Risky Business - Risky Business #731 -- SEC Twitter hack moves Bitcoin price
Episode Date: January 9, 2024

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:
SEC Twitter account hack moves bitcoin price
Kaspersky admires Triangulation hackers’ fine work
Telcos hacked all over
Israel hacks Iranian gasoline pumps again
Iran up in Albania, Sudan, Egypt and Tanzania
and much, much more…

This week’s show is brought to you by Nucleus Security. Co-founder Scott Kuffer joins us to talk about why patch management is more nuanced than just “patch fast!”

Show notes
U.S. Securities and Exchange Commission on X: "The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products." / X
Mandiant, the security firm Google bought for $5.4 billion, gets its X account hacked | Ars Technica
4-year campaign backdoored iPhones using possibly the most advanced exploit ever | Ars Technica
Spyware attack chain used previously unknown iPhone hardware feature, report says
"Dutch engineer carried out Iranian nuclear sabotage": VK - DutchNews.nl
Russian hackers infiltrated Ukrainian telecom giant months before cyberattack
Ukraine telecom cyberattack one of ‘highest-impact’ hacks of the war
Pro-Ukraine hackers claim breach of Russian internet provider
Ukraine says Russia hacked web cameras to spy on targets in Kyiv
Optus outage: Banks, telcos to be quizzed at Senate hearing
A “ridiculously weak” password causes disaster for Spain’s No. 2 mobile carrier | Ars Technica
Albanian parliament, telecom company hit by cyberattacks
Paraguay military warns of ‘significant impact’ of ransomware after attack on internet provider
Iran confirms nationwide cyberattack on gas stations
Hackers disrupt Beirut airport with anti-Hezbollah message
Telecom organizations in Africa targeted by Iran-linked hackers
Myanmar rebels take control of ‘pig butchering’ scam city amid Chinese pressure on junta
AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on. | Ars Technica
BreachForums administrator detained after violating parole
Autistic teen behind spate of Lapsus$ hacks sentenced to indefinite hospital stay
Global law enforcement seizes $300 million, arrests 3,500 involved in transnational cybercrime operation
Toronto Zoo says it remains open after ransomware attack
Central Bank of Lesotho facing outages after cyberattack
Kansas City-area hospital transfers patients, reschedules appointments after cyberattack
Cyberattack on Massachusetts hospital disrupted records system, emergency services
LockBit claims November attack on New Jersey hospital that disrupted patient care
First American becomes latest real estate industry giant hit with cyberattack
Ivanti warns of critical vulnerability in its popular line of endpoint protection software | Ars Technica
US officials say Russian targeting JetBrains servers for potential SolarWinds-style operations | Reuters
SSH protects the world’s most sensitive networks. It just got a lot weaker | Ars Technica
LastPass enforces 12-character master password lengths | Cybersecurity Dive
FTC soliciting contest submissions to help tackle voice cloning technology
Biden signs short-term FISA extension before year-end deadline
Foone: "The 37C3 talk on TEA1 encrypti…" - Infosec Exchange
Crypto hedge fund CEO may not exist; probe finds no record of identity | Ars Technica
Transcript
Hey everyone and welcome to Risky Business. I'm Patrick Gray and the entire Risky Biz team is back on deck after a nice break.
So yeah, Risky Biz News and Seriously Risky Biz are back up and running as is this show.
And yeah, it's our 18th season of the weekly Risky Business podcast, which is a bit crazy. But Adam, how was your break? Because we left you last year and you were just about to go get some
slicey dicey on your face there, you know,
which isn't the best way to spend your holiday.
But, you know, you're recovered.
You're feeling good.
Yeah, everything went really well.
Super smooth.
I had a great break.
I didn't think about computers for a couple of weeks, which was amazing.
And now I'm back and there's all sorts of juicy stuff
to talk about this week.
So I'm glad that I can use my nose to breathe through while we do it.
Yes, yes, that's fantastic.
Extra oxygen.
You need the extra oxygen for the discussion today.
So, yeah, we're going to get into the news we missed
over the last month or so in just a minute.
And then we're going to hear from Nucleus Security's Scott Kuffer
in this week's sponsor interview.
And we're talking about how Nucleus is in kind of a unique position to observe how different types of organizations deal with
vulnerability management because they operate a platform that helps them do that, right? So that's an
interesting chat. You know, like some people focus on prioritizing, you know, high CVSS numbers and
that's their approach. And other people are like, really want to understand context. And, you know,
there's just a few different approaches there. And it's an interesting chat. In fact, I, you know,
I sent that one to you to check over and listen to yesterday, Adam, and, um, yeah, I mean, it's a good one.
Yeah, it really illustrates kind of how complicated thinking about patching is these
days. Like, it's not as simple as it used to be, and we were bad at it back then, and we're still bad at
it now, but at least now we've got better data, one hopes.
Yeah, yeah.
And I think, I mean, the fun thing for me was in that it's like we've been screaming at everyone to patch rapidly for 20 years.
And it hasn't really got us anywhere.
So maybe, like, we need a different tactic for the next 20 years.
I should mention, too, we are back.
But next week I have a – I'm going camping with my family.
We booked this a long time ago.
So I'm off next week, and then we'll be back in earnest.
I promise the week after I will be back at work properly.
I've had a lot of time off lately.
It's been good.
But let's get into the news, Adam.
And look, something just happened this morning for us, Australia time,
which is the United States Securities and Exchange Commission's
Twitter account got compromised.
Now, you and I have long been very frustrated with what people do with these high-value accounts when they take them over,
which is usually to say, hey, send us your Bitcoin and we'll send you 10x the Bitcoin back,
and real dumb scams that not many people fall for, like when Joe Biden's account got taken over, it was a scam like that.
I think the people got insta-caught and they made in the order of tens of thousands of dollars.
What they did this time is they published a tweet. The attackers published a tweet with artwork that
looked very much official, and the tweet read: "Today the SEC grants approval for Bitcoin ETFs
for listing on all registered national security exchanges.
The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection.
The Bitcoin price spiked immediately by something in the order of like two and a half percent.
And if you look at a rough value of all Bitcoin in circulation, it adds up to about 900 billion dollars, so we're talking about a movement of about 22 billion
dollars in the value of Bitcoin. Of course, it was very quickly discovered that the tweet was a
fake, and then the price went down, and then actually went down further than its previous
price. But I'm guessing whoever did this had access to the account, positioned some things in a way that they would profit from Bitcoin,
you know, maybe a leverage buy or whatever it was,
and, you know, or bought some sort of instrument
that would allow them to profit from this
and then pulled the trigger on it.
This was actually very smart.
And the first time I've looked at an account takeover on social media
and thought, that's cool, that's what I would have done
if I was a criminal, right?
Risky Biz, advice to criminals.
Well, you know, we were joking before that we're, like, rating crime, right? And this one's five stars, I reckon.
Yeah, the ways to make money by doing this are so varied, and, you know, the naive option of just buying and selling or whatever
and leaving traces on the blockchain, you know, might get you snapped. But there's so many ways, you know, to leverage being able to move the market around like this.
And, you know, we do wonder, you know, kind of how much money you would make out of this, because
as you say, like, that's quite a big potential, and how much you can skim out of that in the process,
like, it's pretty worthwhile, and so much better, as you said, than some of the other scams that we've
seen. You know, you've got Barack Obama's Twitter account and that's the best you can do? You know, embarrassing for everybody.
Yeah, I mean, they could have tried to tank a company's share price by, you know, posting a critical tweet
from the SEC saying they're launching an investigation or whatever, there's fraud, or you
know, you could really do something like that. But you're going to get caught, right? Because you need to
be shorting those shares; there's records of it everywhere. Now, I know Bitcoin's quite traceable these days, but there
would be a bunch of ways, I think, that you could pull off a trade here in non-obvious ways that
you might actually get away with. So I just think this is a real interesting crime. And look, this
comes on the heels of Mandiant getting its Twitter account taken over. I think that was last week.
what's going on at Twitter?
I mean, you know, is there some sort of new account takeover technique
that's doing the rounds that only a few people know about?
Or is this a coincidence?
Like, it's impossible to know, but Twitter just does seem to be degrading
the longer it goes under Elon Musk's ownership.
Like, it's just getting less and less useful.
I spend less time there now,
even though I'm one of the last hangers on.
Yeah, it certainly is concerning.
We have seen some people posting evidence
of like account takeover
through like CSRF style bugs or something.
And obviously Twitter's staff,
you know, are pretty skeleton these days
for dealing with those kinds of things.
You know, Mandiant and the SEC, I guess, both have in common that they're kind of big
organizations that probably have shared accounts that multiple people use.
Yeah, which means probably no MFA, right?
It certainly makes MFA really complicated.
And so if you're only relying on passwords, then perhaps there's some options.
But, like, Twitter is just, as you say, in a state where so many things are changing and so many controls that presumably we previously relied
on have just gone missing that, yeah, it's hard to judge from the outside, you know, with two samples.
But does it give you the tingly feeling?
It does a little bit, yeah. Like, even if it is a coincidence, it's sort of the thing that you just sort of feel like,
oh, we might be about to see a little bit more of this.
Like, oh, and by a little bit, I mean quite a lot, you know?
Yes.
And we live in hope because we do love a good mess.
But as you say, Twitter has just lost so much power and influence,
you know, with the exodus of the user base.
But clearly you can still move the markets around with it.
So, yeah. But, I mean, to someone. What's interesting about the Mandiant one, though, is it is a perfect example of one of
the stupid scams that I was talking about, right? Like, they impersonated a cryptocurrency
wallet company and tried to post some, you know, some scam tweets. Whereas the other one, man, it had
a few moving pieces to it. They probably had access for a while, set up a trade, you know, and they're
like, okay, we're going to make the Bitcoin price move now.
And, you know, having the power to make a $900 billion, you know, let's just say it's equivalent to a $900 billion market cap company.
But being able to make that price move by two and a half percent, you know, and then to capitalize on that.
I mean, do I hope they made money?
I kind of do.
Like, it's so weird, isn't it?
When you come across a crime you admire.
Yeah, we've already had one person we know ask,
hey, Pat, was this you?
You've got a history of talking about this stuff.
But, you know, look, if I were a criminal,
this would be right up my alley.
So, yeah, five stars.
What would you say?
If you were rating this on Yelp as a crime,
crime for Yelp, you'd give it five, right?
I mean, it's pretty good.
I mean, I guess.
Maybe not five, maybe four and a half.
Oh, come on.
How could it be better?
I mean, they lost the, like, it got rectified quickly.
It did get snapped pretty quickly, yes.
I don't know.
I guess we will know if it was you if you, like, go out
and make some extravagant purchase, like a new car or something.
Yes.
Yes.
He's joking because he knows I traded in my Tesla yesterday
because, you know, not just because...
And we've only had it for like just over two years.
And driving a car made by Elon Musk is kind of embarrassing these days.
It is.
And second of all, the Australian government introduced a bunch of tax incentives
to basically salary sacrifice new EVs.
But our current one isn't eligible.
So it made sense for me to get rid of that and get into something new,
another EV,
which is not a Tesla, by the way,
because it's a great EV, but it's a terrible car.
Let's put it that way.
Very sus on the back of a crime.
True.
Got something much nicer.
And you've seen pictures of it.
It looks a bit like a criminal's car too.
It does look like a Russian cyber criminal's car.
It's very black.
It's got a nickname too, Vader.
Vader is the name of the car.
Anyway, moving on.
Enough about my impulse purchases.
And on to triangulation.
Now, look, we've known about the triangulation campaign.
That's what Kaspersky named it.
We've known about it for a while. This was, of course, a iOS campaign,
presumably by Western intelligence, targeting a whole bunch of people in Russia, including, Russia says, diplomats and whatnot stationed in Russia, and also staff working for Kaspersky, the security company.
Now, Kaspersky has done write-ups on how they managed to actually capture this malware and reverse engineer it, and that was really cool. Like good old cat and mouse fun and games with that.
But now we've got some real technical details on this campaign
and it's pretty tasty.
Like it's pretty cool.
It is really, really solid work.
Three of the people involved with tracking this down at Kaspersky
gave a presentation at
CCC about their experience of, cough, capturing it, and then some of the bugs that are involved.
And the whole exploit chain that they identified is just, I mean, there's interesting bits
everywhere along that chain and interesting kind of choices that have been made and so on and so
forth, and, you know, obviously way more than we can talk about here.
But there's a few interesting parts.
One is that Kaspersky did indeed spot it straight off network telemetry,
like looking at network traffic analysis in their environment
and saying, hey, that looks sus.
Outbound connections straight after iMessage.
Yeah.
Is this an iMessage exploit?
Well, you've got to remember that when people, you know,
crap all over network, you know, NDR products, right?
Because they do find stuff where you're not going to find that any other way.
Yeah.
So that part was interesting.
And then the exploits, like the iMessage bug was an interesting one
in that it was a Apple specific TrueType font parsing bug
using a feature that Apple themselves had not used in probably 20 years. Like, it's a
'90s-era TrueType feature, so that was fun, and Apple's fix was just to disable that bit of the
TrueType font. And then there were a bunch of local privescs that were really cool, up into the kernel
and bypassing some of the kernel memory protection and other exploit mitigation tech. But the one that really stood out as super fun was a component that leveraged a hardware feature in the Apple
SoC, and the theory is it's somewhere in the graphics chip, where you could write an address
and write some data and then write a hash of that data to a specific place in memory,
and it would magically get written anywhere else in memory.
What do you mean anywhere else?
So you could overwrite arbitrary hardware.
So you could pick where it went?
Yes.
Oh, wow.
Okay, right.
Because I haven't really read,
because I knew you were looking into this one,
but that's, I mean, that seems useful.
That's a write what where primitive, as they call it.
And yeah, so you just wrote the what and the where,
and you wrote a magic hash using a fairly primitive,
like I think it was 20 bits of hash,
so like two 10-bit hash functions that you kind of combine
using a mechanism that was unclear.
And these particular, so this is like memory-mapped I/O, so there's some hardware device that's mapped into the address space of the
main processor. They think it's in the graphics processor somewhere, just because that's kind of
what it's near. But these are addresses that no one has ever used, so, like, the Apple source code
for the operating system doesn't refer to these
memory addresses going back historically. There's no evidence that anyone ever used them. You know,
understanding this hash function would require reverse engineering or observing use of it. Now
we understand why the Russian government came out and said that Apple helped them, because there's a
bunch of people out there right now,
like everyone's whacking on their tinfoil hats
and saying that this is some sort of backdoor functionality
that Apple has put into its products to help the intelligence community,
which, I don't know, man, seems pretty unlikely to me,
but it's still weird.
And that's the thing.
It's still weird.
We even had an email from a listener who was the first one
to alert me to this going, this is, you know, and forgive me, I can't remember your name, you who mailed in,
but yeah, they were like, this does seem legitimately weird to be in there.
Yeah, I mean, there's a couple of theories around it. One is that it's existing debug functionality, perhaps
from ARM. There was some kind of slight tie-up with ARM CoreSight
debugging mechanisms, and you could imagine this kind of thing being useful for debugging embedded
hardware. It's the sort of thing that would never end up documented anywhere, would never end up
being used anywhere else. But then there's the next question, which is, so how did the attackers
know that it was there, right? Which is also a bit of a head-scratcher.
That is also a head-scratcher, and we
don't really know. We may in the future discover some more about this, but this particular part of
it is very interesting. And, you know, Apple hasn't said anything about it yet. I imagine, like, if it
wasn't them, then they need to know, figure out, like, where it came from and how it got there
and how long it's been there, because this is a thing that some researchers
have looked into, the equivalent kind of mechanism on Apple silicon, so on desktop macOS with
the M-series CPUs, and there's kind of similar mechanisms there, and some of the other Apple
Apple can patch this, right?
Oh, yeah, absolutely. Of course they figure out. So what Apple has done in the interim is they have marked
those memory regions as inaccessible.
So they've used the memory management unit to, say,
deny rights to these ranges.
So that solves the immediate problem of those bugs
but does not answer the longer question of how and why
and how long and who and how did they know and so on and so forth.
So all very, very, very interesting.
And then the rest of this bug chain then goes on to, like, kernel, you know, so it goes on to kernel
exploit, bypasses all memory protections, and then, instead of doing what it wants to do, it loads
Safari and reruns another exploit against Safari and then uses that again to get kernel execution and bypass
kernel memory protections and so on and so forth. So it owns devices twice. So it owns
devices twice before finally dropping its implant, which definitely feels like, we bought this
particular chain from one place and we bought, or we had, this existing tooling that already works
well, so we're just going to glue it all together and carry on.
So you and I, I mean, we both looked at this and decided it felt oddly contractor-y somehow. It's just got contractor vibes on it for
some reason. Um, and, you know, if you look at social media discourse on this, so many people are saying,
oh, the NSA must be so sad that they lost this amazing capability. But, you know, you remember a
while ago it looked like a U.S. defense contractor,
I think it was L3Harris, was apparently considering buying NSO Group to put them to work for, you
know, organizations like the U.S. government. And, you know, this is kind of why, when you want to do a
wide distribution kind of thing that might get caught, you know, like, sort of what I'm getting at
is this strikes me as the disposable exploits
that are going to be used by groups like the US government,
not so much their top-shelf stuff.
So, you know, it's really cool and everything,
but I think we need to calm down on the idea that, you know,
this being discovered has hurt the United States, I see.
Yeah, I mean, there were definitely a few places in this chain
where the tradecraft wasn't perfect
I mean, other than the fact that Kaspersky spotted them. I mean, there was a couple of other
bits where it was a little clunky. Like, some of the things that removed traces of the exploitation,
like, missed a thing, which is one of the things that Kaspersky used to figure out what
was going on. And there was a couple of other bits. Like, there was a thing that cleaned iMessage logs by using
a table of hashes of iCloud accounts, and Kaspersky, you know, cracked the hashes back
to iCloud accounts and looked through them. And, you know, that's, if you were doing super targeted, you
really don't want to give away other parts of your process, things that aren't necessarily, so the tradecraft was
good but not, like, not flawless.
Yeah, which, you know, but that's what I mean. Like, this just feels like
some contractor got paid a bunch of money to develop something that, you know, the U.S. government
could just YOLO around with, right? And eventually get it rumbled, and it probably produced
some valuable intelligence, and, you know, that's that. Yeah, that's just, you know, everyday life in this Google world.
Yeah, well, these days, right?
Like, that's kind of, you know,
I don't think that's something we've necessarily seen a lot of,
you know, from the USIC.
And that's, you know, I'm predicating all of this
on the idea that it was the Yanks, but I think it was.
Yeah, I mean, certainly they have a desire to target
the people in that environment, and they
have the capability to do so, so it makes sense. We have seen other people targeting stuff there,
of course. I mean, there was that bit where Israel just bust into Kaspersky to help themselves
to Kaspersky's telemetry and logs and things. So, like, plenty of people have this capability,
but this one did smell.
Yeah, you know, I'm with you, I'm with you, I'm with you. Anyway,
we should move on, because we've been talking about this for ages, right? There is a
report out of the Netherlands that says a Dutch national apparently was the one to plant the
Stuxnet virus inside Iran's nuclear program. But the story's a bit sort of garbled, doesn't make a
whole bunch of sense. Says somehow he put the virus on pumps that wound up in the thing. And, you know, Kim Zetter, who is the Stuxnet expert, is on social
media saying, yeah, I don't really get this either. She had originally written a story in 2019
talking about some alleged involvement of the Dutch intelligence service AIVD.
But it's, I don't know, man, it just doesn't convince me. I've always thought it's weird that,
I've always thought it's weird to expect
that someone actually needed to walk into a Iranian facility
to spread, you know, to cross the air gap.
Like the idea that you needed a mole seems strange to me
because they already owned the contracting firm
that developed the ICS stuff for the Natanz plant.
So I just would have thought
you would infect their computer, infect their USB drives, and they'll walk it in for you. So I,
you know, everyone's like, how did they get it in there? And I'm like, well, that seems an obvious
path. I don't have any inside information there, obviously. But yeah, apparently there's allegations
now that this guy, Dutch fella, who's been named, did it and then actually died in a motorcycle
crash two weeks later, which, you know, no foul play expected.
But that might sort of explain, if this is legit,
it might sort of explain why a few people are talking about it now,
because the guy died and maybe because of the way he was recruited,
they're not going to be exposing anything by naming him.
I don't know.
It still seems risky to me.
But, yeah, what do you make of this?
I mean, I think, I mean, it's certainly interesting.
Obviously, the history of Stuxnet, you know,
it's super important to our industry
because it was such a big deal at the time.
One of the areas of discussion I've seen around this
is the timeline for when Stuxnet got USB spreading capability,
whether it was there from the beginning
or whether it was a later edition
and whether this was a, they got in initially
by getting someone to walk it in on an existing piece of equipment.
Okay, that makes sense
because that's the bit that I was missing, right?
Yeah, and I'm not sure
whether the timeline lines up with that theory,
but I had seen someone talking about that.
And it's kind of unclear like, you know,
what the pumps in question are,
like whether it was software for configuring pumps
or whether it's the pumps themselves
or whatever, that detail is kind of lost in translation,
in this case kind of literally because we're reading it
in machine translation from Dutch.
The guy had an Iranian wife and Iranian family,
so was pretty able to cross the border and go and visit people there.
And he seemed, according to reports in Dutch media,
like he was kind of adventurous and he liked excitement and so on.
So, you know, a reasonable target for assisting his intelligence service.
Well, I mean, he might enjoy a bit of risk,
hence the motorcycle accident two weeks later.
I mean, yes.
The Dutch reporting talks a little bit about the extent
to which the Dutch government were aware of the details,
which, you know, obviously if the CIA or the American government came to you for help,
they're not going to tell you all the specifics of what they're up to.
So that seems a little bit sort of, you know, asking the prime minister of the Netherlands
at the time whether he knew about it seemed, you know, obviously he just said no comment.
I don't talk about intelligence matters, blah, blah, blah.
But yeah, it was definitely getting coverage there.
It's, you know, an interesting twist on the tale
And, you know, I feel a bit sorry for the family, I guess, of the guy, you know, having this dragged up.
Well, no, apparently, I think I saw something that they gave permission to the media orgs to
name him and whatever. So I don't know. Look, it could be a few details getting filled in here.
I don't know. It was a long time ago. But point is, we just talked about two really, really cool campaigns, right,
by presumably Western intelligence.
We're talking about triangulation, Stuxnet.
Now let's talk about some cool hacks that don't really appear to have achieved much.
Just after we broke at the end of last year, it looked like Kyivstar,
which is one of the major telcos in Ukraine,
they got burned pretty bad by the Sandworm group.
It looks like they, you know, Russian intelligence.
They were inside Kyivstar's network for like months and months,
it looks like, and they really prepared a decent takedown,
torched everything, burned it all to the ground.
But to what end, right?
Like, so this is the thing that we've been saying consistently through this
war, which has been going for nearly two years now. Aside from the, you know, the Viasat hack,
you know, the night before the invasion, none of these operations seem to have
really achieved much. Like, so I just don't, I don't understand it. I don't get it. And I'm guessing
part of it is just doing it because, you know, Ukraine's their enemy, and hurt their enemy, inconvenience them, looks good on a PowerPoint
deck when you're talking to your bosses. But what military objectives did they achieve here?
Yeah, I mean, it's a really good question. Ilya Vityuk said that there was no impact on military
functions. So, you know, it was only limited to civilians. And having, you know, major telco disrupted, it seems like it ought to be really bad.
But as you've seen with Optus in Oz, that, you know, maybe it's not quite as bad as we expected.
You know, when I've written reports to telcos about being able to bust their stuff, I've always said, look, it's going to be terrible.
Everything's going to go wrong.
Society will collapse.
And it turns out maybe I was wrong.
You mentioned Optus, and most of our listeners would remember the name Optus, right,
because most of our audience is based outside of Australia.
They're Australia's second biggest telco, and they had a major data breach,
which put them in the news and whatnot.
But they also had a big outage late last year,
and it looks like it was just a straight old BGP f**k-up, right? Which
just makes it real funny. But the whole network went down, and we're talking, like, 10 million, you
know, 10 million customers or something. And the media really tried to make it, you know, sky's
falling, sky's falling, and they went out and tried to write stories about how Gen Z were in tears and
walking and, you know, banging their heads on the walls and stuff, and they just weren't. They were like, oh, yeah, it's a bit of a, you know, it's a bit of a,
but they're interviewing all these 21-year-olds who are like, yeah, it's a bit of a drag, but, like, it's
cool, you know. So basically it meant that for a day people were more likely to talk to each other
on public transport. Like, it was a bit of an inconvenience for people who are
affected, but it wasn't the end of the world. And that, you know, we've just seen, that's the mighty blow that Sandworm were able to inflict on Ukraine,
which is to mildly inconvenience them.
To be honest, I am amazed at how quickly they brought the telco back.
Like it must have ruined, you know,
the people who worked there must have had a really rough, you know,
few weeks towards the end of last year.
But, you know, rebuilding the entire telco
from, like, several thousand virtual machines, torched,
that run your entire telco,
like, that's a lot of work, but...
And I think they got backups and stuff as well.
But, you know, like the Russians managed to get to the backups.
I think I saw that.
But, you know, this is what Ilya Vityuk was telling us
in that interview we did with him last year,
which is that, you know,
their playbook is really about response and recovery and being organized when something like this happens, because I don't think that
their security is in a terrific place, right, corporate and telco and whatnot, but what they've
got good at is responding to incidents like this and mitigating them that way. So, yeah, the fact that
they can rebuild a telco very quickly is, is somewhat impressive, I think. I mean, they were
back in service,
like, reannouncing their networks a couple of days later,
and, you know, 10 days later, I think,
things were kind of, like, people had service restored
and were back to functionality.
That's pretty amazing.
And that focus on resilience,
regardless of what your adversary is doing,
I mean, that's the thing that's going to really stand them
in good stead,
and it has been and will continue to do,
regardless of what Russia throws at them.
But see, why would you do this
when you could take down the top three telcos all at once,
and all of those subscribers are now trying to route
through the remaining networks, and they don't have capacity,
and then you've brought the entire comms infrastructure of the country
to a standstill, and that's going to have a real impact,
particularly if you combine that
with some sort of big military campaign on the ground.
I guess it's a little bit late now
because we've got these frozen lines all around the country
and it's not like taking the telcos out
is going to give them some sort of element of surprise.
But you see my point, right?
They could have actually done something quite crippling,
quite devastating, but instead this just looks like a, you know, ha-ha show-off attack. And
speaking of, it looks like a bunch of pro-Ukraine hackers are now doing the same thing to a Russian
telco, right? Like it's like a tit-for-tat thing. Yeah, this was a Russian telco called M9com.
They're not a huge provider, but they appear to be getting hacked by some Ukrainians for revenge, and
I guess the tit for tat will continue as long as there are targets, and there'll be targets for,
for a long time. The only real impact we tend to see out of these big Russian hacks is when the
data gets nicked and leaked. Then organizations like Bellingcat have a field day, because now
they've got data that they can use
for investigating stuff and correlating and so on.
And, you know, that's a thing that may have a longer tail
than just, you know, turning off service to people.
It's amazing how much like really sensitive data
Bellingcat just gets from like BitTorrent.
It's incredible.
Like the Russian data sets that are out there,
it's just amazing.
Like who seeds that torrent?
Like, anyway.
Oh, so here's something that Russia's doing
that's quite smart from a, you know,
hacking and military perspective.
And, you know, we've heard reports about this before,
but this is a confirmed case from Ukraine's SBU agency.
Russia hacked a couple of, you know, security cameras
and were using footage from those security cameras
to adjust artillery fire
live, right? So this is something where, you know, I've spoken to a bunch of people in sort of
mil-cyber circles from a bunch of different countries at the moment, and this is actually
a real threat. Like there's a bunch of countries that are putting themselves in a position where
they need to be aware of where all the Hikvision
cameras are, for example, right? Either in preparation to pull them down later if something
kicks off or just, you know, just knowing that is quite good. And it can be a bit tricky because
some of these scanning services, they will find, you know, cameras that are directly connected to
the internet, but there's so many of them that like UPnP, they're way out onto the internet
through a Cisco router. And, you know, and if you scan that with most scanners,
it'll just show a Cisco device, right?
Rumble will find them.
Rumble will say that is a Hikvision camera behind a Cisco
because Rumble is magic because HD Moore created it.
At disclosure, I am, you know, an advisor.
I have an interest there, but, you know, it is magical.
But, you know, this is an example of, you know,
signs of brain cells in Russia actually, you know, doing a bit of integration between their cyber
operators and, you know, artillery crews. Like being able to close the loop there is actually
a sign of, of something going right. Yeah, I mean, that's the kind of maturity you need to make cyber
work well in the context of, of a military operation or in doing effects beyond just the cybers.
You have to be able to act quickly.
You have to be able to close that loop.
And using it for artillery correction or battle damage assessment
or whatever else, that's pretty smart.
I think in this case, some of the cameras had Russian software on them,
so they may have had an easy way to get access to them.
Maybe, but it's probably password 123.
You know, like it's just –
It could just be bog standard Hikvision life.
Yeah, we've got a real funny default password story coming up later in the –
We sure do.
I've linked through to a story about the Optus outage in the show notes,
and actually, yeah, that's our next story of the week, password one,
which I'll just – we'll just mention it very quickly,
which is that a Spanish mobile carrier had an absolute disastrous outage because someone got into their RIPE, like Network Coordination Center account,
and the password for that account was RIPE admin.
Nice.
So someone just went in there and, like, you know, torched it all.
And, yeah, so this is the point, right? Like telco outages can happen without people doing the hacking, and things usually work
out okay. So, although in this case I think the outage was a result of whichever kid had found
the creds just kind of mucking around. It didn't really seem well thought through, and they managed
to figure it out and get it back. It looks like the creds were stolen after some botnet was on a box inside Orange.
So, yeah, bog standard hacking.
Yeah, but I put this into the category of like arsonists in fire season, right?
So when everything's dry and crispy and if someone lights a match,
there's going to be a horrible bushfire.
Someone will always light that match, right?
It's pathological.
They can't even control it.
It's the same with this. So, you know, having those sort of passwords lying around,
you know, is like the equivalent of a lot of dry grass, I think. But look, let's turn our attention
now from the Russia-Ukraine war to what Iran's been up to, and Iran has been very naughty. Of
course, very busy. They've been very busy, right? Surprising, the scale of what Iran's up to at the moment. And in this case, we're not even
talking about what's going on between Israel and Hamas and Hezbollah to a limited degree,
but we'll get to that in a minute. The Albanian government has been providing refuge to the
Iranian political opposition movement,
the MEK, who are, as we've already discussed on the show, not actually a pack of fluffy bunnies
themselves. But, you know, we've seen Iran attacking Albania in the past. And look,
that's continuing. There are some fresh attacks now against Albania, you know, attributed to Iran.
Yes, a group called Homeland Justice claimed responsibility for attacks against
the Albanian parliament, as well as some telcos in Albania as well. So we've seen some level of
disruption there as part of this kind of ongoing skirmish between Iran and the MEK in Albania.
It's not clear that there was any significant ongoing impact other than the fact that they're
in there and they got to do response and so on.
But this skirmish has just been, you know,
it's been going on for a couple of years now
and doesn't look like it's going to slow down.
Yeah, now look, staying with Iran but shifting focus regionally,
it looks like Predatory Sparrow are back.
Now, this is, of course, the quote-unquote hacktivist group,
which is obviously, you know, an arm of the Israeli government.
So what they've done, they've basically redone an attack
that they'd previously done, which is to shut down
the petrol card system in Iran.
I saw some thread on social media where someone actually took
a bit of a look at this and said they basically just did
the exact same attack again and it worked.
Like Iran hasn't really re-architected anything
to prevent it from happening again.
So it's happened again.
And the reason people think this is, you know,
the Israeli government is because they do things
that look very much like legal checkboxy.
That's what they do.
Yeah, such as notifying Iranian emergency services
that they should stock up on fuel
and letting them know which petrol stations
will be unaffected and blah, blah, blah, blah, blah.
But yes, it looks like Predatory Sparrow is back in action and starting to target
Iran. We've also seen some hackers, quote unquote, disrupt the Beirut airport with anti-Hezbollah
messages. I don't know if that would be a, you know, Israeli government op or just activists,
you know, feelings are somewhat strong
at the moment in that region all over.
But, you know, there's a bit kicking off there.
Yeah, there certainly is.
And lots of, you know, lots of people muddying the pot.
I mean, the difference between, you know, proportionality
in gas station attacks versus some of the more indiscriminate stuff
we've seen against, you know, like water supply systems or whatever else. There's so much churning over there, and it's,
you know, it's disturbing to see, but also kind of what we expect in that region, unfortunately.
Well, I'm surprised to see Israel still notifying emergency services and whatnot, because it seems
like this conflict is very much a gloves off time.
There is a concern that this conflict between Israel and Hamas is going to turn into a broader
regional conflict. I mean, to a degree it already has with the Houthis, you know, targeting
shipping in the Red Sea and whatnot. But there is concern that there could be a fully fledged conflict between Israel and Hezbollah, and, you know, Hezbollah obviously has very deep ties to Iran. It's, you
know, arguably a creation of Iran. And if that kicks off, God knows what, that's, I mean, it's going
to be, it's going to look horrible on the, on the front line. But I think there's every chance
it's going to spill over, and we're going to see like a bunch of crazy stuff happening on the internet as well. Yeah, exactly. I mean, the next
story we have is exactly that, right? It's, it's Iran messing with telcos in Egypt and Sudan,
which is kind of an area that's a little bit outside of Iran's normal area of focus, and
Tanzania as well.
And Tanzania, yeah.
Seeing them branching out, and especially, you know, Sudan's conveniently located for
the conflict in Yemen and so on, and Egypt right on Israel's southern border, like all
pretty relevant to this conflict, but seeing, in this case, the MuddyWater group from Iran out there
doing things outside of their normal remit just kind of supports that argument. I mean, you would
think, though, that, look, if Western IC has been doing its job, it's got pretty good visibility
into Iranian groups. And if they really try to scale up and go a bit wild, there's every chance
that it will be possible to mitigate them in certain ways.
Or, you know, what are they saying?
Imposed cost.
Imposed cost.
They could impose cost.
But, yeah, like I just, you know, I mean, I don't want to see the Israel, Hezbollah.
I don't want to see them at war.
I don't want to see anyone at war.
But, you know, if that does kick off, you know, you really do.
Like that's going to be – I mean, cyber is such a massively distant concern,
but we are a cyber security podcast, so we are going to talk about that.
But look, let's talk about some other crazy news from around the world. We did mention that this was sort of – we foreshadowed this last year.
James Reddick has a piece up here for the record.
We said that there were some militias who were looking to take control
of some places in Myanmar where some of these pig butchering farms
are operating and they had the support of the Chinese government
in doing this.
That's now happened.
They've been able to take over these places and break up
some of these pig butchering rings.
Yeah, I mean, it's pretty wild that we have militias out there
with the stated primary aim of dealing with, you know,
what's a partly humanitarian but partly cyber kind of problem.
Well, I think there's a bit more to it than that.
I mean, Myanmar's, you know, in a state of pseudo-civil war.
But, you know, the fact that it's in the mix at all is wild.
It is.
It is wild.
And so the Three Brotherhood Alliance have taken Laukkaing,
which is where a bunch of these pig butchering call centers slash kind of like places where people are being held hostage
to do scamming, especially up into China.
So seeing that happen is, I mean, it's not a story that I imagine
we would have ever, like, we've been doing miscommits for a long time.
I can't imagine that that's a story we would have predicted
five years ago, 10 years ago.
No, I mean, it's one of the, I mean, when I first heard that people were being human trafficked
into doing this, I remember being actually quite surprised.
I was like, wow.
Yeah, me too.
Like, it's wild.
And it's not often we're surprised.
Yes.
We're pretty jaded after this long.
But I think it's a test of credibility for these militias as well
because, you know, the expectation is when a militia gains control of a, you know,
criminal organisation that is making millions and millions
and millions of dollars, do they disband it or do they, you know,
take it over?
Start paying, taking bribes, people paying bribes
to different people now.
Yeah, do they execute the people who were running it
and become the new people running it?
But, you know, I don't really know much about the militias in northern Myanmar.
So, you know, we'll just have to see.
No predictions to offer, Adam.
No.
Insightful.
Now, cue the Benny Hill music.
And we're actually into the Law and Order section.
AlphV had their sites seized by the FBI and then...
And then AlphV seized it back again.
So this...
Exactly.
Anyway, go on.
Yeah, I saw someone call this like a tug of Tor
because both parties clearly have access to the private key material
and can point to the hidden service wherever they want.
So, you know, a bit of back and forth.
You do have to wonder, though,
like if you're an AlphV affiliate at this point,
do you feel like trusting the link
that the unseized website provides
for how you should interact with them and so on and so forth?
Yeah, because it could just as well be the FBI impersonating them
if they have the key, mate, but yeah.
Yeah, either way, it's a rough ride for AlphV,
which they kind of deserve.
They've been somewhat dicks on the internet as of late.
You know, remains to be seen whether this slows down ransomware at all
because there was so much ransomware while we were off.
Yeah, like we're not even going to talk about it.
And the funny thing is, you know, you go on break for a few weeks
and you come back and there's usually a lot of ransomware stories.
Like certain outlets really seem to focus on just writing up, you know, brief summaries of incidents.
Like The Record, they do an excellent job
of just covering incidents and cataloguing them
and putting them in the Journal of Record.
You know, it ain't exotic, but it's important work
and it's good that they do it.
And yeah, just so many.
And the Toronto Zoo.
Yeah, like who ransoms a zoo?
Like, everybody likes tigers.
Why would you ransom a tiger feeding system?
Like, who does that?
Think of the otters.
Exactly.
Why don't you think of the otters?
Those North American river otters, I like those.
Those are good otters.
Yeah, so there was Toronto Zoo, the central bank of Lesotho.
These are just a few interesting ones that we picked out.
And a bunch of hospitals that have had to transfer patients out.
And, like, you know, real impacts on emergency services and whatnot. Like it is just as grim as
ever. And another interesting one was First American, which is a real estate industry giant
in the United States. It seems like ransomware actors have discovered that that is an industry
sector that is quite profitable to target. And look, staying with law and order, a Breach Forums,
what is it,
the Breach Forums admin,
what's his name?
Pompompurin.
Yeah, Pompompurin,
aka Connor Bryan Fitzpatrick.
He's been re-arrested
for violating his parole
because he was using a VPN
on an unmonitored computer
and he has now been thrown in prison
until his trial,
which, yeah, sucks to be him.
Yeah, exactly.
But, you know,
I guess he knew what he was supposed
to not be doing
and VPNing from a different machine probably on that list.
Yeah, now look, speaking of young teenage hackers
who can't help themselves,
this chap, Arion Kurtaj,
this is the young fellow who is quite autistic,
who was charged over a bunch of the Lapsus stuff.
And then he was being monitored and whatever and got a fire stick
and tethered his phone to it and tethered a Bluetooth keyboard or whatever
and was getting into the slack of previous victims
through access means that he already had, like, keys or whatever,
and taunting them while he was on bail.
With the fire stick plugged into the TV in a hotel
while he's on bail.
Yeah, yeah, exactly, right?
But everyone thinks he was like using the fire stick
as a hacking thing.
I think it was just he was just streaming the image
from his phone.
But anyway, that's neither here nor there
because he has essentially been sentenced
to an indefinite stay in a psych hospital
because you cannot put a kid like that in prison.
And, you know, you just can't. And you can't let them go, because they're just going to, you know,
keep hacking people with their fire sticks. Yeah, that's a tough, tough place to be, and,
you know, you feel bad for the kid, because, I mean, you know, autism is not a joke, and I know plenty
of people who've got, that are on that spectrum.
Look, we've been in InfoSec for over 20 years.
We know plenty of people on the spectrum.
Come on, let's just not beat around the bush.
Yes, and I don't know.
What do you do with people like that?
So I guess put them in indefinite hospital care
is one of the ways you can do it, but I don't know.
It is terribly sad, but anyway.
Now let's talk about some bugs, Adam, and this one you and I can't figure out, actually, because it's Ivanti, and there's a critical, like, SQLi
in their endpoint protection software. And like, you put this one in the, in the run sheet this
week, and I'm like, hang on, like I get that it's endpoint protection software, but this would have
to be the server-side component if it's SQLi, right? And it's completely unclear. It's, it's completely unclear. I mean, are they actually putting SQL on
the endpoint agent? Like, what? I mean, I've seen people do crazier stuff. The actual Ivanti
advisory is behind, you have to be registered and signed up. But even that, like, I've seen a
screenshot of it. I think Ars had a screenshot of it. And like, it doesn't make it at all clear.
One of the things that the advisory said was
that SQL Express is involved,
which is Microsoft's cut down version of SQL Server
that you use in embedded systems
or when you're deploying software that needs database,
but doesn't need a full featured one.
Network access to Ivanti's endpoint manager agents
seems to be sufficient to, without auth, turn it into CodeXec.
Yeah, I mean, it doesn't even matter if it's in the endpoint
or in the server, because if you're on the network,
you can reach the server and then you get all the endpoints anyway.
Presumably.
And this is not quite a CVSS 10, but it probably should be.
Yeah, I was actually going to mention this to you,
because I find this real funny, which is that it's a 9.6 out of 10,
and there's a whole section of this piece, which is, you know, Dan Goodin, who's done a good job with
it, but there's this whole section about like, oh, they're downplaying vulnerabilities. Like 9.6 is
not downplaying. Like it probably lost 0.4 because you've got to be on the LAN to exploit it. But
that's real funny, that like all of a sudden 9.6 is like trying to be slippery, you know, trying to
be slippery and you should have called it a 10. Like, what?
Yeah.
I mean, a 10 is pretty rare just because the CVSS mechanism is not quite granular enough to really give us good metrics.
But yeah, 9.6 should just round up to 10 in everyone's mind.
There's no point quibbling about that.
Point four.
All right.
Whatever.
Moving on.
And the US government is sounding the alarm on an APT29 or Cozy Bear attempt to sort of supply chain infiltrate JetBrains, which is a Czech company.
Obviously, their software is everywhere.
This would be bad.
It doesn't look like they were successful.
But, you know, clearly when you've got Reuters coverage of comments by US officials, it means people are rattled.
Yeah, I mean, the JetBrains TeamCity product is pretty widely used
as a part of modern development, like it's a continuous integration
sort of platform thing, and necessarily means it has access to source code.
And so it would be a very natural place to leverage
for all sorts of supply chain attacks.
So it's a natural target. We haven't seen,
like, there's a bug that has been being exploited. It's not like patching has been pretty good for
it. But the fact that Cozy Bear are nosing around, I think, is really what they're drawing attention
to here, that this is not just casual exploitation. This is real actors nosing about in a place that
could absolutely have impact beyond the organizations
being targeted. Something to look forward to in 2024. Yeah, real quick, because we're running out
of time, there's some sort of SSH downgrade issue. So if you, if you're in the middle of an
SSH connection, apparently you can do some sort of downgrade attack. You're actually a very
qualified person to talk about this
because you know SSH very well
because you've even done some hacking on the old SSH back in the day.
Walk us through this one.
Is it a big deal?
So short version, it's not a big deal.
Open SSH, which is the main implementation that people use,
is vulnerable in some ways,
but not in ways that really matter so much.
Some other implementations
are vulnerable to this particular bug in ways that matter more. The really interesting thing,
though, is that this is a core protocol bug in SSH, the protocol, where in the middle,
you can kind of truncate some of the messages early on in the process before the crypto is
really kicked off, and use that to disable some later, more
optional security features. And given the age of SSH, it's not surprising that this protocol-level
bug's in here, but a lot of eyes have looked at this code a lot of times and missed this.
Yeah, and didn't really glue this together. So it's really, really interesting research, and it's nice
that there is some real-world impact, so we care, but not so bad that it
melts the internet. Yeah, yeah, not so bad that, you know, it's not Shellshock. What was your SSH tool?
You basically had a thing where you got on a box and you could essentially hijack an SSH connection,
right, or add an extra connection sort of invisibly. What was it called? Yeah, yeah, I remember that, man.
That was, that was
cool stuff. Yeah, do people still use that, or is that like completely redundant at this point?
These days it's a feature. Back then you couldn't, there was no user interface for using
that functionality. Nobody said subsequent to my thing they actually went and added it, so you can
just kind of use that stuff normally now. Yeah, right, to, to bring exploit tools to, to do it, but
yeah, it's still a thing.
It's a trick that people use, especially for bypassing multi-factor. Yeah, and when it's been
used in the wild, that was one of the main use cases for it. Yeah, so if you've been using, if
you've been using SSHJack, you know, if you used that a million years ago, that was one of Adam's.
Real quick, LastPass is now enforcing a 12-character master password length.
You know, I think they're still in the dark as to what the hell actually happened
and if those crypto thefts that we've spoken about were actually linked to the theft of password vaults
that may have contained seed phrases and whatnot.
So that, yeah, that whole thing, man.
What a mystery.
Love to solve that one.
The FTC is soliciting contest submissions.
This is a Suzanne Smalley story for the, the Record.
The FTC is calling for people to send submissions for ideas about how they, how
organizations can combat voice cloning fraud, because obviously, you know, voice-based biometric
identification is useless now thanks to artificial intelligence. We did also see a bunch of images
going around social media the other day of people
like holding pieces of paper that were AI generated. So you've got a picture of someone, you can feed it
into an AI and say, give me a KYC image, right? So the idea of, you know, using a webcam to take a
picture for KYC, like that's going to be redundant real quick, as is voice biometrics and whatnot. So
this is a space that we're going to have to watch this year. People really need to think about their KYC processes now.
Yes, they really do.
What else happened?
Last year we spoke about 702 sort of hanging in the balance.
It looked like the US Congress has sort of realised
it needed to do something,
and they extended it for like four months.
So that debate, we get to hear it all over again
in the next few months, right?
But yes, 702 has been temporarily reauthorized
until April 19.
And, you know, we'll see what happens there.
And then we've got a couple funny stories to end with.
One is that a crypto hedge fund CEO possibly didn't exist,
but managed to like scam a bunch of money.
This is a wild read based on, I think,
some reporting from The Guardian
where this guy's like a PhD and whatever.
And they paid people like Steve Wozniak on Cameo
to say that they were real excited about this project
and whatever and then put it in as an endorsement
from Steve Wozniak.
Looks like a really well-executed fraud
that got away with something like $1.3 billion
in customer losses.
Yeah, that's real money, man.
Yeah.
Real money.
And it looks like they just conjured this guy
out of thin air.
But I don't know if those losses are like on paper
or real, I don't know.
Who even knows in crypto world,
but good effort nevertheless.
Good effort, absolutely.
But yeah, we're going to end with a talk
that you watched, Adam,
that had some funny stuff in it.
Yeah, we talked last year about some research
into the
Tetra radio protocol used by law enforcement and emergency services and critical infrastructure,
and some Europeans had pulled it apart, reverse engineered it, found some bugs in it, reported to
the standards body, and predictably the standards body were like, yeah, those are not very real bugs,
even though they totally are, downplayed a bit. One of the arguments that they were using to downplay it
was that you had to use a GPU to do one part of the attack.
The researchers behind it presented their work at the CCC recently,
and one of the things they had done in response to that
was port their attack to run on contemporary,
like a Toshiba Pentium laptop from the 90s running Windows, a period...
A period-correct computer, I think, is the word you're looking for. Yeah, for the standard. And
yeah, so then they crack it in a couple of hours on this beautiful old Toshiba Satellite, which is
just like chef's kiss work. And like their whole talk is so good, like the, the research they did
and the work they had to do to crack Tetra was just beautiful stuff.
But I love a good conference talk and I especially love one that rubs a standard body's nose in it with the Windows 95 startup sound.
Well, I mean, I love that the Tetra thing is a 90s protocol and the people behind it
still think like it's the 90s.
You know what I mean?
That's what's funny about it.
Like, oh, who would do this?
You know, like it's just, it's so funny.
But mate, that's actually it for the week's news.
Thanks so much for joining us.
It's, you know, great to, it's great to be back in the saddle.
And, yeah, I'm not here next week, so no weekly show.
But, yeah, week after that, I'm back in earnest
and we'll be pumping out those weekly shows.
But, yeah, great to talk to you.
Yeah, thanks, Pat.
It's great to be back and so much good stuff to talk about.
That was Adam Boileau there with a look at the security news that we missed while we were on break.
It is time for this week's sponsored interview now
with Scott Kuffer of Nucleus Security.
And Nucleus makes a platform that aggregates
and normalizes vulnerability scan information
from all around your org, all around your tools,
and it lets you do a bunch of stuff with that info.
You know, prioritize remediation, things like that.
Actually get a sense of what's going on in your org,
where most of the issues are coming from, things like that.
And, you know, what organizations do with that information
and, you know, with the Nucleus tooling,
it actually varies quite a bit.
You know, some prioritize patching bugs with high CVSS scores and that's their criteria. You know,
others might go deeper and try to understand context, really understand context, especially
if they're like a DevOps shop and they're trying to understand how, you know, like a library
vulnerability might impact their applications and whatever. But yeah, the point is it really varies.
So here's Scott talking about how everyone has their own approach to these sorts of things.
I hope you enjoy this.
We actually get to see all these different approaches and we have to really build in
to our product the ability to support all these different approaches. And so
to dive into your question specifically though, on the one hand, you have the way the government
is approaching it, which is the, hey, we want to use some sort of rating scale to determine the risk of a vulnerability, which, by the way, we all struggle with determining what the risk of a vulnerability is.
But based on this scale, if it meets a certain criteria, patch it as quickly as possible, right?
Because we determined that that's going to provide as much risk to the business as possible or it's going to reduce as much risk as possible to the business. On the flip side, you have folks, and this comes more
from the product security, cloud security area of the world, which is, hey, we actually do things
so dynamically, and we actually have like one vulnerability that shows up in a base layer
infrastructure piece of our entire tech stack, that actually we want to identify at the very
base level of what we're doing.
And we don't really necessarily need traditional vulnerability scanning at all.
What we actually need to do is to build in VM practices further and further left into
the development process.
And I would say there's this undercurrent of, well, do we need to rethink vulnerability
management in its entirety?
And there's, I think, pros and cons, and we can get into what those might be. But
those tend to, they're complete opposing views. But I think this is where a lot of this confusion
is coming from, because you hear shift left, and everybody's like, yes, we want to shift left.
And then also, people want to be more precise and say, well, we do also want to
capture the events where a move it happens,
where we want to go. I mean, shifting left, I ain't going to help you patch your Citrix.
It is not. Your Fortinet, right? Like, so that's, I mean, I understand the thinking though. Like,
I think that those vendors should be shifting left. I don't think that their customers should
necessarily be responsible for patching that equipment. I think the vendor should do it.
I think they should build products that can,
you know, where the vendor can initiate the correction of vulnerabilities in that software.
But, you know, so I understand why these people
working with very modern infrastructure and whatever,
you know, see this as a great approach.
And it is, you know, it really is.
But it's, I mean, we ain't there yet, you know.
We're not.
And also, like, just from what we see, we're a long ways away from anything like that, right?
Like, it's, I don't want to overblow and overstate here.
But, like, it's, sometimes when you look at just the reality, we obviously have a lot of data about a lot of different customers and a lot of different industries of all different shapes and sizes.
And the theme here is that, like, let's look at this exact example you were talking about, right? We want to patch
within 48 hours on externally facing infrastructure. I can tell you that the average from what we see
is 128 days for that, right? So it's like, there's clearly a disconnect between what's reality and
what policymakers are trying to implement. So,
I mean, there's something inherently broken there for sure. And I think people just don't know,
right? Like how does... Well, but I mean, this is the thing, right? When ASD has come out and said,
well, okay, maybe you don't have to patch everything within 48 hours, you know, every
critical, but hey, the stuff that's internet facing, maybe you should do that. We have been
telling people that, and it only really occurred to me as I was having the conversation recently
with Adam Boileau, we've been telling people that for 20 years and it still doesn't
happen, right? So do we think if we keep telling them for another 20 years it's going to happen,
or do we need to fundamentally rethink the way that we manage these types of things? Right, the
thing that I keep coming back to is perhaps we need to re-architect, you know, some of our,
some of our networks with things like dynamic firewalling enabled and provisioned and,
you know, managed via SSO and blah, blah, blah, blah, blah. But, you know, I just,
I think it might be time to raise the white flag on 48-hour patching. Like, I just don't,
I don't see it happening. Do you? I believe that there are two fundamental points here,
right? The first is that when I say, when we say we've been telling people to do that for years,
the question is who's been telling us and what are the consequences of not doing that?
I mean, ultimately, businesses are just not incentivized to patch all their stuff, really, right?
Look, I see where you're going with this, which is the calculations are changing now
that they're all getting ransomware for failing to do it.
That's exactly part of it.
Also, the SEC is now mandating requirements
for a lot of that to be reported, right?
And they're focusing on breaches,
but a lot of them are adopting
what the FedRAMP office is doing in the US as well,
which is like, hey,
anything that's a critical vulnerability,
we're actually gonna hold you accountable to that.
And so the calculus is changing.
And that's kind of the one aspect here
where I do think that does change the incentive structure. I get where you're coming from, right? Which is
that it's not that this is impossible. It's just that people haven't been correctly incentivized
to do it previously. And I think that's a fair point. I do think that there's validity to what
you're talking about, though, which is that how do we move folks into the future? And I think that
it does require a rethinking of vulnerability management itself, where it's really, what is it that we do, right? What we actually do is
VM is more of an audit function, right? Like VM-
You walk behind the elephant with the shovel.
It definitely feels that way, for sure. And sometimes you just look around and you're like,
man, I need a bigger shovel. So when we're looking at what we're actually doing, I mean,
what's happening in that case is you're shifting where the vulnerabilities and where the risks are
going to come from. And so ultimately, we might have to rethink what vulnerability management is,
but it transitions into more of a risk management process and procedure where you're auditing
what findings are coming out. It just shifts from CVEs to things like configurations
and things like what is your cloud provider doing? How do you actually hold your cloud provider
accountable to doing all of this patching? How do you hold the vendors upstream accountable to
doing this type of patching? So it's still shifting, but it causes other problems. It
kind of shifts in a different area. And you will have to rethink how VM is done, but it doesn't
eliminate the need for somebody to come in and actually audit and make sure stuff is happening the way
that it should, right? Now, you mentioned that 128 days. It was 128 days, right? That was the number.
I mean, you've been around for a few years now, right? Have you seen any interesting trends,
any meaningful signs of improvement among your customers? What are people actually getting better
at? Yeah, I mean, you know, obviously the shameless plug here would be to say,
once they start using Nucleus, it goes way down, which is a trend that we see, but I think-
Well, that's the whole point of the tool. So you would hope so.
I would hope so. I would probably have to go just cry in the corner if that wasn't the case.
I mean, you know, just for those who are unfamiliar, basically Nucleus, you know,
you replace all of the horrible spreadsheets that you're trying to do vulnerability management in with Nucleus.
That's kind of the – if you want to boil down the pitch to its most fundamental acts, that's kind of it.
That's it.
Exactly.
Yeah.
Productivity tooling for doing this.
So you would hope it moves the needle.
Absolutely.
Right?
I would say that on a larger level, the trend is that everybody wants to look for the shiny new object that they think is going to help them.
And everybody has focused on prioritization.
Prioritization, prioritization.
That's the answer.
And we saw this even like almost a decade ago, right?
Like everything that it's like how do we know what's the thing to prioritize?
I'm even hearing stuff like, hey, how do we use attack path mapping to like figure out what vulnerabilities to fix?
And sometimes I just want to sit there and throw my hands up and go, what about actually
fixing vulnerabilities?
Do we want to always look at the problem from 50 different angles and say, wow, this is
a really beautiful problem we have?
I'd rather start getting our hands dirty.
But I don't want to just be all gloom and doom, right?
I know I've been pretty negative Nancy today.
But where I do see a ton of progress is actually this mattering in organizations.
Right. So this has been elevated to the board level in a whole bunch of different prospects and customers and just industry peers alike.
I mean, we're seeing that CISOs are taking a, like, a really close look at how the vulnerability management process is actually working now,
which is a huge difference, right? Five years ago, I don't want to say nobody cared, but it was like,
hey, are we doing Tenable scans once a quarter? Check, we're good, right? Now, we're seeing a ton of investment in this area, right? We're seeing a ton of marketing fluff in this area, which is
great. Marketing bingo is a fire right now. But I would say that's a very positive trend, right?
Even though we're confused
about what it should be, what will happen ultimately is that this investment will amount to
meaningful outcomes. And I will say that we are seeing trends where folks have a desire and an
appetite to democratize the data too, where historically it's the security team says,
no, I don't want anybody to know about these vulnerabilities because they're risky, right?
It's risky if one of our developers knows about it.
Now we're starting to see a big shift towards, well, oh, my gosh, there's 50 million vulnerabilities.
We have 6,000 developers.
Maybe we can make the developers have some access to maybe they each need to fix 50 bugs next year.
And now all of a sudden we have a much more manageable strategic approach to actually fixing high volumes of vulnerabilities that are important.
Well, I think this goes back to what you were saying of like, do we need to analyze this
from 50 different angles to figure out how it should be prioritized or should we just
be putting a bit more effort into making this stuff easy to fix?
Exactly.
And I would say where we are, at least on the Nucleus side, and me personally, making
stuff easy to fix is probably the thing that we have the biggest gap from where we are today to where we need to go,
but we'll have the biggest impact, right? And I think I saw a statistic somewhere.
So, I mean, sorry, it's interesting that you say that because, I mean, you know,
fundamentally your business does a lot of work around helping people prioritize.
It does.
And you're saying that's not the solution.
Well, yeah, I mean, prioritization is a piece of what we do, right?
But it's fascinating.
I was talking to a CISO recently
and it was one of those calls
where we're doing the dance of like,
hey, you're going to make the final purchase decision
of Nucleus.
And so I'm sitting there and I'm like,
hey, so why are we even having this conversation?
And eventually we're talking around in circles
and then eventually he's like,
you know what, Scott?
Honestly, I don't really care about anything
other than the fact that right now, today,
I have to go to the board and ask for money
or to the CEO and ask for money.
And I don't know how to do that
because I have no visibility in what everybody's doing.
Well, this is where I was going with that, right?
Which is that, you know, at least getting some tools in place, you know, and yours is
one of them where you can actually measure where you could best invest in improving.
Correct.
Patching and remediation, right?
Like, so you can do it blindly, but until you've actually got a handle on the problem,
you know, prioritization is great.
But once you've got everything coming in and, you know, you're slicing and dicing and you can see, Hey, we've got a big
problem over here. And if we invest money in, in trying to do some automation and stuff over here
and improve processes over here, then, then, then we're going to really go ahead, leaps and bounds.
Exactly. It's all about for everybody that I talk to now, it's all about that. We, we have the
ability to communicate effectively what is actually where we actually are.
Right. Like I think the metaphor that he used was, you know, it's like being lost in the wilderness.
If you're lost in the wilderness, where do you know?
Like, what's the first thing that you do?
The first thing you do is you try to figure out where you are.
If you figure out where you are, then you can make a plan to get out.
It doesn't really matter what the plan is because that has to adapt depending on where you are.
But everybody is struggling with really understanding like where we are today.
And like, ultimately, that's what a lot of folks say. Like, they're like, look, we love that
Nucleus does prioritization. We love that it automates away a whole bunch of manual labor.
But we really, for number one, we just want to know where we are. And that's, I think that's
something that we struggle with. But there's a desire to know now, which is a big difference.
All right. Well, Scott Kuffer, thank you very much for joining me for the first sponsor interview of this wonderful year, 2024.
It's always a pleasure to chat to you, my friend, and we'll be speaking again throughout the year. Thank you.
You too. Thanks, Patrick.
That was Scott Kuffer there from Nucleus Security. Big thanks to him for that. And you can find them at nucleussec.com.
And that is it for this week's show.
I will be back in two weeks.
But until then, I've been Patrick Gray.
Thanks for listening.