify their exploit. Then there was attack wave one, the next day, on the 18th of July at 18:06 UTC coming from a different IP, 107.191.58.76, and that one was widely successful. The next, the third wave, the second big attack wave, the following day, the 19th of July at 07:28 UTC originating from IP 104.238.159.149. And then multiple smaller waves on and after the 21st of July after a public proof-of-concept exploit script was released on GitHub. So basically the world knew about it at that point. 
And remember, all of those attacks were effective against both unpatched, that is, never before patched, and then fully patched post-Patch Tuesday SharePoint servers. So there was a 10-day window from July 8th through July 18th when these attacks were effective, and even after the 19th, before the updated update got out to everybody. So in this instance, it was Microsoft's significant fumble of the initial patches that were readily bypassed because they were merely cosmetic symptom-covering patches of the sort that we've seen before. There are postings on the 'Net by people saying that they "diffed" Microsoft's Patch Tuesday patches, that is, not members of the MAPP program who received them two weeks before Patch Tuesday, but they got the Patch Tuesday updates, found out what the differences were that affected SharePoint Server, and then reverse engineered the patches and wrote code to side-step the imperfect fixes that Microsoft had attempted to implement in Patch Tuesday. So basically Microsoft made things much worse by poorly patching SharePoint Server on Patch Tuesday because then everybody else in the world was able to see what they changed, take a close look at it, and see that Microsoft had not actually fixed the problem. Note also that Microsoft's updated patches which do now, the updated patches, do now actually resolve the problem, those only cover SharePoint Server 2016 and 2019. SharePoint Server 2010 and 2013, which are on the Internet, remain vulnerable, and no patch for those is expected. So they must either be isolated from the public Internet or shut down. Okay. So what, exactly, and this is really cool because it's a sort of a here's how, like, exactly what happened. Here's what the Eye Security guys saw that led them to this whole thing. They wrote: "Early in the evening, our 24/7 detection team received an alert from one of our CrowdStrike Falcon EDR deployments at a specific customer. 
The alert flagged a suspicious process chain on a legacy SharePoint on-prem server, tied to a recently uploaded malicious .aspx file. At first glance, it looked familiar. A classic web shell, obfuscated code in a custom path, designed to allow remote command execution via HTTP. We've seen many of these before. What made this one stand out, however, is how it got there. "Our first hypothesis was mundane but plausible: a brute-force or credential-stuffing attack on a federated Active Directory identity, followed by an authenticated upload or remote code attempt using valid credentials. The affected SharePoint server was exposed to the Internet and tied to Azure AD using a hybrid ADFS. That stack, when misconfigured or outdated, can be a dangerous combination. It all seemed to confirm the theory: credentials compromised, shell dropped, persistence achieved. "But examining the IIS logs [the web server], examining the IIS logs more closely, we noticed that the Referer was set to /_layouts/SignOut.aspx. That's odd," they wrote. "How can that be an authenticated request, just after the user has logged out? Something didn't add up. We found no successful authentications in ADFS logs, or the logging was at least insufficient. Malicious IIS logs did not contain a value in the username column. A POST request to /_layouts/15/ToolPane.aspx seemed rather specific. Referer set to /_layouts/SignOut.aspx cannot be authenticated; right? "We began to develop a feeling that credentials were never used. So how could the attacker write files to the server, without ever authenticating at all? That's when we realized we were no longer dealing with a simple credential-based intrusion. This wasn't a brute force or phishing scenario. This was zero-day territory. 
"After some digging, we learned that, three days earlier, the offensive security team from Code White GmbH demonstrated they could reproduce an unauthenticated RCE exploit chain in SharePoint, a combination of two bugs originally presented at Pwn2Own Berlin earlier this year in May. Those bugs were still present in the patched SharePoint Server. They dubbed the chain ToolShell. What we discovered on the 18th was not a credential issue. We had stumbled upon a weaponized Pwn2Own exploit already being used in the wild. "When our team began reviewing the impacted systems, we expected to find the usual suspects: standard web shells designed for command execution, file uploads, or lateral movement. Instead, what we discovered was more subtle and arguably more dangerous, a stealthy spinstall0.aspx file whose sole purpose was to extract and leak cryptographic secrets from the SharePoint server using a simple GET request. "This wasn't your typical web shell. There were no interactive commands, reverse shells, or command-and-control logic. Instead, the page invoked internal .NET methods to read the SharePoint server's MachineKey configuration, including its ValidationKey. These keys are essential for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity. "Then it all clicked. Once the MachineKey configuration, including the ValidationKey, had been obtained, future payloads can embed any malicious commands and would be accepted by the server as trusted input, completing the RCE chain without requiring any credentialing. This mirrors the earlier SharePoint design weakness exploited four years ago in 2021, but it's now been packaged into a modern zero-day chain with automatic shell drop and full persistence, with zero authentication. 
"More than 24 hours after we published our initial findings and reached out to affected vendors, including Microsoft, the Microsoft Security Response Center issued an official advisory and assigned vulnerability identifiers. On their page, Microsoft confirmed active exploitation in the wild and acknowledged the severity of the issue." They make one final crucial point, due to the fact that this is a MachineKey exfiltration attack. They said: "The attack we've observed specifically targets the exfiltration of SharePoint server ASP.NET machine keys. These keys can be used to facilitate further attacks, even at a later date. It is critical that affected servers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers. Patching alone is not enough. If you are not targeted, or you are unsure, we also advise teams to rotate their Machine Keys just to be sure. It has no system impact, only that IIS is offline for some seconds while restarting services." So we don't know how many systems, enterprises, organizations, and networks have been compromised as a result of Microsoft's botched patches for the original Pwn2Own zero-day. But that number lies somewhere between the 400 that have been confirmed and the 9,000 that were known to be vulnerable by the Shadowserver Foundation. And the attackers were aggressive and automated. This is a great deal of damage, and the ransomware demands have already begun. As an industry, we need to do better. We need to change the model. And of course this has been an important high-profile incident, so much so that individual reports have now been published by Broadcom Symantec, CISA, Cisco Talos, Censys, Check Point, CrowdStrike, Eye Security, Logpoint, Microsoft, Orange, Palo Alto Networks, Qualys, SentinelOne, Tenable, Trend Micro, and Varonis. In other words... |
| Leo: Some or all of whom are sponsors of this show. I'll make it easy. |
| Steve: ...pretty much everyone in the business. |
| Leo: You know, one sysadmin or security researcher said you should just assume that, if you are running on-prem SharePoint, that you are compromised. You should not assume that you're not. |
| Steve: Yes. Yes. Unplug, repatch, update patches, rotate your keys. And then of course you need to worry about, if something crawled in, where else might they... |
| Leo: Yeah, they may have already breached the rest of your network. |
| Steve: Yeah. |
| Leo: That's why I set up my Thinkst Canary, our sponsor Thinkst Canary's honeypot to be SharePoint 10. Just, you know, just to see. That's one of those things. Nobody on the outside's going to get into it. But if somebody is in our network, that's the first thing they'd go to. Oh, I know how to hack that. Because that was unpatched. Anyway, what fun. Not for the poor 9,000 people who run on-prem SharePoint, but... |
| Steve: And so I imagine, you know, this'll push some people into the cloud. |
| Leo: Yeah, but if you're the, you know, if you're in charge of the nuclear weapons, you probably don't want to run in the cloud; right? You probably want on-prem. But maybe you should stop using... |
| Steve: Cloud's got its own problems. I mean, it was all of the people who had their email in the cloud that had China reading their email. |
| Leo: Right. Oh, lord. Gail Poco in our YouTube chat says Pwn2Own was in Vancouver, not Toronto. I don't know. Maybe he's Canadian, and he cares. I don't know. But it was in Vancouver. |
| Steve: Oh, oh, yeah, yeah, yeah, yeah. Thank you for the correction. |
| Leo: Yeah, I know what you meant. You meant Canada. |
| Steve: I meant Canada. And of course I have such fond memories, Leo, of you and me in Toronto when you first proposed... |
| Leo: In Toronto and Vancouver. |
| Steve: When you first proposed that we do this podcast. |
| Leo: We started this show in Toronto. |
| Steve: Twenty years ago. |
| Leo: Yeah. You must have come to the lab and... |
| Steve: You were bored, Leo. And you are no longer bored. |
| Leo: I don't have enough to do, Steve. I merely work five days a week, a month. |
| Steve: Yeah, and you had the weekend show, the weekend radio show, and you were just at loose ends, you know. And you said, "Let's do a podcast. What do you think?" |
| Leo: And you said, "What's a podcast?" |
| Steve: I did. |
| Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2025 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. |
| Last Edit: Aug 04, 2025 at 13:04 |