Risky Business - Risky Business #729 -- Why patching faster won't save us
Episode Date: December 5, 2023
On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover:
Iran-linked attacks on US water infrastructure
Why the ownCloud... bug isn't the end of the world
The D-Link 0day that... never existed?
In defence of Okta
Much, much more
This week's show is brought to you by Proofpoint. Ryan Kalember, Proofpoint's EVP of Cybersecurity Strategy, is this week's sponsor guest.
Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.
Show notes
CISA warns of threat groups exploiting Unitronics PLCs in water treatment hacks | Cybersecurity Dive
North Texas water utility the latest suspected industrial ransomware target | Cybersecurity Dive
Florida water agency latest to confirm cyber incident as feds warn of nation-state attacks
ownCloud vulnerability with maximum 10 severity score comes under "mass" exploitation | Ars Technica
Staples hit by cyberattack during critical Cyber Week sales push | Cybersecurity Dive
New Jersey, Pennsylvania hospitals affected by cyberattacks
60 credit unions facing outages due to ransomware attack on popular tech provider
HHS warns of 'Citrix Bleed' attacks after hospital outages
Payments processor Tipalti investigating ransomware attack | Cybersecurity Dive
CISA's Goldstein wants to ditch 'patch faster, fix faster' model | CyberScoop
Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers | CISA
Kremlin-backed hackers attacking unpatched Outlook systems, Microsoft says
Latest severe Chrome bug prompts CISA warning
Google researchers report critical 0-days in Chrome and all Apple OSes | Ars Technica
Okta again promises it is taking security seriously | Cybersecurity Dive
Okta: Breach Affected All Customer Support Users – Krebs on Security
Russian and Chinese interference networks are 'building audiences' ahead of 2024, warns Meta
Meta says it broke up Chinese influence operation looking to exploit U.S. political divisions
Clandestine online operations now require sign-off by senior officials - The Washington Post
Feds seize Sinbad crypto mixer allegedly used by North Korean hackers | TechCrunch
US sanctions North Korean 'Kimsuky' hackers after surveillance satellite launch
'Fugitive' Spanish aristocrat behind North Korea cryptocurrency conference arrested
Used by only a few nerds, Facebook kills PGP-encrypted emails | TechCrunch
Transcript
Hi everyone and welcome to Risky Business. My name is Patrick Gray. This week's show is brought to you by Proofpoint, and Proofpoint's EVP of cybersecurity strategy, Ryan Kalember, is this week's sponsor guest. He's going to join us to share some thoughts on how we can make better use of our regular users when it comes to fine-tuning alerts.
So everything from asking users via Slack or whatever,
hey, did you mean to send those 50 gig of sensitive files to Google Drive just now?
And then there's the security use cases like,
did you just install TeamViewer with your creds?
You know, did you mean to do that?
Yes, no, you have no idea what we're talking about.
So yeah, the idea being that you
can just really improve the quality of your signals by asking users questions. So that is coming up
later. Lina Lau was supposed to be joining us for this week's news segment, but unfortunately,
she's down with COVID and we wish her a speedy recovery. And in case anyone was wondering,
last week I mentioned that my wife had just come down with COVID and I was expecting the same thing to happen to me.
But in the end, it just didn't happen.
So I felt a bit stupid for a few days, but I never tested positive.
So, yeah, I don't know what happened there.
But either way, I feel like I dodged the Rona bullet this time around.
Hopefully I haven't spoken too soon.
But, yeah, Adam Boileau joins me now for a discussion of the week's news.
G'day, Adam.
Hey there, Pat.
And look, we've got, you know, the usual grab bag of horrors to get through this week.
So many horrors.
Let's start off by talking about Unitronics and default creds and just a big old bag of fail.
Yeah, Unitronics are a vendor that makes some kind of, you know, PLC that's popular in water systems.
Their software had a default cred of 1111, which, if you put it on the internet, you're going to have a bad time.
And it turns out some people do put it on the internet,
and a water authority in Aliquippa in Pennsylvania appears to have had said bad time.
Yeah, so it looks like, what, is there some Iran-linked crew?
Like, is this state-linked? Is it hacktivists?
What do we know about who's actually doing this?
Because it's not just this water treatment plant in Pennsylvania.
Like, this is turning into a thing.
Yes, so the Aliquippa one was claimed by Cyber Avengers with a three,
which is some kind of Iranian hacktivist group
that does have a bunch of strong ties
to the Republican Guard in Iran.
So that's not a great sign.
We have seen CISA and some other warnings
around intrusions into water authorities.
There's been a couple of other ones as well
that didn't appear immediately related
to the Unitronics thing.
So we've seen compromises of business,
kind of IT side systems at a water authority in Texas. There's been another one where maybe it
was ransomware, but CISA seems sufficiently concerned that they have been warning people
in the industry about the focus. We have seen the Unitronics thing obviously getting a bunch
of attention. Interestingly, Shodan suggests that the majority of Unitronics devices on the internet
are actually in Australia.
Yeah, Australia and Singapore,
number one and two, baby.
Oh, yeah.
So yeah, that ain't great.
But this reminds me of some years ago
when we started seeing just a huge focus on Israeli water utilities
coming from Iranian crews.
And you just sort of wonder if that's what's happening now,
if it's like a rerun of that, but this time in the United States.
Yeah, the ways that you break into the water utility
is going to be pretty consistent across all sorts of jurisdictions,
default creds and field equipment and so on.
So using the same playbook against the US makes a whole bunch of sense.
Yeah, I mean, you just sort of wonder what the most effective thing to do about this sort of thing is,
which is, I don't know, maybe make these water utilities use an upstream provider
that does a bit of firewalling for them or something.
But, you know, then you've got all sorts of access issues and whatever.
So I don't know that there's an easy solution.
No, there don't seem to be any particular easy answers.
And where US authorities were attempting to more strongly,
you know, either provide guidance or regulate,
we've seen some pushback against that as well,
which doesn't make any sense to me.
So...
I think, though, that there were some reasonable arguments
about government overreach,
given how the US government was trying to do that.
Some Republicans came forward and said,
this regulation is overreachy and doesn't quite make sense.
You know, it really surprised me that I read through the criticism and thought,
oh, okay, I kind of see what you mean here.
You know, so I think it's more an issue of, like, being unsure of, like, how the federal government can regulate this.
Is it through the EPA? Is it through other things? Like, how do you do it without it being overreach?
So I think, I just think it's a curly one.
Let's put it that way.
It's certainly complicated.
And, you know, the reality is,
even when you give organizations good guidance,
they still probably don't know
that they've got default cred PLCs on the internet.
Yeah.
And, you know, understanding what you have
and your, you know, your asset inventory
and being able to make good choices about like
if we were able to do that already, you know, we would already be doing it.
So, you know, it's struggle town regardless, and especially for small water authorities
that don't have the resourcing or expertise.
Because, you know, we got a bit of a theme to talk about this week.
We do.
Oh yeah, which is about this idea of, like, you know, expecting organizations like that to patch.
You know, expecting them to patch at all is a heavy lift.
Yes.
And then expecting them to patch within 48 hours is, you know, kind of unreasonable.
And we'll get into that part in a little bit,
but let's talk now about the latest acquisition
to join the Accellion family, Adam, which is ownCloud.
What a name.
Yeah, exactly.
This one's made probably too much news.
So there's been a pretty nasty CVE pop up in a bit of software called ownCloud.
And this is one of those file transfer appliance type things, right?
Like MOVEit, like Accellion.
But the thing is, it looks like the component that is exploited is switched off by default.
It was only added, the vulnerability was only added quite recently.
It just doesn't look like this is going to be anything like the scale of the Accellion
or MOVEit campaigns, but it's picking up media coverage as if it is.
And I think that's understandable because it's a similar type of bug and a similar type
of technology.
But just once you actually take a closer look at this,
it doesn't seem like it's going to be a big...
And my Accellion joke, by the way,
is because, yeah, Accellion actually bought this company recently.
Yeah, so ownCloud is like an open source,
I guess, like run your own file storage cloud solution
made by some German company.
And yeah, they were recently acquired by Kiteworks,
which is what Accellion changed their name to after their very embarrassing set of breaches.
And the bug itself is essentially, like, there's a phpinfo that will disclose a bunch of information
about the runtime environment, and that includes, in containerized deployments, credentials and other
things that would allow you to then gain access to it.
So you are vulnerable if you had the relevant, like, API endpoint, which I think actually was some Microsoft-related,
like, Graph API thing. So you had to be running that component, never turned on, and you had to be
in a containerized deployment where the environment variables contain security-critical stuff, and then
you had to have it on the internet. So that's not a particularly wide... I mean, I think overall the numbers we've seen
were like 11,000 ownClouds on the internet.
How many meet this prerequisite is really not very sure.
I think it was like 900, someone said, or something like that.
Yeah, like a pretty small subset.
And so compared to other file transferry sorts of solutions,
like this is not a product that's in wide use by enterprises
and a lot of them are
not super vulnerable or likely to be in a vulnerable state. So yeah, it's got a lot of
traction for probably not a lot of shells. Yeah, yeah. But I do think this is something we need
to watch. I mean, I had that interview with, it was a sponsored interview with one of the Kroll
people a while back, and they really unsettled me by saying, oh, was that George Glass?
Yeah, saying that he's expecting we'll see similar types
of campaigns, not just targeting file transfer appliances,
but things like there's a lot of systems that sit
on the edge of a network that contain important information.
Like the one that he cited that really freaked me out
is payroll systems.
Because, you know, you've got an ODA and a payroll system,
a common one, and you hit all of them. Yeah.
So by no means is this going to taper off, this type of attack, but probably this one in ownCloud
isn't the one we need to be worried about. Yeah, I agree completely. There is a lot of nasty things
on the edge of the network and people are very equipped to compromise all of them very, very
rapidly when a bug arises. But in this particular case, you know, bullet probably dodged.
Yeah, yeah.
So let's turn our attention now to the continuing fallout from this so-called Citrix bleed.
Speaking of things on the edge of the network.
Oh, God.
You know, we've just picked the worst ones this week.
But, yes, Staples, the office supply retailer
in the United States, they've had a terrible time. What else have we got here? We've got some hospitals in New Jersey and Pennsylvania.
This coverage, the first one was from Cybersecurity Dive. Second one is from John
Greig over at The Record. And yeah, there's something like 60 credit unions facing outages
in the United States, according to this piece by John Greig, because of attacks on their upstream
providers. Do we know that these ones connect to Citrix Bleed?
These ones, yes.
Kevin Beaumont's been posting screenshots of their Shodan Citrix.
He's been doing the Shodan screen grabs, yeah.
Yes, yeah.
So this one, Fedcom, definitely looked very Citrix-y and, yeah, big impact for all of
the credit unions that used it.
Yeah.
Look, it's just continuing.
This is going to have a reasonably long tail, at least of another couple of months,
I would expect, of people just getting rinsed by this.
Funnily enough, I had an interesting conversation yesterday
with a local manufacturer here in northern New South Wales.
They had their production seriously impacted
by the problems at the Australian port operator, DP World.
And I found that very interesting because they had, you know,
as far as I know, the disruption only lasted a few days at DP World,
but it caused such a ripple through the supply chain
and caused ships to get backed up and whatever
that it led to multi-week delays in people's containers
actually getting where they needed to go,
which has caused, yeah, big, big, big drama.
So I found that interesting.
Yeah, that is when you see the real world impact, because when we reported on that,
like they were back up in a few days, that seemed pretty good.
But understanding the actual impact of these events, you know,
because diverted ambulances and so on, like we can kind of understand.
But yeah, as you say, the ripples through the supply chain can be, you know,
much bigger than the disruption started with.
And yeah, we've also got some reports here
about a payments processor called Tipalti,
which is quite large.
They're having a bad time.
I don't know if this is Citrix related,
but this is the ALPHV group hitting them, Adam?
Yes, and also ALPHV have been saying
that they're specifically going to go in
after customers of Tipalti,
which includes things like Roblox and Twitch. So they're picking on the big customers and using that to apply
pressure, but also maybe ransoming for data theft against downstream customers. Yeah, so that brings
to a close our little wrap of some of the notable ransomware incidents. I will say, too, that one thing
that I've noticed that's been interesting that we've been seeing more and more of is
some of these crews getting access to
environments, exfilling data but unable to
deploy ransomware and it looks like that might
be what has happened in that case
and we know, remember last week I said
I don't think they deployed malware in the
DP World case? Like right
after we published the show it was
confirmed that no ransomware
was deployed so that turned out to be right.
Yeah.
So maybe we are getting slightly better at, you know, catching it.
What do they say?
Left of boom?
Is that the incident response term for it?
But how much difference that makes, you know, when you're then denial of servicing yourself
by taking things offline and all the subsequent costs, you know, the impact still matters.
Well, better a four-day disruption than a three-week disruption, right?
This is true, yes.
So we're improving the A on the CIA triad a little. Not so much with the C. Still some work to do on the C.
Right, let's talk about some comments now from Eric Goldstein, who is a top cybersecurity official at
CISA. You sent this story to me and you were kind of doing a bit of a fist pump reading this one.
Walk us through it, Adam. So basically he was giving a talk at a conference and he said that, and I quote,
"to say that our solution to cybersecurity is, at least in part, patch faster, fix faster, that is a
failed model." And I'm very here for this, because as you say, patching within 48 hours, like, that's
proper hard, and patching at all is a thing that we still
find hard. And the idea that just yelling at people to patch better maybe isn't going to be
the solution. I'm here for people saying that bit out loud, because it's true. And then that leads
into the discussion of, well, is it ultimately on vendors and IT architects and people who build these things
to build systems that are resilient in the real world? Not resilient in theory, not "if you do
everything perfectly then you're fine", right? We need to build things that actually, practically,
people can buy and operate in their environment. Yeah, I mean, this has been a 20-year
bit of advice. Yes. Which is patch your stuff, you know, patch it quickly.
And what, you think if we spend another 20 years
just saying that over and over, it's actually going to happen?
No, it won't, right?
So I think there's a lot to what he's saying.
I think there's a lot to what you're saying,
which is that we need to think about how to build systems,
particularly for SMBs, particularly for, you know,
water processing plants and whatnot.
We need to be able to give them tools that they can deploy
that aren't going to get them just instantly owned
when someone reverses a patch.
Yeah, exactly.
I mean, the quality of the security,
especially security services and devices that we sell people,
is just not good enough and is not, in many cases, fit for purpose.
Like the fact that Citrix got so many people owned
in the last couple of months, ultimately that's on Citrix, right,
for not building robust systems, but also for not using defense in depth,
not doing all the things that we tell people to.
When you read about bugs in appliances that don't use modern sandboxing,
don't use modern protections for
memory corruption bugs. I mean, you see Cisco products that are compiled without any compiler
protections for memory corruption because the product is 15 years old underneath, but yet still
sold with all of the padlocks and shields and marketing. Yeah, but I think you're off base with
this as as well to be honest because I don't think we can reasonably expect
enterprise vendors to make stuff
that is not going to get us owned.
You know, like I think the coolest thing
that I've seen that kind of addresses
these types of issues lately
is that Zero Networks thing
where you have to go and authenticate
through your SSO provider
before you get a port.
Before you get network connectivity, yeah.
I mean, there are some defense in depth options
that we have not given enough credence to.
And certainly like just not having network readability
to staff goes a long way.
Yeah, you do an SSO and then it adjusts the firewall
and actually lets you hit a port.
It's funny that we kind of come back to firewalling
as being an actually effective control, because it's kind of so gone out of fashion with web-based
everything these days. But yeah, you make a solid point. Like, how many of these bugs wouldn't have
been exploited if you just had a firewall in the way? Yeah, if you just couldn't get to them. And,
you know, if you had some sort of dynamic way to be able to provision network access via SSO, and
I don't know if Zero Networks are the only ones doing this, but, like, I think that in particular is a really interesting product idea. And I think,
I mean, I haven't implemented it personally. I imagine it's reasonably
straightforward, but I don't know. You know, can you expect a water utility to implement a product like
that? Again, I don't know. But my point is I like the thinking, right? Which is that just putting these things on the internet
and letting all and sundry connect to them and exploit to them,
it hasn't worked.
And it's funny because when we make really big changes
to how technology works, and I'm thinking IPv6, right?
We did IPv6 and we haven't done IPv6, which is great,
but we rolled out v6 without ever stopping to think about what end-to-end reachability would mean for security again.
Because we're so used to v4 NAT and there actually being a network perimeter as opposed to everything being reachable.
And when we can make changes like that without considering the real world impact of it, that's kind of how we get ourselves into these messes as an industry.
Because, you know, we're not consistent and sensible and think things through, right? We just
YOLO stuff into, you know, with decisions that maybe make sense in one context, but big picture we're
just bad at this. And ultimately it's on us as a tech industry. It's not on our customers, right?
They're the ones that have to clean up the mess, but we, through whatever
mechanism, be it defense in depth, be it good engineering, be it a combination of all of these
things, like, ultimately it's on us. And I like hearing CISA saying that's kind of where
we've arrived at. Yeah, I don't know that it helps, though, to... I mean, it's true, though. Yeah, yeah, yeah. No, I know. I know.
I'm just, look, I'm just, it's the end of the year.
Okay.
I'm tired.
I'm tired.
We're all so tired.
It's funny though.
You know, I saw, I think it was actually Kevin Beaumont talking on, you know,
Mastodon or, you know, Twitter or X or whatever the hell saying, oh, you know,
look, it's only a matter of time before these ransomware crews
get 0day in some of these, you know, edge network devices.
And, oh, it'll be so much worse.
I actually disagree with him.
I think that, like, you don't need 0day as a ransomware crew.
Like, look at what they've been able to do with this Citrix N-Day
by reversing a patch.
Why would you bother with 0day, and what would it meaningfully get you?
Like, would it get you anything that you didn't get already? Like, what would that mean? Slightly
more targets? I don't know. So I think it is at the point now where if you can reverse a patch,
find an exploit and go for it, like, I don't know, man, there's only a small subset of targets that
will have patched.
Yeah, exactly.
So it won't make a meaningful difference.
So I don't know that, you know,
big scary 0day is the thing that's going to make this meaningfully worse.
I think we're already in a pretty bad spot.
I think so.
And being operationally sophisticated enough
to get a piece of information about a bug,
whether it's zero day, whether it's end day,
and then being able to act on that information
on a global scale in 48
hours, like ransomware crews can and like we as a defense industry can't, that's the important thing.
And ransomware has scaled out crime so well through the affiliate model and blah blah blah
that they can do it and we can't defend. Well, I'm working on a year in review
podcast for next week, and that's one
of the sections that I'm going to talk about with Dmitri Alperovitch, because you won't be joining us
next week, and we're going to talk about why that is later. But, yeah, I'm calling it sort of
the industrialization, yes, of crime campaigns, right? Because it's something that's been predicted for
20 years, but we've actually finally got there. Hooray. Yeah. That's great. Now, look, speaking of...
Exactly this point.
Talk to me about your favorite software stack
and what's happening to it, Adam.
So CISA put out a write-up of a couple of intrusions
into some US federal government systems via ColdFusion,
the Adobe hosting platform from the dawn of time.
And this just makes the point so well. These two ColdFusion boxes were popped with some bug that came out this year,
but the people who were running ColdFusion had not patched, in one case, since 2016.
And of course they got shelled and people pivoted onwards into their systems. And, you know, having
ColdFusion that is not up to date on the edge of your network, like, that's been a bad idea for probably a decade. And we were just talking about
how patching is not an effective control because we can't do it in 48 hours. We've been saying patch your
ColdFusion for a decade and it's still getting people owned. So yeah, probably more than a decade.
Probably more, probably more. Good job. Well, and the good news just keeps rolling, Adam,
because this next piece by Daryna Antoniuk over at The Record is like,
you know, the Kremlin-backed hackers are having a hell of a time
using the advanced, you know, advanced tradecraft of like
owning exchange boxes that haven't been patched.
I mean, it gets the job done, and I guess they're going after
government systems in Europe that, you know, are somewhat laggardly with patching, it seems.
But I mean, there's laggardly with patching, like we've been, you know, bad-mouthing, and then there's
just leaving your Exchange on the internet, which, I mean, can we say both things? Can we say
both is bad? Like that it's the vendor's fault, but also there's a little bit of fault of government agencies
getting themselves owned by Russians?
Throw my computer into the ocean.
I'm going to eat my phone.
I'm going to move to live in a tent in the forest,
I think, after this week.
Yes, yes, yes.
And I have noticed too,
and this is something I'll touch on next week,
is this year, I mean,
the news cycle has been very repetitive, right?
More so than usual.
So that's been interesting. But, but, but, we do have something kind of notable here.
Joe Warminsky over at The Record is reporting that CISA has actually added a Chrome, a Google
Chrome bug, to the CISA KEV list. And I think, is this one, is this one 0day? This one was, I
believe, exploited. Yeah, and then Google TAG found it, right? And then Google TAG found it.
Google TAG hasn't linked to an exploit for it,
so it's a little bit unclear.
But yeah, it ended up in the KEV.
And there's a few other Chrome bugs
that have ended up in the KEV over the years.
There's also a D-Link bug that wound up in the KEV,
which was kind of funny.
Well, exactly.
That's not in the run sheet,
but why don't you tell the listeners about that one?
That's funny.
So the KEV list removed a D-Link exploit.
And I asked, well, how does something get into the KEV list if it's not real?
Anyway, it turns out it was a fake exploit written by some guy with like fake screenshots in an advisory,
which was then copy pasted by some worm developers into their Mirai style botnet,
which was infecting real systems.
And at some point CISA went, okay,
all the exploits that are in this worm,
we're going to stick them in the KEV list
because clearly the worm is working,
so they must be working.
But it was a fake exploit.
And then some guy wrote a blog post
and challenged the MITRE CVE registration for it.
And they had to pull it out of KEV.
And I said...
Well, they removed the CVE identifier as well
because it's not a real bug.
Removed it from KEV.
A hoax bug.
And I pasted in Slack.
I'm like, how can a bug that doesn't exist
end up in the KEV?
Surely there's some degree of editorial oversight of KEV.
Then I went and dug into what the actual story was
and it turns out totally makes sense
how it ended up there.
But you know, the initial story was pretty funny.
Yeah, which is like how did this not real bug
make it onto a known exploited?
But you know, it was like known exploited attempts.
But it just turns out the bug was fake
even though the worm authors didn't know that it was.
What a world.
Yeah, that was fun.
And of course, you know,
the CISA KEV maintainers can't go out and...
No.
I mean, that seems pretty good verification,
to be honest.
Like if you've confirmed that someone's using it in the wild.
Yes, exactly right.
And you just haven't confirmed that it worked. I mean, yeah, I mean, in the end you're, like,
taking the word of the worm developers that the exploit was good. Honestly, not that unreasonable
for them. So, like, a hundred percent give a pass to the KEV maintainers on this one. But anyway, we
should all be patching our Chrome all the time, because those Chrome maintainers work hard to get
the bugs out quickly
and they really do get used in the wild.
So grim.
Now let's talk about Okta.
And Okta has had a bit of a rough year PR wise.
And I think, look, I think a lot of it's not justified.
So full disclosure,
Okta has not sponsored anything Risky Biz in 2023.
They are coming back as a sponsor in 2024.
So you have to understand that from January
2024, there is a commercial relationship between Risky Business and Okta, but I don't believe that
is influencing what I'm about to say, but you might have a different opinion. Anyway, disclaimer
done. You know, you often hear people talk about Okta's breach during the Lapsus incident, right?
Where someone got a screen cap and really what it looks like is all they got was a screen cap.
But this created a perception of this huge breach at Okta.
And I think that sort of tainted subsequent coverage.
You know, then you had the scattered spider people
getting access to Okta super admin accounts
by doing social engineering
and where victim companies like MGM
had kind of crazy permissions set up
where the help desks could reset MFA on super admin accounts and stuff,
which I don't think is really Okta's fault.
They got bad press around that as well.
Now, one where they've justifiably gotten some bad press
is when their support got owned.
And this is the recent thing.
Someone has stolen a bunch of HAR files
and some of those contain secrets
that the attackers were able to remove from the
HAR files, then use as, you know, tokens and whatnot, and then onwards into a, I think,
a five Okta customers. So that's bad. And, you know, the biggest criticism that I think has
landed out of all of that is that they should have been sanitizing HAR files that customers
were submitting. Cloudflare, which was one of
the affected orgs, actually released a HAR file sanitizer to GitHub as a way to shade Okta, which
I thought was actually quite funny, and Okta should actually absolutely use it. But now we've got
reporting that, oh, you know, they said it was only 130 people who were affected in this Okta thing, but it turns out it was all of their customers. And, well, not really, Adam. The remainder of their customers appear to have had
some details taken, in particular email address and name, like maybe in some cases last login dates, et cetera,
but not a whole bunch of other useful data. And yeah, given that we're seeing social engineering attacks
on Okta admins, that's probably still data that, you know, you don't want out
there. Yeah, it's bad. It's bad. But we're seeing headlines of, like, all Okta customers impacted
in this breach, and it's like, well, kind of. You know, Brian Krebs's headline was "Okta breach affected
all customer support users", which is true, but it's...
Technically, yeah.
But it makes a bit of a false equivalency
in terms of what the impact for those customers were.
Like, obviously Okta shouldn't be having
their support systems compromised,
but it's just Okta as, you know,
because it has such a high position of trust
in people's organizations,
like it's kind of reasonable that
they do get held to a high standard, but it does feel a little bit unfair on them lately. Yeah, I
agree, and I think they do need to do better. But I also think Okta just grew at warp speed for a
long time. It's the Microsoft problem. I'm guessing, unlike Microsoft, that doesn't rotate the key mat
that underpins their authentication events, like,
that they keep that hanging around for five years or six years, I'm guessing Okta do some of those
fundamentals right. I mean, I remember once when you or one of your team members found 0day in
Auth0, which is now an Okta company. You reported it to them, they had it fixed, like,
lickety split, you know.
I mean, they've always been a pleasure to deal with in terms of how they respond.
It's just that, I mean, some of the PR side of it has been a little clumsy at some points.
Yes, earlier on. You know, they seem to have got a bit more polished over the last couple of years,
I guess with practice. But it's just they are so important and they are so big
and they get a lot of things right,
but they do got to get it very, very right, you know?
I think just trying to operate at this scale when, I mean,
they kind of are, I mean, I guess they're not a startup anymore.
You know, they're like, they're a huge multi-billion company.
They've just had to grow so much.
And I think, though, that all of this bad publicity
is going to get the people inside
who want to do some of these big projects,
like it's going to get them the authority to do it.
But, you know, there's clearly always going to be a lot of work
to be done at an org like Okta,
just like there is at an org like Microsoft.
Yeah, Matt Kapko over at Cybersecurity Dive
reported on the CEO and co-founder Todd
McKinnon on Okta's earnings call, and it really, you get the impression from him that it has really
become important to them and they've got an opportunity to make the improvements and do the
work. And I'm pretty sure their attention, you know, the executives' attention has been grabbed,
and presumably everyone else that wants Okta to succeed and make money. One thing I didn't realize is they've never actually made
a profit, so maybe in that sense they're still a startup, I don't know. They've grown super
quickly, like, as you say, they're a multi-billion dollar company, but they only lost 81 million
in the last quarter, so that's a record, which is really not much in the context of a business that
size. So they're clearly getting closer.
Yeah, they're prioritizing growth, right?
Like they could make a profit if they wanted to.
But, you know, as is typical these days,
just accelerate, accelerate, accelerate.
Exactly, yeah.
And that does come with growing pains.
Yeah, it does, right?
Imagine if you were tasked with managing the security of Okta support.
I know, right?
We know some people who have similar tasks.
Yeah.
Yeah, it's a challenge, that's for sure.
Yeah.
So, I mean, let's see.
I mean, I'm just not at the point where I can condemn them.
Yeah.
You know, that's all.
That's all I'm saying.
Obviously need to do better, but I can't point at this.
It's not like the Storm-0558 stuff where it's like, what?
You know what I mean? You didn't rotate that key for seven years? Like, it's not like that.
Yeah, and I felt bad for Okta
reading some of the headlines this week. Yeah, you know, when we were preparing the run sheet. So here
we are saying Okta, you know, you need to do better, but honestly, could also have done a lot worse. Yeah, yeah,
that's it. That's actually it too. So let's move on.
And good news, everyone.
Russian and Chinese interference networks are building audiences ahead of 2024, warns Meta.
That's the headline of this piece by Alexander Martin, again, in The Record.
Yes.
So Facebook's been talking about influence campaigns that have been ramping up from both China and Russia,
and those that are preparing for the upcoming American elections. They also talked about the fact that they are
seeing Chinese networks focusing more on things outside of China's region, and we've seen them
doing influence ops, you know, in Asia, but gearing up for the US. And this ties in well with elements of the US government deciding that
dealing with, you know, online fraud or online disinformation somehow is infringing upon their
rights, and there was this sort of injunction against the US government cooperating with
Facebook a while ago, which makes no sense when Facebook was out complaining about the lack of
information sharing that can go on now because they've been injuncted against,
which all seems a little bit dumb given...
Is this part of that whole, oh, big tech is, you know,
persecuting conservatives?
Yes, persecuting conservatives by...
The Department of Homeland Security is censoring speech.
Yes.
Because they, yeah.
Because they have lists of inauthentic accounts
that are being used for propaganda.
So, I mean, it must be so frustrating working at Facebook
and seeing some of these things happening
and then being hobbled by your own side in dealing with it.
So, frustrating.
Well, and it looks like there's a bunch of, you know,
speaking of all these sort of disinformation ops,
Ellen Nakashima and David DeMolfetta
over at the Washington
Post have a story up about how, like, if the Pentagon wants to do more influence ops, they're
going to need sign-off from very senior people. And this is, so it's like, it's so clear what happened
here. Remember, like, I can't remember if it was this year or last year, but it looked like someone
uncovered this, like, ultra low traction, ultra low engagement information operation
that kind of tracked back to the Pentagon.
And it was just, like, real bad,
like just absolutely did absolutely nothing.
And everyone, you know, had a big freak out about it
because it's like US disinformation and whatever.
And it looked pretty clear that it was someone,
maybe not that senior,
who was just giving it a crack with a few fake Twitter accounts.
It was like a made-up Persian language news site
that was just reposting Voice of America content and stuff.
Yeah.
Compared to what China and Russia are doing, and Iran,
it's such kind of amateur hour stuff.
Yeah, yeah, yeah.
So now the Washington Post has reported
that if people in DoD want to do similar stuff in the future,
they need sign-off from very senior people,
which is just a way of saying, don't do that again.
Yeah, and it's just funny comparing and contrasting, you know,
the Russia and Chinese scale of these things with, you know,
the US with all of its multi-billion dollars of military budget,
still bad at online InfoOps, so yeah.
But the US has always sucked at InfoOps.
Like it has always been quite terrible at that.
Yeah, I mean, the US is more about, you know,
shock and awe and blue jeans and McDonald's.
And they're very good at all of those things,
but not so good at the subtle InfoOps.
So what do we got here?
We got a story about the Sinbad crypto mixer, which is one of the
crypto mixers allegedly used by North Korean hackers. It has been seized by
federal agencies from a few different countries. Yes, some shocking development there. Who would
have thought the cryptocurrency mixer would get seized and sanctioned? This particular one had
been used for, I think, the Lazarus Group had been putting some of their Horizon Bridge and Axie Infinity money,
which was like, that's what, $900 million worth of funds they stole.
Some millions went through Sinbad.
So yeah, no surprise.
And we've got another one here, actually, about North Korean hackers.
We've got Kimsuky.
They've been sanctioned by the US government.
Don't know that that's going to make much of a difference, but, you know, the US do love to
sanction people. They do. And I mean, it does have effects on cryptocurrency networks and on, you
know, Kimsuky is one of the groups that we've seen using overseas contractors and North
Koreans working overseas to bring money back. So, like, maybe it'll have some effect, I don't know,
but, nice, you know, may as well. Like, why not sanction them? Why not?
Now, this connects to North Korea as well.
And this has just been one of my favorite stories
to watch play out over the last couple of years.
You know, there was this guy, Christopher Emms,
and Virgil Griffith.
Christopher Emms is British.
Virgil Griffith is American.
And they were the ones who put on like these
how to evade sanctions with cryptocurrency conferences
in Pyongyang.
And I think one,
I think it was Emms,
like he's fled to Russia because I think he was in like Dubai or something.
And it's just been,
it's just wild.
Yeah.
There's a,
there's a third Westerner who is,
apparently, some sort of Spanish aristocrat, who got
arrested at a train station in Madrid, and it looks like, you know, the US authorities are
seeking to extradite him. Alexander Martin has a great write-up here over at The Record on
this one. But I just, you know, these guys, it's the "around and find out" just personified, and I love it. Yeah, this guy, Alejandro Cao de Benós,
I think he's out on bail in Spain now whilst he's trying to avoid his extradition. But, yeah,
it's just so funny seeing crypto bros getting some comeuppance finally, and, yeah, I'm here for
it. Yeah, the whole thing has just been crazy. And we got,
look, the best headline of the week award goes to Lorenzo over at TechCrunch. He's over at
TechCrunch these days, and the headline is "Used by only a few nerds, Facebook kills PGP-encrypted
emails". Yeah, it's a great headline. Sad for us '90s cypherpunks, but, yeah, it's so very true,
apparently. And I didn't
even know this: there was an option in Facebook where you could opt in to having them PGP-encrypt
your mails from Facebook, so when they send you a "hey, you've got a new follower", "someone tagged
you in a photo", you could get that PGP-encrypted to you. Which, wow, I mean, I guess whatever one
engineer at Facebook implemented that, good on you.
But given that even Phil Zimmermann, the inventor of PGP, doesn't use PGP anymore,
yeah, about time to turn that feature off. So, yeah, that's just funny. Anyway, great headline,
cracker headline. Look, that's it for this week's news discussion. We should mention, though, that,
you know, that's it for you this year, because in a few days from now, you're actually getting some surgery.
So you're going to be recovering as we put down the last show for the year.
Like, if you're feeling okay, you're going to join us,
but it looks like probably you will not.
Yes, they are going to be digging into my face and into my sinuses
with some endoscopic tools and doing some stuff up in there
and probably, I don't know, I'm going to be in very good talking condition
after that has happened.
But at the very least, I'll be reading the news list
before you guys talk about it.
And look, can I just give the listeners a quick recap
on your health, what happened?
Because people have asked me, right?
Can I give the short version?
Yeah, you can give people the short version.
It's very nice that listeners care
about why I had disappeared for a few weeks there. Yeah, so the short version is
you were in the United States, got a very severe nosebleed that just wouldn't stop, went to the
doctors, who took your blood pressure and found that it was at "oh my God, call an ambulance
immediately" levels, and had probably been at those levels for quite a while.
And your nosebleed basically formed because your blood pressure was so extreme that you
sprung a leak.
Yeah, basically my nose popped.
Yes, you exploded.
So, you know, that wasn't great.
So obviously they had to get your blood pressure under control, which they have done, which
is great.
And also they had to, you know, give you a proper lookout to make sure that your organs weren't paced
from having blood pressure like that for quite a long time.
And meanwhile, because you had this horrible nosebleed,
it's messed things up in your sinuses,
and that's what you're finally getting rectified, actually, in a few days.
That's the basic summary, yeah.
The extra funny bit for me was I was actually
in Silicon Valley at the time, so I ended up
in Stanford Hospital, which is a wonderful...
In the Marc Andreessen unit.
In the Marc Andreessen emergency unit, yeah.
And so it was very interesting seeing
what very high-end, very expensive
American healthcare is like, because I had
doctors up the wazoo
and MRIs and all sorts
of very, very fancy treatments. And, you know,
the building is lovely and all the staff were beautiful. And I'm afraid of what the bill is
going to be like when my insurer finally gets it. Well, and I hope it's as high as possible
because your travel insurer who will be covering this is the same travel insurer that screwed me
recently on something. And when I saw that you were in a very expensive hospital
and I think you sent me even a picture of the menu
that you were ordering your dinner from,
I was thinking-
Room service in the hospital, it's so good.
I believe my words to you were,
please get the lobster.
Anything you could do to maximize
what these wipes have to pay you would be splendid.
So look, best of luck for your
surgery in a few days. I hope it goes well. I'm sure it will. You've got, you know, a very competent
surgeon taking care of it, and, you know, you're going to feel a lot better when this is done.
Hopefully we can talk to you next week, but I'm not terribly optimistic about that. I have not
checked to see if the hospital I am in has Citrix on the border, so maybe I'll get ransomware and
they'll cancel
the op. So who knows? Well, we will see, but I will try and show up next week and we can enjoy
all of the terrible stuff that's happened this year. And Dmitri Alperovitch will be joining me
for a look back on the year that was 2023 next week. And obviously if any big news breaks,
we'll be talking about that as well. But Adam, that's it. Thank you so much for all of your
contributions over the year. And indeed, now you're working with us here at Risky Biz
and managing a whole bunch of stuff as well.
So thank you for that.
It's just terrific to be working more with you.
And yeah, I can't wait for 2024.
It's going to be a cracker year.
Yeah, it's going to be good fun.
It's really nice to have a bit more time and focus on Risky Biz
and all of the terrible and wonderful things
that we get to talk about every week.
So yeah, I'm looking forward to it. That was Adam Boileau there with a check of the week's security news. Big thanks to him for that,
and, yeah, he's going to be back next year when he's had his head, you know,
drilled and bored, drained and replumbed.
We can rebuild him.
We have the technology.
It is time for this week's sponsor interview now
with Ryan Kalember,
the EVP of cybersecurity strategy
with infosec behemoth Proofpoint.
And we're talking about how we can make better use of users
when it comes to filtering
certain types of security events and alerts. It's something that's come up before during a sponsored
interview I did with Tines, who are the no-code automation platform, and, like, some of their
customers have used Tines to instrument asking questions of users, like, did you just log in from
Russia? Yes, no, maybe, don't understand. You know, that sort of information can be extremely valuable
when you're trying to figure out how serious an alert is.
Well, it turns out Proofpoint has been baking some similar features
into its products and, you know, have been asking questions
of users of their products, like mostly their DLP products,
and they found it just worked really well.
So they're doing more of it.
So here's Ryan Kalember to talk about that. We've had some success with our kind of your
more classic DLP use cases, right? When it comes to people sharing unusual amounts of data in cloud
file sharing services, that is an obvious thing to prompt the end user route, right? You might not
want to do this if you are running an insider risk program,
and you're looking at somebody as an actively malicious insider. But if it's somebody who is
just putting a ton of stuff on some random cloud file sharing site, and they're not using whatever
the corporate standard is, where you have a bunch of controls, it's an obvious thing to prompt them
around. And you can clean up a lot of that data exposure before it even starts. The other one is the classic,
I even hate to use the acronym, but DSPM, data security posture management use case around,
hey, that's in OneDrive, it's set to public. We deal with this in even in terms of school
districts, right? You have an individual education plan for a special needs child,
and you're just trying to get it to that kid's parents. A lot of people will just set that to
public because it's the easiest thing to do. And being able to actually have some control around that and pulling in the
end user is a lot more tractable than having anybody go through millions of files with
different sets of permissions that apply to them. And like, this is something you're trying to do
more of, right? Because it beats just generating alerts that no one looks at.
Creating more alerts for the mountain of alerts, more alerts for
the alert god, is not really a great strategy.
I think we can all agree on that. But moving forward from that premise, it becomes a really
interesting thing to think through. All right, well, how would I distribute the labor required to figure
out, well, this is a login that doesn't make any sense. This is
installation of something that doesn't make any sense, or this is use or manipulation of data
that doesn't make any sense. Can I actually involve the end user in making that call and
take some of the burden off the analysts who would otherwise have to handle that alert and
look at it in the context of all of the other things that they're trying to do?
So maybe it's worthwhile starting on the initial compromise side, right? Because this is the sort
of workflow that should have existed for a very long time. It's the was this you piece from all
consumer internet and financial services. It's a really basic part of the package there, but we
haven't adopted it enough. And we're trying to build these really fragile
conditional access policies
and not simply asking our users, was this you?
Probably through a channel other than email
because you should probably assume the email is compromised
if you're asking the user, was this you?
Yeah, yeah, I was wondering about that myself.
Like if you, even if you plummet through to Slack,
it's like, well, technically they might get in the middle,
but I mean, you know, again, this is designed to be a productivity thing that's going to save you a bit of time.
It's another signal.
It's another input.
Nothing's ever definitive, right?
So let's get that out of the way.
But I think when Tines were talking about it, they were saying, yeah, unusual geographic login.
You can plumb that through to Slack.
Hey, did you just log in from Russia?
I can think of, do you remember that water utility years ago
where it hit the news that Russian hackers
had hacked into some really sensitive, you know,
water treatment plant or something in the United States
and it turned out it was just one of their staff
who was on vacation in Russia and logged in to do something. So, you know, could have saved us some work, could have saved everyone
some work there if they had had this in place. Well, absolutely. And I think you can go past
the login one to the, did you add a new MFA factor, right? And Slack is good. SMS is good.
Anything that is outside of the email channel is probably good in that case
right? Adding an MFA factor is a really good one. We've actually also done, did you add a new OAuth
app, right? Because that's a classic persistence mechanism in the cloud.
There's lots of legitimate use cases, there are quite a few illegitimate ones, and it's just it's
the sort of thing that an end user, you can either ask them,
yes, I did this. No, I didn't do this. Or I have no idea what you mean. And it's going to tell you
what you need to know. Yeah, exactly. And it's that third option there, which is, yeah, if a user
just has no idea what on earth you're talking about, that's a fair indication that there's
been shenanigans. Exactly. Exactly. If you don't know what an OAuth app is, or you didn't know what an M365 app was, or that you could connect it to your account,
you probably didn't do that. And it's something that's worth looking into, and probably something
that can be resolved very quickly, and maybe even in an automated way, without actually involving
an analyst. Yeah, I mean, one of the examples you gave me when we were talking about this over the
few days leading up to this interview is remote management tools as well, because they are often... But that's tricky, right? Because sometimes
you will get people who are socially engineered into installing them, and you ask someone, did you
install this, and they say yes, and then you kind of flag that as legitimate. Like, let's not pretend
this is going to be, you know, comprehensively wall-to-wall good signals. But that leads me to my next question, right?
Which is you've actually introduced
this sort of approach into some of your products.
Where has it been most useful
and where has it not been so useful?
It's really, really useful for certain things
around kind of initial compromise.
That's where we've gotten it to scale, right?
Reporting suspicious messages,
automating the workflows behind that.
These are, this is not new ground, right?
You could argue that actually that was the first scaled security automation use case
that involved the end user was report phish using something like a button.
And then of course, things like awareness, right?
Awareness is a great feedback loop that you can use all kinds of different ways in terms
of actually engaging the user in a way that's specific to the action that they've taken. The RMM use case that you mentioned,
I think is, is a hard one to solve, because sysadmins are using things for legitimate reasons.
And you do have people socially engineered into installing RMMs. But to me, it's one of the best
off label use cases for our DLP technology now, because RMM installation in places that make no
sense, including through the web browser, because there's web-based RMM functionality we're seeing
abused as well, mostly from data theft, those are actually really good signals. I would argue that
they're not great, they're not perfect, you can't fully automate the workflows behind that,
but it's a really, really good thing to detect. It's going to be a little bit better than, in most cases,
trying to get it after an EDR doesn't pay any attention to an RMM
because it has nothing to do with malware.
It's an intractable problem in a lot of other ways,
and it might as well be looked at this way.
Yeah, yeah.
I guess these are going to be lower volume queries, aren't they?
So the chances of user fatigue are pretty low. We used to actually look for things like Tor
browser installation when it came to, why are you installing this type questions that you could then
prompt the user around. Now it is things like RMMs, because it does have an incredibly high correlation with malicious
activity that's not the sort of really, maybe you're violating some terms of your employment
agreement, but you're not actually really putting the whole organization at risk that
you'd get when you install the Tor browser.
And it is the sort of thing that doesn't happen even in a really large organization all that
often.
And even if you could look at who's installing it, and you're pinging the admin behind that,
as opposed to the user whose box it's getting installed on, those are also really useful things, because it's a really simple set of variables you're looking at. And it's not this
esoteric kind of AI driven, is this alert really a true positive or not kind of approach?
It's something to look at.
Speaking of AI, I'm actually admiring the self-restraint here, Ryan, because at this
point I would have expected you to say that you could use a large language model for the
portion of this that interacts with the user.
So you can ask them, you know, instead of just asking them a binary yes or no, it's
like, hey, you know, I'm an AI chatbot from tech, right? Did you install
this or do you not know what we mean? We're just trying to figure out what went on here. I mean,
that's an area where an LLM, you know, because as I've often said, like, I think it's most useful
as an interface, not as a replacement for human thinking. But, you know, in this sort of case,
I could imagine that it would be a very useful interface for doing that sort of stuff with a, with a user.
Cause you could go a little bit deeper than a yes or no question, I guess.
Yeah.
Yeah.
And in those cases where you do need to go past a yes or no question, it makes a ton
of sense.
And there's another use case here that will actually soon be part of the Proofpoint family,
which is misdirected email, right?
Uh, we acquired.
Yeah, you did an acquisition on this, right?
And it's so funny.
It's one of those things that sounds like,
what, that's a whole company?
Apparently it is and you just bought it.
But yeah, walk us through it.
Yeah, well, number one GDPR source of fines
is misdirected email.
Number one HIPAA violation
once we invented full disk encryption.
So people...
Well, yeah, yeah, that's right.
It used to be laptops left in taxis was the number one sort of privacy law problem. But, yeah, these days,
misdirected emails. Misdirected email, and again, it's one of those OG infosec problems that just
hasn't been solved at scale yet, and Tessian really did that brilliantly. Yes, that's the name of the
company, right? Tessian. Yeah, and you just bought them. We announced the
intent to acquire. We're hoping to close it relatively soon. And that's a little bit... You're
about to close on that acquisition. Yeah, exactly. And that's one of those use cases
where your pattern of email sending is incredibly predictive of future sending, and autocomplete,
as it kills us in iMessage when we send naughty things to our
parents or siblings.
I have no idea what the duck you're talking about.
Exactly, exactly.
It's maybe even more harmful when it comes to email addresses because autocomplete is
dumb, right?
It's never been smart and it gets people into massive amounts of trouble because you can't
unsend an email the way you actually can unsend an iMessage now, and in certain cases, unsend an SMS. And these are the sorts of things that,
yes, obviously GDPR fines and HIPAA fines are bad. Really, really sensitive data has gotten
disclosed this way too. So it's the sort of problem that just makes sense to solve.
I would have thought this would be, for a company like Proofpoint, a pretty straightforward
engineering proposition. Why did you have to buy this? I'm genuinely curious. We had actually
built a version of it, but it's always nice to get one that's been tested at scale with millions
and millions of users, so it was really more an acceleration choice rather than anything else.
Yeah, I mean, I think that's the thing, right? Like, everything seems simple until you
start bumping into the corner cases. Exactly. That's the thing that happens.
99% of a market-ready product is just the engineers having bumped into all of those weird corner cases,
having heart attacks because of various things breaking, causing drama for customers, etc.
And that's doubly true when the product interfaces with the end user.
And that's where you really have to nail the UX and nail it at scale. And, to your point, we just saved ourselves
a lot of time and our customers a lot of heartache by trying to accelerate that one. Well, Ryan,
thank you very much for joining us, and thank you for all of your contributions over the
year, and you'll be back in 2024 to do this with us more, which is great. A pleasure
to chat to you. Great to see you, and, yeah, chat to you in '24, my friend. Absolutely. Always a
pleasure, Pat. And hopefully we'll all be doing less work in 2024. That was Ryan Kalember there
with this week's sponsor interview. Big thanks to him for that. And big thanks to Proofpoint
for being a Risky Business sponsor. And that is it for this week's show. I do hope you enjoyed it. I'll be back next week with the final episode of the year with Dmitri Alperovitch
and maybe Adam Boileau. Let's see how he's feeling. But until then, I've been Patrick Gray.
Thanks for listening.