Risky Business - Risky Business #730 -- Apple, Facebook go all in on e2ee
Episode Date: December 12, 2023

In this week's edition of the show Patrick Gray and guest co-host Dmitri Alperovitch discuss:
Major telco in Ukraine taken down by Russia
Apple and Facebook go all in on e2ee
Why 702 reauthorisation is looking a bit sketchy
The USG wants your push notifications
The year in review, plus some predictions for 2024

This week's show is brought to you by Thinkst Canary. Haroon Meer, Thinkst's founder, is this week's sponsor guest. He joins us to talk about APT groups pivoting to living-off-the-land techniques.
Transcript
Hey everyone and welcome to the last episode of Risky Business for 2023. My name is Patrick
Gray. Adam Boileau is not joining us today. He is recovering from some minor surgery he
had over the weekend and yeah, he's resting up, he's recovering well, he's fine and he
will be back in 2024. Instead, joining us today for a bit of a recap of the year that was 2023
and a discussion of some recent news is Dmitri Alperovitch.
G'day, Dmitri.
Hey, Patrick. Good to be with you again.
This week's show is brought to you by Thinkst Canary
and Thinkst's founder, Haroon Meer, is going to be along a little bit later
to actually talk about a big trend that really kicked off in 2023.
Well, did it kick off or did it accelerate?
But living off the land.
He's going to be coming along to talk about the big pivot
from some major APT crews towards living off the land.
And indeed, Dmitri and I, we're going to touch on that in this discussion.
So plenty of interesting stuff happened in 2023.
So I thought it would be an interesting idea just to talk through some of the bigger trends. We had most of the team here at Risky Biz HQ contribute
into a document and sort of come up with a rough shape of like what we could talk about. And
there was plenty, right? But I also, I almost feel like we should kind of start at the end
in a way, because over the last last few weeks we've seen this big campaign
targeting enterprises that are running Citrix border devices and the way this whole campaign
has been executed has been pretty slick and I think it is almost certainly a sign of things to
come and we're going to see more of this in 2024. What do you think?
No, absolutely. I think it's part
of the broader trend that we've been seeing for quite some time,
but it's certainly accelerated this year,
which is a movement,
particularly by these ransomware actors,
away from end-user targeting
towards more infrastructure targeting,
whether it's software applications like MOVEit
and Citrix
and all kinds of enterprise security systems
like Fortinet and others,
because the attack surface there is just so huge, right?
It's hard to get a Windows bug or an Office bug or a Chrome bug.
It takes a lot of effort, right?
And it costs a lot of money.
But these things, in many cases, are just so atrociously written
that you have a lot of opportunities to find zero days.
The patch cycle on them is not as rapid
because you don't have auto updates in most of these systems
like you may have in your OS or in your browser.
So it just presents a lot more opportunities for these guys
to take advantage of this, get straight into the core of the enterprise
and perform your ransomware activities.
Yeah, I mean, it's the way to do it, right?
And it's a lot easier
than spear phishing someone and then having to do, you know, lateral movement and privesc. I mean,
you know, these things, they sit on the edge of the, you know, Citrix and your Fortinets and
whatever, they're domain joined and sit on the edge and they've got, and they're full of bugs. Like,
it's just, you know, why not? But I mean, these things have also been around for a while and have
consistently had bugs published in them publicly and their patch cycles have all been bad.
It's like, you know, criminals have finally figured out that this is the way to do it.
I mean, if anything, they should have figured this out 10 years ago, but they figured it out now.
And I just can't see that we're not going to see more of it next year.
Yeah, clearly they're putting effort into finding these vulnerabilities, right? So that was the key shift, when they decided that this is an area
that deserves devoting some research into, right?
And I can tell you, but, I mean, they didn't discover this bug, like, they got it from reversing a patch, right? You know, but even that's interesting.
Yeah, and that's what I mean. Yes, we've for decades had this opportunity where
a patch comes out, you can reverse it, find the vulnerability and off you go, trying to take advantage of the fact that many people don't patch quickly.
But the fact that they're now focusing not just on OS bugs, not just on browser bugs, but moving towards these patches for other systems, I think is an indication that they're refocusing their efforts on what they see as a low-hanging fruit.
And by the way, Patrick, I got to tell you, having spent over two decades in the security industry,
some of the most atrociously written software I can tell you from experience is often written by security companies
because they often don't practice what they preach.
This software engineering is not being done with secure design principles.
And not everywhere, but in a lot of places,
there's the pressure in the smaller companies to get the features out quickly.
And in bigger companies, you have bureaucracies that are kind of atrophying
and not practicing secure coding.
So you have opportunities in a lot of these security systems
to identify vulnerabilities,
and we've certainly seen that in things like Fortinet
and Pulse Secure and the like,
but I think you're going to see a lot more of it in the coming years.
Yeah, I think people are going to need to really re-architect
the networks to get this stuff off the border.
I mean, I just think running this sort of stuff at the edge is just going to be too much
of a liability. But there's very limited options in terms of how you are supposed to address this
as a CISO, right? So I think it is the pickle du jour. There's almost no options because,
frankly, if you just want to get a plain old firewall, you don't have many options in this case because almost no firewall today
will not include a web filter
and decoding of protocols and the like.
All these features that they've built in over the years
that just increase your attack surface.
And if you just want plain old,
I want to block some ports, et cetera, at the edge,
it's very, very difficult to find something
that's actually going to work.
Yeah, yeah.
If you want yourself a 90s Check Point or whatever.
Whatever 90s, they were good, they were secure.
Well, they were, but they were impossible to manage. So what would always happen with Check Point, right, is that
one day there would be some sort of outage and someone would put and allow an any-any rule into them,
and then things would work again, and they would just never take it out. So they became basically useless. So let's not get all misty and
nostalgic for the old days, let's just say that.
Fair enough.
Now look, it wasn't just these vendors making older-style solutions that had a bad year. We spoke about this last week with
Adam, you know, we spoke a bit about how Okta had a
rough year in terms of, but we both felt that like maybe they got more bad press than was justified.
Like totally fair to criticize them when they've had a couple of incidents and whatever, but maybe
the criticism went a little bit overboard. But, but, but nonetheless, we've seen increased targeting
of Okta, right? And we saw, I think it was December last year, so about a year ago, we saw the LastPass hack announced. Increasingly, we're seeing attackers go after some of these critical parts of the LastPass breach, the way the thing was architected meant that the impact was somewhat limited, although we have seen subsequently a bunch of people lose their crypto.
And the thinking is that some of this encrypted data that was stolen from LastPass was cracked.
And then that material was then used to move some crypto around, but almost reassured by the way some of these vendors that we put trust in
have sort of responded with and dealt with some of these incidents, even though LastPass kind of
botched some of the communication around all this. So did Okta, let's be honest. But, you know,
again, I think it's something we're going to see more in 2024, which is people targeting some of
these vendors that are trusted parts of the ecosystem.
No, for sure. I'm not sure I would give Okta a pass like you and Adam did, primarily because
of their communications on this has been pretty bad, right? I think Ryan Naraine posted on Twitter,
one of their notifications said that they were experiencing a trust event.
Yes, a trust event.
Is that what we're calling this now, right? That wasn't great. And the fact that they were telling customers that they had to strip out cookies
and other sensitive information from these HTTP archives that were getting submitted to the support
system was not an ideal solution, because most customers, of course, wouldn't do that. But
yeah, implementing a system that would actually do it automatically is the way to do that.
So I'm not sure that they don't deserve some of the blame
here, both in terms of what happened in terms of how they handled it. But you're right. It's good
to see that some of these providers are doing better. And even when they experienced a breach,
it's more contained. But of course, we've still seen so many supply chain hacks, particularly done by
the North Koreans, where they're going after these esoteric programs like 3CX, CyberLink, and others that they've noticed are used by a bunch of
companies, or they can use it to get into another victim that they could compromise and go off from
there. So I'm not sure that this is yet a victory, and that we're not going to see a lot more supply
chain problems going forward. No, and I think you're right. Like, I don't think Okta should be free from criticism.
And I did also roll my eyes pretty massively when they called it,
oh, we're experiencing a trust event.
Like, that's euphemistic language that George Carlin
could have written a whole bit about, right?
Like, that was just, yes.
What I don't understand is everyone knows what it is, right?
Just call it out.
You're just bringing in more criticisms
when you do things like that.
You're being too cute.
But I guess the main point, right?
The reason I feel good is
it's exactly what you mentioned.
It's containment, right?
Compare that to when RSA got hacked,
you know, a decade or so ago
and someone, oh, it was the Chinese,
walked away with all of the seed data
for every single RSA, like, hardware token on the planet.
But I got to tell you, I worked on that incident and pretty much no one got hacked as a result of that incident because they did find it.
They did replace all the tokens that they were being sent out.
So even in that case, it was fairly contained.
I mean, it's hard to pull these off and mass scale, right? Even if you look at SolarWinds, there were only
a few victims that were ultimately compromised through that really sophisticated campaign.
So we do have to be, I think, circumspect that these are not sort of the all-powerful
vulnerabilities. Once you're in there, you can do pretty much anything you want.
Now, why don't we talk a little bit about how
cyber intelligence and NSA stuff and 702 has come up as a huge topic again this year. I feel like
the average person or the average you know cyber nerd doesn't really care about this as much as
they did in the immediate wake of the Snowden disclosures. It just doesn't seem as hot a topic anymore.
But 702 is, of course, the US government surveillance program
that allows the US government to surveil non-US persons
who might be using Facebook or US service providers or whatever,
and they can grab the content of those communications without a warrant because they're not Americans, so they're not subject to the protections that Americans are.
But the controversial thing about 702 is that sometimes data on US persons if they believe that that query might return evidence of a crime.
Certainly, it looked like the FBI may have overused that permission a little bit, and it's all blown up and turned into a big political issue currently. I think, in the US, in DC, where you are, there are still, like, competing bills being proposed. And you
know, because 702 is going to expire at the end of this year, and it's just turned into this massive
blow-up, and things are looking very uncertain.
No, it's really concerning, actually, because we're
recording this on Tuesday, December 12th. Congress is supposed to go out of session through the end
of the year, literally this Friday, in just less than three days. And if they don't renew this
authority, it goes away as of January 1st. And they're still fighting about it. There are two
competing bills in the House, one from the intelligence community that looks to be more or less focused
on renewing this as is, at least till April, to give them time to renegotiate longer-term
authorities. And then the judicial committee, led by Congressman Jordan, Jim Jordan, is actually
looking to revamp this whole 702 process, actually require warrants for a lot of the searches, which would
really kill... Well, for the searches that might pertain to US persons, I believe. That's right.
Not for foreigners, yeah. That's right, that's right. But that would really kill the FBI's
ability to do these early investigative processes where they may not have enough authority to
actually get a warrant because they're just looking at a suspicious report or
something like that that doesn't give them enough to really go to a judge and request a warrant so
a lot of contentious activity there, and we'll see if it gets done in the next three days or so.
Yeah, yeah. And, you know, listeners would probably know that I think probably what the FBI did
with 702 was not okay, but that 702 as a program that is available to organizations like
NSA is actually terribly important.
Yeah, and a lot of people sort of think about this program
as countering terrorism, and that's how it certainly evolved. But a lot of the cyber
intelligence that the FBI gets now is coming from 702. You know, on my own podcast, I had Brian
Vorndran, the director of the Cyber Division, talking about this. And a lot of the notifications they do for victims comes from 702, right?
They're tracking the Chinese or the Russian intelligence actors.
Then they're looking who they're contacting on the U.S. side.
So it's not just about investigating potential crimes in the U.S. related to national security.
It's also about helping victims that may be targeted by foreign cyber actors.
There is a carve-out, though, for cyber stuff. So even the bills that have been
proposed that would put a warrant requirement on 702 searches, they actually have a carve-out
for doing cyber-related stuff, so you would not need a warrant in those cases. So it is
interesting that, like, everybody agrees,
like bipartisan agreement,
that the cyber stuff that happens under 702 is useful and stays
and is not a privacy problem.
But really where it is,
I think where the FBI got into trouble here
is that it was found that they had done 702 searches
for January 6 protesters,
which of course has really pissed off the right wing,
the very right wing part of the Republican Party. They also did searches against BLM protesters, which has really annoyed
the very left wing part of the Democratic Party. So it's like, way to go, FBI, you found a way to
alienate absolutely everyone all at once. Bravo.
And this is why the Jim Jordan bill is actually
bipartisan. You have Democrats signing on to it, which does not often happen with Jim Jordan. For your audience that's not in the United States, they may not appreciate that
Jim Jordan is not exactly liked by the Democratic Party. He's a somewhat controversial figure,
but it is amazing that the FBI managed to create this unholy alliance, this unholy political
alliance. And you just think, wow, the FBI bringing people together. It's fantastic.
But, you know, it is sort of related in a somewhat related thing I wanted to talk about is actually just in the last week, we've seen a couple of interesting announcements, right? So Facebook is going to roll out end-to-end encrypted messaging on its platform.
And that's quite difficult, right?
So because you've got, you know,
browser-based messaging, you've got the app-based messaging, like handling all the keying and stuff
on that, like, you know, Facebook owns WhatsApp and they rolled out E2E pretty easily to WhatsApp,
but doing it on Facebook is a lot harder. And one of the things that stopped them from doing
that previously is because Facebook being able to see some of these communications made it easier
for them to track child abuse, grooming, things like that, right? So it was a step that they
didn't want to take, but they are now taking that step. And I don't know what safety measures
they've built in to compensate for the fact that they're losing insight into those messages.
But also I was on a briefing, was it early this week or late last week? I think it was late last
week with Apple. So Adam Boileau and I, we were briefed by Apple and it was an update on their advanced data
protection feature, which is part of their whole iCloud sort of ecosystem, right? And the idea is
you can end-to-end encrypt all of the data that you store in iCloud to a point where if you lose
all your devices, you lose all your key mat, you know, that data is gone, right? Apple cannot get it anymore. Their presentation was very interesting because essentially what
they were arguing is look at all of the data breaches around the world, look at who's getting
owned. The fact that we would store this stuff in the clear just is insane. So what we're doing
is we're going to increasingly store user data in an end-to-end encrypted way.
And I think it's very difficult to argue against it.
In the case of iCloud photo albums being encrypted and whatnot, I don't think that has as big a national security or law enforcement impact as encryption around messaging and things like that. It certainly has some implications for child safety
and I'll be curious to see, again, what Apple does,
what sort of compensating controls they build
to offset any harms that might be introduced there.
But I think this is both of these things together,
it's a sign of things to come,
which is increasingly providers, whether they're
social networks, whether they're communications device makers like Apple, you know, increasingly,
we're going to see them locking themselves out of the data access equation. And this is going to
create issues for law enforcement and intelligence agencies. Yeah, these crypto wars have been fought,
of course, since the mid 90s. And I think
it's fair to say now after, you know, three decades of it, more than three decades, that
the United States government and other law enforcement partners around the world really
lost here, right? They were arguing for back doors into these algorithms, it really went
absolutely nowhere. And in fact, the trend now is to implement E2E encryption by
default. And I do think that that is the right call, as you say, that from a security perspective,
this is absolutely the necessary step. And you have to appreciate that there's still lots of
ways in which investigators now can investigate these crimes, both on the national security side,
as well as on the child safety problems because
of the metadata that is still being collected, right? I've talked to Facebook before, when they
told me that they were planning to do this activity, and they've told me that basically
they have a variety of ways to look at the metadata. When they have, you know, a middle-aged
person reaching out to a lot of underage kids, right, just the virtue
of the fact that they're trying to connect with them is a clue, and many other things that they
can look at that are pretty strong signals without having to look at the content itself.
So I do think that there are going to be compensating controls. Is it going to help
them find every single problem? Probably not. But there is a balance here, right? And ultimately, in the
United States, we have the Constitution, and we balance the need for law enforcement to investigate
crimes with privacy and civil liberties protections that we get under our Bill of Rights. So you can't
shift totally in one direction or the other. There has to be that balance. I think E2E actually,
at this point,
given the security threat that literally everyone faces,
which, by the way, is not just to privacy,
but literally to life and liberty,
because you can see how some of these states
can go after activists and protesters
and actually result in cases like Khashoggi,
where someone may actually die.
So it's important to do a better job
of protecting that. Yeah, I mean, I don't use iCloud, right, for things like photo backups.
The reason I do not use iCloud for messaging and photo backups is not because I'm worried the
government is going to go and grab that stuff. The reason that I don't use that is because I am
worried that eventually it's going to be, there's going to be some sort of data breach. And in fact, we did see widespread exploitation of, or widespread, a widespread
brute forcing campaign targeting celebrities iCloud accounts. What was that like? That was
quite a while ago. But you remember when all of those, yeah, all those celebrity nude pictures
and stuff leaked because they got their iCloud accounts cracked. So I think, you know, this
solves that problem and it is the right thing to do.
It's funny that you mentioned metadata
because there is some news this week about,
it's Wyden, Ron Wyden is asking about
USIC access to push notifications
for Android and Apple devices.
What I find really interesting about this
is people are freaking out
because they don't understand
how push notifications work, right?
Because they think that, you know,
when you get a signal push notification,
oh, wow, if they can intercept that,
they're going to see the message preview and stuff.
That's not how push notifications work.
The way that it works is that, you know,
signal will tell Apple to tell me
that I have a signal message
and then that display is generated locally.
But what I find very interesting about this is it is an amazing source of metadata
because you can do all sorts of timing correlation.
Like, you know, just in the case of Signal,
say you and I are having a Signal conversation, Dmitri,
as we are known to do from time to time,
it wouldn't be too hard to eventually figure out,
you know, that that conversation was happening with you
and you were happening with me.
Because if you can actually analyze the metadata,
if you can watch one end of the conversation
and just see how many packets
and the timing of those packets
and correlate that with people getting notifications,
you know, if you've got enough compute,
you're going to be able to do some cool stuff there.
And this is what you were talking about,
about how techniques have evolved.
So when I see, you know, Ron Wyden asking about,
oh, push notifications, it isn't this terrible.
I just think, oh, someone had a really good idea there
about how to do some cool stuff with metadata.
What do you make of this?
Have you noticed the reaction going around on social media
of everyone freaking out about push notifications
because they don't understand them?
I did. I did.
And I do think that this is not one of those things that we should be having a big debate about.
We have plenty of issues to discuss, you know, whether it's FISA, whether it's E2E.
But this seems like a distraction from the real problems. At the end of the day, one of the reasons why I'm not concerned about all these networks doing E2E is because the metadata that's available to law enforcement is just so much
greater than it ever has been in history, right? The people that are investigating whether it's
crimes or national security cases back in the 90s wouldn't even dream of having the types of access
that they can today with the metadata, whether it's location-based, whether it's push message timing, like you just
talked about, or a variety of other things that you can get about someone. So the fact that this
is not content and can be made available to law enforcement and national security investigations
as well, I think is actually a mitigating factor to them not being able to access content itself
in some cases.
Yeah, I mean, that's actually the way I see it as well, which is like, you got to give them something. Like if you've got them relegated to trying to do timing based, you know, timing
correlation based things with, you know, push notification timing data. I mean, like, let's
just call it a win and move on. Now look, some news that just happened overnight. A top mobile internet company
in Ukraine is down. And, you know, this is a large company over there and it's causing some
real headaches. It looks like this was some sort of Russian attack. But again, we're not really
seeing this. As far as we know yet, and this might change in the next 24 hours, we haven't seen this
action, which is a big, splashy, impressive cyber attack, coordinated with any sort of military action. And funnily enough, until this news actually hit the wires, we didn't have, between
all of us working at Risky Biz for our year-end review, we didn't even have Ukraine-Russia in
this document, which I think is really interesting because ultimately nothing
really wild, nothing really amazing, nothing really counterintuitive happened over there.
It was all much as you expect and maybe a little bit less than you'd expect if we're being honest.
Well, it is interesting because at my institute at Johns Hopkins, I interviewed Ilya Vityuk
last weekend virtually at a conference, and he talked about
how the Russians really over the last year have switched from doing these disruptive, destructive
attacks to collecting intelligence, which is being very effective in terms of going after military
targets and then very quickly actually operationalizing that intelligence on the battlefield.
So it is interesting that literally a couple of days after he said that, we see this attack that is disruptive.
And actually really well done.
I've been talking to some sources in Ukraine about this.
It was really, really well done.
I can't go into the details just yet,
but very impressively executed.
24 million people affected.
It's one of the top telcos, not the only one,
but one of the top ones.
And you had all kinds of cascading effects, most notably that the air raid sirens in some places,
some cities around the country are now not operational, at least for the time being.
Now, I have to give you a caveat to listeners. As you know, Patrick, I recently was in Ukraine
a few months ago, and literally no one pays attention to air
raid sirens in Ukraine. So the fact that it's down is not as dire as people might initially assume.
But there are other implications, bank terminals, ATMs were affected, etc. And it looks like it's
going to take a little bit of time for them to repair this, to restore from backups. So it's not great,
but there are other ways to connect to other networks.
It's pretty easy to switch in Ukraine to another telco.
You can literally buy a SIM card.
The phones are not typically locked.
So it's not the end of the world.
And again, like we've seen this before with cyber attacks
is that you can achieve significant effects
like we saw in Viasat, like we saw in Kyivstar, but that effect is fleeting and you have to use it if you're in a
military context very, very rapidly to take advantage of that. And it doesn't seem like
the Russians are capable of that, at least not yet. And in general, of course, it's really hard
to synchronize kinetic military operations with cyber military operations.
And I really have not seen any evidence, despite the fact that I know some industry people have reported this.
I've not seen any ability of them to actually do this well in a way that makes sense.
Yes, we see cyber attacks going after a particular critical infrastructure component and missiles flying at it at the same time, but I don't view that as coordinated. I view that as actually
uncoordinated, because you have two different groups going after the same target, and it's sort
of a who-gets-there-first. And, you know, in a cyber scenario you might have spent many hours
or days trying to get into that target, and then it gets blown up by the missile forces, so that
doesn't make you feel good.
Yeah, yeah, exactly. I mean, when you take... you texted me this one this morning,
and my immediate reply to you was, you know, you were like, the Russians have done this, and my reply
was, to what end? You know, and it's like, what are you just trying to... is it flex, is it just harassment,
you know, whatever it is? I just don't know that they're doing much that's interesting.
Now, we contrast Russia's approach
to what we've seen from the Chinese this year.
And, you know, now we're getting into the cool hacks section
of this year in review
because we did see some really cool stuff.
And isn't it amazing, just for a second,
that, you know, if you look at what we were talking about
10, 15 years ago,
every cool hack was basically associated with the Russians, and now, 10, 15 years later, it's the Chinese and the North Koreans
that amaze us, you know, on an almost daily basis.
Well, I mean, the Russians certainly, like the
Sandworm group and whatever, they do some pretty cool stuff.
They definitely do, but they
don't really seem to have the scale, right, that some of these others do. And you look at what the Chinese have been doing this year. First of all, there's been the
attacks against like telco providers in Guam and whatever, that have really alarmed people in the
IC. Like you talk to them, like when I was over in DC, and I was staying with you, and I met some
of these people, and you know, people I know, people you know, and you talk to them about this,
and they really look a bit rattled when you talk
to them specifically about these campaigns that are targeting, you know, critical US infrastructure
in places that are sensitive, right? And the one that they made public was really around a
telco in Guam, where obviously the United States is... so, you know, big switch. And we're talking about
this with Haroon Meer in this week's sponsor
interview, because he's been around forever, and I thought he would be a good person to talk about
that, and I was right. So that's a good interview coming up in just a moment. But,
you know, the switch to living off the land, I think, has been really interesting, because
so many shops are just not set up to detect anything that doesn't involve like a file,
doesn't involve malware.
And the Chinese have figured this out
and now they're using, you know,
I mean, it's trade craft that's been around for a while,
but they've just turned it
into their standard operating procedure
and it's getting them results
and that's freaking everyone out.
I mean, that's the rough shape of this, isn't it?
No, it is.
I just want to talk a little bit about Volt Typhoon
that you referenced here,
this Chinese actor that's penetrating critical infrastructure. You're right, people are very concerned. But I'm sort of surprised that they are surprised, right? Because this is
exactly what you would expect from China that is clearly building up its military for a potential
invasion of Taiwan over the next 10 years. And if you want to impact America's forces' ability in the region
to defend Taiwan, to come to their aid very rapidly,
this is exactly what you would do.
So is it really a huge surprise that they're indeed trying to get into these networks,
trying to collect intelligence on how they work,
how they could potentially disable them?
This is exactly what you would expect from them in preparation for a potential invasion of the island years later.
So I think that's the part that is freaking them out, is that this looks like
preparation. They're like, oh my God, they might actually be doing this. And that's kind of
what it feels like. Yeah, but you don't have to look at cyber to know this. Everything that they've been
doing from a military standpoint has been preparation as well. For God's sakes, when Nancy Pelosi visited the island a year ago,
look at what they've been doing since then in terms of incursions into Taiwan's air defense
zones and the like. I was just in Taiwan a month ago. Things are, they're under massive pressure
from the Chinese on the military side. So I guess I'm surprised that people are not noticing that and looking at cyber in isolation.
And by the way, I'm a little bit less concerned about this activity than some of my friends in the U.S. government because there are mitigating controls, right?
And not all of them need to be necessarily in cyberspace because, for example, if you have targeting of a water utility, well, yeah, you could
do some things to kick out the adversary, to shore things up on the water side. But you know what you
could also do? Stockpile a bunch of water bottles, right? So it's not going to necessarily solve
all your problems, but in terms of giving opportunities for you to deploy large
forces to a particular location, you can supply them with water in other ways.
That's just one example.
Or generators for potential of utilities in the region to go down.
So there's all kinds of things you can do from a resiliency perspective to address both
cyber attacks, kinetic attacks, as well as natural disasters.
And we should be looking at all of them when we're thinking about potential of a conflict in the Indo-Pacific. I get what you're saying, but I don't think it's easy to
just like airdrop in enough water to cover everyone or enough generators to fully replace
power. I mean, you can keep your military going that way, but... They're doing this in Ukraine.
I mean, they have so many generators, power goes down repeatedly and people are surviving. It's
not great and not everyone has
it, but you can absolutely do it. In particular, you know, when you're talking about Guam, it's a
very small island, you don't have that many people on it. You can absolutely do it in particular
places. I'm not saying you do it across the entire United States, but in the region, I think some of
this is absolutely doable. I certainly am of the same opinion that you are not going to just completely destroy everything, right?
There's usually a way around them, but I think they could still make things a little bit sticky,
particularly if there's a lot of them all at once in coordination with certain other activities.
The other thing the Chinese did this year that was kind of impressive was this Storm 0558 attack in which attackers managed to
create authentication tokens for online exchange accounts. And, you know, they then were able to
steal email data from a bunch of US government mailboxes, some at the State Department,
others in undisclosed areas. This one, however, you're not really going to be able to talk about
because you're the vice chair of the Cyber Safety Review Board and you're actually currently investigating this one,
right? Yeah, I absolutely cannot share anything since the review is ongoing. So I'm afraid I'm
going to sit this one out. Can we at least get you to acknowledge that it was a cool hack?
Well, I'll just say this, that if this wasn't an impactful incident, Director Easterly,
Director of CISA and Secretary Mayorkas
would probably not be tasking the Cyber Safety Review Board to investigate it. And I'm afraid
I'll have to end it there. Now, speaking of the review board, let's talk about the advanced
persistent teenagers. Because the review board called this, okay, so you did an investigation
into, you know, started out as an
investigation into Lapsus, and then very quickly discovered, well, Lapsus isn't really the thing
here. The thing here is that there's now this big group of teenagers, big nebulous blob of teenage
hackers, who form sort of ephemeral groups to do various operations and whatever. And, you know,
you did this fantastic report about it.
I said at the time that I thought it should be required reading for all CISOs because
the way these kids hack is just brutal and they cross all sorts of lines. And if you're coming
up against them, like no one's going to be prepared unless they've actually put some time
into understanding how they work. And then, you know, months later, after this report drops,
we see similar kids attacking Caesars and MGM,
and now they're partnered up with Russian ransomware crews,
and they're essentially acting as affiliates.
So really interesting hacks, you know,
Western teenagers working in concert with Russian ransomware crews.
We're going to see more of this next year for sure.
But I think, and I'm really surprised,
the one prediction that I made this year that I was really surprised I got wrong
is I thought that these guys were going to wind up in cuffs really quickly,
and that hasn't happened.
What do you think this is going to look like over the next 12 months, Dmitri?
Well, some of them have ended up in cuffs,
but unfortunately, and we highlight this.
Well, some of the Lapsus ones,
but not the Scattered Spider ones who did the MGM. And not yet, not yet. But, you know, we highlight this problem in the
report, is that in many cases these are juveniles, and in fact these groups specifically target
juveniles because they're juveniles, and they can get arrested and then be out the next day and
literally continue their activities. So that presents just a fundamental problem for our criminal justice system
of how do you deal with these actors
that will not be deterred by arrests and prosecutions
because by the time they're 18,
they could be out
and effectively most of the things that they did
while they were juveniles
will be under seal or what have you.
But you're absolutely right.
One of the reasons why we were so fascinated doing this review
is that a lot of times we in cybersecurity community
get so obsessed with nation state actors.
They're doing all kinds of interesting things,
whether it's supply chain hacks or really cool zero days.
And these guys with very rudimentary, I would say, technical skills
have been so successful into breaking into all these major companies, Fortune 500 companies,
big security companies, and literally just using social engineering, right? In combination,
by the way, in some cases, with SIM swapping, where they're able to basically clone a phone
number and bypass MFA that's based
on SMS. And it was really great to see one of the recommendations we put out in our Cyber Safety
Review Board of Lapsus and similar groups was the need for FCC in the United States to actually look
at this issue of SIM swapping, see what you can do in regards to trying to minimize the amount of activity that
the telcos are seeing with someone trying to clone phone numbers. And FCC actually moved forward on
this and announced in their reports some recommendations to try to take action on this
issue. So it was great to see the CSRB recommendations being implemented by the FCC.
And do you think we're going to see more of it next year?
Almost certainly, because this activity is so successful, and it's so easy for them to
do because it requires so little technical expertise.
Now, the one thing that we found really, really interesting when looking at Lapsus, and that's
not true of some of the other groups, but they actually made very little money from
any of these intrusions because what they wanted to do was grab source code at these big companies
and then try to extort money from these companies or threaten to publish source code.
And literally, like almost no one paid them anything in response.
So they were doing these intrusions and not getting paid.
And the way they were making money is actually through sort of traditional crypto mining stuff
that they would try to do within the networks
that they would compromise.
So it's interesting that they were actually
not big money makers for them.
Yeah, yeah, yeah.
Now, a couple more things that I just want to cover
and then we'll wrap it up.
The pig butchering stuff this year has just been amazing
where you've got all of these pig butchering operations
using trafficked people who are being held against their will,
and you've got militias in Myanmar
going and trying to free these people
in the border regions of Myanmar
who are being held against their will to do pig butchering.
I mean, this was really the year
that we discovered just how awful these operations are
and that indeed some of these people are being double victimized because they get kidnapped,
forced to work doing crime for horrible people,
and then eventually they get arrested and thrown in prison.
So just a miserable, miserable situation there.
I mean, did that just blow your mind as well?
Yeah, really amazing that you now have this trafficking being combined with cyber and these scams that, you know, we've had scams for a long time, whether it's business email compromises or romance scams that would generate hundreds of millions of dollars for these criminal groups.
So I guess it was only a matter of time before they would do something like this now. And mate, just to wrap it up, I'm going to
go with a somewhat optimistic prediction for 2024, which is that we might see Microsoft start to do
things a bit differently, right? Because we've got a shake up there in terms of management,
new CISO coming in. We've had announcements of things being phased out, like NTLM. We've got more
logging on Azure. VBScript has been deprecated, right? So we're seeing a little bit of movement
at Microsoft. We've seen them announce their Microsoft Secure Future initiative, which my
colleague Tom Uran, he was pretty critical of it, saying that it's not like the trustworthy
computing initiative from back in the day. It seems a bit half-assed. But, you know, still, it seems like Microsoft
is at least waking up to the idea
that they might need to get their shit together.
So we could see some happenings there next year.
I mean, what do you think about that?
Because they, you know,
they have not been as responsive as they should have been,
in my view, when it comes to some of this stuff.
Look, I think it's very promising.
I think we'll have to see what comes out of it.
And again, I'm very limited what I can say
because we're looking at all of this as part of the CSRB review.
But certainly their announcements are very intriguing to US government officials.
All right, we'll leave it there.
And that is it for a discussion of some of the big news of the week
and the year in review
and some predictions for 2024.
Dmitri, thank you so much for being co-host a bunch of times this year
and thanks for filling in for Adam while he's recovering.
This week, it's been great to have you on the show as a regular
and I hope we can keep doing it next year.
I appreciate it, Patrick.
Always great to be with you.
Looking forward to more in the new year.
That was Dmitri Alperovitch there filling in for Adam Boileau.
Big thanks to him for that.
And big thanks to Adam for everything he's done this year.
He's working with us now and it's fantastic.
And yeah, what a treat.
And get well soon, buddy. And seeing as it is the last show of the year, I'd also like to say a big thank you to my other colleagues Catalin Cimpanu, Tom
Uren and Tyrion Ferrier. You've all done absolutely splendid work throughout 2023 and it's been
my honour to work alongside all of you, so thank you all very, very much. I hope you're enjoying
your break. And yeah,
looking forward to getting back into it in January next year. I'd also like to say a big
thank you to our secret contract editor who helps out with some of our text based editing, you know
who you are. And also a very big thanks to our Risky Biz News newsreaders, Claire Aird and Caitlin
Sori, both of whom had babies this year. Congrats, you two.
And also a thank you to our third news reader who chooses to remain unnamed
so as not to complicate her frequent travel to complicated places.
You've all done terrific work this year as well.
Thank you very muchly to all of you.
It is time for this week's sponsor interview now with Haroon Meer,
the founder of Thinkst Canary.
Thinkst makes hardware honeypots you can put in your environment
and has also built a lot of alerting infrastructure
that'll help you run Canary tokens
in a really reliable way.
And a great use of this sort of so-called
deception technology is in catching attackers
when your other detections have failed. And there's a
bit of that going around at the moment. As you've heard throughout the year, a bunch of APT groups
are pivoting towards living off the land, you know, a bunch of criminal groups as well, right?
But why does that make detection hard? And what can we do about it? Haroon joined me for this
conversation all about living off the land techniques and the implications of their widespread use. And here's what he had to say. I think two things are true.
I think the one that says this isn't new, like forever when we pen tested as SensePost, one of
our big things was that we were not zero day people. Like we had a proud history of owning
everything we touched.
But largely, even way back then, we were doing living off the land stuff.
It's smart.
It's harder to detect.
It works.
Like even fairly recently, Ryan Huber had this great quote about any sufficiently advanced attacker is indistinguishable from your power users.
And that stuff just makes it that much harder. It also changes away from the thinking that says a point solution works.
Because one of the good things about catching exploits and catching malware was, well,
here's this really strange thing happening on your machine. And if you look for a really strange thing, you've got to hope.
And this starts to make it more subtle.
And yeah, it's going to cause people problems.
It stops you being able to say one-word answers,
like just put this on and you'll be fine.
And yeah, it's going to be fun times.
It just feels like so many of the tools,
and it's like it's changing,
and this has been changing over the last few years,
but so many of the tools are focused on either detecting
or preventing that initial event that gets someone on the box, right?
But really what we're talking about here is detecting malware-less
post-compromise activity in an environment.
And probably the reason we don't have as many tools to deal with that
is it's a harder problem to deal with, right?
Absolutely. It's a harder problem.
It requires a different level of understanding.
And look, there are still things to key on.
But I think, firstly, as the ray of sunshine that I sometimes am,
I think it's a good thing. I think part of the problem that defenders have had historically
is the belief that keying in just on this one type of malicious activity
gave them visibility, and it didn't. And it's why we so frequently have been caught
with our pants down because we are now watching for when our browser does weird memory stuff,
which indicates that there's an exploit in our browser, except the attackers were phishing us.
And then we said, let's really focus on that thing.
And instead what started happening was
they were social engineering the help desk
and getting in that way.
And if you go one bit more esoteric
and one bit more meta,
I've quoted before, but a long time ago,
there was an interview that Gary McGraw did
with the first CISO.
And he did the study for the US on how cyber was going to affect things.
And when asked what was the hardest part of the study, the answer that he gave was when you roll around cyber experts and ask them questions, by the time you roll around to the first one
again, the answer has changed.
Yeah.
And he wasn't saying they were being mercurial.
He was saying DDoS wasn't a problem when he started.
And by the time he got to the end, suddenly it was a problem again.
And this type of malware wasn't a problem.
And then it was again. And what that causes a problem with is when we make our detections.
And in some ways, it's the only thing you can do, right?
Like the only way to catch this exploit is to look at its behavior in memory.
And so we get on the hamster wheel, buddy.
And that's the problem.
And the problem is that most companies then form trying to, like they pick a thing and
they become the world's best memory examiners. And then the whole company focuses on how do we
examine memory and how do we get this right? And then the attacks entirely come through another
avenue. And all of this effort, engineering, marketing money has gone in solving that problem, except attackers start using another door.
And for the totally shameless plug, the reason we like Canary and Canary tokens is always because our belief is it doesn't matter how people get in, they have actions on objectives.
Like there's stuff they want on
your network. They want some files, they want some access. And so in a way we end up being super
lucky because that's the stuff that the attackers are there for. And so it doesn't matter whether
they got in through a Chrome zero day or whether they got in through some social engineering.
The part that we end up alerting
on is the reason why they're on your network, and so they inevitably come to us. It's like if
we've got the gold, they come to us, and they let us know that they're around and doing stuff, and
it almost doesn't matter how they got there. And that's ignoring, like, tokens that can actually fire on living off the land binaries and stuff like that, which are still useful, but will almost be temporal.
Like it'll catch this wave and probably miss the next wave when attacks come in a different way.
Yeah, but I think, I mean, look, to a degree, it doesn't matter what sort of control or what sort of detection you're building,
there's always going to be that whack-a-mole element, right?
Exactly.
But, but, but, you know,
there's a word that I love to try to apply
to security technology, any of them, right?
And it's enduring.
Is this an enduring detection?
Is this an enduring control?
And how much work do you need to, you know, how much,
what do they say?
It's a really annoying term, but they say feed and water, right? How much feeding and watering of this
solution do you need to perform to make it enduring? And I think, you know, I mean, I'm not
trying to butter your bread too hard here, Haroon, but yeah, I mean, I think Canaries is certainly one
of those detections that is enduring because you don't, because it's easy if something changes,
like changing a Canary token, not too hard.
It's so, so in large part, it's what we aim at.
Like I've mentioned on the podcast before,
like throughout the year,
we play with dozens and dozens of ideas that we think,
hey, this is a useful detection. Like, hey,
this stuff catches people. But we deliberately don't go put into the product things that then
require too much feeding and water. Like there's some things like this is super cool. If you have
a conversation with the Grugq, the Grugq has literally written papers that he hasn't published or at some point has shouted
about, which are good detection ideas, but they're super temporal. Like, it's going to work only
right now and it's going to take a lot of work. And one of our firm beliefs is that defense teams,
like like people now talk about how defenders have or defender constraints, but defenders have
constraints also in terms of the goodwill they have in the company. Like they can ask for N
agents to be installed and then they better show some progress. They can ask for disruptions only
so many times. And so if more vendors care about the feeding and watering, they stop wasting defender goodwill in organizations, because that's a limited resource also. And so the less you have to ask them to do in their org, the more likely that they'll actually drop your detection and the more likely that they'll actually get goodness out of it. Yeah, I mean, and we were talking about this before we got recording, but, you know,
I was at NSA, what, a month or two ago,
and chatting with Morgan Adamski
of the Cyber Collaboration Center,
and I, you know, she was talking about
the living off the land stuff
and about how it's just become, like,
such a standard way to do things now.
And I asked her, like, why is that?
Is it because it's hard? You know, and
it is, it's harder to detect. And it's not because it's inherently harder to
detect than malware, it's just because we haven't set up to detect non-malware based stuff, right?
Like, that's not the standard security solution you get out of the box. The standard stuff you get out
of the box is very much malware focused. And I think that's like a bigger picture example of exactly what you're
talking about, which is it's temporal, right? And here we've got, you know, a whole detection
approach which is sort of file based, which has, you know, kind of been, to a degree, it's kind of
been invalidated, at least for those users, right? Doesn't mean you shouldn't detect on files, but you know what I'm saying. Yeah, it's just yesterday's war to some extent. Yeah, it's interesting. I think it's
why we're seeing the rise of detection engineering, right? Like, all product aside, you're
starting to see more and more that stuff works, because if you're Bank of America, you can have
20 people doing it, you know. Like, it works if you're Bank of America. Absolutely. And that's absolutely
our thing, is that, like, we exist to give that advantage to people who don't have huge
detection engineering teams. And so we take the stuff that we think they should be doing
that can be done in a packaged way and give it to them. And a while back, Risky Business covered Casey Smith's sensitive command token.
And again, like if you've got a-
Oh, that's a great one.
I mean, there's so many jokes going around on-
Who am I?
Yeah, the whoami.exe at the moment, right?
It's almost become a meme.
It's become a meme.
It's totally cool.
And again, it's because that stuff just works.
And detection engineering,
like I think is great. I think if I was, I've said this before, if I was working
at a large company, there's a ton of stuff that's worth doing and worth engineering.
Again, like where we try to make ourselves useful is typically when people try to put down honeypots or try to put down
canaries. Again, the feed and water question becomes realistic because what happens when the
person who dropped that honeypot or honeypot network leaves or gets promoted or gets involved
with something else? If that stuff isn't maintained, it becomes a problem. Like everyone has had a, we'll tail this
log file and we'll see when this thing happens. Except eight months into it, like who's actually
making sure that system works? Who actually makes sure that that whole reporting pipeline still does?
That was Sarah. She's on leave. I didn't tell anyone, right? Like it's, yeah, no, I get it.
And that stuff just disappears.
And it's funny because when new security folks join us,
one of the things that almost everyone says,
you can see it almost like clockwork,
is they get to a point where they go,
actually what we've built is a reliable reporting pipeline.
Because now what, like you start to get to a point
where you go, I know, like this is going to happen
and we'll just trigger a canary alert to show that it's happened.
We'll watch the registry and we'll trigger a Canary alert because you know that that stuff's going to get to a dashboard and people are going to react to it.
And it's not rocket science, but it works.
And mainly it's why we think customers like us.
Let me ask you, have you seen a bit of a bend in the growth curve over this year?
Because, I mean, I just would have thought over the last three months with, you know,
particularly entire industries like the defense industrial base being told by organizations
like NSA, you need to be detecting this sort of thing that you're not set up to detect.
You know, are you seeing those sort of orgs come on board at the moment? Yeah, we're starting to see more and more of that. Like,
specifically in the last year, we've had more of the large government, large, the sorts of
orgs that, the defense contractors, the defense industry saying, listen, we need something here. How do we make this happen?
So the idea is happily taken root.
And yeah, for the most part, our pitch remains simple, works,
and that's why people like us.
All right, well, we're going to wrap it up there.
This is the last interview for 2023.
And yeah, thank you for all of your contributions to the show throughout the year.
It's been great to chat to you.
And you and I, we had a good catch up
before we recorded this interview.
I think we were talking for about 45 minutes there.
It was great to catch up with you as well, Haroon.
And we'll talk to you again next year.
Thank you.
Always cool.
Thanks, Pat.
That was Haroon Meer there
with a chat about living off the land.
And you can find Thinkst Canary's stuff at canary.tools.
And you absolutely should be having a play with canaries and canary tokens.
And that is it for this week's show.
And that is it indeed for the 17th season of the Risky Business Podcast.
We'll be back on January 10 with the 18th season of this show
with more security news
and analysis. But until then, I've been Patrick Gray. Thanks for listening. Thank you.