Risky Business - Risky Business #722 -- Microsoft embraces Zero Trust... Authentication?
Episode Date: September 19, 2023

On this week’s show Patrick Gray, Adam Boileau and Lina Lau discuss the week’s security news. They cover:
Microsoft’s 38TB oopsie
MGM’s Okta compromised, was this what Okta was warning us about?
Why we need a cyber knife fight
Google Authenticator sync abused in the wild
Much, much more

This week’s show is brought to you by Push Security. Co-founder Adam Bateman is this week’s sponsor guest.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes
Microsoft AI researchers exposed sensitive signing keys, internal messages | CyberScoop
Wiz on X: "🚨 BREAKING: Wiz Research discovers a massive 38TB data leak by Microsoft AI researchers, including 30,000+ internal Teams messages. Here's what you need to know 🧵 https://t.co/2V8u9IekGV" / X
Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token | MSRC Blog | Microsoft Security Response Center
Microsoft's Security Culture Just Isn't up to Scratch
Threat actors claim to have compromised MGM Resorts’ Okta environment | Cybersecurity Dive
MGM, Caesars attacks raise new concerns about social engineering tactics | Cybersecurity Dive
I Gambled in MGM's Hacked Casinos
‘Scattered Spider’ group launches ransomware attacks while expanding targets in hospitality, retail
MGM Resorts disruption linked to recent attacks against hospitality industry | Cybersecurity Dive
Caesars Entertainment says it was also a victim of a cyberattack
Clorox warns of product shortages a month after disclosing cyberattack | Cybersecurity Dive
DHS: Ransomware attackers headed for second most profitable year
chrisrohlf on X: "I can think of multiple occasions where well respected experts assured the world that taking offensive actions would put an end to this ransomware problem. Unfortunately 1) it won’t end that easily and 2) they’re still seen as experts. This is an economics problem that is enabled…" / X
White House urging dozens of countries to publicly commit to not pay ransoms
Cyberattack on Kansas town affects email, phone, payment systems
Major trucking software provider confirms ransomware incident
Several Colombian government ministries hampered by ransomware attack
Manchester police officers’ data stolen following ransomware attack on supplier
Upstate New York nonprofit hospitals still facing issues after LockBit ransomware attack
Evidence points to North Korea in CoinEx cryptocurrency hack, analysts say
How Google Authenticator made one company’s network breach much, much worse | Ars Technica
Chinese Spies Infected Dozens of Networks With Thumb Drive Malware | WIRED
Mozilla, CISA urge users to patch Firefox security flaw
UK passes the Online Safety Bill — and no, it doesn’t ban end-to-end encryption
Exiled Russian journalist hacked using NSO Group spyware | Hacking | The Guardian
Three journalists said they had received a warning from Apple about a hacker attack. Galina Timchenko, on whose phone the Pegasus spyware was found, received the same warning | Meduza
War crimes tribunal ICC says it has been hacked | Reuters
XINTRA - Cybersecurity Training
CrikeyCon 2022 - Lina Lau - Inside the Persistent Mind of a Chinese APT - YouTube
SaaS attack techniques
SaaS attack matrix: The shadow workflow’s evil twin
SaaS Attack: How to SAMLjack a poisoned tenant
SAMLjacking a poisoned tenant demo - YouTube
SaaS Attacks: Shadow workflows + Evil twin integration demo - YouTube
Transcript
Hi everyone and welcome to Risky Business. My name is Patrick Gray and this week's show is brought to you by Push Security.
They are a funded startup and they do SaaS security. So basically you can use their tech to see where your users are putting company data
and you can stop them from doing that in an insecure way or discourage them from doing that in an insecure way.
And you can also get an idea of what your exposure is like when a SaaS provider gets breached.
You know, you can look up how many of my users have accounts with that service, that sort of thing. So Push founder Adam Bateman is this week's sponsor guest and he'll be along later on to talk about some research they've done into how to attack companies via SaaS accounts.
Some quick housekeeping, Catalin Kimpanu and Tom Uren have both taken this week off.
So if you're wondering why you're not getting your risky business news and seriously risky business podcasts and newsletters, that's why.
They're off doing normal human being stuff.
So yeah, let's get into a check of the week's news now with Adam Boileau.
G'day, Adam.
Hey there, Pat.
And also joining us this week is a special guest co-host, Lina Lau.
Hello, Lina.
Hi.
And Lina has a background in incident response,
and these days she runs the training company XINTRA, and that's with an X.
And they offer courses on things like attacking and defending Azure and M365.
I'm going to drop a link to the XINTRA page in this week's show notes.
But yeah, let's get into it now.
And the first thing we're going to be talking about is a discovery,
let's put it that way, out of Wiz,
where Microsoft appears to have leaked some data, Adam.
Yes.
So Wiz obviously keeps a pretty close eye on what Microsoft's cloud is up to.
And one of the things you can do with Microsoft Storage is you can provide links that are
authenticated into Microsoft Storage systems.
So they're equivalent of S3 buckets, I suppose.
And Wiz was scanning around and found a link from some Microsoft employees' GitHub page
to a thing that was meant to allow you to download some training data for a machine learning model
that they had been working on.
But the link that they had created to do that
actually linked to essentially like the entire bucket
where the data was stored.
And that had a whole bunch of other things
from that Microsoft person's life,
including backups of their workstation at Microsoft,
amongst other things
and not only was the data there and exposed, it was also writable. The token that they had provided
allowed you read-write access. So that's a little bit embarrassing. Yeah. Wiz
wrote this up in a blog post, and a little bit breathless, I suppose, but we've seen
this is a Wiz thing, right?
Like they'll do some really good work
and then they always overcook it
with the marketing side of this, right?
So they're saying like,
oh, there's hundreds of thousands of Teams messages.
What they don't mention in their breathless Twitter feed
is that that came off like three workstation backups.
Yeah, so what I found really interesting
was they was talking about how difficult it was
to revoke the SAS token and rotate the keys.
But it's just as simple as rotating the account key.
I just kind of felt like the Wiz writer was a little bit inflated in terms of the remediation side of things and what was actually exposed.
And if you look at the screenshot that they posted, they had like SSH keys and Azure access tokens.
But a lot of these are actually encrypted. So it's not even in plain
text. Yeah. Which is, makes them kind of useless. Right. So, and I just find the whole thing crazy
that you've got these things like SAS tokens that you can embed in clear text in a URL.
Oh my God. Yeah. That's like the premise of how like storage account abuse works in Azure. And
it's wild. It's wild to me that they
had this one container where they had all of these, you know, backups of workstations and
Teams messages, along with the actual relevant data. It's wild to me that they stored it all
in one container instead of like segregating the data. But I think all of this speaks to a bigger
problem. You know, we've gone to this situation where we've got this all singing, all dancing FIDO2 ecosystem.
Probably people in Microsoft are using these things.
And then we've just got like a string of hex, right?
That just gives you access anywhere and can be embedded in a URL.
And I just think, what the f*** are we doing?
I mean, this is the challenge with moving from a world
where we understood how operating systems worked
and we understood how networks worked, because there were only a few of them. Now every cloud vendor, every
system, every product inside a cloud vendor has got their own crazy world that you have to learn
all of the details about. And I mean, I didn't really know much about SAS tokens and the fact
that they are, like, created client side; you don't really have an audit log of them being created.
Like there's some records of them being used.
But if you want to understand how your environment works,
you have to understand the specifics of, you know,
400 different cloud services and their security model,
which may change underneath you.
And it's probably poorly documented.
And that's how we're now supposed to do it.
Whereas, you know, sure, NTLM inherited rights
were complicated, or, you know, NetWare rights masks or whatever else, but at least there was a finite
number of those that we had to understand as security people back in the, you know,
the old man days. Whereas now it's just so complicated, and understanding the impact of
those is real hard. Yeah, we only know that that one SAS token was leaked because it was on GitHub.
Yes.
But what stops an employee from generating multiple SAS tokens to share the data across teams or over mail?
How do you know how many SAS tokens are created?
How do you know how many things you need to revoke?
It just, the fact that there's no auditing, it's wild.
I mean, if I had to name this feature, I'd probably call it zero trust authentication.
You just can't trust it.
It's nuts, right?
It kind of has parallels in a way
to how the Kerberos infrastructure
and Windows Active Directory works,
where you can create very long-lived tokens
for persistence for whatever else
without any real way of understanding
that they've been minted
and then you just have to rely on people knowing they need to rotate everything all the time. And
now we're back to, like, having to change passwords every three months, except now we have to change
all of the underlying, you know, keys that people don't really understand or know about. So, like,
you know, we're heading in the right direction on authentication overall, but
some of these days it feels like a step backwards, you know. Yeah, golden tickets everywhere, right?
Yes. Yeah, I thought it was really interesting that in the Microsoft write-up they said that they had
some, like, automated scanning service that they use, that they run over everything to look for
exposed tokens and things, and it did identify that same thing that Wiz did, but their system
marked it as a false positive, which is really interesting. Yeah, I saw that as well. And I'm like, well,
you need to do some tuning there. And I think it was because it was like, I think it wasn't just
the presence of that token that was the issue, it's that it was over provisioned. And how are
you going to know that from secret scanning? How are you going to know that this SAS token is
providing access to the stuff we intended to provide access to versus a whole bunch of workstation backups and Teams messages and this
and that, right? So I noticed that as well. And I thought, you can't fix this with secret scanning
when you're expecting there to be a secret there. Yeah. And the blog post did not say this has been
corrected. So clearly it's still a problem for them. This has been corrected. This has been
corrected. Manually check the permissions.
Yeah, I mean, yeah, good luck, right?
I mean, but then again, I mean,
there's a lot of startups, right,
in the secrets detection space
and maybe that's the next step.
And I think even Trufflehog do some stuff around there
where they actually take the secrets
and then do stuff with them to see how bad it is.
But I'm not sure on that.
That might've been just ideas.
I'm sure they're going to email me now and tell me, right?
So now let's talk about MGM. MGM still having a hard time. Let's start with you on this,
Lina. I mean, you must have been watching this. You've got a background in incident response,
and I imagine you must be, well, glad you're not in incident response anymore because it's a
very stressful job, but also watching this one and just thinking, just imagining what it would
be like to be on MGM's team at the moment.
Yeah, it's not a good situation.
I mean, they said that they have super administrative privileges
in Okta and global admin in Azure,
which gives them a complete free-for-all in terms of their cloud environment.
I can't imagine the damage.
And to be honest with you,
I think this whole situation has obviously caused MGM a lot of pain, public pain.
Yeah, exactly.
And I mean, we are kind of wondering at this point whether that Okta warning from a little
way back where they talked about people socially engineering MFA resets on Okta super admin
accounts, maybe this is what they were talking about.
It seems a few people are wondering
if these incidents are connected. Yeah. I mean, I don't know who's doing the IR on this, but they
would be able to see in the logs, whether or not a super admin account did log into Okta or perform
anything. So I don't know if MGM is going to release like a incident response write up on
how the intrusion occurred, but I'd be super interested in seeing if that was actually the
initial entry point. Well, cause we did see a lot of talk about how there was
social engineering involved, and this would fit with what Okta described. What do you think, Adam?
Yeah, I think there are a number of clues that do suggest this is the same set of campaigns,
same people behind it. The parallels with Caesars Palace, which also got themselves
compromised by what looks like the same people the month before, also had an Okta element.
So I think we've seen a couple of write-ups from some of the, like, you know, threat, intel, incident response-y sort of people.
I think Palo Alto's Unit 42 wrote up a bunch of, you know, tradecraft from that kind of group.
And it looks like it all kind of lines up. So I think we're
probably, like, this is the sort of thing that we're talking about, and clearly it's working pretty well
for them if they got, what, 15 mil out of Caesars? Yeah. And, you know, MGM hasn't paid yet, but they're
having a rough time. I mean, I think we said this last time, but don't let your help desk reset MFA
for your super admin roles. I mean, that's a pretty easy change to make.
What do you think, Lina? I mean, you've been on the inside of a bunch of breaches that I'm guessing
looked a lot like this. You know, what's the general advice you'd give people to avoid having
this done to them? To be honest with you, this happens all the time. Like I've worked a lot of
cases where social engineering has been involved and people just cave in because the second you
add some kind of personal component to it, like, oh, you know, I worked in the X office, or I knew X person, information that you can just
get from Google or LinkedIn, you start to think that they're telling the truth. It's wild the way
this human psychology works. And then from the perspective of forensics and IR and what a company
would see, you would just see an account credential being reset. And, you know, your EDR tool's not going to pick up on that because it's a normal IT person resetting an
account. Where a normal IT person getting rid of MFA, you would think, okay, that IT person,
that's their job. That must be normal business as usual. And that wouldn't really raise alarm bells.
It's not until then the threat actor enters the environment, abusing what that IT admin did,
and then performed a series of other things. Then you're like, oh God, how the heck did they get into my environment?
I mean, but would you agree that like doing something like removing or resetting MFA on
something like a super admin account is something that the help desk just shouldn't be able to do?
No, absolutely not. And also if they are doing that, there should at least be some checks and
balances in place, you know, informing X or Y. But to be honest with you, in most organizations, that doesn't,
that's not really a thing because the help desk is usually so inundated with requests that
adding an additional process just slows down business operations. But I definitely agree.
Yeah. And I also think that like when you are federating a new identity provider, like
that should
generate about 10 different emails and Slack alerts and SMS messages and, you know, flashing
lights and maybe an air raid siren.
Yeah.
But that's the same as like a lot of companies still don't, you know, alert on a new domain
admin account being created or there's just gaps that exist for some reason.
And I can't, I don't really understand why, but they do exist.
And unfortunately, it's just unfortunately a little bit normal for the industry.
Yeah, it won't happen to us.
And look, we've got some disaster tourism journalism here,
Adam, courtesy of Jason Kobler over at 404 Media.
404 Media is a sort of start-up publication run by a bunch
of ex-vice people like Joe Cox and Cobler, and there's one other.
I can't remember her name.
I'm very, very sorry.
But Jason flew to Vegas and spent five hours in Vegas in total
and just went to MGM to see what the damage would be like.
And, you know, I think there's – you can't really put it delicately.
It's a shit show.
Yeah, it certainly is.
Like, it sounds like a real mess on the ground.
And he didn't stay at MGM,
so he's not sure what the guest experience is like.
But he did a bit of gambling, tried to buy some drinks,
talked to a bunch of the staff,
went through some of their manual processes.
And the real flavour you get, which is quite vicey in a way,
is the human experience of being an employee
at an MGM casino right now sounds
pretty rough, you know, if you work in the food counters or in the kitchen or whatever.
But I did feel it was a little bit disaster tourism-ic, this particular piece. I don't know, I don't
mind watching casinos suffer, right? Like, I think ransomware crews should only target casinos and
then I'd support them. I mean, it would be funny if they only hit casinos and not hospitals and schools for disabled children. You know?
I think it's funny that it like disrupts someone sitting at a slot machine for 18 hours a day,
having to stop and then beg someone at do some human interaction. Maybe it's good.
This is what I'm saying.
Maybe it's good for people with gambling addiction.
This is what I'm saying. And, like, so he points out, like, the cards that you use to feed, like, money into these slot machines, they're not working, right? So you have to actually put cash
into them, and then when you want to get money out you have to hit a button and wait for 15 minutes
until some overworked and very stressed staffer comes up wearing a bum bag full of cash, right?
15 minutes of self-reflection. Exactly, this is what I'm talking about, right? So maybe this is more than
15 minutes. This is, like, it takes a while.
You know, it's been a while since we've seen a ransomware attack
that we can actually get behind.
But it looks like it was the same crew that hit Caesars too, right?
And that they've been hitting other hospitality targets.
I think this is the discussion that is happening
in terms of attribution,
whether or not ALPHV and Scattered Spider
are the same group or not. They're definitely affiliates, but whether or not they're grouped into the same group or not,
I think that's just like a discussion that's not super clear at the moment.
Yeah. Now I wanted to ask you about this because you're, you know, from that whole
industry previously in incident response where you really care about those attributions. For us,
we don't really care so much, right? So like in preparation for this week's show, you're like, oh, there was some bad reporting from VX Underground and whatever.
And like all the threat intel and IR people are very, very interested in this. Why don't you just
give us a quick rundown on all of that? What's been going on? Yeah, sure. So basically VX came
on Twitter and they said that, you know, the threat actors that messed with MGM tampered with
slot machines, you know, teenagers from UK and US broke in. And ALPHV came
out with a publication. And in that publication, they called out the rumors from VX and said those
things did not happen. And in that write up, they called out that it's really difficult delineating
between various threat groups, because there's crossovers and tool usage. And if you look at how
a lot of these ransomware groups function, a lot of them do use the same toolkits, the similar
playbooks. And it's really hard to make a distinction between one group and another
when there's significant crossover and tools. Yeah. So basically we had ALPHV coming out and
dissing VX and calling them second rate, right? Like that is basically what happened.
Yeah. Okay. Yeah. That's interesting. Like it's really interesting this like call out about
attribution, because if you think about it, what stops one threat actor from reading a write up from CrowdStrike or Mandiant and going, okay, why don't we, you know, get this group blamed for what we do and let us copy their entire set of TTPs and perform the actions?
Yeah, but is there any evidence that that's actually happened?
Because we keep waiting for the grand false flag attacks that are always coming next month, right?
Well, Patrick, how would we know?
Because there's been very clever people like you
working in incident response who would just know, Lina.
It's difficult, though, if they hack into a nation state infrastructure
and do the attack from the proxy from the infrastructure
and then use the same tools.
You know, you just sound like a paranoid madman
if after every attack you go,
oh, but once again, this may not be this threat group. It could be another threat group. No, no, no. I'm with you.
I'm with you. So really what you're saying is we need to be careful about connecting the Caesars
one to the MGM one. Is that kind of what you're saying? We just don't know yet. We don't know.
Yeah, that's it. That's it. Meanwhile, bleach shortages, Adam. Bleach. I mean,
somebody think of the bathrooms. Yes. Bleach
manufacturer Clorox appears to have had some manner of ransomware thing going on. It's disrupted
bleach production, and they are predicting, unlike the casinos, they are predicting
some material financial impact. So perhaps bleach manufacturers are an easier target. There you go.
and we've seen a cyber attack on a small town in Kansas
affecting all sorts of systems.
We've seen a trucking software provider impacted,
several Colombian government ministries.
This is all ransomware.
We saw Manchester police officers' data stolen
following a ransomware attack on a supplier.
I'm guessing that's the same supplier that we spoke about recently
that was printing ID cards, I think.
Yeah, there was another supplier
to the Metro Police in London.
Yeah, I'm wondering if it's the same.
So I'm not sure if they're connected or not,
but Impact is pretty similar.
Yeah, and upstate New York non-profit hospitals
are still facing issues after lock-bit attacks,
according to John Greig over at The Record.
So, you know, just a lot of ransomware stuff
going on at the moment.
So I thought we might just dive into it as we often do and talk about it in terms of it being
an issue. The White House, interestingly enough, is urging governments in countries that are sort
of part of this, you know, anti-ransomware, the counter-ransomware initiative to agree to not
paying ransoms, which I think is fair enough. Like, I think it would be silly to just put a blanket ban
on the payment of ransoms across an economy,
but insisting that governments don't, I think, is sensible.
And what else have we got?
We got some info here out of DHS in the US,
and John Greig's written it up,
and apparently, you know, it's going to be the second most profitable year
for ransomware operators on record.
And that's led to some people to sort of ask, well, what are we doing?
Right. And we've got this tweet here from Chris Rohlf.
We've got this X here from Chris Rohlf.
And it says, I can think of multiple occasions where well-respected experts assured the world that taking offensive actions would put an end to this ransomware problem.
Unfortunately, one, it won't
end that easily, and two, they're still seen as experts. This is an economics problem that is
enabled by technology, and you cannot deter or attack your way out of it. Now, first of all,
I don't think anyone said that it would absolutely end it completely. And the other thing I think is
an issue here is that we haven't really started
doing proper offensive stuff against ransomware actors. We've seen limited operations. We've seen
the FBI do some takedowns, which is not really what we were talking about when we were proposing
sort of more offensive, you know, real-time operations against ransomware crews. So I think
he's kind of arguing that something we haven't
tried hasn't worked. But while you're here, Lena, what do you think the effectiveness of all-out
cyber knife fighting ransomware crews would be if we actually gave it a good go?
Honestly, I think this is one of those situations where you don't know the answer until you try.
It's like the debate on whether or not we legalise drugs for everybody. We just don't know what the result will be unless we do it. I think the issue with
this situation with ransomware is the fact that who exactly are we talking about? There's hundreds
of employees in ransomware as a service. You know, there's the actual hands-on keyboard people doing
the hack. Is that who you're talking about? Are we talking about the developers, the people managing
the people doing the hack? Are we talking about the initial access brokers? Are we talking about the devs? Who exactly are
we talking about? Because if you look at ransomware as a business, it's a full organized crime with
all these various components. And so the concept of hacking back, are you just hacking back the
people hacking you? Or are you hacking back the people running that? Are you hacking back the organization that they're buying the ransomware from, the affiliate programs?
You know what I mean? It just kind of blows this, it's a huge issue.
I'm with you. But I think that, you know, anyone who's used to doing, you know, offensive operations
is going to sit down, put together an org chart and figure out where the vulnerable points are,
you know. And I think, you know, obvious targets would be the actual developers, right, because they sit at the very top of the
hierarchy in a lot of ways. But what you say is interesting when you called it organized crime,
because it is and it isn't. It's distributed. You know, it's this open marketplace, weird type of
crime. And it's been like this for a long time now, but it makes it very different to, like, a drug cartel or, you know, a mafia organization. There's no one person sitting at the top that you
can target. So I understand that there's going to be challenges involved in attacking a distributed
crime ecosystem, but I just think let's not write it off until we've tried it. And I just don't
think we've actually given it a proper go yet. We have seen here in Australia the announcement, I think it was late last year,
of a 140-strong ASD and AFP task force to do this.
But they've been very tight-lipped on what it is that they've actually done.
You just hear the occasional murmur out of government people that,
oh, no, they did stuff and it worked.
And, okay, that's nice.
It's very easy for them to say that.
It would be better if we had a deeper idea.
But do you see what I mean, Adam,
when I'm saying like people are sort of saying
it hasn't worked when it's something
we haven't actually tried yet?
Yeah, there's a number of paths, right?
There's the actually doing the operations,
you know, technically targeting people and systems
and getting in and disrupting their communications,
disrupting their trust models,
which is where we have most leverage
because of that distributed nature of their organizations. But then we also have to talk about it, right? Because there's no point having a
doomsday weapon if you don't tell people about a doomsday weapon. So we have to kind of have some
successes to talk about them, you know. In the case of Australia it hasn't been that long,
again, getting to the point where you've done that whole cycle of disrupting a ransomware operation
and then it being far enough past, you can now
talk about it without burning too much in the way of sources and methods. So, you know, it feels like
the, you know, it's in progress, but we haven't yet seen a full cycle of what that looks like. But,
you know, you talk to people who work in incident response and the general consensus seems to be
that, you know, there are a degree of generally understood norms about,
say, targeting Western governments, where if you roll into a, you know, government agency of a, you
know, Five Eyes nation, probably you should just turn around and back the f**k up, little man.
Yeah, I mean, well, look, you know, you can say that and it sounds theoretical. You're actually
talking about an incident that, you know, obviously we won't mention details here, but incident responders that, you know, have seen ransomware actors get a Cobalt
Strike beacon onto a fedgov system in a Five Eyes country and just say, lol, nope, and leave. Yeah, which
is, you know, that's, you know, is that deterrence? Is that just kind of general norm setting? We don't
really know. But someone clearly decided it wasn't
worth the... the juice wasn't worth the squeeze, right? Yes, exactly, exactly. And I think, like, in fairness
to Chris Rohlf, the argument he has been making really was comparing, like, military defend forward
against APT crews to what we were doing against ransomware crews, and then the way that we would,
you know, that Cyber Command would defend forward against other government targets is pretty different to how you
would approach ransomware crews. And so I think, you know, there is a lot of nuance in this kind
of conversation and it's still very, very early in this whole process to say whether or not this has
worked or not. You know, gut feel, you know, being afraid that
you're going to get cybercommed, or that they're in your forums messing with you, or that you have
to validate identities out of band, but you're in a distributed organization where no one really
knows each other, like, that adds friction and cost, and that's what we've said all along is the goal
is to add friction. Well, and to, you know, and to establish some norms, like don't target systems
of national significance.
Yes.
Right?
And that's what victory looks like.
I don't think anyone credible is saying
that you're going to completely end ransomware with this.
But at the moment, it's just too big
and hitting too much important stuff.
I mean, if you can get them off hospitals
and critical infrastructure, you're winning.
Yeah.
And the fact that casinos can get hacked, right?
Oh, yeah, go nuts.
There's plenty of money there.
That's a target-rich environment.
You know, don't hit a water utility in a small town.
Yeah.
But, you know, if you want to go hit casinos, then, you know,
is it a victimless crime?
Casinos and law firms.
Casinos and law firms.
Go for it.
You know, let's just work out some new norms here.
I mean, I think it'll be really interesting to see
because the fact that ransomware is just growing
and it's become honestly a bit of an epidemic,
it's just attractive to young, impressionable people
who want to get into the hacking space.
Like you join a cybercrime forum,
you start watching the marketplace.
It's alluring to join a ransomware group
or perform something illicit because, you know, in your head you just think you can make money and you
don't really think about the consequences i think the more ransomware is more known outside of the
security community the more attractive it is for people with that kind of mindset and yeah i mean
i just think you know let's rmrf those forums do you know what i mean like this is what i mean when
i'm talking about-
Goodbye, Intel companies.
See ya.
That's the thing.
They are going to be against this because that's their bread and butter.
But if you can go in there, grab a copy of their secret key
that authenticates their hidden service, then vaporize them,
I mean, let's do that.
And we just haven't seen that.
Like, the FBI loves getting into places and collecting evidence
and collecting intelligence and then doing an orderly shutdown.
I'm talking about chaos.
Let's go for some chaos.
Let's go for a cyber knife fight.
You're like the detonate button.
And until we've done that, until we've done that,
we can't say it hasn't worked.
That's all.
Yeah.
No, I agree.
Now moving on, it looks like North Korea has hacked
yet another cryptocurrency exchange.
This time they racked off with $31 million in cryptocurrency. I just think it's amazing that this has turned into
North Korea bread and butter and they've just turned this whole crypto theft stuff,
it's a well-oiled machine and they just keep going and going and going. Lena, have you ever
worked a Lazarus or North Korea incident? And if so, how did you rate their tradecraft?
I think they've definitely gotten better as time has passed. I remember back in the day,
the way that they used to breach organizations was using open source tools. It wasn't super
sophisticated. They were really messy. But now they've really zoned in and developed a really
good tradecraft around how they target crypto organizations, which makes sense because that's, like, a primary, massive chunk of how they make, how their economy
runs. Yeah, it is. I mean, they used to hit central banks and they've stopped doing that, which I think
is a sign that the measures that swift took when this was happening actually worked uh because it
sent them scurrying off to steal crypto
tokens or whatever, like fake internet money, which I'm going to call a victory,
but that's because I'm, you know, I think crypto is a clown car.
I think a lot of the times there's a lot of like crypto startups, the market's super unregulated.
A lot of these organizations focus on making money and doing crypto security is a massive
part of it. But because of that, because there's not much regulation,
because there's all these new coins popping up,
new exchanges popping up all the time,
it just opens up so many different organizations
that North Korea could target versus X bank in X country.
You know what I mean?
It's like there's a set amount.
Yeah.
Now we've got this story here from Ars Technica.
Dan Gooden's written it up. And it's a company, it's based on a blog
post of a company having a big old sook because one of their, one of its employees got their
Google Workspace account owned and then was socially engineered into entering a one-time
password that allowed the attacker to synchronize their like Google Authenticator
thing. So the reason we're talking about this is because it was a few months ago now that
Google said, okay, that's it. You're now able to synchronize your Google Authenticator seeds
into your workspace account. Now, on the whole, I actually think this is a good idea because changing phones prior to this would actually be a major ordeal.
And now you just put the app on your phone, you authenticate and bang, everything synchronizes and it's a convenience feature.
But is there a trade-off? Yes, and this is it.
Lina, let's start with you. What are your thoughts on this? Now that we've seen someone maliciously synchronizing
Google Authenticator one-time password seeds from a hacked workspace account,
does that mean that this is a feature that should die? I mean, I actually still think it's a good
feature. No, I think it's a good feature. I've used this feature. I think it's a great feature.
I think the issue is more like the education around phishing is obviously not working or not
getting through people's heads.
And the reason for that is, you know, criminals are getting creative in how they do it.
They make it seem legitimate.
And in that write-up, they talked about how they pretended to be an IT member with knowledge of the floor plan and internal processes.
Like that would convince anyone.
I'm sure that I could get phished with that.
Touch wood.
Yeah.
I mean, I remember talking to Kevin Mitnick actually about this stuff years ago.
And he's like, oh, look, the thing is, you know, he could actually socially engineer
a help desk to find out some of their open tickets and say, well, look, I'll handle those
tickets because we're auditing your performance and we want to speak to some of your users.
So give me a recent ticket.
So he'd actually take a ticket from the help desk, a real one, and actually ring up the user and help them
with their problem. And then he would ring them up a week later and ask them to execute malware.
And they would, because he'd already established that he was part of the help desk, had their
ticket, worked them through the problem. So social engine is always going to be something when if
someone puts in enough effort, it's going to work. I mean, the one thing that occurred to me here is that it just makes
defending your workspace accounts or your Gmail accounts much more important
and perhaps you should be FIDO2ing that, you know,
using your passkeys or whatever, which is going to protect the account.
I mean, is that what you thought as well, Adam?
Yeah, absolutely.
You read this, you think this is what FIDO2 is for so you can't socially engineer someone when you know there's
no code or token to give them it just works and it works by validating who the hell you're talking
to so like that should be a human not that should not be a human's problem validating who you're
talking to that's a thing that you know we can solve with technology there's not very many problems
that we're good at solving with technology, but, you know, where we can, we probably should. And, like, I have some sympathy
for for this company because they did get pretty thoroughly wrecked and they do list you know
security is a thing that's important to them i think their customers were like crypto crypto
people or crypto so that was the customers that whoever victimized them went after yeah but um
like, understanding how your auth ecosystem actually works, like the as-built reality of it
and where you can get fingers into it you know that's the thing attackers are great at uh well
I mean, I was just thinking, like, I just said, oh, you should use your FIDO2 passkey, right?
Passkeys get synchronized across iCloud accounts, so then you're going to get someone
hacking your iCloud account to get your passkey for your workspace account to reset and synchronize
your one-time passwords. I mean, you know, ultimately it always boils down to the weakest link up the
top, which is always going to be some sort of password reset procedure, right? Yeah, exactly, and
if it all backs into your you know your phone number and now you're dependent on the telco we've seen how well that's gone for everybody um you know and even just like
when i read the story i opened up my google account settings and my apple account settings
and looked at it and thought do i really understand the vectors into my personal account
auth system right there's a bunch of combos of things and like old work email accounts and so on and so
forth that like it's hard for me to understand the full picture of what my personal auth ecosystem
looks like yes doing that for a whole company it's legitimately hard yeah i mean i had to work
really hard to remove my mobile number from important accounts right so that they just don't
have it and i still get pestered by them. Give us your mobile number, you might lose your account. And I'm like, that's fine. I don't care. I'd rather
lose my account than give you my phone number and get SIM swapped. Yeah, the hard thing about like
IR is a lot of the times companies focus a lot on, you know, EDR logs, event logs, security logs,
network logs, they don't think about peripheral logs like this, like authenticator logs and
sending all of this into the environment. And sometimes a lot of these things aren't even logged. Like if you want to transfer your Google authenticator to another
phone, it just pops up a QR code that you can scan. Where's that logged? Is that getting pulled
into the SIEM? Do you have alerts set on that? We don't really hear about that, you know?
Yeah. Now look, let's talk about some old school hacking now. And Andy Greenberg has a write-up in Wired
about a bunch of USB malware doing the rounds in Africa.
And it looks like it still works there.
So a presumed Chinese APT crew is actually using this as a vector, Adam.
Yeah, it's a pretty retro style of attack,
but absolutely still works in places where use of USB keys on untrusted computers is still relatively common.
So in some areas of Africa, Internet cafes are still very much a thing, and sharing USB sticks is still a thing.
And so we're seeing in some cases 10-year-old USB-borne malware, like, derived from PlugX, even doing
the rounds, ending up in interesting places. And obviously China has a bunch of, you know, geopolitical
interest in Africa. So everyone has a geopolitical interest in Africa. Yeah, like, I feel sorry for
Africa at the moment because there's just so much old school going on there. Yeah, yeah, there
certainly is. China's been, you know, triaging
where they've ended up, um, you know, because USB malware, as we found out with Stuxnet, you
know, it's kind of difficult to keep control of because it can spread in ways that are unpredictable.
and but why don't we see this being used in the united states or australia or new zealand like
why you know is there something different about about markets that might be a little bit
or regions that might be a little bit behind
in terms of InfoSec programs?
Like are we better equipped to deal with this
or is this still something that could happen here?
I think it's less about InfoSec
and more about, you know,
USB sticks are for sharing data
and that you share data on sticks
because you don't have your own computer
or the computers are shared.
So it's kind of an economic thing, I think.
Yeah, I think it's also just like companies moving to the cloud
and prioritizing sharing data over the cloud on SharePoint.
Using SAS keys that give them access.
Yes, that's so good.
Yeah, your storage container.
But also like a lot of really large companies
with the mature security team disable USB ports from working.
Yeah, so that's kind of what I was wondering,
if this is just something that's kind of addressed here. You know, why is it not addressed there? And I guess that makes sense,
right? Which is that if you haven't moved to an all singing, all dancing cloud world that relies
on really good connectivity, then I guess, yeah, you're going to be sneakernetting stuff around,
aren't you? It's funny they're using this method. Like something happened similarly with China,
where they lured someone from General Electric to present at a conference and then they messed up the HDMI cord so that
their laptop wouldn't, you know, display the presenter notes, and then they were like, oh,
yeah, let me fix it, let me shove a USB in, and yeah, then they exfiltrated all the data. Yeah, I mean,
nice well done hey now i wanted to i want to do a follow-up we mentioned this last week this
bug that appeared to be hitting like a whole bunch of browsers and it's the webp library bug
and man i was right you know i said someone's sweet sweet bug got squashed and it's just popped
up in everything the reason i wanted to mention it again this week is because there was a uh i saw
some social media posts on this where people were just realizing
how present this bug is in Electron apps, right?
And they are like statically in there
and every single one of these Electron apps
is going to need to get an update
against this WebP bug.
And it just goes back to my golden rule from years ago.
Friends don't let friends run Electron apps.
Amen, brother.
And I think Signal shipped a patch for Signal,
which is built on, Signal desktop is built on Electron.
So they shipped one out quickly.
But yeah, there are so many Electron apps
with embedded Chrome in them
that are just never going to see a patch.
Yeah, I saw threads on like one of these,
one of these like text-based, you know,
Twitters or the clones or whatever,
just with people just going,
oh my God, and this and this and this.
And you could just see the horror dawning on everyone
while the browsers might have copped updates like these other apps.
I mean, even, what, Teams is Electron-based, isn't it?
Discord, yeah.
Yeah, Discord, yeah.
I mean, there is a lot of Electron apps out there.
And there's just kind of no real reason for them to exist anymore.
Like in the older days when browsers were more
restricted you know you could kind of see why you want a non-sandbox browser based app but
with progressive web apps and with everything else there's just no need for electron anymore
i mean there used to be there used to be features that you could get uh via the electron versions
that you couldn't get via the browser is that still true i don't know i just don't know because
i run everything in a browser because i'm not suicidal exactly right so there are some aspects where like file handling
and some like local interaction stuff can be more straightforward but that you know the the there's
just no reason for it anymore and modern browsers you look you look at how the browser is integrated
on mac os you know and the amount of extra protections you get around like sandboxing
access to files and so on,
like there's a reason why we put everything in a browser and why we've spent the last 20 years
making the browsers safe to use.
Well, it's funny.
I mean, they're safe-ish, right?
I'm thinking relative to ActiveX.
Relative to Electron, yes, 100%.
But I did find it interesting that lockdown mode
is getting an update in iOS 17
and a lot of it is like removing various
APIs and whatever from the browser, right? So, like, they're safer. But, I mean, Lina, let me ask
you, are you an app or tab person? I'm an app person, but I think that's a generation thing.
is it yeah why don't you just throw that throw that stuff in a tab I don't know I don't know
what it is I love discord I love signal I love but i've got discord over here it's
in a tab i just i don't know what it is i i don't know why you want to use it in a tab it's like not
as pretty so i don't get owned i know i think it's a generation thing because i don't know anyone
around my generation that puts discord in a tab the kids today adam yeah kids today i don't know
and we should point out too for those who haven't guessed,
Lina is not of our vintage, right?
We thought it would be great to get someone on the show
who's actually younger than us for a change.
Now let's talk a little bit about NSO Group
and some Pegasus spyware.
A journalist, Galina Timchenko, who is,
I think she's like the head honcho over at Meduza,
which is a Russian independent media outlet that's actually been banned in Russia.
I listened to the podcast done by Kevin Rothrock,
who's Meduza's English-speaking head of content.
That's really good.
It's called The Naked Pravda.
Recommend people check that one out.
But yeah, the boss at Meduza had NSO group malware turn up on her phone.
It's not really clear who's behind this.
If I had to guess, it's a European country that wants to do third-party collection
because if you're an exiled Russian journalist,
you're going to have a bunch of interesting sources in Russia
that would be impossible for you to cultivate.
But if you can get on that person's phone,
you can observe their communications with those sources.
So that's what I think.
The reason I don't think it's Russia is, I mean,
I don't know if you've seen Jackie Brown, the movie, Adam,
but there's a moment with Ordell where he says,
My ass may be dumb, but I ain't no dumb ass.
And that's, I mean, I think NSO might be stupid,
but they're not dumb enough to sell Pegasus to Russia.
Like that, it's a bridge too far, right?
So my guess is here, Europeans doing,
some European country doing third-party collection
on a Russian journalist device.
What do you think?
I mean, I'm conflicted about this,
because I would imagine that if you were going to do that,
like Pegasus at this point is pretty visible.
Like, our techniques for
spotting Pegasus in the wild and reporting on it, and the fact that if you find it, Citizen Lab's
gonna get involved it's gonna get media coverage like it seems like a high risk play in that
respect well what's been what's been the negative consequence for whoever did this we don't even
know who it is that's a good point i mean that's the advantage of using of using nso group right
is it's impossible to attribute it to anyone in particular.
Yeah, so there's that kind of like safety of hiding in a crowd.
You know, anyone could be in there.
So that's a good point.
Either way, it seems a risky operation to me.
But, you know, as you said, if there's no consequences, maybe it isn't.
And it looks like other Russian journalists have been notified
that they probably have been Pegasus as well.
One thing I found really interesting about all of this is it was actually Apple who notified
the journalists that something was up on their device. And that tells you something about the
level of telemetry that they're getting. I mean, I'm guessing an exploit misfired,
there was a crash dump, you know, and I've talked to people in vulnerability research about this,
and all one bad crash, know when apple's sitting there
on all this telemetry and they see a device do something that no other device has ever done
and they go okay that's a crash dump we might want to look into uh and just quickly before we go we've
got a report here from reuters that says the uh war crimes tribunal of the international criminal
court uh has uh had some sort of incident and stuff stolen.
You know, the story doesn't come right out and say it,
but does tend to hint that the suspicion is that Russia was behind this.
I mean, I don't think we'd be all that surprised to discover that, you know, the Russian government was hacking the Hague.
No, I don't think we'd be surprised at all,
given that they've also, you know, expressed interest in prosecuting Putin as well.
So, you know, I guess it makes sense to go task them.
You put out an arrest warrant for Vladimir Putin,
you're probably going to get shell-popped on you, right?
I think so, yeah.
Seems likely.
Well, that's actually it for the week's news.
Adam, thank you so much for joining me as always.
Most welcome, Pat.
And Lina, thank you so much for coming on and co-hosting this week.
That was fantastic and I hope we can do it again.
Thank you for having me.
That was Adam Boileau and special guest co-host Lina Lau there with a look at the week's security news.
It is time for this week's sponsor interview now with Adam Bateman from Push Security.
They do SaaS security and recently published some interesting work on what SaaS-based attacks can look like. And they've spun this into
a sort of MITRE attack style matrix for SaaS attacks. So here's Adam Bateman to talk through
that and a few other SaaS-y things. Yeah, so when we built Push initially, it was to
help people identify all the different identities that employees are creating on the internet across various different cloud applications.
So they could understand which apps were being brought into the organization, where company data was going and which of those should and could go under SSO.
But as we started to look at these and discover different applications, we realized just how impactful a lot of these applications are. And so there's a lot of red team and incident responder blood running through
Push. And so we couldn't really help ourselves. We just kind of started to look at this through
a red teamer's eyes. And the idea of this research was really to answer two questions.
Firstly, if you were sort of targeting a company through this SaaS native world, firstly, is it possible to take control of a company without touching the endpoint or the
network at all? And the second point was really, is it possible to take control of a more trivial
application and then use that to actually leverage your access into something more critical,
in exactly the same way it is in the on-prem world, right? So I think a lot of the time people think about, you know, Active Directory, okay, well, I need
to defend this thing but it's the dev server on the on the side it actually has a path through
to compromising it or you know my website and my vpn endpoint are important but it's the dev server
on the internet no one knew about which could actually give the attacker a foothold and use
that to advantage to take control of something wider so we were looking at it from the same through the same lens using yeah using old school thinking
for the new school exactly yeah applying it through into this new world yeah so we kind of
think about uh you know identities in the cloud are the modern attack surface it's a little bit
like open ports on ip addresses used to be previously. So when we started doing this research, we were looking at it
and we decided to build
a MITRE attack framework inspired matrix
of all the different SaaS native attacks
that were out there and possible.
And some of those are known ones
like credential stuffing and MFA fatigue.
But a lot of those are ones
that we've actually,
through looking through a Red Team's lens,
we've come up with and had a look at ourselves.
And so the idea around the research was really what kind of attacks could you use?
So we did certain things.
There were some really simple techniques in there.
Like if you were to compromise a trivial SaaS application, something as trivial as a Trello
board, and it's not connected to SSO could you for example create an API key
then connect to the API and backdoor all the links inside the application so that when an employee
comes along they're very used to their their session timing out and so when they click a link
it then redirects you off to an Okta login page you can then man in the middle the the kind of
SSO and then take control of the application and redirect them back
to where they came. And that was possible. We also found a lot of these applications have
lots and lots of different things in there, like API keys and access tokens and webhooks and
different things like that. So a lot of applications that from the website wouldn't appear like they
are, would have a major business impact but actually you can steal
access tokens and API keys and webhooks and do things like, do IM phishing, so you can
actually send malicious links inside people's teams or slack and use that to phish people and
take control which is where people are not expecting it yeah yeah i mean we're seeing at
the moment too um ransomware crews at the moment using
teams actually um which is you know a different thing because you don't need to compromise an
account to send a team's message to someone but it is that thing of like having success by popping
up where people aren't expecting you to it's got hard to do ransomware over email because the email
security providers have got good at you know between their good intel
and their good filtering they've got good at stopping that stuff so that's driving people
into things like linkedin and things like teams because you know as you say you're not expecting
to get malware from your company slack exactly yeah and then we've we've said throughout the
industry forever, it's attackers will go where the friction is lowest, and
if you again come back to the pen testing world if you were then pen testing a public facing
infrastructure you might go and pick one particular server and go hyper deep and try and find
vulnerabilities but in addition you would go broad and you'd sort of run vulnerability scanners across
the whole public ip address range to see what you can pick out. The same is true in the cloud world.
So for example, super easy, I'd say credential stuffing is probably a SaaS applications
worst enemy. People are creating new accounts all the time across the internet, whether they're
inviting colleagues in or they're signing up and experimenting with new SaaS applications,
or they're actually adopting new SaaS applications as those identities are
created you know attacker can very very simply do credential stuffing so using passwords that
have been guessed or stolen or bought or you know have been won through result of prior phishing
campaigns and just spray them continuously across all the different SaaS applications and then
immediately pick off weak accounts as they come along, right? So that could just run automatically and you can pick off these different accounts. And the result of
that could be access to one of the applications we've spoke about that holds integrations into
core systems or webhooks or API keys. But also a lot of these applications themselves are actually
really powerful. So you get finance applications, for example,
which are connected up to your bank account. And if you get things like Ramp and not picking on
Ramp in particular, it's just a popular finance application. If you gain access to that, you can
make transfers out of your account. You can generate credit card details.
Now you've written up how you can chain together some of these attacks into realistic attack scenarios.
And you've got a couple of interesting ideas around persistence there.
I'd love it if you could just walk us through that.
Yeah, sure.
So the SaaS attack matrix was really for us the first installment.
So it shows an overview of all the different, 38 so far, SaaS attack techniques that exist, which are SaaS native.
And then what we're doing from here
is releasing a series of blog posts
which chain those different individual techniques together
into more of an attack scenario.
So you could actually see how those will play out.
And we released one recently
called SAMLjacking a Poisoned Tenant,
which really blends together.
It's effectively like a cloud equivalent of a
watering hole attack like leveraging legitimate SaaS applications when to you sign up as somebody
inside the company and because they don't do email address verification I can sign up as anyone
and then start inviting anybody else into the company so it gains momentum and then you're
admin on that system you can do some clever things that was the first blog post the second post that's now coming out is about uh what we call shadow workflows and this
is about the evil one this is the one i wanted to talk about because it is it is yeah it is horrible
so shadow workflows and um evil twin integrations is what we think about so the idea here is once
you've compromised a let's say Azure, and you've gained access to
someone's account, how do you persist? And the way we think about this is that automation apps
like Zapier, and there's a dozen others, they are kind of the PowerShell of the cloud world.
So if you gain access to someone's account, if you add Zapier, or that app, into their account,
you can actually use that to set up a ton of automations to harvest files from their OneDrive
on a continual basis, or forward emails out to you on a continual basis. Once you've got access
to email there's a lot of stuff you can do, so you could go across all the other SaaS applications,
hit forgot password, and you can actually reset and gain access to everything, you leverage passwordless or whatever you want to do. But the thing that's
particularly tricky about it and where the evil twin side comes in is that if you gain access to
someone's account and they already have one of these automation apps, like for example,
Zapier, as we mentioned, you can actually install your own Zapier app into their account.
And to them, it only shows as one.
And because there are no new consents,
nothing shows in the Azure logs.
So now what you have is a very, very stealthy way to backdoor that account
where they don't see anything different.
And I now can log into my own Zapier account
and I can use that just to harvest data
from their account on a regular basis.
So, you know, a lot of this research,
you know, as you say, it's the red teamer and incident responder blood coursing through the
veins of the staff at Push Security that led to this, you know, led to this research. And a lot
of it is theoretical. What have you observed attackers doing in the wild, right? Because I'm
guessing most of it is pretty low sophistication, volume stuff like cred stuffing, like phishing, you know, with the, you know, some of
these more advanced phish kits and whatever. Um, have you seen anything fancy yet, I guess, is what
i'm asking well i mean this is the thing that's crazy about it and this is where we should how
would you know is what you're gonna say i'm guessing yeah yeah yeah i mean like we we help
people to identify vulnerable identities across everything, right?
The core applications and the broader apps as well.
But what we're saying is there's a lot of focus at the moment on the kind of core productivity apps.
And there's a lot of attacks happening there.
But is that because of the fact that's the only place you can get logs?
If you take these thousands of other SaaS applications, it's super limited. you can't get the information from those so it becomes really hard even if you
take something very very common like credential stuffing which is hugely powerful for getting
mass compromise across lots of apps how would you determine that without having the logs
in a central location even the sas vendors themselves would need to all collaborate to
make that happen but the thing that's kind of interesting, I think the best result from this is a report that we saw come
out from Auth0, owned by Okta, and massively oversimplifying what they do here, but they
effectively provide authentication or login for lots of different SaaS applications. So we're in
a pretty good position, I'd say, to talk about this. And they released a report. And in that report, it said
that 34% of the total traffic across all industries to their platform is credential stuffing.
Yeah, yeah. It's crazy. I know some people who work in other places that see that, like CDNs
and whatever, CDNs that offer WAF and whatever. And yeah, it's insane. The amount of bot traffic
to these places, if you measure it by volume, maybe not 34%, but if you measure it by like connections, it probably is.
Absolutely. And as I said, it's a really low, it's a high ROI attack. It's easy to do. Anyone
could execute it. And so to leave that running continually and picking off accounts as employees
are creating them makes a lot of sense. In terms of public breaches as well, I'm in absolutely no
doubt we're going to see more of these. I mean, when you work in this space you start to attract conversations, and so we
hear from people saying, oh hey, actually these red teamers just compromised
us without touching the box once, like without touching any metal whatsoever. And you hear
about real incidents and bug bounties and these things that are coming up. But it's interesting to me that the best public cases you can see are things where applications like MailChimp are getting compromised and other mail service providers.
And the reason for that is because what they do is compromise someone's mail service provider and then are actually using those applications to send emails downstream to their customers in order to phish them
from a legit company domain. And those things are probably being picked up because of the fact there
is something there. Yeah, something useful. I mean, this is, you know, going back to what you said, it's
like, you know, I think the bulk of the activity is obviously targeting stuff like the, you know,
Google productivity and Microsoft productivity things and those sort of accounts. And I think one of the reasons for that though
is because they're standard.
Attackers know them.
Do you know what I mean?
It's sort of like why there's no malware on,
not a whole heap of malware on Mac.
Like people get comfortable with what they know,
but I don't think that means that we can just say,
well, it's all fine.
Then we don't need to worry about it.
Now we exchanged a few notes.
So I'm going to say something
that is going to be highly irritating to you,
which is, but hey, you know, people are using SSO.
Why is this a problem?
Yeah, that's a common one.
And that's fair point.
Common misconception, right?
Yeah, yeah.
It's a really, really good question.
I mean, we do pull in,
we connect into IdPs and pull those identities in as
well, so it's about giving the entire picture. But the thing that's interesting is that because we're
in this world of self-service, where different departments have taken it into their
own hands, they sign up themselves and experiment with different applications, and it's
after they've done the experimentation,
then they will go to the security team
or procurement team and IT team and say,
hey, we would like to use this application.
Now, what do we do?
And they don't tend to want to do that
until they're certain they want to use it
because of the red tape.
And so my point being is that-
By the time they've officially procured it,
they've been using it a while, right?
Exactly.
And a lot of these have got very, very low usage tiers or free for a year up front, so it could take a long, long time to discover
them. And so my point being is that connecting onto SSO is now the last step in the process, not the
first step. That's the first thing to consider. The second thing, on top of that: I haven't looked at
all thousand applications, but we did take 500 of the most commonly used ones that we see
and the ones that we deem to be high impact, either because you could tell from the website
and the feature set that it's high impact, like the finance applications, or because they contain
a route to a more critical system through access tokens and API keys. And we found about a third of
those have any support for SSO whatsoever. And then within those, you have to be on, obviously,
the top tier, the famous SSO tax, in order to make that happen. So it's not possible always to add
it to SSO, and also not always justified. But I think the thing that's really insightful for people
is that people tend to think about SSO as a shield for their identities, and it's really not. It's a
management layer.
So what I'm saying is that the way that SAML is implemented on these different SaaS applications
is very inconsistent. And when you actually add and onboard an application onto SSO,
you can actually often still log in using the local accounts anyways. They would still be
vulnerable to things like credential stuffing, right? So it's healthy to think about SSO like
a... It's just like when Microsoft used to leave IMAP open, right, for people who had, you know, modern
cloud-based email, but, you know, legacy support. I mean, it's similar to that. You just might not
realize that, you know, you can authenticate via not-SAML as well as via SAML,
right? So I think of it like Active Directory, right? You connect a
workstation onto a domain. Does that mean you can't log in as a local admin? You shouldn't
defend those accounts anymore? Or does it just mean that you have now a management layer where
you can manage its identity? It's the same thing. Adam Bateman, very interesting stuff. Thank you
for joining me. We're going to link through to that research that you published. I actually had
it sent to me by a couple of listeners when it first dropped. So people can have a bit of a read
through that. A pleasure to chat to you and hope we can do it again. You too. Thanks a lot.
That was Adam Bateman from Push Security there. Big thanks to him for that. And big thanks to
Push Security for sponsoring this week's episode of Risky Business. And that is it for this week's
show. I do hope you enjoyed it. I'll be back in a couple of days with another edition of our Snake Oilers podcast.
But until then, I've been Patrick Gray.
Thanks for listening. Thank you.