Risky Business - Risky Business #717 -- The kids are okay. At ripping your face off.

Episode Date: August 15, 2023

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

- More victims identified in Chinese breach of Microsoft email accounts
- Cyber Safety Review Board to investigate Microsoft
- We got some stuff wrong last week
- More details on Viasat hack revealed
- Special guest Heather Adkins talks about the CSRB’s Lapsus$ report
- Much, much more

This week’s show is brought to you by RunZero. Its co-founder HD Moore is this week’s sponsor guest.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes

- Chinese Microsoft hackers also hit GOP Rep. Don Bacon of Nebraska - The Washington Post
- US cyber board to investigate Microsoft hack of government emails | TechCrunch
- Richard: "@briankrebs @metlstorm @riskyb…" - Mastodon.Radio
- An SSRF, privileged AWS keys and the Capital One breach | by Riyaz Walikar | Appsecco
- Chamber of Commerce urges SEC to delay cyber rule implementation | Cybersecurity Dive
- Satellite hack on eve of Ukraine war was a coordinated, multi-pronged assault | CyberScoop
- Microsoft to freeze license extensions for Russian companies
- Takedown of Lolek bulletproof hosting service includes arrests, NetWalker indictment
- Ransomware Diaries V. 3: LockBit's Secrets
- How the FBI goes after DDoS cyberattackers | TechCrunch
- Meet the Brains Behind the Malware-Friendly AI Chat Service ‘WormGPT’ – Krebs on Security
- Multiple zero days found affecting crypto platforms
- Lawmakers press FCC for action on Chinese-made cellular modules
- Panasonic Warns That IoT Malware Attack Cycles Are Accelerating | WIRED
- Rapid7 to cut 18% of workforce, shutter certain offices | Cybersecurity Dive
- SecureWorks layoffs affect 15% staff | TechCrunch
- Researcher says they were behind iPhone popups at Def Con | TechCrunch
- Review of the Attacks Associated with LAPSUS$ and Related Threat Groups
- US should crack down on SIM swapping following Lapsus$ attacks: DHS review
- Kevin Collier: "Def Con is over and nobody hac…" - Infosec Exchange

Transcript
[00:00:00] Hey everyone, this is Risky Business and my name is Patrick Gray. This week's show is brought to you by RunZero, which obviously they make an amazing asset discovery tool. The company was co-founded by HD Moore, the creator of Metasploit, and HD is joining me in this week's sponsor interview for a really interesting chat about asset scanning and how it ties into vulnerability management these days. And this is something I've been thinking about a lot lately. Patching targets at the average enterprise are really low, like 5% to 10% of CVEs in large organizations. So the vulnerability
[00:00:37] management game is much more about patching the right thing at the right time these days. And asset discovery tools like RunZero are becoming absolutely critical in doing that. So I spoke to HD Moore about that and also about how do-your-own discovery is a bit of a lost art, and we also spoke about how you can scan ICS gear with UDP packets and not do damage. We also have a feature guest in this week's show, Heather Adkins. She is the VP of Security Engineering at Google and also serves as the Vice Chair of the Cyber Safety Review Board, or the CSRB. And she's joining us this week to talk through the board's Lapsus$ report. That is coming up later. But first up,
[00:01:16] we're going to jump into the week's news segment with Adam Boileau. And Adam, it looks like we're still discovering the true scope of this recent attack against Microsoft email accounts using that stolen or somehow acquired mystery key. Now we've got a congressman from the United States, Don Bacon, another one of those terrific American names. Don Bacon apparently had his email popped. Yes, and he's a guy that's been pretty important, I think, in some of the conversations around the US support of Taiwan. And in that respect, this may have backfired a little bit because he seems to be not super happy about Chinese hackers
[00:01:53] busting into his emails and is now waving the stick about how much they are going to support Taiwan. So maybe an own goal there for the Chinese intelligence services. I mean, I think the thing that I find interesting about this is not so much that this particular person was targeted. It's more that, you know, it's been a little while now and we're still unpicking the scope of it. Yes. Well, I mean, I guess they had access to some of the extended logging that Microsoft provided for a fee in the cloud, but still, digging through cloud logs, understanding what they mean, understanding the breadth of something like this is really hard. And, you know, we don't know to
[00:02:29] what extent Microsoft's been involved in, you know, helping with this investigation. I would imagine quite a fair bit. But yeah, it does take time to understand, you know, the impact of intrusions in the systems that you don't really see the inside of normally. I mean, we need to keep perspective here, though. Like, hacking into a politician's email account, especially a politician who is doing China-Taiwan stuff, in an espionage context that is definitely in scope. Yeah, like it can be legitimate targeting and also, you know, kind of concerning in the sense that we don't understand how the cloud works enough to figure these things out ourselves as an outsider.
[00:03:06] But, yeah, legitimate nonetheless. Yeah, yeah. So I think the takeaway here is that China was doing quite a lot of espionage here and perhaps should not have been able to. And, you know, since we last spoke, I think we spoke last week about Ron Wyden writing an angry letter. It was either last week or the week before, suggesting that various bits of the government get involved
[00:03:29] in investigating Microsoft and urged the CSRB to pick this up as an item for its next investigation. And the Cyber Safety Review Board has indeed done that. Now, we've got Heather Adkins joining us later in the show. We're not going to talk to her about this investigation. She is recusing herself because, obviously, you know, her day job is VP of Security Engineering at Google, which means she works for a competitor of Microsoft. So obviously, she's bowing out of that one. But I, for one, cannot wait to read
[00:03:56] this report in six months or whatever, a CSRB report into what actually went wrong here. Yes, that's exactly what, you know, what something like the CSRB is for: investigating these kind of really big, complicated issues that affect a whole bunch of people beyond the victims of a particular attack and breaking it down for us in a way that makes it clear what overall we should be doing when we consume cloud services like this. So, yeah, I'm very much here for this as well.
[00:04:25] Well, not just what we should be doing, but what Microsoft should really be doing as well. Yeah, exactly. Like all of us, because we are so reliant on the cloud vendors, and Microsoft in particular, to run their stuff right. And when their stuff is a work in progress, like they're building it as they, um, as they're building the plane as they fly, that sort of thing. Exactly. Like, so we do kind of need some help from the outside as customers to be able to understand how to do it. I do wonder, you know, there's lots of people on the CSRB who also work in the computer industry and everybody is a Microsoft customer, so I imagine it's going to be a difficult conversation around the table there as to who's going to conduct parts of this investigation and so on, because Heather can't be
[00:05:03] the only one that is considering what the conflicts might be. Yeah, I mean, one thing I find interesting about all of this, and it's something that's sort of come up in the discussion on the periphery, is CSRB does not have subpoena powers. They can't make people talk to them. If you look through the Lapsus$ report, which is one that we're going to be talking about later with Heather,
[00:05:23] they had good cooperation from a bunch of the people who got owned by those crazy Lapsus$ kids, but some of them just chose not to. So I think it's going to be really interesting when members of the CSRB present Microsoft with a bunch of really uncomfortable questions to see what they're going to do, because they can't just not answer them
[00:05:42] because that would look terrible in the report and is the sort of thing that will result in the CSRB actually getting subpoena powers, which I can't imagine Microsoft is too keen on either. So I can just imagine we're going to wind up with a bunch of really weaselly responses to some of these questions, which Microsoft is good at. Yeah, but it's going to be this sort of delicate dance on both sides, I can imagine, right? I mean, in any other country other than the United States, trying to conduct this kind of investigation would probably be impossible, right? The US is big enough as a Microsoft customer
[00:06:16] and also as their host government to be able to apply the pressure or, as you say, just make it so they have to by giving the board the relevant powers. Well, I mean, those powers won't be coming anytime soon. Certainly not in time for this inquiry. But, yeah, I really wonder how this part of it's going to play out. Yes, and for you and I in Australia and New Zealand,
[00:06:37] our government is not going to have that kind of power over Microsoft. So somebody else that does, we really do want to see them wave that stick around and give Microsoft a little bit of kind of what they need to get them back onto the right path. Now, Adam, I just want to pick up on some stuff we spoke about last week where I was saying, look, all of these cloud services, you're going to be sharing cores, and these CPU cores and these speculative execution bugs are going to turn into a real headache. Turns out I was way off base there because, well, two out of three of the major cloud providers
[00:07:12] have actually really thought about this. We had a listener hit us up on Mastodon, Richard, who pointed out that certainly in the case of AWS and GCP, they have blog posts up explaining how they, like, purge caches and things like that when they're moving someone to a new core. And like they don't allow, you know, core sharing where the cache can get all mixed up and whatever. So it does look like we are actually in better shape than I realized with regard to major cloud platforms and these types of speculative execution bugs. Yeah, I was also pleasantly surprised and especially, like, the level of detail
[00:07:50] that Amazon's documentation goes into on their kind of hardware-assisted virtualization that they've built over the years for EC2. Like there is a lot of detail about how they manage that and how they deal with minimizing the risks of these kinds of side channel and so on attacks. And that, yeah, that was nice and reassuring. And then same, you know,
[00:08:10] Google also has plenty of expertise in running large scale compute. And they also have done a bunch more work than I anticipated, which, yeah, only leaves Azure with some vague weasel wording in their documentation about how there are no side channels in Azure because reasons. Last week, we also spoke, you know, I mentioned that, you know, I wondered if
[00:08:32] services like Azure could wind up with what I was calling kind of the PowerShell problem, which is that they fundamentally, you know, made some mistakes and it won't really be possible for them to fix stuff. I couldn't think of a good example at the time, but basically as soon as we finished recording, I did think of a great example, which is the AWS instance metadata service, right? And this is the one that got Capital One owned. And I don't think they could actually fix it in the end, but they had to create a V2 and encourage people to move towards it. So that was an example from 2019. And I just, yeah, I just think this is an interesting part of the conversation at the moment, which is you do wonder, because last week we spoke about Azure
[00:09:10] fixing something and initially they just fixed it for new apps, but wouldn't retrospectively apply the fix because they worried about breaking stuff. You know, I do wonder if we're going to get to a point where Microsoft is going to need to V2 something and leave the vulnerable V1 up. And this applies to all the providers, but I just couldn't think of that example last week. But it is a good one, isn't it? Yeah, it's a great example. And I mean, the availability of the version 2
[00:09:37] certainly has not made all of the previous, you know, version 1 metadata service things go away. I mean, it's still a workhorse technique when you break into a cloud application or you have a server-side request forgery bug to use that to then go and move around. And, you know, it's not a hundred percent of AWS-backed systems like it used to be, but, you know, these things do have quite a long tail. And, you know, you can see why. I mean, instance metadata service is a great example of a security choice that made total sense in isolation.
[00:10:07] But once you think of the idea that customer applications are going to have server-side request forgery bugs in them, it's completely broken. And they're both reasonable places to start. But the reality ended up being that, you know, people are going to get badly compromised because of that combination. Yeah, yeah. Now, look, I promised, last thing we're going to follow up from last week is we made a joke last week that in-house counsels at large companies
[00:10:34] will be bending over backwards to figure out how not to report stuff to the SEC under their new breach reporting guidelines. And you and I both heard from a CISO we know who works for a mega corporation who said we got that backwards, right? Because he said totally ass backwards. Yeah. Everyone's going to be so scared of, like, an SEC investigation, the tendency is going to be to over-report, which I did find, uh, actually quite interesting. Like no one wants the SEC drama. And I think, yeah, like it's going to be
[00:11:02] interesting to see if the SEC just gets flooded with incident reports because of this. I mean, all of this will level out eventually and find some sort of equilibrium. But we do have a piece here also from Cybersecurity Dive talking about basically the US Chamber of Commerce shitting bricks over these rule changes and being very mad. Yeah, yeah. And you can, you know, I guess my take on it last time we talked was, you know, ultimately pretty naive, because, you know, the idea that they're just going to report a hundred thousand Form 8-Ks or whatever it was a day, um, because that's the reality of what you need to do to comply with that regulation, isn't the thing that I had previously appreciated. And the Chamber of Commerce obviously has its own agenda and things that it's worried about, but there are some pretty real problems. And the Chamber of Commerce is asking for a year delay in actually implementing the rules so that we have some time to think about what it's actually going to mean, and how a hundred thousand Form 8-Ks a day, you know, submitted to an API, is it actually going to work for the SEC? And what if they get what they're asking for?
[00:12:06] Yeah. Yeah, I mean, I think the whole thing is we've got to find a good faith line. Yes. Right? We've got to find where does good faith end? Where does it begin? Capitalism is so good at that.
[00:12:21] Yeah, we've got to build the rules around that. And I think the only way to do that is to just see what happens once this new regime kicks in. But it, yeah, it could get messy. Let's... Yes, it certainly could. Anyway, it was funny. Uh, now we got some more information on the Viasat hack, Adam. Um, you know, it's being reported as, like, all this great new detail, but I mean, this thing unfolded much the way you would expect it did. Yeah, yes. Like there wasn't a huge amount of new detail compared to what the reporting said. I mean, that the Russians broke into Viasat, modified the firmware and shipped it out to a bunch of terminals that
[00:12:56] matched things in Ukraine that they cared about. And then the new bit seemed to be that there was a subsequent campaign that looked like it carried out denial of service on something involved with authorizing terminals back onto the network so that they were not able to re-register or something. Some kind of auth system, it sounded like, was being attacked, which is an interesting detail. What I wanted to see was more info about the pre-positioning work the Russians had done inside Viasat to get all the necessary information, to understand the models of modems, to understand where the customers were, like to do all of that work in advance. So there wasn't more detail about that. There was something about subsequent attacks in the radio layer. There was, you know, vague conversation about RF-based attacks on modems. Whether that's just the mildering electronic warfare in Ukraine or whether it was something more cybery, we don't really know.
[00:13:51] But still, this was a really interesting part of the very early days of that conflict, and it's funny how far in the past it seems now. Yeah, because it's all gone Starlink now, right? Yes. You really wonder when that day is coming for Starlink. You do, right? I mean, because the fact that it's been playing such a big part now,
[00:14:11] it must be sticking in Russia's craw or something chronic, you know? Yeah. I mean, that was my best call of 2022, which is when Musk announced that a whole bunch of terminals were going into Ukraine. I said, I don't think he knows what he's doing. Yeah. And you guys were like, no, of course he does.
[00:14:24] You know, and I was like, no. As it turned out, he really did not know what he was getting himself into. And funnily enough, though, I had this conversation with a friend recently. Like, I think he has actually managed to find the line. Okay, so they're in this situation where, okay, you want to use Starlink to attack targets in Crimea, that exposes us to too much risk. If you stage a breakthrough through Russian lines and you need to enable it in this territory where it was previously disabled, we're going to set you up with a contact
[00:14:55] where you can very quickly re-enable that coverage there. So I think they've found the balance between helping the Ukrainians and not making themselves a priority target for Russia. And I do think that's reasonable, right? So some people are like, oh, they're not letting them use it to attack Crimea. ...to just, you know, astronomical risk, uh, from Russian SIGINT and all sorts, right? So I think in the end you have to give them credit for actually finding what looks to be a fairly reasonable line through this whole thing. Yeah, I mean, I think you're right. That is, um, it's a very fine line to walk. And especially when Russia is not necessarily known for being proportional and playing by the kind of norms.
[00:15:50] So it's, you know, you have to kind of be more conservative just because Russia has been a bit unpredictable lately. They're still wearing a lot of risk, right? Because ultimately, you know, Starlink is what is making Ukrainian artillery accurate, because they're backhauling the video over Starlink from drones back to the firing crews. Like this is, you know, this is an integral part of Ukraine's war machine,
[00:16:14] but they've had to just put some limits on it. And, you know, yeah, but he didn't know what he was doing. No. He didn't think it through, right? How unlike him. Yeah, how unlike Captain Impulse Control. Yes. Staying with Russia,
[00:16:31] and Microsoft has announced that it's freezing license extensions for stuff like O365 into Russian organizations. I'm kind of surprised that they hadn't cut them off already. We've seen a report too that Atlassian is ceasing licensing for Russian orgs. So things playing out much as you'd expect.
[00:16:50] Although, as I say, I'm kind of surprised. Like Microsoft suspended software license sales into Russia quite a while ago. So I was kind of surprised that some of these licenses were still active. Yeah, and when you consider the amount of Microsoft usage in Russia, I mean, something like 90% of private sector companies
[00:17:07] use Microsoft stuff. That's not a surprise, but the fact that that hasn't been a bigger part of that conversation yet, I'm surprised by it anyway. Yeah, yeah. So no more O365 or Jira. Although, you know, that was our joke internally, right? Which is, you know, maybe it's the
[00:17:25] silver lining for Russians is they're having their Jira taken away. No more Confluence, you know. Sorry, I laughed. Now moving to Law and Order. And the Lolek bulletproof hosting service. The operator has been arrested
[00:17:41] and there's a bunch of indictments around this. So there were five arrests in Poland. I think the main admin is still on the run by the looks of things. But yeah, this seems like a win for team cops, basically. Yeah, and this particular bulletproof hoster was pretty heavily involved in the network of ransomware, provided a bunch of infrastructure for them. Also, a bunch of other crime stuff in DDoS. And also I think the Kiwi Farms forum was hosted there.
[00:18:12] So taking out this particular hoster seems like very much a net good to me. And Adam, you remember John DiMaggio, who, you know, went undercover with ransomware crews like LockBit and whatever and wrote big blog posts about it. Well, he's done it again. And his news from inside... he's a researcher at Analyst1. And his news from inside LockBit looks a little bit less rosy than last time.
[00:18:35] Yeah, it's particularly funny. There's stories about LockBit publishing fake stuff, fake companies that they've ransomed on their blog, lack of support for their ransomware software, some of their affiliates got arrested. So things are not looking particularly rosy there. But the one that's most funny is that their dark web leak site appears to have run out of disk, and I guess they can't host it in the cloud and just add more disk super easily. So they're now ransoming organizations, you know,
[00:19:06] leaking their data, but you can't actually download the data because they ran out of disk. I mean, this is the scale problem that every startup will run into as they mature, you know, a bit of an infrastructure issue there. But yeah, the out of disk one got me as well.
[00:19:20] Yeah. That's particularly funny. Yeah. So the wheels are wobbling. They haven't fallen off, but, uh, things at LockBit are not looking, uh, so great at the moment. Lorenzo Franceschi-Bicchierai over at TechCrunch has this great interview up as well. Just while we're on the topic of crime, he's interviewed an FBI investigator about, um, about the whole sort of DDoS-for-hire ecosystem. And what I
[00:19:43] like about this interview is it's just a really good briefing if you want to understand, you know, that DDoS-for-hire ecosystem. You know, what is the likely perpetrator going to look like? Well, they're a gamer, they're probably based in Western Europe or the United States, and, you know, this is what they do and blah, blah, blah. But it's a really, yeah, it's just a really interesting read. Like it was an unexpectedly interesting read, I found. What did you... Yeah, yeah. Yeah, me too. I agree completely. The two guys, there was Elliot Peterson from the FBI and one of his colleagues, Cameron Schroeder,
[00:20:11] presented at Black Hat about their experiences being the FBI's, you know, DDoS enforcement arm. And they're both from the FBI's Anchorage office. And they've been doing it for a long time. And even one of the funny tidbits I found in it was that this guy Elliot is the dude that makes the, like, seizure screens that they stick on stuff that they've taken over. And every time we laugh at one of those, you know, kind of blue screens with all the logos on them, like they don't have a graphic design
[00:20:41] support office or anything in the Anchorage field office of the FBI. They just have to make them themselves. Is he the one who did the Pompompurin in Anchorage? I don't know, but I wouldn't be surprised. You kind of get that vibe. So that's a fun detail. But yeah, the interview just has a bunch of interesting stuff of what it's like being the cop that actually has to deal with this stuff. And presumably being woken up at Christmas
[00:21:01] because someone's DDoSing a game service or whatever else. So yeah, well worth a read. Yeah, and it's funny that they point out that there's, like, entire industries created to mitigate this stuff, like Akamai, Cloudflare, whatever, you know, and it's a big expense. But, yeah, just a fun read. Another fun read this week is Brian Krebs
[00:21:18] has done a great write-up on WormGPT. This is the ChatGPT-like LLM that BEC crews and fraudsters are using, which, you know, is actually pretty effective. Like it's a pretty useful tool by the looks of things, particularly for people who don't have a great grasp on the English language. What I did find very funny is that, like, this guy's just been doxed here. Like we know his name is Rafael Moraes and he's from Porto in Portugal. And, you know, Brian contacts him on Telegram and asks him questions and he's like, sure, I'll talk to you.
[00:21:52] I'm an open book. So I'm expecting us to be talking about his arrest next week. Yeah, he seems to be like a computer security student or maybe he's recently graduated. And it does seem a little, like he seemed a little unclear about whether he's for or against crime, given that the service is marketed for people to use for criminal endeavors, but he's
[00:22:11] talking now about adding some guide rails back into it to try and, uh, you know, make it less dangerous. But then what's it for? Like it's still advertising on crime forums, etc. So, yeah, like, I mean, you kind of admire his entrepreneurial spirit in a way, but, uh, you might have picked the wrong industry, uh, to get started your career in, buddy. Yeah, but that one's a good read. I'd recommend people go check that out. Um, got a good write-up here from John Greig. It's something that we did cover in Risky Business News as well, but the so-called BitForge, uh, vulnerabilities in cryptographic multi-party computation protocols. Now, these things are very important to cryptocurrency platforms. And what we're seeing at the moment,
[00:22:51] I think, is this new wave of research into the, you know, crypto ecosystem where people are just tearing it apart. And usually, like, thankfully, it was researchers who found these bugs. But, you know, people are tearing these things apart, finding these bugs and using them to make bank. And I just think this sort of stuff is really going to accelerate the death of large parts of the crypto ecosystem, cryptocurrency ecosystem. Yeah, I think you may well be right.
[00:23:17] I mean, implementing crypto systems is hard for everybody, you know, and we've seen that in implementations of auth protocols and encryption protocols for on-the-wire stuff. Like it's no different in the cryptocurrency world. They're not magically better at crypto, anything, and math and implementing secure systems on top of robust protocols than anyone else is. So it is kind of nice to see someone do this not necessarily immediately for crime. But the guts of the issue here is some issues with multi-party signatures, multi-party crypto, which is used for wallet control in a number of, you know, big cryptocurrency trading platforms. And so vulns in those are, you know, they are... these are implementation bugs. They're
[00:23:59] not necessarily design flaws, but they are still a very big deal because of the amount of money sloshing around in the ecosystem and the difficulty of changing out kind of such primitive parts of it. So great research and, uh, you know, it's just amazing it hasn't been used for crime immediately. Yes, exactly. Now Suzanne Smalley has a really interesting report up here at The Record. Uh, so there's a House panel, uh, on China, and it's asked the Federal Communications Commission to, and I'll just read from Suzanne's piece here, to help combat the threat posed by Chinese manufactured cellular connectivity modules embedded in IoT devices. Now what's really interesting about this is, you know, we've had that big conversation about the risks posed to
[00:24:41] networks by things like, like by building them on Huawei kit, right? So you don't want to use Huawei if you are a Western country like Australia or New Zealand or the United States. Okay, fair enough. What's interesting is I've noticed that the conversation is now switching to these edge devices,
[00:24:59] which at scale present risks of their own. So we spoke recently about, you know, solar panel controllers mostly being made in China and how this could be a bit of a problem. And now we're talking about, yeah, these little cellular modules. So these panel members noticed that, you know, Russia stole a bunch of John Deere tractors from Ukraine, and John Deere was able to remotely brick these things through their cellular modules. And, you know, to the US politicians on this panel, they looked at that and said, well, aren't we using a bunch of Chinese modules that are the same and couldn't China do the same thing to us? And I think this is, you know, probably the right
Starting point is 00:25:34 place to be looking at and thinking about, right? Like is, you know, forget about the network for a minute and start thinking about the endpoints and what could go wrong there. Yeah. And I think people do underestimate the level of complexity in things like cellular modems. I mean, those are fully fledged computers hidden inside, you know, what you imagine as a modem. And most of us think of a modem in the classic kind of 80s, 90s sense, where it's just a, you know, a thing that makes some tones or whatever, whereas cell modems are proper complicated, and making those, you know, does require a bunch of complexity. So both from a backdoor perspective, but also a bugs perspective, an ongoing support perspective, they're a much more important part of the network edge than people give them credit for. And I think, like, that John Deere story is interesting because, you know, we've seen so much kerfuffle with farmers wanting to jailbreak their John Deere equipment legitimately so that they can
Starting point is 00:26:30 make it do other stuff, and then at the same time seeing, like, there is some value to having control of these devices in the field. Yeah, but that does go both ways, and the amount of embedded microcontrollers with all sorts of interesting software and network connections beyond cell modems, you know, and all sorts of other gear and air conditioners and UPSs and solar panel controllers, et cetera. Like, this is an area that now that we are in the world where, you know, state competition can happen on IoT,
Starting point is 00:26:59 on edge devices and computers, like we do have to care now. Stealing farm equipment too as a spoil of war. I mean, you can imagine the conversation, though. You're the Russian soldier who's stolen someone's tractor or harvester or whatever, you got it across the border, you sold it to someone, and then it gets bricked. That's going to be an interesting conversation. That is going to be an interesting... Now I want to talk about a presentation that happened at Black Hat by, was it Black Hat or DEF CON? It was Vegas anyway.
Starting point is 00:27:26 No, Black Hat, I think. Black Hat, yeah. So Panasonic, a team from Panasonic, did a big talk about how they're thinking about security risks in their IoT devices and about a honeypot program they spun up to sort of capture good intelligence on how people are attacking their products. I just found this really great, actually, that you've got a manufacturer like Panasonic
Starting point is 00:27:48 thinking about this sort of stuff and doing this sort of research. So I just wanted to talk about it as a way of saying, hey, Panasonic, well done. Yeah, this was really reassuring to see that there are people inside a big vendor, electronics manufacturer like that, doing this kind of work and that they are thinking in novel ways about it. So for example, one of the things they talked about
Starting point is 00:28:09 is that expecting consumers and owners of devices to be able to deploy firmware updates is maybe not realistic, right? And having an ecosystem that respects the reality of the situation that you need to be able to respond beyond just, well, here's a firmware update on a website, that's the end of our obligation. One of the things they talked about was having systems that can detect and respond more generically, so that even if we
Starting point is 00:28:34 don't apply the patch, you've got some chance to receive, like, telemetry that blocks relevant attacks in the field without necessarily fixing the bugs, and that kind of thing. So it's really nice seeing a big vendor doing what it should be doing. Absolutely doing what it should. And also, I think it's a, you know, we're also focused on cost when we buy appliances or buy devices, and, you know, the cheapest thing is sometimes cheap for a reason, and the more expensive ones do support longer lifecycle support programs, more in-depth thinking about security, and there's a reason to not always go bargain basement on everything.
Starting point is 00:29:12 They're just chasing that new labelling law. They want to get their five stars on their box. Well, if it gets the job done, makes them do it well, then I'm all for it. Now, some crappy news. There's been a bunch of layoffs in the security field. Rapid7 cut like hundreds of jobs, 18% of its workforce.
Starting point is 00:29:30 I didn't realize they had quite that many staff actually until I looked into this the other day. But yeah, they fired a whole bunch of people, which really sucks. SecureWorks has laid off 15% of its staff. We've seen layoffs at NCC Group as well. So, you know, a lot of people getting laid off all at once at the moment, and some of these companies, they're not even doing badly. Like, I think Rapid7 is doing just fine, but I don't know if they're trying to juice the share price or
Starting point is 00:29:56 whatever, but yeah, certainly sucks for the people who've been laid off. I don't, I don't approve of this, Adam. Yeah, and we, I guess we thought that some of the tech industry, wider tech industry layoffs, you know, that security was a little bit insulated from it, which does not necessarily look like it's the case. And yeah, I mean, these are real people with real lives and bills to pay, and it is always hard seeing people lose their jobs, and as you say, especially when, you know, the financial numbers maybe don't look so bad. But that's just capitalism for you. What are we supposed to do, right? Yeah, I mean, I will say, though,
Starting point is 00:30:29 that in the general tech ecosystem, the number of people hired into tech throughout the COVID-19 pandemic was absolutely huge. So even if you look at the layoffs compared to the hires, we've still got a lot more people employed in tech than we did a few years ago. And the job market still seems pretty healthy, particularly in security. So I do think security is different. I think that if you have been laid off from a cyber security job, your odds of getting another one are pretty good. Yeah, I think so, yes. You know,
Starting point is 00:30:58 so, so as an industry, like, I hear anecdotal evidence that security budgets are getting cut and that will flow through to the vendor ecosystem. But if you look at the market research data out of firms like IDC and whatever, budgets are still forecast to grow. So I think it is a slightly uncertain period in the industry at the moment. But by and large, if you're going to be in tech, cybersecurity seems to be a good place to be. Yeah, I think so.
Starting point is 00:31:24 I would be more worried about being in a vendor than necessarily like an end, you know, a company cybersecurity role because, you know, how much stuff can Fortinet possibly sell after the last couple of years? So, you know, I would be more worried about that if that was me. But yeah, it's just, you know,
Starting point is 00:31:41 it always is hard seeing people having their lives shaken up by the businesses around them. Yeah. I mean, did you know, though, Fortinet's worth more than CrowdStrike? I know. They're like a $40 billion company or something. Like, it's insane. So I think they're probably going to continue to sell stuff, right?
Starting point is 00:31:58 Probably, yes. Because at this point, they've got, you know, a very well-oiled marketing and sales machine. So, you know, I'm just preparing to disappoint you on that one. Yeah, I know. I know. And before we leave, before we wrap it up this week, Adam, Kevin Collier posted to Mastodon. I just thought this was really funny.
Starting point is 00:32:17 I wanted to repeat it because, of course, you know, it was Vegas week last week. Now, you know, unless you've been living in a hole, you would know about the giant orb. Yes, Las Vegas has been blessed with a giant display screen in the shape of a sphere. Yeah, and this thing is humongous, right? And it's very cool and obviously is just waiting for someone to shell it.
Starting point is 00:32:39 And it didn't happen. And so Kevin, who's a cybersecurity reporter with NBC, has posted, DEF CON is over and nobody hacked the giant Las Vegas sphere. Four days of the biggest hacker conference set next to a giant LED globe and it didn't do anything against its program except maybe turn off briefly.
Starting point is 00:32:58 Someone's getting old. Yeah, yeah. Because, I mean, it's just, it's so asking for it. He made good points there, though, you know. But I think also, Adam, this is a sign of the times. It is. This is a sign of the times because it's entirely possible that it's well secured.
Starting point is 00:33:13 It's entirely possible that it's air gapped. No, surely not. I think hackers are just getting on. We saw Dave Aitel whinging about his experience. The crowds at Black Hat. I know, it did seem a little, little get off my lawn, which, you know, I feel like, you know, he and I are of not dissimilar vintage and I also feel like they should get off our lawn. But, yeah, like maybe it's just, maybe it's a sign of the times
Starting point is 00:33:37 that, yeah, I think so. Because I can't tell, I can't tell whether it's because this field has matured or because, you know, nobody wants to target it, or this field has matured and it's actually possible to build a giant LED orb in the middle of Las Vegas during DEF CON and have it not get owned. Like something's changed for sure. I think it's just the hacker kids getting old. That's what it is.
Starting point is 00:33:59 We can't secure anything, surely not. Okay, Adam, that is it for most of the news. But we're going to chat with this week's feature guest now. Heather Adkins is the VP of Security Engineering at Google and also serves as the Vice Chair of the Department of Homeland Security's Cyber Safety Review Board. Heather, welcome. Thank you. Good to be here. Now, the reason we asked you to come along today is because the CSRB has been in the news a fair bit over the last week or so. So let's talk about the Lapsus report. The CSRB's report into the activities of Lapsus was released last week. And CSRB spent a bunch of time looking at what those crazy Lapsus kids got up to. And I
Starting point is 00:34:39 guess one thing we should sort of clear up straight off the bat is that Lapsus wasn't really an established group that even lasted very long or had a defined membership. You know, what we call Lapsus is more, you know, it's more like a frame of mind, man, you know, like it's a group of TTPs and a grouping of behaviors, like, would you, you know, like it's online juvenile delinquency, basically, like, would you agree with that? I think so. I mean, they certainly styled themselves Lapsus. They had a public telegram channel, but it was pretty clear that they were all sort of
Starting point is 00:35:12 involved in other things. And there's this broader threat landscape that they all operated in. And in some cases, we believe probably are still active and operating. But I think, yeah, Lapsus is a mindset. I think that's a good way of putting it. So look, you know, I've read the report. I think every CISO listening to this should read this report because really what it spells out is, you know, these kids were just doing whatever it would take to get things done. And there was a bunch of stuff in the report I didn't know, like they were compromising people's, you know, like iCloud or, you know, photos albums in the cloud to pull out
Starting point is 00:35:50 embarrassing stuff that they could use to blackmail people to perform certain actions for them. I mean, this is social engineering on steroids at this point, isn't it? I think so. And they certainly were very creative at social engineering. We tend to in kind of a threat intelligence landscape, put labels on things, put threat actors in boxes, try to figure out what their favorite techniques are. I think what you had here were a lot of very creative kids who have digital skills and are just learning in real time, like you can see them kind of learning new techniques. And so there were really no rules. And, but, you know, the large majority of the very successful attacks against well defended organizations did stem from some fairly basic social engineering, where they were
Starting point is 00:36:38 just, you know, using accents, different languages, just calling people up. You know, if the first thing didn't try or succeed, you know, try, try again until something succeeds. And they weren't really worried so much about failing. They were only worried about succeeding, which is in their benefit. They sort of strike me as like the next generation of the type of hacker that Kevin Mitnick was back in the day, right? Like, really just in an attitude sense, right? Which is just to go all out. I think so. I think though, if you kind of listen to Kevin's interviews over the years, he was super interested in just learning how things work. You didn't get a maliciousness on the other end of that. I think what we did see here is they would delete infrastructure,
Starting point is 00:37:30 like the Lapsus guys would delete infrastructure in some cases, taunt employees on kind of internal chat, like internal Slack. So that was a little bit different. You never really saw Kevin sort of bring out a malicious tone to what he did. Yeah, they're definitely nasty. That's for sure. So the big takeaway, I think there's a few takeaways from the report. One is that where these attackers tended to strike was where business process outsourcing
Starting point is 00:38:01 organizations, enterprises, and telcos, in the case of like SMS two-factor authentication, they seem to exploit the seams between where those things join up, which is something that I found quite interesting. I found it interesting too. And, you know, I think about, you know, what was I doing when I was 16 or 17? And I certainly didn't study the interrelationships between multinational organizations and their workforce supply chain. So it was interesting to see how they had pieced together. You know, if you went after a particular business process outsourcer, you could then sort of chain exploit all of their customers. And in the case of telcos, they were going after the telcos in some cases
Starting point is 00:38:46 via the BPO, but going after the telco in order to do the SIM swap in order to attack the target downstream. So it was kind of multi-chained, which is super interesting and just sort of understanding kind of how all these pieces are fitting together. Yeah. I mean, the report makes it clear that they actually had a rather good understanding about how all of these business processes worked, which is, you know, I mean, it's smart. Yeah, they're smart. It struck me reading it, you know,
Starting point is 00:39:14 we've used the term like full, we've seen the term full spectrum cyber used, you know, in marketing materials for security companies over the years. And like, to me, like this with the lineage back through like the LulzSec crew, like this is what full spectrum kind of feels like to me. The willingness to do anything and to cross boundaries that, you know, as a security professional we've kind of been taught to ignore. Like, when I'm a pen tester by trade and you think, you know, we have enough
Starting point is 00:39:42 trouble coming with a scope that reflects the reality of threats in business environments anywhere, and then these kids are just so far beyond what we as a security industry are kind of prepared for. Like, do you think that the way we manage infosec risk is kind of ready for punk kids? Well, well, it's really interesting because I think about a lot of the nation state actors that we study. And believe it or not, many of them are professionalized. You know, they're not going to call up your local police department and have your house swatted. They may arrest you if you ever try to walk, you know, across the border to visit them. But I do think for that reason, a lot of people doing InfoSec at the moment, probably kind of think about the bad guys at a distance, you know, they're, they, you know, they're going to operate within these constraints that we assume. And we build these sort of
Starting point is 00:40:38 investigator biases around how they behave. So this was, I think, a huge wake up call, right? You had a set of threat actors who weren't afraid to have a public telegram channel, talk about their victims on Twitter, and, you know, just openly taunt their targeted organizations. And in some cases, that was the purpose, was just to taunt them.
Starting point is 00:41:00 Yeah, so I think it definitely... Full-spectrum assholes, I think, is what we call it. Yeah, chaotic evil. Your words, not mine. Now, look, look, definitely... Full spectrum assholes, I think is what we call this. Yeah, chaotic evil. Your words, not mine. Now, look, look, you know, the key takeaway, the big one out of the report is that enterprises should absolutely not rely in any way, shape or form
Starting point is 00:41:15 on SMS-based multi-factor authentication. It makes the point that, you know, code-based stuff and push-based stuff is of limited utility as well. It's better. So you've sort of laid out the spectrum of effectiveness for multi-factor authentication. At the worst end is SMS, and then you've got code generators push. And then, you know, at the good end, you've got FIDO2. I also will point out that a lot of the organizations that had more mature security
Starting point is 00:41:40 programs actually caught these things in the process, evicted the attackers, adapted. So there is some good news in the report as well. But that big takeaway is that SMS MFA has no place in the enterprise. Would you agree? Yeah. And I think really the target here is a passwordless world where, hey, look, you know, we've gotten people into MFA by using SMS because it's readily available. Mudge gave a talk about this just a couple weeks ago, talking about how many account hijackings we have prevented by rolling out MFA over SMS. And that's a good thing. But this is a milestone.
Starting point is 00:42:17 This is not the end goal. And what we found is we are now at the point in the ecosystem where we need to start moving beyond the milestone of SMS to the next milestone, which is FIDO. And even security keys or, you know, FIDO backed keys and protocols are probably also not a passwordless world. We have much more work to do, probably another decade of work to do. But what we wanted to do is really inspire the innovation part of the community to continue to study usability and continue to study the feasibility of what tech will look like when we no longer use string based passwords and you know, some form of factor. So yeah, time to get away from SMS, but also please keep innovating towards a passwordless
Starting point is 00:43:06 world. Previously, when people have taken aim at SMS MFA, right, in the case of like, you know, Facebook using it to secure accounts and whatever, people like Alex Damos will come out and say, look, you know, when you're trying to secure hundreds of millions, billions of accounts, you know, it's better than nothing. It stops cred stuffing. You know, it actually still has utility. I am sympathetic to
Starting point is 00:43:25 that argument. I'm just wondering if we should be less sympathetic to that argument now that we know what we know about how criminals have adapted to SMS MFA. Do we still think, I mean, you can't really argue that it's not better than nothing, right? Look, I think if you haven't implemented anything, you might just jump this milestone to the next one. You might not bother with SMS, you might just go straight to security keys. However, if you're walking this slow road towards a passwordless world, and SMS is as good as it gets for you today, I think you're right. I think it's a good choice. I would agree with Alex there. But you can't stop, right? I think you have to keep going down the road. Well, I think the issue more in the B2C stuff
Starting point is 00:44:06 is that consumers might not be able to use some of these newer solutions. They might not have a hardware key. They might not have a device that supports passkeys, for example, right? So I just get the sense that SMS is probably going to be around for a while longer and for low value accounts,
Starting point is 00:44:22 it's still going to be better than nothing. I think that's right. And I think the consumer hardware will improve. That will happen in some parts of the world faster than others. But the idea is that in 10 years, this is just the de facto standard and we have a much better solution across the whole ecosystem. Now, the board has made some recommendations in terms of what various US government agencies can do in terms of tightening up the SMS, you know, sorry, the SIM swapping stuff. You know, do you think it's likely that, you know, like the FCC or the FTC or whatever are going to actually act on the board's recommendations? And what is it that they can even do?
Starting point is 00:44:59 Well, interestingly, as we were writing the report, the FTC came out with some guidance, and you can read that. There's a nice little footnote in there referencing it. I think they are going to try to look at improving the kind of identity verification experience, for example, might be something they look at. I don't want to speak on behalf of them. But I think there is recognition that more needs to be done here. And we make lots of really detailed recommendations of examples of things you can do to kind of better identify people who need a SIM swap. There are legitimate reasons to do this. But when you cannot identify yourself reliably, we do need to put some friction in there to make sure that you're not a bad guy trying to do it.
Starting point is 00:45:48 So I do have hope. I think there's general ecosystem recognition. We'll see what the path to getting there is. Yeah, now, look, as I said earlier, everyone should go read this report. I think it's a really excellent write-up of, you know, like what these people can do to you. And there's a bunch of interesting stuff in there beyond social engineering. They did not do trash hacking.
Starting point is 00:46:12 They were using bring your own vulnerable drivers to disable EDR and whatever, which is just proof that unless you're configuring and monitoring your EDR correctly, it is useless. And this is why. But we will wrap it up there. But Adam, I believe before we go, you had one last question. Yeah. Do you feel like in the process of the investigation, you got the sense that the telcos finally understand their role in the identity ecosystem? Or is that a thing that's still just, they don't really get their responsibility? Yeah, we were really lucky. We had kind of great conversations with actually people from all over. I think for telcos, you know, if you've ever had to go through that experience of moving your phone service, either between providers or between phones, if you are experiencing friction in that process, the user journey of that needs to be smooth. And I think that they're balancing some business risks. And, you know, I think we should recognize that.
Starting point is 00:47:08 But I do think there are solutions to this and I'm hopeful. Okay, well, that seems a nice and fluffy place to leave it, Heather Adkins. Thank you so much for joining us. Thank you for having me. And Adam, thanks a lot, as always, for doing the week's news
Starting point is 00:47:22 and we'll do it all again next week. Yeah, most welcome, Pat. I'll talk to you then. That was Adam Boileau there with a check of the week's security news alongside Google's Heather Adkins. It is time for this week's sponsor interview now with HD Moore, the co-founder of RunZero. RunZero is an asset discovery tool that
Starting point is 00:47:45 works really, really, really well. It has a network scanning component, but you can also feed it data from various APIs and integrations. But long story short, it gives you incredible visibility into the devices and software in your environment, and it's extremely easy to set up. And now RunZero has been around for a while, the clearest use cases are emerging. And a big one, according to HD, is rapid response to these big threats in your org, like file transfer appliances that turn out to have horrible CVEs, crappy border devices like Fortinets. Being able to rapidly find those things and deal with them is something that people are definitely using RunZero for. Here's HD. So most customers who use RunZero
Starting point is 00:48:25 use this as the very first step to respond to a new risk, a new incident, a new exposure. When you're looking at something like the MOVEit vulnerabilities, the Citrix vulnerabilities, even like the older like Exchange ProxyShell bugs, those are all issues that you can't really scan for. Your typical scan and patch process or software inventory isn't really going to work very well because those particular installations may be on a system that's not part of your endpoint management. They may not be covered by your vulnerability management, maybe in a separate environment, except ADU, a subsidiary. And what it really takes to be able to find that stuff quickly is having an inventory of all of your external and internal facing applications and assets
Starting point is 00:49:00 that you can search pretty much instantaneously to get ahead of these issues. It was amazing to see how quickly it went from MOVEit being mentioned on your show to turning into effectively this massive nationwide breach event, effectively, as we watched multiple businesses, government agencies, all slowly reporting all the data loss that they've heard because of their MOVEit exposures. So we really try to help customers identify where their technology exists, where their
Starting point is 00:49:28 products exist, and be able to respond instantaneously to events like this. Yeah. I mean, one thing I wonder too is there are other ways to do quick and dirty discovery of certain things, particularly externally facing things. I think this is, what's amazing to me is it strikes me as a bit of a lost art, right? When you look at some of this stuff, like your FortiGates, your Moveits and whatever, like anyone armed with Nmap and a little bit of knowledge should be able to find that stuff on the perimeter. Why do you think it is people aren't doing that? Do you think that is a bit of a lost art, the art of doing your
Starting point is 00:50:00 own discovery with something like a port scanner and Telnet or Netcat. Do you think that's a bit of a lost art? Oh, definitely. There's so few people who are doing any kind of new work in the scanning space these days. If you look at the nmap case, you can go pretty far with nmap. If the built-in scripts don't cover the type of application you're looking for, you can quickly add one. Look for the title of the web page, look for the favicon of the body. Some of their indicator that
Starting point is 00:50:26 that application is installed. You got to know what criteria to go look for, then go build the script and run the scan. For things like a lot of the FortiGates and other applications where they're exposing a web interface, you have to, oftentimes there's a TLS handshake, there's maybe a read your ad, give me, you have to get a cookie first, send the cookie back, and then
Starting point is 00:50:42 end up at the right page before you can really detect which version or which landing page you're on. But you're right. Like with a little bit of effort, folks really could be using off-the-shelf open source tools for this stuff. But those tools are often pretty good about telling you what a particular service is, but they don't really tell you what the device itself is. Like they could say, hey, we see this embed this web server, but they won't say, oh, it's
Starting point is 00:51:00 a FortiGate appliance. Yeah. And that's kind of the big gap right now out of at least the open source and the vulnerability management tools. No, I mean, I think you're right. Like it is different these days when you're having to do some sort of TLS handshake instead of just doing a straight banner grab,
Starting point is 00:51:12 which is how it was back in the sort of Nmap days, right? Yeah, in the case of IIS web servers and applications, they're even more annoying in that the default virtual host that you connect to, if you don't send SNI or the, um, you know, server name indicator header in your TLS connection, you'll get the default website. You want to get the real application, and so for those IIS-hosted applications you have to know what name to talk to in the first place just to be able to get any response with the application. Otherwise you
Starting point is 00:51:36 get the default IIS website. So scanning these days has gotten tricky. So you are getting people these days coming to you just to solve that use case. And it's really funny, right? Because this is pretty much the simplest thing that RunZero can do, right? Like you've built this absolutely sophisticated space shuttle and people are basically using your space shuttle to take it to the shops to buy a bottle of milk is what you're telling me. It's true. We have lots of other use cases too, but the thing that I think we're most excited about helping customers with is that 30 minute later response of now you know where all that stuff is that you're worried about. And then we do a million other things too like tracking asset ownership, integrating their cloud stuff, telling you where your
Starting point is 00:52:14 endpoint protection is, what type of security controls you have in place for a given asset. We can tell you, is this a device that you've been covering with your vuln scanning? Is it a device that you have an endpoint agent on at all? Is it running some totally unauthorized crap you've never seen before? So we really try to help folks get a lot more context around who owns an asset, how long it has been there, how has it been changing over time? Anything we can do to tell you basically who to phone to basically take that device offline, otherwise mitigate it. Yeah. I mean, one thing I find really interesting about asset discovery these days is its applications in vuln management.
Starting point is 00:52:48 But it is, you know, as much as it's related, it's not the same thing. And I just do wonder how much guidance do you push out through the console in your product to people to tell them what they should be looking for, right? Because when you think about stuff like MOVEit, I mean, you know, people listening to my show,
Starting point is 00:53:04 people who are up on the news, they're going to know that this is something they need to look for. But that's not going to be the case at every enterprise. Do you find that you need to give people a prompt or do an automatic query for them and spit out an alert saying, hey, this is something you really need to take care of? Or do you just leave it completely under the control of the customer? Yeah, there's a really wide range of that. You know, any large security team is typically going to be listening to your show, keeping up with the news, generally seeing the noise and interwebs, talking about some new exploit going around.
Starting point is 00:53:34 But then there's a long tail of everybody else. And as you kind of move down to like SMB, mid-market, kind of the smaller companies that don't have dedicated security teams, they're really expecting you to push that to them. So we create our kind of workflow for it is we start off doing a little bit of research for us, like how do we find this thing? What port is it on? Do we already detect it? Do we already basically have a fingerprint for it we can quickly give to customers? And then there's really two phases. The first phase is if there's a way that you can search within the Run Zero inventory to find it already without having to create a specific fingerprint for it, get that out first. Create a query, push it out to all the customers, put a blog post out there for it, say, here's how you can find
Starting point is 00:54:07 all that stuff this second. In cases where that particular method is slow or inefficient, what we'll do is go create a separate fingerprint specifically for that product, push that out, and then as folks are running their daily hourly scans, it'll be a much faster way to fingerprint whatever that particular thing is. So good examples there are like, we can identify Moveit by default on day one, but we can tell you the exact version of Moveit on day two, day three. Yeah. Yeah. So I'm curious, what sort of companies run Moveit, run FortiGates and whatever, and don't necessarily know that they're running them? You know, is that a category of organization that exists? Absolutely.
Starting point is 00:54:47 We worked with quite a few customers who were responding to both, you know, 40-git firewalls being exposed and the move-it exposures. And half the time we were telling them, hey, you've got a move-it instance, and half the time they were asking for help on us saying, hey, how do we find the rest of them? So it was definitely a wide range out there. But for move-it in particular, it was really surprising to see how popular it was within small government. So municipal, state, regional, we didn't see a ton of federal for it, but you definitely see a lot of the smaller government agencies using the software.
Starting point is 00:55:17 Now, you mentioned that people were trying to hunt down their Fortinet gear. I'm curious about this because Adam and I have spoken at length about how this is a real pickle because you can't really fix that stuff, you know? So what are they doing when they find it? That's a great question. One of the customers we reached out to about the FortiGate SLDBN, they've actually just blocked the port. They said, we're going to take the thing offline or we're going to put a filter in front of it on the fire, on that either router or firewall saying you can't talk to SLDBN port at all until they are able to get ahead of it. And for... So block until patch. But I mean, like we know that these things,
Starting point is 00:55:48 there's going to be another bug like, you know, next week, right? So is that what they're just doing? Is they're pulling it offline, suspending access to the VPN, patching, opening it up, waiting for the next one? What we saw in a lot of cases,
Starting point is 00:56:00 especially with MOVEit, is that folks would create IP ACLs for the one or two customers that had to use it during that time period, and they work on replacing it with something else going forward because they realize like, hey, this thing is this bad, it's not going to get better quick. So, you know, I can't speak particularly for Fortinet, but there's a lot of equipment out there where, you know, the first time you find the first vulnerability, you realize that you'll see one a month going forward for the next year until they really get on top of it. Yeah, yeah, yeah. So look,
Starting point is 00:56:22 another thing that you've been doing lately is a big push into ICS. It's interesting because you've figured out a way to safely scan ICS environments actively by understanding the way these things, by the way their protocols work, right? And often it's UDP-based stuff. You've figured out how to scan them carefully in a way that doesn't push them over.
Starting point is 00:56:43 That said, there will still be customers who do not want you to do active scanning of an ICS environment. And in that case, you can plug into some span ports and do it passively. So you have built a passive capability into the product. What I was going to ask is like, you know, how popular is this proving to be? Because I know, you know, I'm an advisor with RunZero. I know this is something you've worked on for a couple of years now, right? Is really trying to make this thing useful to ICS. You've done that now.
Starting point is 00:57:05 What's the reception been like? We've got a, it's pretty much two camps. It's very polarized. You've got folks who, you know, operate in a routine environment and they just scan it with runs around day one and everything's fine. Everything goes about the business.
Starting point is 00:57:18 You've got other folks who are terrified of running any scans at all and it's just hoop jumping all the way. And it could be that the team that we're working with is, you know, totally fine uh running a scan or at least scanning the management devices if not the actual you know plc's controllers uh but scanning like you know the windows hmis things like that uh and then it's the networking team within the ot department that says no you can't do that or we're just going to block it entirely so we have a lot
Starting point is 00:57:39 of customers where um they're fighting they're fighting their own teams a lot yeah there's a lot of that um there's a huge turf wars between the ot networking teams the ot admins and the it and security teams um that's one of the reasons we built the the passive sampling solution is that if you don't want to trust our scanner you can now just plug in the top board pipe packets into it and you can use any existing explorer installation as a passive capture broadcast monitoring point i know so you don't have to have a spam port but if you do great you can also any existing Explorer installation as a passive capture broadcast monitoring point. So you don't have to have a spam port, but if you do, great. You can also pipe traffic to it through ERSpan, GRE, VXLand, Q&Q, any kind of tagging and encapsulation that you typically see for passive detection tools. You can pipe directly into the Run0 Explorer now and get a lot more
Starting point is 00:58:19 information. What is really funny though is in the last six months, we've seen a huge push by OT vendors to now add scanning capabilities. After these vendors have been telling folks, no, you can't do it safely for years, they finally realized, oh, they do can. And as long as you speak the right protocols and don't trip over things and are careful about it, it's a great way to figure out what's in your environment. So what, they're making their own? Yeah, it's been fun to see what they call it. I mean, I'm sure they know what they're doing. These folks work in the space a lot.
Starting point is 00:58:44 They probably know what protocol they're speaking. They're emulating the management tools for the OT protocols themselves. So they'll use the same Modbus queries that the HMI workstation will to monitor the same equipment. Which is why it runs here in the day one. We just speak the same protocols that you expect to see in the network, but the OT vendors start to realize that this is actually something you can do. And the data is so much more better than passive. We still run side-by-side scan versus passive across most environments to get a sense for how well it's working. And what we see is that passive, of course, only sees data that happens to occur. So if nothing's talking to your device, you get no data for it. If the only thing
Starting point is 00:59:16 it's doing is beaking out DNS, that's about all you can pull off the device. And it's such a limited resource that some of the OT inventory solutions require 24 hours before they'll give you a list of any devices from when you start capturing data. Well, and you're just not going to see, there's some stuff you just won't see because it's never going to beacon out, right? Like, whereas when you're doing active, especially with something like OT, OT, very simple devices often, you know, you need to go active to find them. But I guess my question was really more about like, you know, you've built this product now, like what's the demand like?
Starting point is 00:59:48 Because I find that the ICS market is a weird one because people will build a thing for ICS and OT, right? And then no one buys it because it's just such a fundamentally different part of the market. You know, what's the reception been like commercially? We don't sell a lot to OT specific. We do sell a lot to security teams that handle OT and IT together.
Starting point is 01:00:10 And so, you know, the OT folks are coming to us saying, you're the best OT solution in town. We're going to use you because they don't know where we are. But if you have a security team that has a remit of, we need to lock down ports, we need to disable telnet, we need to turn off SDP, like just really basic stuff. And they can't use a vuln scanner on it because it'll kill all their gear. Then they look at us as a way to get that visibility and start improving the security.
Starting point is 01:00:29 All right, H.D. Moore, thank you so much for joining us to give us an update on all things Run Zero. Always very interesting. Cheers. Thanks, Matt. Appreciate your time. That was H.D. Moore there with a chat about all things Run Zero. And you can find them at runzero.com. And that is it for this week's show. I do hope you enjoyed it. I'll be back tomorrow with another edition of the Seriously Risky Business podcast
Starting point is 01:00:48 in the Risky Business News RSS feed. But until then, I've been Patrick Gray. Thanks for listening. Thank you.
