Risky Business - Risky Business #721 -- Why Storm-0558's Microsoft hack should have failed
Episode Date: September 12, 2023

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover:
How Storm-0558 stole Microsoft's signing key
Cisco 0day being used by ransomware crews
We were right about Elon stumbling into the Ukraine war
Someone's amazing image library 0day just got crushed
Much, much more!

This week's show is brought to you by Nucleus Security. Co-founder Scott Kuffer is this week's sponsor guest.
Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Show notes
Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center
Microsoft reveals how hackers stole its email signing key… kind of | TechCrunch
Kevin Beaumont: "One extra thing to highlight -…" - Cyberplace
Preventing Authentication Bypass: A Tale of Two Researchers - YouTube
BEC phishing kit hits thousands of Microsoft 365 business accounts | Cybersecurity Dive
Microsoft Teams phishing attack pushes DarkGate malware
CISA warns of attacks using Microsoft Word, Adobe bugs
New Emergency Chrome Security Update After Critical iOS 16.6.1 Release
Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks
Cisco security appliance 0-day is under attack by ransomware crooks | Ars Technica
Cisco BroadWorks vulnerability snags highest CVSS score | Cybersecurity Dive
High-profile CVEs turn up in vulnerability exploit sales | Cybersecurity Dive
MGM Resorts takes systems offline following cyberattack
Save the Children International hit with cyberattack, but says operations weren't impacted
Sri Lankan government loses months of data following ransomware attack
Risky Biz News: US and UK dox and sanction 11 more Trickbot/Conti members. Charges included too.
Opinion | The untold story of Elon Musk's support for Ukraine - The Washington Post
Elon Musk on X: SpaceX unveils Starshield, a military variation of Starlink satellites
China-Linked Hackers Breached a Power Grid—Again | WIRED
Just waiting for a mate - YouTube
North Korea-backed hackers target security researchers with 0-day | Ars Technica
Cars are collecting data on par with Big Tech, watchdog report finds
Crypto Town Hall on X: "Crypto Kingpin's Downfall: 11,196 Years Behind Bars! https://t.co/1RCNJ8um4c" / X
Transcript
Hi everyone and welcome to Risky Business. My name is Patrick Gray. We'll be getting into the news in just a minute with Adam Boileau and then we're going to hear from this week's sponsor, Nucleus Security.
Nucleus makes a vulnerability management platform and its co-founder Scott Kuffer will join us in this week's sponsored interview to talk about, I guess, just how much things have changed in vuln management lately. Like these days, vuln management is a discipline that's all about prioritization and actually knowing your environment.
And I guess people would say that that's what vulnerability management has been about for a while.
But I'm kind of going to argue that the difference is these days, we actually have the tools to do that instead of just doing PowerPoint slides where we talk about it in aspirational terms.
So that interview is coming up after this week's news segment with Adam Boileau, which starts now.
And Adam, obviously the big news of the last week is that Microsoft came out and actually explained how the mysterious Storm-0558 key was acquired.
For those of you who don't remember, when a bunch of State Department and other US government O365 mailboxes got popped, it turned out that a threat actor, Chinese intelligence, had obtained a consumer account signing key from Microsoft somehow. And it was all very mysterious.
And they were using this key to mint access tokens into corporate accounts, which it shouldn't have been able to do, and blah, blah, blah, blah, blah, blah, blah. Microsoft has finally given us a post-mortem where they've disclosed how they think the attacker got the key. And look, it's a doozy. Like, what an attack.
Yeah, this is a hell of an attack. And, you know, I know we were both kind of mad at Microsoft when the news first broke about this particular attack, like, how could they be so sloppy? And now when you see the amount of hoops that the attackers had to jump through, I'm a little more impressed with both Microsoft and the Chinese hackers in question.
So the attack goes that they broke, the Chinese broke into some Microsoft engineer's computer through mechanisms unknown, but they got to the point where they had access tokens into Microsoft's corporate environment.
Well, we do actually have a bit of information on that mechanism
thanks to TechCrunch.
I think it was Zack Whittaker actually asked them,
well, how did that employee's account get compromised?
And the answer from Microsoft was malware.
So there was some sort of access token stealing malware
on a device used by an engineer.
Yes.
So then they took that corporate network access and found, like, Microsoft has an area of the network where they store, like, where they do debugging, like where they get crash dumps and other, you know, things that have gone wrong in production, and, you know, people can pull them apart and work on them there.
So it turns out back in 2021, one of the Microsoft, like, production identity services crashed, dropped the crash dump in the very well segmented Microsoft production network, which then eventually found its way across into the debugging environment. Now, there's a bunch of steps that normally would have sanitized that, you know, crash dump to remove key material.
And through a number of these things combined going wrong, they ended up with live keymat in the crash dump in the debugging environment.
Which is accessible from the corp network.
Which is accessible from the corporate network.
And then the attackers either figured this out or got lucky. We don't really know how much luck was involved in this process, because Microsoft described the circumstances where the crash dump got caused, and they had key material in it, as a race condition. And we don't know whether, which made me wonder, and we talked about this the other day, just in Slack, it made me wonder whether they're trying to imply that the attacker actually triggered the crash and forced the keymat into a crash dump, which would be just, like, next level, very cool.
That would be. I think maybe the timing doesn't necessarily support that, unless it's a very, very long game. But it's still, you know, we don't know the exact scenarios that went through where key material gets into the crash dump. But either way, crash dump with keymat ends up on the low side of the network and the attackers found it. And we don't know kind of how much knowledge was required to do so, like, how deep did the Chinese have to be inside Microsoft to understand that that had happened, to find it and get it out. Microsoft says they don't have logs of the dump being exfilled, so they don't know exactly how it got out.
But the point is, the Chinese found it, found the keymat, and then at some point figured they could use that to sign access tokens for consumer accounts. And that then also worked against some or all APIs in the enterprise environment.
So there's a number of aspects there where that's gone wrong.
Like, the key in question had actually expired in, I think, 2021.
Yeah, but it was normally the sort of thing that your crypto libraries should, you know, they shouldn't allow you to validate with an expired key. I mean, I don't think I'm saying anything terribly controversial by saying that, you know.
No, not so much.
So, like, the Chinese had to understand that they, despite its expiration, that they could sign new tokens with it. And then through another kind of set of snafus where Microsoft failed to check if a token for the corporate side, for the enterprise Outlook, was being signed by keymat from the consumer side. And they've explained kind of how that happened. They had a shared code library where the documentation said it would check, but it didn't. And no one noticed and it ended up in prod.
So there's a lot of moving parts in this process.
And you have some, I mean, I have some sympathy for Microsoft in, like, this was a pretty, this was some sweet hacks by the Chinese. I mean, it was like reading through it, like, honestly what went into my head, and someone else mentioned this to me as well, that they had the same mental image, which was of some sort of Rube Goldberg device. Like, it was that sort of hack, just so many little things impacting other things and, like, such a weird way to get there. But they got there.
Yeah, which leads to a whole bunch of questions, like, you know, how could Microsoft screw up the, like, signing, validating the signing of auth tokens? Like, that's kind of one, you've got one job as an auth token and that is to be correctly signed and issued. And then there's the question of how much understanding did the Chinese need to have to be able to pull this off, and how far up in Microsoft are they to be able to have that knowledge and understanding?
Well, funnily enough, the Microsoft blog post here references how anyone with direct access to the production environment has, like, extensive background checks and whatnot, kind of implying that the same level of vetting isn't applied to people who work on the corp side. So I don't know whether they're hinting there might be some insider threat dimension to this or not. But yeah, I mean, certainly, yeah, someone definitely knows a lot about how this stuff works at Microsoft, right, to be able to pull this off.
Yes, exactly. And but one of the things that, when I was reading this write-up and I'm thinking, like, man, if I had pulled that hax off, like, I would be high-fiving and backslaps, you know, like, the whole office would be celebrating kind of thing. And then to only use it to get access to, like, State Department people's email kind of seems a waste of what a sweet hax this must be. Which, you know, that's my attacker, you know, attacker side thinking a little bit. I'm sad for the Chinese who lost this sweet technique. But yeah, like, it's a hell of a story overall.
And I'm glad that we're starting to see the specific details. And some of it's quite reassuring in a way. Like, the fact that it was this complicated and it was this much of a kind of stunt hacks makes me feel a little bit better about Microsoft's kind of position in it all.
That was my initial reaction. But then it's like, hang on, you're not validating key expiry for access tokens? You're using the wrong expired key to sign into this part. Like, you know, at that point, and talking with Tom Uren as well, he's looking at this in tomorrow's Seriously Risky Business newsletter. You know, he worked at ASD, which you would describe as a high security environment. And this whole thing has just made him rub his temples. And he's like, there's no way something like that in a genuine high security environment, you validate this stuff, you know, and this stuff is important, Microsoft, come on.
And, you know, I was thinking initially, why aren't they using HSMs? And I thought, you know, and, you know, again, you and I talked about that, and maybe that's just not realistic, given volumes and uptime concerns and stuff. But then I saw other people who know better than me on Twitter saying, well, you know, at least they should have some sort of root of trust in a HSM and then rotate their keys better or whatever and, you know, do better validation. And then I thought, well, okay, even if they were doing that, their validation was broken so it wouldn't have mattered anyway, and then that made me mad at Microsoft all over again.
Yes, I've also been on this roller coaster a bit reading about these various parts. And one of the things that made me mad at Microsoft again was, so Kevin Beaumont, GossiTheDog, he linked to a Black Hat presentation from 2019 where a pair of bug hunters from, like, HackerOne gave a talk about a bug that they found with Microsoft Outlook authentication. And in their case, they were looking at the, like, new Outlook user interface that was being presented to users. There were some new APIs in there. One of them would accept, you know, like, an unsigned JSON Web Token as part of its process and kind of auth onwards. And you could leverage, eventually leverage that into being able to make API calls as any email user within a specific Enterprise Outlook tenant. And then they used that process to compromise anybody's email at Hotmail and Outlook, the consumer services, because they shared the same auth system and the same kind of trust anchors and stuff. And that's another example of Microsoft blending consumer and enterprise services, because the public Hotmail and Outlook are just another tenant as far as they're concerned. And the fact that they could get auth services without checking the signatures at all on auth tokens into prod, like, that suggests a level of oversight is lacking because of the speed that, you know, cloud services have to move and so on and so forth.
This talk is three years old, we should probably...
Yes, yes, from 2019. So, and then this talk was actually a joint talk between the two bug hunters and a guy from Microsoft MSRC talking about the changes they were going to make to how they verify keys and the processes around them, blah, blah, blah, blah, which, you know, kind of a little bit on the nose at the moment.
Yeah. So that's four years old. There you go. And look, speaking of Kevin Beaumont, I mean, he was pushing the idea that this might be malicious insider quite early on. I'm still, look, to be honest, I'm still skeptical about, I think these days understanding this sort of stuff is very important if you're an attacker. So I think we shouldn't underestimate the amount of knowledge out there about how all of this is glued together, but I'm less skeptical than I was, let's put it that way. Mostly because of the language used in the Microsoft blog post. What's your gut feeling on that?
Like, it feels like a lot of understanding to have about gubbins that would be difficult to get if you weren't an insider or didn't have some degree of insider access. But Microsoft is a very big place, and being an insider at Microsoft, like, there's a lot of degrees of insider. Like, it's not like there's just one sort of user. So, you know, I would be surprised as an attacker if I had that much understanding of all of the moving parts and the gubbins of Microsoft without a degree of insider access. But they've also probably been in there as attackers for years and years and years, because why wouldn't you? So it's kind of hard.
Yeah, I'm on the fence as well.
Yeah, yeah.
What's funny too, if you read through the Microsoft blog post, it is written with pure rage. It is seething. Like, if you ever want to read a technical blog post that seethes, the phrase "this issue has been corrected", in brackets, appears one, two, three, four, five times in the blog post. This has been corrected. And then they did this. This has been corrected. And then they did this. This has been corrected. You know, through gritted teeth. But yeah, so I guess that's our discussion on that. But yeah, very interesting, right? Like, an interesting hack, not as stupid as we, like, it's, so is this as stupid as we were expecting or is it not? Like, it's certainly not the scenario I expected. I'm guessing not the one you expected either.
Yeah, I think it is less stupid than I expected, and I have more tolerance for Microsoft's, you know, vacillating about some of the details, because it is really complicated to unpack and they don't have all the evidence for every part of it. But on the other hand, keys are there so you can validate them in the correct context, and they didn't expire and something like that. That bit still makes us angry.
Yeah, that bit made, as I say, like, it was really Tom's reaction to that which really, you know, sort of snapped me out of it. Because initially I was like, oh, yeah, okay, Microsoft, we forgive you. And Tom's like, you what, mate? So I'm really looking forward to reading his write-up in the Seriously Risky Business newsletter tomorrow. Yeah, that'll be good, because Tom always does such a great job on this stuff.
Moving on, and but I guess staying with Microsoft stuff, there's some BEC phishing kit out there that is just smashing O365 business accounts. They've targeted 56,000 accounts, this crew, or threat actors using this particular tool have targeted 56,000 accounts and they've compromised 14% of them in a year. And I guess this is interesting because this is just a case where the release of a tool is really driving these campaigns.
Yeah, there's this group that makes hacking tools or has a marketplace for selling hacking tools called W3LL, and their particular tool for doing 365 phishing has been, like, it's a particularly well-engineered tool by the look of it, and a number of people have been renting it and using it to carry out campaigns against Microsoft stuff. And this, you know, set of tools and the marketplace it comes from, like, there's lots of, all of the components that you would need to weaponize attacks into 365, you know, all the various bits of the process are all there. And it seems, yeah, it has been very successful. And as you said, like, good quality tools lower the bar for attackers, and so of course we're going to see, you know, more widespread attacks and more successful ones.
Yeah, and it supports MFA pass-through and whatnot. So really at this point, you know, and it's something we've been saying regularly. I mean, a couple of years ago we'd say we think you should move to FIDO2, and now I would say you absolutely need to move to FIDO2 or some sort of equivalent to avoid these sort of things, because they're coming for you.
Yes, and the fact that the tools are sufficiently friendly and powerful that people can just buy them and chain them together increases the likelihood you're going to encounter them in the wild.
Yeah, I mean, talk to any CISO and they say, oh, my number one problem is spearphishing. And then, you know, there is a solution for this. It's called proper authentication.
Now we're going to talk about the DarkGate malware being spread via Microsoft Teams.
Now, I find this interesting because it tells us a few things, right? It tells us that the controls Microsoft has put in place to filter messages in Teams for things like malware and scams aren't good enough. But it also tells us that the controls that are in place on email are getting better. You know, Proofpoint's seen this, because, you know, people would know Proofpoint's a big sponsor. I talk to Ryan Kalember over there all the time. And, you know, you sort of see this when they crush crews being able to do this effectively on email. That's when they start moving to stuff like LinkedIn. And it seems like Teams at the moment is flavor of the month.
Yes, like, the tooling has got to the point where it's workable. There's actually, like, an open source Teams phishing tool that I think actually a US Navy guy wrote and released, and that's been picked up by a bunch of crime crews as the technical mechanism to deliver messages.
Yeah, this is another example of a tool driving the crime. And Catalin and I, well, Catalin, all three of us were talking this morning and he just said as soon as this thing got open sourced, everybody started using it.
Yeah, exactly right. Good tools, especially for less sophisticated attackers that aren't building their own, they're a godsend and can absolutely change the kind of likelihood metrics in their favor.
So anyway, Teams has a mechanism where you can message users from other external organizations to kind of facilitate collaboration between people. And if that is enabled for your enterprise, then you can receive messages from people outside your org, and the user interface is, like, it makes some attempt to remind you that you are dealing with an external person. But it's like, Teams is such a chaotic, like, the UI is such a mess already. People are already so used to having to ignore half of the Teams UI because it's so overwrought.
And it's not just Teams, like, having to ignore those messages. Like, we use Workspace, and every time I try to schedule a meeting with someone who isn't from a risky.biz domain, it throws warnings at me. Or try to share a file or whatever with someone outside of the risky.biz domain, which is like four or five people, and it's like, this person's outside of your workplace.
Yeah, there's a degree of, you know, like, warning fatigue, I guess.
Absolutely, yeah, if your regular workflow involves sharing with outside people anyway. Point is, Teams is a complicated new set of attack surface, both technically and socially, and people are leveraging this to, you know, deliver pretty common garden malware through, you know, like, zip files with links to PDFs in them, you know, via Teams Messenger. So old payload.
And my point is, try squeezing that through, like, Proofpoint these days or any of the major mail providers, like, forget it.
Yeah, yeah. So as we've improved mail security, you know, the attackers have just moved to a different medium that doesn't have the, you know, 20 years of experience with bad emails that we have, you know, in email.
Yeah, but I mean, you would think Microsoft would have some people who could, you know, make a ding on this. I don't know. So I think it's a case that the email providers have got good, but Microsoft has been, yeah, just maybe a bit lazy when it comes to dealing with this threat on Teams.
Yeah, and I think Teams is moving real quick, just like every other cloud thing. There's so much pressure to compete with Slack and Google Workspace and whatever else that features and so on are the priority, more than learning the lessons of the last 20 years and then implementing them sanely in a new messaging platform. And I'm sure if Lotus Notes had won that war, you know, we would be seeing people doing these kinds of things through Lotus Notes as well. So it's, you know, attackers go where the users and where the eyeballs are. And, you know, it shouldn't be a surprise to anyone, including Microsoft.
Now, it's been a 0daypalooza this week, Adam. A bit of a time warp 0daypalooza, because we've got CISA warning about 0day attacks in the wild using bugs in Microsoft Word and Adobe Reader. So I'm like, wow.
Old school.
Old school. But then there's been this interesting thing. So there's been some 0days used in a campaign called, what was it, Blast something?
BLASTPASS.
BLASTPASS, right?
So this led to an iOS update. So Citizen Lab and some others pulled apart some campaign and found that people were using these bugs in iOS to, what was it, to install Pegasus, right? It was Pegasus.
Yes.
So, yeah, the NSO bugs. So Apple fixed the bugs and we think, okay, that's that. But then more recently, just like in the last, I think in the last day, Mozilla and Google have both fixed bugs in Firefox and Chrome, and the bug is, it's the same CVE, which affects an image processing library or an image handling library. And so now you go back and read the iOS advisory and it says, it doesn't specify the library but says it's in image processing. So it looks like the bug they were using worked on Chrome, Firefox, Safari and just absolutely everything. So someone's absolutely legendary, you know, image processing bug has just got squashed. Pour one out.
Yes, I think in the case of Chrome and Firefox, they linked it through to libwebp, the processing for the WebP image format, which when Apple said, like, we fixed a bug in their general image processing library, seems pretty reasonably likely that it's WebP processing in all cases.
Yeah, and the reporting chain too, like, Mozilla and Chrome also thanked Citizen Lab and whatever, and it was like a day after the Apple one. So you've got to think that this is the same bug.
Yeah, it feels like the same bug. And I guess if it's because of the shared WebKit heritage of all of them, that's certainly a point in the column of people who've been arguing that WebKit has become a monoculture and is a bit of a liability for the ecosystem as a whole, given we only have one browser engine now.
Well, not really, though, because I think one of them, is it Chrome that got off WebKit? I don't know. It's changed. It's not all WebKit anymore. It might be begat from WebKit.
Yes, the lineage is into WebKit, and we're in a third-party library that's shared by all of the WebKits.
Yeah, but that's not the normal case when we're seeing browser bugs these days. The reason we're talking about this is because it's unusual.
Yes, and I guess the interesting thing is going to be, are we going to see a Microsoft Edge patch?
Yeah.
I wonder if they have WebP processing in their WebKit-derived world as well. We haven't seen anything from Opera or Vivaldi or any of the other WebKit friends. But yeah, it's interesting to see a bug that's so broadly applicable. And I guess, yeah, whoever, NSO Group, found that one is, as you say, probably pouring one out, because that's a good bug.
Now, did you ever watch Futurama?
A little bit, yeah.
Yeah, do you remember when the old guy, I can't even remember his name, when he had terrible news he'd come into the room and he'd say, good news, everyone. So that's a great way to introduce this next item. Good news, everyone. Some ransomware crew is owning people with Cisco 0day.
Yes, we've seen crews using a bug in Cisco ASA firewalls and its Firepower Threat Defense. I guess also a firewall-y sort of thing.
Well, it defends against threats, like ransomware crews.
Well, it's a little bit awkward for everybody involved when you're getting wrecked by your security appliance. This is actually, it's more interesting than the average Cisco bug. Like, whoever found this, like, it's interesting work. It's a bug in their authentication system where you can, like, confuse it about whether it's authing to the local user database on the device or the, like, RADIUS, you know, network-backed auth into corporate, such that essentially you can brute force local device creds, bypassing the rate limit, which is the guts of the bug, and then kind of leverage the mixed auth subsystem between the VPN access, remote access part for users, and the local admin access to the device. So if a local user, device, has a crappy password and you can guess it, then you can kind of auth to the corp without having a password or MFA.
This is the sort of thing you do to something that was well-designed, but well-designed 15 years ago.
Yes, that's exactly, in a nutshell, that is it. So anyway, net result of all of this is you can brute force remote VPN access to a corporate through a Cisco device that's designed to stop exactly that, and then ransomware them and so on.
So good job.
Yeah.
Staying with Cisco. More good news, everyone. Tell me about this BroadWorks bug, which is a perfect... I always, you know, every time I see a CVSS 10, I imagine people, like, judging diving or gymnastics and holding up the little cards.
Yes, it's three people holding up little tens on cards here.
Tell us about this bug, because this one sounds, like, awful.
So Cisco BroadWorks is, they're, like, part of their communication suite. So it's kind of internet-facing internet telephony and messaging kind of thing. It's not necessarily their most popular product in that market, but it's one of the ones that they bought. Anyway, there is a bug in the SSO integration, so essentially I think you can just, like, make up your own auth tokens and log in without auth, which for an internet-facing device that then is connected into corp, once again, going to be a bad time.
Now, a couple of ransomware attacks just to talk through, because they're sort of bookends in a way. Save the Children has been ransomwared, because these guys just continue to plumb new depths. And also MGM Resorts, including casinos, its casinos have been ransomwared and, like, the slot machines are down. You know, it's turning into a Lord of the Flies situation, I'm imagining, at MGM Resorts at the moment, as people can no longer sign for drinks and have to resort to primitive, you know, techniques like paying with cash to actually order their cocktails. Yeah, so look, that one's getting a lot more headlines than the Save the Children one, because I guess ransomware people being amoral shitheads isn't news, but inflicting this sort of loss on a casino is just, you know, it's a tantalising headline, isn't it?
It certainly is. And MGM is not a small operation either, right? I mean, they own or operate like a dozen big hotels in Vegas, you know, like the Mandalay and Bellagio and so on. And so, yeah, a lot of rich people sitting around not able to get into their rooms because the electronic key card system is off, and they can't gamble and they can't drink. You know, that's, you know, hellfire and damnation. And it looks like they got owned pretty good, because their website's down. Like, it's just redirecting to some sort of placeholder saying, oh, we're having a bit of an incident at the moment. It's like, yeah, no shit.
And I mean, the fact that you've got these social media posts of, like, all of the slot machines down, can you imagine what that's costing them right now?
Yeah, that must be quite a lot. I mean, they have what, like 30,000, 35,000-ish beds a night occupied in Vegas. And that's a lot of gambling that they are missing out on.
And I guess the other one of note this week is that the Sri Lankan government lost a bunch of email, like, lost four months' worth of email, because there was a ransomware attack and they weren't able to restore all of the email, so it's just gone.
Yeah, there are some suggestions that it was their on-prem Exchange that got hacked, presumably through not being patched.
Well, presumably by being on-prem Exchange, I guess, is all you need to say there.
That too, yes. But yeah, they did not have backups and they lost something like four months' worth of email for 5,000 government users. So that's not an ideal service level for an email provider.
Now, the Justice Department in the United States
has charged 11 Russians in absentia
for being connected to Conti and TrickBot.
What's interesting about this, though,
there's sanctions against them as well, right?
So those two announcements came together. So there's sanctions against them as well, right? So those two announcements came together.
So there's sanctions from the Brits and the US Treasury Department
and also charges from DOJ.
What's interesting, though, is that the announcements of these actions
have kind of spelled out a little bit more
how Conti and Trickbot operators are cosy with Russian intelligence,
which is interesting because, you know, we even
had that interview with Andrew Boyd from CIA a while back, and I loved his description of the
relationship between Russian intelligence and the criminal world as being a dotted line.
And this just sort of fills in more of a blank, fills in some of the blanks on what that dotted
line looks like.
Yeah, we've often talked about some of those links, and some of them are, like, shared people, some of them are, you know, more financial, you know, where they're getting paid and they're actually operating together. But all of the links were tenuous, I guess, and even still look tenuous. Like, they're receiving tasking from them, but why? Is it just because they're nationalists? What's in it for them? And it's, like, really not clear. But at least we've at least got, you know, the Brits coming out and saying, you know, they are taking tasking from Russian intelligence.
Yes. NBC News says that they emailed Russia's Ministry of Foreign Affairs but did not get a response. So, yeah, massive surprise there. I suppose it beats a poop emoji.
Yes.
Oh, now, speaking of Elon Musk.
Nice.
Nice segue.
So this is interesting, actually, because, you know,
very early on people would remember that when Elon Musk first suggested sending Starlink stuff into Ukraine,
we were like, well, this seems like the Ukrainians
are going to use it for military purposes.
Does he know what he's doing?
And now we've got excerpts from an upcoming biography on Elon Musk being,
being published all over the place.
The book is being written by Walter Isaacson,
who was there when all this was happening.
And it turns out like what was going on with Musk at that time was pretty much
what we speculated would be happening.
I actually went back to a podcast we published in March last year
to cobble together what we actually said at the time
when it was clear that Starlink was first being shipped into Ukraine.
Here's what I said.
Speaking of SATCOM, Elon Musk being Elon Musk,
when this war kicked off in Ukraine,
said, hey, I'm going to send a whole bunch of Starlink terminals to Ukraine.
And his thinking is so that the information can be free, man,
so that they can still get on the internet
and tell the world what's happening next minute.
These Starlink terminals that have been sent into Ukraine
are being used by Ukrainian drone operators.
Russian officials are apoplectic.
This makes Starlink absolutely a military target.
Well, you do get the impression Musk just didn't think this through, right?
Because he's thinking it's one thing and very quickly it's the other thing.
And that's Elon going to Elon.
So that's what we said about it in March.
And now these excerpts have come out.
And it's basically Elon saying, you know, to his biographer, how did I wind up in this war? This wasn't what this was supposed to be about, you know, and whatnot. So it just turns out we called that right. He just didn't know what he was doing.
Yeah, yeah, I think we nailed that one pretty much on the head, and it has painted a target on SpaceX. And just before we recorded there, there was some news of an outage for Starlink,
which they'd withdrawn all their routes by BGP, et cetera,
which lasted about half an hour.
No idea if that's related or not.
Well, last time this happened,
it was literally an expiring certificate somewhere.
Well, yes, yes.
There's been many reasons why a network operator
might not be able to carry packets.
But yeah, it's a good reminder that this stuff has a reach
that I don't think even Elon really understood at the time.
And the solutions of those problems for SpaceX as a company
and for everyone else who's trying to figure out,
like if you're Ukrainians,
trying to figure out how to rely on something
where one guy can just, you know, make your comms go away on a whim because, yeah, you know, he's having a bad day on Twitter.
Now, it's been an interesting week with this whole story, because there was a report that wasn't quite correct from the biographer that said that Elon turned off Starlink access around Crimea in the middle of a Ukrainian operation targeting Russia's
naval assets in Crimea. And he came out and he said, and I believe him too, he came out and said,
no, we just didn't enable service around Crimea. And then the Ukrainians came and said, turn it on.
And we said, no. And he's been getting a lot of flack for that. I don't think it's entirely fair.
I don't think he is obligated to make himself a priority military target. He didn't really sign up for this. I mean,
people would have heard me say this previously, that it's not really why he sent this stuff there,
and he definitely bit off more than he could chew. But this Crimea stuff just turned into a huge
issue. But thanks to him engaging with the criticism and whatnot, we actually got to learn something new. So December last year he announced, or SpaceX announced, that they were building a different satellite internet, or satellite IP, network that was going to be called, that is going to be called, Starshield. And the idea is that's the one that's going to be used for Defense Department purposes and, you know, military and whatnot. The bit of new information that we've got, though, is from a tweet from, when's this, this is from September 9, Australia time. So he tweeted that SpaceX is building Starshield for the US government, which is similar to but much smaller than Starlink,
as it will not have to handle millions of users.
Now, here's the interesting bit.
That system will be owned and controlled by the US government.
When they announced Starshield,
it was going to be for militaries and governments,
but now he's actually saying the US government is going to own it.
I found that very interesting, and it's amazing
no one seems to have noticed that he said that.
Yeah, like that's a pretty interesting nuance
because when they originally were announcing Starshield,
it sounded like a network,
maybe even on top of existing infrastructure,
like it's a virtual network thing.
Because they were saying like,
it's going to be managed and operated by SpaceX
on behalf of government users.
And maybe there'll be some overlay cryptography
or some other controls and things.
But actually having dedicated satellite infrastructure physically owned by a government, and presumably with a whole bunch of different controls around keying and network access and management and so on, like, that does kind of put it at arm's length, right? I mean, at that point you're saying, well, I mean, there's plenty of satellite operators that sell satellites to government entities.
There's plenty of rockets that launch satellites
for other entities.
There's a degree of distance in that relationship,
which, as you say, maybe makes the targeting
a little less priority and a little more,
you know, this is a nation state doing nation state stuff
that happens to just buy equipment from a vendor,
much like the rest of the defense industrial base.
Yeah.
But it's just funny how we've sort of speed run the concept of like defense
contractors in a year and a half.
You know,
like we do love doing that in the tech industry.
We think we're going to,
you know,
change the world.
And then we speed run financial regulations.
You could use it for Netflix and artillery correction.
Not really,
bro.
You know,
that's the thing, not so much. So, look, they're all going to work it out. And meanwhile, look, you know, Starlink has proved to be vital to the Ukrainians. There was a time where it got a little bit dicey, but they've worked through it. I feel like Starlink has got to a reasonable point of compromise now, where when they take new territory, they can contact Starlink. They have dedicated contacts
there and say, okay, please adjust the geofence. And they do. And I think it's reasonable. I mean,
look, one thing where I think Elon's telling porkies is he's saying he didn't allow the
Ukrainians coverage over Crimea because he was worried it was going to start a nuclear war.
I think that's bullshit. I think the reason he didn't enable it is because he was going to make
Starlink a, you know, very much a priority target for the Russians. So I think he's doing as much,
or, you know, SpaceX is doing as much as it can to help the Ukrainians without turning
their board of directors into Novichok targets. You know, I think that's really the line they're trying to walk.
And when you put it like that, you know,
I think they've found a reasonable compromise.
Yeah, yeah, I think so.
Because, like, there is still a difference
between we're a civilian service that's being used
and we are actively, you know, kind of supporting military use
and, you know, cooperating with, you know, that's what you're saying.
Well, we're crossing your red lines, I think is the thing.
You know, we're helping people cross your red lines and, you know.
Yes.
I just don't, you know, as much as people are, you know,
I don't like the guy, right?
I don't.
But I think expecting him to cross Russia's red lines, like, I don't know,
that's not going to make for a good time.
And, you know, he had the Russians at him as well over this,
contacting him and saying, don't you dare, you know, so.
Yeah, and there was that story about like the extent
to which he had perhaps been kind of manipulated
by the Russians to believe more in the fear
of nuclear escalation and so on and so forth.
Oh, yeah.
You know, like if I thought that my actions could influence,
you know, nuclear warfare or not,
then I too might take that into account, you know.
Yeah. So, yeah, when he's got senior Russian figures ringing him up saying, you know, we'll start World War Three if you do this and we'll probably kill you as well, and, you know...
Yeah, yeah. I mean, that's, you know, it's, well, that's why you build a similar network, you sell it to the US government and then they can use it however they want. And if you've got a problem with that, the heat, yeah, you know, you take it up with the US government, and that's why we have defense contractors.
Yeah, exactly. And that's a, you know, it's a smart play for them.
Yeah, it is, it is. Now we're just going to turn our attention to this report from Andy Greenberg at Wired, which is looking at APT41 hacking a bunch of power grids in Asia somewhere.
Yeah, we've seen reports, I think, from Symantec
looking at their investigation into a group they called Redfly,
which was in some power operator's grid,
not necessarily doing anything but gaining access.
Just waiting for a mate.
Yeah.
Sorry, that's an Australian meme.
Look it up.
So they didn't say which country it was,
and obviously we've seen the Chinese pre-positioning
in Guam, for example, as a thing that's of concern.
This group, Redfly slash APT41,
is the same group that we saw in India
in the power grid there at some point,
sort of some shared C2 infrastructure or something
that ties these two together.
Yeah, so I said it was APT41, I should say.
It's a group with shared infrastructure with APT41.
Otherwise the threat intel people are going to write me emails.
Exactly, yeah.
So for some people, India is in Asia.
So that could be, like it might just be more India,
but it also might be other places in Asia. We don't really know, and Symantec hasn't said.
Yeah, but I guess the point is pre-positioning in power grids by Chinese adversaries is a thing that we have seen more and more of, and they're not doing it for shits and giggles. So, yeah.
Yeah, it's not exactly subtle, is it?
No, it is not. Yeah, and meanwhile, you know, there's just the rhetoric coming out of China lately, and, you know, they're banging the drums pretty hard at the moment. So this is all in keeping, I think, with that general vibe. North Koreans are sliding into DMs again, Adam. Sliding into security researcher DMs, like, hey, you know, help me with my 0day project, let's share information.
Yeah, and then after a couple of months of leading them on, hitting them with some kind of bug in a tool that, you know, is common for security researchers. We don't necessarily know what bug they were using, but any niche tool is going to have bugs, and especially if you're sharing things like save files or whatever else. So I guess going after security researchers, like, it's kind of a high-risk play, in that, you know, they are a little bit sus. But if someone shows up and compliments your research, most researchers are just going to turn into little purring kittens and hand over, you know, root shells on their boxes and so on and so forth.
I've seen a few people complaining on InfoSec Mastodon that they haven't been targeted
because it's kind of a badge of honour
to be attacked by the North Koreans,
much like you and I didn't get sanctioned
by the Russian government,
and we were very disappointed.
Yeah, I mean, they sanctioned a crime column,
a semi-retired crime columnist
from the Age newspaper in Melbourne
and didn't sanction us.
Yeah, they sanctioned the boss
of our like public radio
station in New Zealand, but not me. So, yeah, it's very rude.
They needed names and they needed them quickly.
Yeah, exactly what happened there. Like, that's so obviously what happened with Russian sanctions against Australia and New Zealand: just give us names of people that people have heard of, like, nothing to do with... anyway. We've seen reporting this week, too, about a report from Mozilla, which has looked at the data collection habits of car makers. And this is, look, I think this is worth flagging, right? And I think Mozilla's done us a service here by flagging this as an issue, because the amount of data collected by cars these days is actually, I mean, they're collecting quite a lot
and their terms of service are awful.
And it's really funny actually
because automotive companies are just like,
ooh, let's be data collecting.
Let's do data collecting.
This sounds fun.
And I'm just doing it all wrong and it's horrible
and probably being stored in old MongoDB
on the internet or whatever.
And it's just, yeah, they've done a good job flagging this.
What did you think of this?
Yeah, I thought it was a good read
and it's absolutely necessary work
because car manufacturers are kind of so old world
in their thinking about infosec
and a modern internet connected car that you're driving.
It's kind of like driving around in an IE6
in terms of the level of sophistication about security thinking, and that should terrify anyone who was, you know, old enough to remember the IE6 era. But tied in with location data and microphones and cameras and, you know, details about where you are, where you go and your life habits and so on. I mean, like, I think Nissan's policy, like, Mozilla looked at a bunch of, like, terms of service and things that you agree to, and, like, Nissan's policy says that, quote, sexual activity is an example of the type of information it can collect from your car. And Kia says the same thing, but also about your sexual orientation. So, you know, I guess if you, you know, park outside a gay club and Kia decides
to sell that advertising data to you then
I guess
well either that or they're watching you get down
to business through the cameras in the car
you know
if the backseat is where you do then yes
they may well be doing that
So, I mean, it's kind of what we expected, when we've seen coverage in the past about, you know, the extent to which data brokers can sell data that they've collected from car companies, bought from car companies. And, you know, any attempt to turn internet-connected cars into revenue, we've seen all, you know, they're just throwing the kitchen sink at the car. Like BMW trying to sell you heated seat upgrades, right? Once you've got a connected car,
there's so many ways you can try and monetize that
for long-term revenue versus just selling a car up front.
So, you know, it's a rip.
Once again, we are speed running all of the bad practices
of every other bit of the tech industry,
but now, you know, in automobiles.
We've got a Model 3 as our family car,
like a base Model 3.
It's a couple of years old.
We charge it with solar energy from our rooftop.
And, you know, it is basically a surveillance capsule, right?
Yes.
Like it's got cameras on the inside.
It's got cameras on the outside.
It tracks its location.
It's wild, wild times.
Speaking of wild times,
a guy called Faruk Fatih Ozer has been sentenced in Turkey
over running a dodgy crypto exchange
called Thodex. It crashed in 2021.
He has been sentenced
to 11,196
years in prison, which
Adam, means he's going to be pretty old when he gets
out.
Yes, his sentence definitely
reflects the sort of change
in value of cryptocurrencies.
His sentence has gone to the moon.
Stonks, mate. Stonks.
Yes, exactly.
The investors in his cryptocurrency scheme lost anywhere between $13 million to $2.6 billion,
depending on how you try to count it or who you believe.
Yeah, but how could he have lost $2.6 billion?
Like, he would be able to...
You can't spend that much, is my point.
So, I don't know, that seems strange.
But, you know, I've linked through to a tweet
from Crypto Town Hall, which says, you know,
if he got 11,196 years, how long should SBF go to jail for?
And it's like, but that's America, man.
And that's a white-collar money crime, you know?
Yeah, that's three months in a relaxed white-collar prison.
Well, we did see what happened to Elizabeth Holmes,
so I think those days might...
Don't you? Maybe, yeah.
The times might have changed, actually.
We will see.
We will reserve judgment on the American justice system
and see how they do this time.
See if he can get his way,
somehow weasel his way out of
that drama. You never know,
you can afford good lawyers. Well, mate,
that's actually it for this week's news. Thanks a lot for
joining me and we'll do it all again next week.
You certainly will Pat. I'll talk to you then.
That was Adam Boileau
there with a look at the week's security news
and look, just before we move on, I realized that we spoke about what we got right about Starlink in March last year, but I didn't mention what we got wrong.
And what we got wrong is I really expected Russian electronic warfare systems to be pretty good at locating Starlink terminals.
And it turns out that for whatever reason, so far that hasn't turned out to be the case.
So yes, I didn't just want to talk about what we got right
without talking about what we got wrong.
And that was definitely wrong.
Okay, moving on.
And it is time for this week's sponsor interview now
with Nucleus Security's co-founder, Scott Kuffer.
Nucleus makes a vulnerability management platform
that ingests
information from all your vuln scanning and detection tools, normalizes that data, and then
helps you slice and dice it. And you can also pull in stuff like asset inventory information through
RunZero or whatever tool you want. And the idea is that Nucleus can put you in a position where
the way you're prioritizing your vulnerability remediation actually has some thinking and processes behind it. So yeah, this chat with Scott is really just
about recent trends in vulnerability management and prioritization and about how VM is actually
interesting again. Here's Scott Kuffer. There's been such a huge increase in how different tools
assess technologies that the old ways of doing vulnerability
management just don't really work anymore, right? And it's reinvigorated a market that's been
stagnant for, you know, let's say since 1991 when Ron first wrote a scanner.
Yeah, yeah. But I mean, it certainly does feel like people are rethinking all of it,
right? And not just, I mean, you guys, what you're doing with your aggregation of,
I mean, that stuff just needed to happen, right?
Like someone needed to build a tool
that does what Nucleus does,
which is to aggregate all of this information
from all of the scanning tech in a business
and pull it together into one spot.
But it sort of feels like it's not just that,
like everybody's rethinking this stuff pretty hard,
like from the identification, classification,
remediation, across top to bottom of that process, it's being rethought.
Absolutely. Yeah. And the thing that's really interesting about it is that a lot of the same
issues that we tried to solve with CVSS in the early days are starting to resurface. That's
what's so fascinating about this. It's really like a come full circle moment because before CVSS really
came out, before there was this classification, every vendor was responsible for coming up with
their own risk score about how risky a vulnerability was, if they even acknowledged it at all.
And now what we're seeing is that every single vulnerability scanner on the planet and some
non-vulnerability scanners are all coming up with their own risk scores. And so in a lot of ways,
we've actually taken a step back because at least with CVSS, it was like a semi-objective baseline
of what a vulnerability meant. But now you go to two different vendors and the risk score for the
same vulnerability on the same asset are different. And so now where it's like blowing the whole thing
wide open and it's a really fascinating time to be in the VM space, which I never thought I would
actually say out loud. Well, no, look, surprisingly enough, I agree because I've always thought
vuln management and patching, right? Because those two things are inherently sort of linked
together. They've been one of the big things that everybody has to do, but it's always been one of
the more boring things in InfoSec, right? It does feel like it's getting interesting now because,
I mean, for precisely what you say, which is we've realized that CVSS doesn't really give you as complete a picture as you need to make a decision, that you can't trust anything that comes out of the vendors' mouths, right? And that even independent researchers, and this is a long-standing problem, have a habit of, you know, often over-hyping research that they may have done, right? And this has been an issue for 20-plus years.
So it does feel like, you know,
everything is just kind of being reinvented a little.
I mean, you know, you even look at stuff like RunZero,
which is a, you know, asset discovery tool.
And increasingly, the way people are using that
is to do rapid response to big time vulnerabilities, right?
Like, where are my Fortinets?
Where are my Exchange boxes? Where are my 3CX devices? And that's, you know, so we've almost got this
situation where an asset discovery tool is being, you know, and vuln management, like those
categories are almost collapsing a little. Yeah. And honestly, I would say that, you know,
so Steve and I, our CEO, we had this conversation about two years ago when RunZero
first came out, because I don't know if you remember, we were one of the first integration
partners with RunZero. In fact, I think we built the first integration, if I hopefully, you know,
HD doesn't come after me and correct me. But I remember thinking like, you know, you can't do
vulnerability management without good asset management. But then asset management on its own is just asset management.
You have to use it to drive action.
So it really makes sense that those boundaries would start to come down because one flows into the other.
And then once you've done vulnerability management correctly, that should flow back out to your assets as well.
Right. And then and then you get, you know, even more complicated because there's a whole bunch of other different types of assets.
Like, how do you manage the vulnerabilities in your code repositories and your cloud inventory?
Again, these are all problems that it's a big enough problem on its own that it requires its own tool set, like Run Zero, to capture just asset inventory and then dump that into a ServiceNow CMDB or something like that.
But you still have to drive the remediation action, and it's a circular loop.
So I totally see why this is happening.
Yeah, yeah, yeah. I mean, I was just thinking there that another reason that this is all changing is you look at the stuff that's getting enterprises in trouble at the moment, and it's stuff like MOVEit and it's stuff like Fortinet and it's stuff like Pulse Secure and whatever. And, you know, processes, you know, you think in 2023 most enterprises should have processes where they can quickly remediate issues like that, and that's just proven not to be the case. So I think that's another thing that's sort of recognizing that we need to rethink the way we do vuln management, which is, okay, you have your everyday processes for keeping things in a generally okay state, but you need to have the capability to rapidly respond to things.
And I think that's one of the reasons that there's a bit of a rethink going on here.
What do you think of that?
Yeah, I think that's fair. I want to be cautious of what the rethink really is, because what we see is that, you know, when people are rethinking vulnerability management, they pretty much always are talking about better prioritization or like responding to regular like responding to celebrity vulnerabilities.
Celebrity vulnerabilities. I love it. Yeah, that's great.
That's what we call it.
Yeah, yeah, you know, it's like, you know, hey, I saw Log4J yesterday on the street. It was good stuff. But what we're seeing is that most organizations struggle just to do the basics right. And so I think, you know, the last that really are the ones that put them at most risk. So like a celebrity vuln might be something
that, you know, you hear about and they could be really bad. But for every one of those, there's
50 or 100 vulnerabilities that you have that are publicly facing in your environment on critical
infrastructure that nobody's doing anything about. Like every, you know, 37%, I think now was the
last Mandiant report I saw
of like all attacks originate
with just a vulnerability that you knew about
and had existed for over a year
on your external infrastructure.
Yeah, I mean, you're checking me here
and saying, you know,
it's not just Fortinet, Pulse Secure and MOVEit.
There's plenty of other stuff
like sitting out there on your organization's edge
that is a problem.
Oh yeah, I could call out quite a few vendors
from the data that we see at this point.
But like, you know, everybody points
at the Microsofts of the world
and, you know, some of these ones,
Cisco's, right, with really huge market caps.
But I mean, we see some of these tools
that are designed to help keep us safe
as the ones that are the worst offenders, right?
So like, for example,
the number one most prolific vendor on the CISA KEV, based on market cap, is actually Ivanti, right? And so Ivanti, the patch management solution, is actually one of the more insecure pieces of software in your organization. It's overtaken Adobe, by the way. So, fun little catch fix there.
But then again, it makes sense. Like, people say, oh, why is this security stuff, you know, so dangerous? And it's because it's usually deployed with a lot of privilege, right? It doesn't get the same QA that consumer software that's used by billions of people gets. Like, it totally makes sense, but it's still depressing nonetheless, especially when you look at some of this stuff and you see some of the design choices they've made. You just think, what the... were you thinking?
Yeah, yeah. Well, my brain immediately goes to MongoDB default, you know, default open.
Yeah.
Right?
And just deploying that on the internet.
And the sad part about that is when you talk about vulnerability management, most people aren't even talking about those types of issues.
Right?
They're not talking about the, oops, we forgot to change the default password or we deployed something in an insecure way in our, you know, AWS VPC.
And all of a sudden we have an S3 bucket
that can be accessed on the internet, right?
So how you manage all that, it's fascinating, right?
It's becoming much more of a,
like in the old days, I would say a data management problem.
Like it was hard to create the data
to like know what you had to fix.
And we very quickly pivoted into,
okay, now we have so much data,
we don't really know what to do with it.
We can't possibly do anything with all of it. And so what are we going to do? And so when you think about
what happens when you can assume that the data you're getting is in real time and is actually
high quality, right? So if we could assume that we knew all of the software running in our
environment at any given time, and we could just look up all the vulnerabilities on that
infrastructure, like that's ultimately
what the scanners are doing, right? They're just comparing what you have installed and then they're
looking it up in a database. And so if you can rely on that information, it's like, what else
can you do, right? Can you rethink how we do scanning entirely, right? Like, you know, they're
bundling scanners into EDRs and we're starting to see Microsoft Defender go after this vulnerability
scanning market and CrowdStrike go after the market.
So where we are 10 years from now, it's a fascinating thought exercise when you think
about the opportunities for vulnerability management.
I mean, I don't think we're quite as far along with the information thing.
Like, I think that you've got a biased view of that because your entire job is to aggregate
that information, right?
But for most enterprises, it's not quite there yet.
But I do
take your point. You look at stuff like Spotlight from CrowdStrike and whatever, and there's a lot
more high quality information available now. But I think really, as you say, the problem is like,
it's turn off the fire hose, please, right? Like you've got all of this information,
acting on it very, very hard, trying to go through and like remediate,
like every issue that you would find is just like entirely not feasible. But I don't think
anyone's ever really thought, you know, that's been feasible for quite a while. I think we've
raised the white flag on that one years ago. Yeah, which is interesting, right? Because I mean,
when we look at a normal customer, I mean, you might find 100 million active vulnerabilities
in one of our normal customer environments.
And so, like, when you think about the breadth of that, it's almost really hard to wrap your head around.
And it's like, how do you actually start to fix all of those, right?
Because even if 1% of your vulnerabilities are really bad, like, that's a lot of vulnerabilities to have to fix.
That's still a million, right?
Yeah, it's still a million.
You've got, you know, three people that are responsible for it.
And so, how do you actually go about doing that has become the new name of the game. Like, do we, now we're, like, we're starting to see these topics around, well, how do you group
vulnerabilities together in the right way to maximize remediation efforts, especially if you
don't own the fixes, right? Because your IT team might own the fix. But if it's an Oracle database,
your Oracle team might own the fix. And so how you coordinate all that has become a really big challenge that is fascinating and I think has
contributed in a large part to why it's become so popular again. I mean, like, honestly, some of the
content we're putting out, it's like, you know, it's beyond my wildest dreams in terms of virality.
Obviously, I didn't go viral, but... Yeah, one of your teams did a LinkedIn post that got a million views.
Is that right?
Yeah, about vulnerability management.
Like, you know, put out a bubble chart about the biggest vendors on the CISA KEV list.
And, you know, he's gained, you know, 16,000 followers in 30 days.
Like, it's wild.
Like, I didn't realize there were that many people that actually cared about vulnerability management.
Celebrity vulnerability management posting.
Yeah, I love it.
That's right. Mate, that's all really interesting stuff. Like, we don't, you know, we could talk about this a lot more, but we've run out of time. Thank you so much for joining me to talk about what's shaking out there in, you know, the vuln management space.
Absolutely. You know, I'll always spare a moment to talk about VM.
That was Scott Kuffer there from Nucleus Security.
Big thanks to him for that.
And big thanks to Nucleus Security
for sponsoring this week's show.
They've been with us
since they were a little babby startup.
And yeah, they've certainly grown since then
and are definitely not a babby little startup anymore.
So congratulations to them on that.
But that is it for this week's show.
I do hope you enjoyed it. I'll be back soon with more security news and analysis. But until then,
I've been Patrick Gray. Thanks for listening.