SN 943: The Top 10 Cybersecurity Misconfigurations

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

With regard to ECH, we use an AV solution at work, which uses its own certificate to MITM every connection.

This really irritates me, as I use the site certificate to work out whether I am at the genuine site or a fake.

But, on the other hand, 60% of our malware warnings are drive-by downloads being blocked by the AV solution - and it is often adverts being served on reputable sites that are the problem.

The other 40% is emails.

I don’t think we’ve had a single instance of users using USB sticks etc. and bringing malware into the company. Our users are generally very good and get them checked first, if they don’t destroy the sticks themselves.

I had one of our sales reps give me a stick that he got from a prospective customer at a trade show in China. He said his colleague had used a hammer to destroy his stick as soon as they got outside the convention centre, but he was curious whether the stick was legit or not.

I put it into an isolated PC - booted into desinfec’t and signatures updated, before being removed from the network for testing. The stick was empty, apart from a hidden rootkit.


I am surprised that some of these misconfigurations are still a thing. USB can be blocked, with some exceptions, pretty easily, so plugging in USB sticks you’ve found in the car park shouldn’t be an issue, or at least it wouldn’t be if you’d blocked all USB devices except those you trust.
If we prevented AV makers from being able to stick a root cert in your certificate store, or whatever, then how would you do content filtering? And, now I think about it, would ECH not break adblockers if the adblocker is unable to see what website the client is connected to?

1 Like

Malware sticks identify themselves as standard HID devices, i.e. a keyboard.

Ah, I see how that’d be a problem

1 Like
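The two points above (block every USB device except those you trust, and a "stick" that enumerates as a keyboard) fit together as one policy check. The following is an added example written for this thread, not code from the show or from any poster; it is loosely modelled on the allowlist style of tools such as USBGuard but is not that project's code, and every vendor ID, product ID, serial and inventory entry in it is constructed for the example.

```python
"""Added example: allowlist-based USB device policy check.

Models the control discussed in the thread: block every USB device except
those an organisation has inventoried, and treat a device that matches an
inventoried storage stick but also enumerates as a keyboard (HID) as a
policy violation. All device records, IDs and serials are constructed.
"""
from dataclasses import dataclass

# USB interface class codes from the USB-IF class code list
CLASS_HID = 0x03           # keyboards, mice
CLASS_MASS_STORAGE = 0x08  # flash drives


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: tuple  # every interface class the device exposes


# Hypothetical inventory: (vendor_id, product_id, serial) -> interface
# classes the device is expected to present. Anything else is blocked.
ALLOWLIST = {
    (0x1111, 0x0001, "CORP-STICK-0042"): frozenset({CLASS_MASS_STORAGE}),
    (0x2222, 0x0010, "CORP-KBD-0007"): frozenset({CLASS_HID}),
}


def evaluate(device, allowlist=ALLOWLIST):
    """Return ('allow' | 'block', reason) for one enumerated device."""
    key = (device.vendor_id, device.product_id, device.serial)
    expected = allowlist.get(key)
    if expected is None:
        return "block", "device is not on the allowlist"
    unexpected = sorted(set(device.interface_classes) - expected)
    if unexpected:
        # The storage identity may match the inventory, but an extra
        # keyboard interface is exactly what the thread warns about.
        classes = ", ".join(f"0x{c:02x}" for c in unexpected)
        return "block", f"allowlisted device exposes unexpected interface class(es) {classes}"
    return "allow", "device matches inventory and expected interfaces"


def evaluate_all(devices, allowlist=ALLOWLIST):
    """Evaluate a batch of enumeration events -> list of (serial, verdict, reason)."""
    return [(d.serial,) + evaluate(d, allowlist) for d in devices]


# Constructed enumeration events for demonstration
SAMPLE_DEVICES = [
    UsbDevice(0x1111, 0x0001, "CORP-STICK-0042", (CLASS_MASS_STORAGE,)),             # inventoried stick
    UsbDevice(0x2222, 0x0010, "CORP-KBD-0007", (CLASS_HID,)),                       # inventoried keyboard
    UsbDevice(0x3333, 0x00AA, "UNKNOWN-1", (CLASS_MASS_STORAGE,)),                  # found in the car park
    UsbDevice(0x1111, 0x0001, "CORP-STICK-0042", (CLASS_MASS_STORAGE, CLASS_HID)),  # cloned identity plus keyboard
]

if __name__ == "__main__":
    for serial, verdict, reason in evaluate_all(SAMPLE_DEVICES):
        print(f"{serial:18} {verdict:5} {reason}")
```

The check is intentionally default-deny: the unknown stick is blocked for not being inventoried, and the fourth record is blocked even though its identifiers match a trusted device, because identifiers can be cloned while the interface list reflects what the device actually presents. In a real deployment the inventory lookup and interface list would come from the host's USB enumeration (udev, USBGuard, or an endpoint agent), and this evaluator would sit behind that rather than on a hand-built list.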

This is very interesting
I have received several phishing emails per week but never had anyone give me a usb stick. I think the main target for this type of attack are people working in sales departments.

Sales departments, or car parks of large companies, for example. They are left on the ground, in the hopes that somebody will pick one up and plug it in. But the sticks are very targeted.


In the states we call these a “candy drop.” I’m sure the Germans have a suitable long compound noun for it.

I haven’t heard a special name for it over here.