hpr-knowledge-base/hpr_transcripts/hpr4081.txt

Episode: 4081
Title: HPR4081: The Oh No! News.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4081/hpr4081.mp3
Transcribed: 2025-10-25 19:21:10

---

This is Hacker Public Radio Episode 4,081.
From Monday the 25th of March 2024, today's show is entitled The Oh No News.
It is part of the series' privacy and security.
It is the 60th show of some guy on the internet and is about 12 minutes long.
It carries a clean flag.
The summary is, Scotty gives us some moral panic-ridden pearl clutching nonsense.
Hello and welcome to another episode of Hacker Public Radio.
I'm your host, some guy on the internet.
This is The Oh No News, let's get started.
Qnet warns of critical off bypass flaw in its nest devices.
All right ladies and gentlemen, this article is coming from bleeping computers.
And the beloved QNAP competitor to Synology, you know those little in-house cute boxes.
The beloved NAS in a box.
Yeah, you know the ones.
What they've got a little bit of vulnerability here is actually three vulnerabilities.
One of them, which is label CVE 2024 21 899, is marked as low complexity
and it can be executed remotely.
So three vulnerabilities in total.
One can be executed remotely.
The other two just sort of play off of the first.
I'm not going to go into too much detail with it.
All you need to know is if you have a QNAP device and they have the models listed in the article here.
It's the QTS models, the QTS 5.1, QTS 4.5 models,
as well as the QUTS hero and the QUTS cloud models.
I believe version 5 and 4.5 are the models that are affected by this vulnerability.
However, there's a simple fix.
They've already patched it all you have to do is update.
The article also walks you through on how to update from the UI.
You know, go to the control panel, click on systems, firmware update, check for updates.
Your system should pull down updates and you'll be good to go.
So if you or a loved one are using QNAP devices, just go ahead and perform an update.
Now, the article does go on to tell us a little bit more about a few ransomware groups
that are currently targeting QNAP devices like deadbolt, checkmate, and Qlocker.
But like anything that's on the internet, it is an attack surface.
So you can always want to stay up to date.
Not only that, you're also going to want to back up your data.
Backing up your data is a surefire solution to prevent ransomware attacks
or actually won't prevent the ransomware attacks, but it'll allow you to recover from a ransomware attack.
See, that story was just a nice little warm-up.
It was a refreshing cup of tea in comparison to the next story.
Switzerland, play a ransomware leak 65,000 government documents.
Yeah, hi!
Can you say yikes?
I know Switzerland likes to take that neutral stance,
but right about now, they're going to have to be firing up a storm.
So yeah, they're going to have to do some let-goals.
65,000 government documents were leaked.
And it seemed like a lot of files were in Switzerland's justice department.
So they're covering agencies like the Federal Department of Justice,
the state secret rate of migration, internal IT Service Center,
the Federal Department of Defense, Civil Protection, and Sport.
They even said that around 5,000 of the documents were just flat out personal information.
We're talking about names, email addresses, telephone numbers, and home addresses,
along with the good old technical details, like their classification information.
Oh, and let's forget about, let's definitely not forget about their account passwords.
We're also a part of that.
Yeah, and I like the way how in the article,
they sort of shrink away, like, you know, lean close to the microphone and whisper.
Yeah, a small subset of the data that was leaked,
containing software and architectural data, along with more passwords.
Yikes!
I can't imagine having to do the presentation for that one, right?
Can you imagine having to put together a PowerPoint and a standard front of a bunch of guys
in the government and explain how this happened?
What you see, what happened was, those guys over there did it.
Yeah, it's not my department, it's the other guys that did it.
If you could fire anybody, fire them, I knew I should have went to work at Google.
All right, so there'd be a little bit more clear.
Explain is a company that contracts to work with the Switzerland government.
So if you want to split hairs, you can say it's not actually the government that was breached,
but the company that was contracted to perform these tasks for the government.
Nonetheless, the government employees and government data was still lost due to the attack.
Well, this just goes to show you Switzerland should have hired me
because I could have got them breached for a quarter of the price they paid.
Explain, you understand?
And we would have got a lot more jokes out of it as well.
And here's one of the things that I think is kind of funny.
They mentioned that analyzing the delete data, right?
Saying that this is legally complicated.
Let's stop and think about it.
It's already broadcasted on the internet for everyone to see how much more complicated,
you know, how much more complicated could it get?
And you know, let's make sure only the appropriate containerized agency departments
with only the specialized individuals in their perfectly positioned cubicles
have access to this documentation that we found on the great wide open.
I don't see any information on how the attack was carried out.
You know, we don't know if this was like a sis admin hunt or a fishing type attack
or anything with that information is just not present.
And I'm willing to bet it's because somebody used password one, two, three.
Now I need to be clear, the article did not say that, but I wouldn't put it past
them either, right?
You got one individual somewhere in this investigation that had password one, two, three.
Well for the Swiss government or explain, you got my email, go ahead and contact me.
I can only promise you one thing that the next time you get breached, at least with
me on board, you'll have a much better time will throw a breached barbecue will do it
almost like one of those gender reveal parties, except rather than revealing the gender,
we'll be revealing how we got breached, right?
And the name of the person who, who, who was that ground zero during the attack, right?
Whoever was targeted for the attack, put them on blast.
So you imagine how hard it would be to get hired after something like that.
So we probably wouldn't do that.
That would be too mean.
You imagine putting like, okay, we have determined that the person responsible for the breached was
DNT.
If you have any questions concerning the breach, contact DNT.
Oh, that one was a toughy, maybe we should move to something a little bit lighter.
Let's move over to dark reader for just a moment.
Spoof to zoom, Google and Skype meetings spread corporate remote access Trojans.
Now this story brings me back to a time when Microsoft mentioned in the past that they
were going to be making it possible for Android apps to run on Windows.
Does anybody remember that now Windows, which is already just flooded with malware because
they have the largest, they have the largest user population.
The vast majority of machines you buy out there today come preloaded with Windows.
So that's understandable.
I'm not faulting them for having malware when you have a large user population.
Obviously, you're going to have more tax, but to think that it will be a good idea and
allow Android applications knowing that Android is just at this point, Android is malware.
You know, it's so bad over an Android market and look, sorry, not sorry, Android users
out there.
If you're using like FDroid or something like that, okay, kudos, I got you, right?
There's a sale official S for those of you that can run it from understanding it didn't
run well here in the US, like no carrier, whatever, or let you get out on network with it or
whatever.
I could be mistaken, but that's just what I remember from the last time I heard something
about it.
One way or another, if you just run like stock Android from whatever vendor, LG, Samsung,
whatever, you got to know you're dealing with a ton of malware that you, you wrap that
malware.
It's like a malware burrito, you know what I mean?
You got malware flatbread called Windows and you, you sprinkle in a whole bunch of malware
from Google.
It's terrible.
I'm going to give you a little bit of a spoiler alert here.
You should have just used Jitsy, all right.
Anywho, the attacker is basically using fake meetings, luring people in for these rats.
And by rat, I mean remote access trojan, and you know what?
Not even just Jitsy.
I mean, has anybody heard in next cloud recently?
I mean, you know what I mean?
There's so many better ways to do this and a lot of these meetings, I'm pretty sure could
have just been an email, right?
Am I right?
Well, you can get fished like a responsible adult.
I love the marketing in this article.
They have a nice little slogan here, click to compromise.
That's a good one.
If only Windows had a repository of software where you could go in the terminal and use your
package manager to pull down software that has been reviewed by, you know, knowing Windows
it'll probably most likely just be Microsoft employees.
But you know, if if they were going to do things in an open manner, you can get more eyes
on not just the software itself, but the code, but we're not going to go there.
Oh, wait, I forgot Microsoft heart slantics, that's right.
I forgot about that.
I mean, they did open source to calculator, right?
Now, what we do, we do have that fantastic new calculator, just what we always wanted.
I include this article so that the next time you get invited to a terrible meeting at work,
share this article with your boss.
Let him know, look, I can't go to each of these meetings because it's too dangerous.
It's too dangerous.
I could, I could lose my credentials.
I could get remote access Trojan, especially if you're forced to run Windows as well.
Oh, goodness.
And if you're still using Android, good heavens.
Shut that thing down and get you some F droid.
Or you can do like the rest of us who, you know, those of us that wear our top hats and
monocles walk with a cane, we are in our, in our, in our tuxedos, we carry iPhones.
Yeah, we have, we have the blue bubble of sophistication, never mind that it's almost impossible
for us to do anything with the device and we own nothing, not even the device itself.
Never mind any of that.
We got the blue bubbles.
Okay.
Alrighty, ladies and gentlemen, that's all I got time for today.
I hope you guys enjoyed another episode of the Oh no news.
If you have any questions about any of the pearl clutching panic, written nonsense,
we've broadcast here today on Hacker Public Radio, please contact DNT.
You're welcome to leave a comment, a show would be much appreciated.
And for those of you that are new to Hacker Public Radio, you can start by just introducing
yourself, letting us know who you are and what sort of hobbies you enjoy.
If you're worried about rather not, we'd be interested in it.
I mean, just look at what I'm doing clearly, it can't be too hard if I'm able to do it,
right?
And don't worry about if people like it or not, I've been doing this for a little while
now and I have not had one single complaint at all, never wink, wink.
So don't be shy.
Come on out here, give us a show and I'll catch you guys in the next episode of Hacker Public
Radio.
Bye-bye!
You have been listening to Hacker Public Radio at Hacker Public Radio.org.
Today's show was contributed by a HBR listener like yourself.
If you ever thought of recording a podcast, then click on our contribute link to find out
how easy it really is.
Posting for HBR has been kindly provided by an onsthost.com, the internet archive and
our sings.net.
On this advice status, today's show is released on our Creative Commons, Attribution 4.0
International License.