SN 748: Our Malware Lexicon

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

1 Like

The story broke last Friday and by that time Xiaomi had also made a press release. But very few blogs seem to have picked it up, instead they all said there was no response from Xiaomi. I’m not sure what was going on.

The first report I read was from El Reg, which included the official Xiaomi press release, but every report I’ve read or heard since then says that Xiaomi hasn’t responded, which I find very curious. I’m not a Xiaomi customer and I’d never use one of their cameras, but the reporting seems very bias in this case.

Xiaomi’s press statement said they made some changes to the cache system on their server for people with slow internet connections to improve quality and who were attached to Google’s Home Hub system. They said that that was a total of just over 1,000 people with this connection and a lower number of those had low-bandwidth connections.

They have cured the problem, but they are leaving the connection to Google’s systems closed until Google and Xiaomi can get to the root cause.

The problem doesn’t affect people using Xiaomi’s own Mi Home app to control the $38 cameras.

Also, I think Steve misinterpreted the Microsoft conclusion on RDP. Most of what he says is true - don’t expose RDP directly, go through VPN etc.

  1. RDP is a “secure” protocol, in that it is encrypted.
  2. Microsoft say that you should monitor specific events. Steve went off on one talking about secure doors and flimsy doors, which the secretary keeps an eye on. The reality is very different. Generally, you don’t have someone pouring over the logs, looking for these events. Most businesses have Icinga, Nagios, PRTG etc. running on their networks and they monitor key metrics about the network - machine availability, network throughput, drive space and health and, among other things, you can check the remote machines’ event logs using WMI to read out specific events. You set a threshold on those to trigger an alarm if, for example, an unusually high number of failed attempts to login to an RDP server are recorded.

This is very common in most businesses that take service reliability and security seriously. This is just adding an additional metric to your existing setup. Obviously, such a company probably doesn’t have RDP exposed directly to the Internet either. But where it is necessary, for some reason, this check will give your admins a quick heads-up when an attack starts.

Hearing Steve talking about warrant canaries reminded me that it isn’t the first time the idea of passive warning has been used, where to actively warn would be obstruction of the law.

In the UK, the Automobile Association was formed at the beginning of the 20th century to protect the interests of motorists, particularly against the speed traps that every rural police force was throwing up after the introduction of a national 20mph speed limit. All the members carried a badge on their cars, and the roadside staff saluted any car with the badge.

Around 1910, one of their “motor scouts” was convicted and fined after signalling a member to stop and warning him of a speed trap. So after that, all the members received a notice in the mail:

Of course, if a member did stop and ask, the answer was “speed trap ahead, sir” - but that was legal.