Risky Business - Risky Business #738 -- LockBit is down but not out. Yet.
Episode Date: February 27, 2024
In this week's show Patrick Gray and Adam Boileau discuss the week's security news. They talk about:
LockBit gets back up after takedown
Russia arrests Medibank hacker… for something else
ConnectWise gives out free updates, but customers aren't happy
Microsoft gives in to demands for more logs
Sandvine gets entity-listed
And much much more.
Dmitri Alperovitch also joins the show to discuss Starlink, Starshield and a row with Congress about its availability in Taiwan.
In this week's sponsor interview, Airlock Digital's Daniel Schell talks about his adventures with WDAC, and Dave Cottingham predicts Windows 12 will go all in on signed code.
Show notes
LockBit group revives operations after takedown | Cybersecurity Dive
Lockbit ransomware group administrative staff have released a lengthy response to the FBI and bystanders
FBI's LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga. – Krebs on Security
Russia detains hacker behind Australia's Medibank attack
Russia arrests three alleged SugarLocker ransomware members
Change Healthcare incident drags on as report pins it on ransomware group
Ransomware Groups Are Bouncing Back Faster From Law Enforcement Busts
'Alarming' cyberattack hits Canada's federal police, criminal investigation launched
ConnectWise ScreenConnect faces new attacks involving LockBit ransomware | Cybersecurity Dive
Microsoft rolls out expanded logging six months after Chinese breach | CyberScoop
Sandvine added to US Entity List
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
FACT SHEET: ONCD Report Calls for Adoption of Memory Safe Programming Languages and Addressing the Hard Research Problem of Software Measurability
Risky Biz News: Backdoor code found in Tornado Cash
House China committee demands Elon Musk open SpaceX Starshield internet to U.S. troops in Taiwan
The UK Is GPS-Tagging Thousands of Migrants | WIRED
How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin | WIRED
New Biden order would stem flow of Americans' sensitive data to China - The Washington Post
Transcript
Hi everyone and welcome to Risky Business. My name is Patrick Gray. Adam Boileau will be joining me in just a moment to walk through the week's news and we'll also be joined by a special guest this week, my good friend, Dmitri Alperovitch, who will be talking to us about the latest Elon Musk slash Starshield slash Starlink Taiwan flap. Per press reports, a US House committee has fired off an angry letter to SpaceX
claiming that the Starshield service the company provides to the US military
has been disabled over Taiwan in breach of contract.
It's supposed to be a global service.
So yeah, more Starlink drama for the Starlink drama gods, basically.
This week's show is brought to you by allow-listing company
Airlock Digital, and its founders, Daniel Schell and Dave Cottingham,
joined me this week to talk through a couple of things.
Daniel has spent a couple of months pulling WDAC apart
to see if Airlock could instrument it.
That's Windows Defender Application Control.
And that would mean they could launch a driverless version of their software,
and they got some mixed results when sort of pulling this thing apart.
Dave Cottingham, meanwhile, chimes in with his prediction that Windows 12 is going to involve mandated signed code everywhere, basically.
And, you know, he makes a pretty compelling argument on that one.
And we'll sort of talk through, like, what that will get us and what it won't.
Because that is an interesting conversation.
That's coming up later. But first up, it's time for a check of the week's security news. Adam, welcome.
Hello there, Pat.
Let's start off with a bit of a follow-up on LockBit. LockBit is dead, long live LockBit.
Yes. After the law enforcement takedown of LockBit, which we discussed last week, which was, you know, quite flashy and, you know, had all of the right ingredients, LockBit seems to have bounced back pretty quick. We've seen a number of organizations being hit with LockBit. I mean, presumably those are campaigns that were in flight already as the takedown was going on. But the LockBit admin, LockBitSup himself, or if it's a group, have come out with a very long and almost unreadable diatribe against the US government and, you know, saying he'd vote for Trump and so on and so forth. But the net result is, you know, LockBit has hidden services up and running and appears to be still providing LockBit-as-a-service, and it's all rather a mess. So we've seen, I mean...
Let's hold our horses for a moment, shall we? It's only been about a week, or a week and a bit, and I just don't know how much confidence I'd have in LockBit's, you know, freshly restored infrastructure at this point. This sort of reminds me of back in the day where it's like, oh, Silk Road's down, and look, Silk Road 2, just like the other Silk Road except with more feds.
Yeah, Silk Road 2 is back up and running, you know, and that didn't last long at all. And if you read through the diatribe that LockBitSup has published, I mean, there's a, I think I said this on Twitter, which is, you know, there's really strong "this is fine" vibes to it, you know, where they're like,
oh, we think they got us through PHP.
We're not entirely sure, but we've spun everything up
with patched PHP.
It's like, well, if you're not sure that's how they got you.
I mean, what's to say they're not in there again?
I don't know.
And I think it was last week you made the joke.
It's not like they could just hire Mandiant or CrowdStrike
or someone to come and help with the incident response.
And as we know, incident response is legitimately hard.
And throwing a motivated actor out of your environment is hard.
And when that actor is, you know, nation state capability, like you're in for a rough time.
So like there's a lot of bravado here and there are organizations still being ransomed. And so, you know, as metrics go,
the fact that there's still crime being done in their name,
I guess, is not great.
But, yeah, it's just been a real mess.
Look, I think it's premature.
I think it's premature to say Lockbit is back.
You know, this could be like, you know,
I guess I'll steal a term from finance here.
It could be a bit of a dead cat bounce.
Yeah, yeah.
And for example, Andy Greenberg has a piece over on Wired
entitled Ransomware Groups Are Bouncing Back Faster
From Law Enforcement Busts,
where he looks at the LockBit one
and the BlackCat ransomware gangs' takedowns
and said both of these groups are back up and running very quickly.
Therefore, this process doesn't work anymore,
which I think is a bit one-dimensional in terms of an analysis. But, you know, these groups are distributed and made up of all sorts of different groups of people, and there's no doubt that the LockBit takedown did pick up a lot of affiliates and people who were, you know, involved in this overall process. Like, there's a lot of people and a lot of moving parts. So it is still, as you say, kind of too soon to say, but that's probably not, you know, super reassuring for the organizations that are being LockBitted this week.
No, of course not. But I mean, another thing that the LockBit, you know, admin has claimed is the reason the British, you know, pulled the trigger on this operation when they did is because they have
court files from Fulton County, Georgia, and they're going to release them
and, you know, and there's Trump stuff in there and blah, blah, blah, blah,
blah, blah, blah, which, you know, seems like a coincidence to me.
But now, of course, they still have that material and it looks like they're
going to release it.
And Krebs on Security has a great report up here
where they've looked at the sample set that they've released
and it looks like they certainly do have the goods here.
So we might start seeing all sorts of juicy, you know,
sealed court information coming out of Fulton County
and onto the internet, including, like, you know,
stuff that should be sealed to protect, you know,
sources and identities
and whatnot. Like, this is a pretty big deal.
Yeah, it's certainly going to be a mess. And the LockBitSup persona, you know, really did seem to be picking a fight with the US and picking a fight with, you know, the feds and the people who've been busting him. And, you know, we've all seen IRC, well, not everyone, those of us who are old enough to have seen IRC, seen wars, you know, this can have all sorts of collateral damage that spills out into other people's systems and environments. But I think, you know, ultimately, if you're a Russian crime gang, trolling law enforcement is just not in your best interests, right?
And if they are serious about continuing on with their line of work
because they've got enough cover from Russian law enforcement
and they feel safe where they are,
then the rational thing to do is to not go out trolling, right?
It's to quietly move somewhere else and just get on with your life,
collect your money, buy your Lamborghinis.
You know, when it starts to get emotional like this is when you make mistakes.
Yeah, yeah. I mean, we did see the countdown to the LockBitSup identity, which was excellent trolling from law enforcement, and of course when it was time to unveil the identity, they didn't. I mean, you remember in Slack I was predicting that they'd just replace the countdown timer with a poop emoji, right? And they did something similar, which is they, you know, they posted a thing that said: LockBitSup has claimed to live in the United States. He doesn't. LockBitSup has claimed to live in the Netherlands. He doesn't. LockBitSup has claimed to drive a Lamborghini. He drives a Mercedes, though parts may be hard to source. Which says: we know who you are, we know what car you drive, and we know you're based in Russia, where Mercedes parts might be a little bit difficult to source at the moment. And then we've got, you know, a follow-on message: we know who he is, we know where he lives, we know how much he's worth, LockBitSup has engaged with law enforcement, smiley face. And, you know, I mean, people took this to mean that, oh, LockBitSup is now talking to the cops. And it's like, well, maybe. That's a bit of a troll there, but, you know, I took it to mean as, like, engaged, you know, in one direction, I guess.
Yeah, engaged in the looking-at-your-webcam direction, perhaps.
Yeah. But, yeah, like, as you say, we are not going to know for a while, and maybe we will never know exactly how much, you know, drama there is going to be. Because, you know, the chances of being arrested in Russia when you're a cybercrime operator, even when you've been identified,
is still pretty low.
However.
However.
However.
Now, this is a great story that I'm very happy to report on.
And funnily enough, our colleague, Catalin Cimpanu,
actually predicted this would happen.
So Alexander Ermakov, who is the gentleman who is believed
to have hacked Medibank, the Australian private health insurer,
this is the guy who was sanctioned back in January, back last month,
he's been arrested.
Arrested in Russia.
Arrested in Russia for ransomware crimes.
Now, what's interesting about this is when he was essentially doxxed
by the Australian government, Catalin said, you know, in our Slack,
he's like, this guy is about to have a real rough time, right?
Because now he's been outed as someone who has a lot of money
and if he doesn't have protection, you know, he's just in for a rough ride
and now we find out that, you know, by the looks of things,
soon after he was named,
he gets scooped up on some charges related to something else.
My guess is there's a bunch of cops
just dividing up his Bitcoin stash right now
if he doesn't want to get sent to Luhansk.
Yeah, I mean, that seems very believable to me.
The reporting that we've seen so far
says that he was involved in a group called SugarLocker
that had been doing some ransomware and apparently they had ransomware things in Russia.
SugarLocker doesn't appear to have a leak blog or anything.
They appear to be just a ransomware without the leaking part of it.
So we don't really know what they might have hit or anything, what those excuses are.
But they sure do feel like excuses to pick him up
and rumble him for what he's got.
Yes.
So.
I mean, result.
Yeah.
I mean, yeah, it's a result.
And, you know, who knows what will happen to him after this.
You know, it may depend on how much money he's got lying around too.
He may be able to bribe the cops that have got him,
or as you say, he may end up, you know,
contributing to the special military operation as a...
Yes, as a part of one of those meat waves.
Yes, frontline latrine cleaner Alexander Ermakov.
Yeah, so, you know, this doesn't quite vibe with what Andy Greenberg wrote in Wired, which is that
doing this stuff is pointless because they just reform.
I mean, here we've got a case where, you know,
my strong feeling is if this guy wasn't named by the Australian government
as a wealthy cyber criminal,
he would not have been scooped up by Russian authorities.
Yeah, and, you know, I guess it's probably a chance
for the Russian authorities to remind everybody else who's doing this
why they should be paying their, you know, top cover bribes and so on.
You know, encouraging everybody else is important.
And, you know, regardless of how effective
taking out ransomware gangs, you know, through legal methods has been,
this one particular guy,
probably not likely to tussle with Australia again.
And, you know, even if it's just one person not doing it,
that's, you know, still a very small success,
but success nevertheless.
For some reason, you know, every time I'm thinking
about this Ermakov guy getting arrested,
I keep thinking of Jimmy Pappas from The Departed.
You remember The Departed?
Oh, yeah, yes.
Jimmy Pappas.
I got the clip.
Here it is.
What happened to Jimmy Pappas?
Jimmy had a rough month.
Jimmy had a heart attack in jail,
and then he got himself knifed at Boston City Hospital.
I believe it's been in the papers.
You seem quite happy with that result.
It's a f***ing result.
Yeah, but cui bono?
Who benefits?
Cui gives a shit? It's got a friggin' bow on it.
And that's, you know, that's kinda, that's how I feel about this guy. Like, you know, result.
Result.
Yep.
Now, from nation state, from "we was hacked by a sophisticated nation state" to "well, it was actually ransomware."
We've got this group Change Healthcare,
which is a healthcare IT platform, I believe, American?
Is that right?
Yeah, they're the people that provide services
for a significant number of pharmacies in the United States.
Them being offline has caused some very real grief for people
trying to get their medications.
But in their SEC filing, I think they said that this was
like a foreign nation state group, and now it looks like it's ransomware.
Yes.
So they did an 8K filing in February, like a week ago now,
where they said, yes, this suspected nation state associated
cyber security threat actor
did it to them.
But unfortunately for them,
the BlackCat slash ALPHV ransomware crew
stuck them up on their leak site.
So that's not a great look.
And yeah, we've, you know,
it's been a while since we've seen the like nation-state ate my homework
excuse being used by people who've been ransomed.
And, you know,
I'm dubious about their claims of nation state attackers now.
Yeah, yeah.
I mean, it could just be that they got it wrong initially.
Of course, yeah, absolutely. It could be, you know, they saw a Russian IP address and off they went.
But, you know, if you're going to tell the SEC and your investors that,
then you kind of need to at least be reasonably sure.
And yeah, it's not a great look.
I don't think they would have just seen a Russian.
I think we're past those days.
I mean, I want to believe that we're past those days.
I would like them in a good quality incident response teams.
Yes, clearly past their point, but we don't know who's doing their incident response.
You know, it may be Jim's Mowing incident response, right?
I mean, I don't think that's a franchise that exists outside of Australia.
But, you know, Jim's Mowing is a lawn mowing franchise of some repute.
The Mounties in a bit of trouble, Adam.
Yes, reports are that the Canadian Mounted Police,
their feds, have some sort of cyber incident.
They haven't said ransomware.
They haven't said it was nation state attackers.
They have asked that cops who work at the RCMP be vigilant
and they have reassured people that there is no, you know,
like safety or security impact to Canadians.
But, you know, having your federal police owned,
however it goes down, it's probably not a great look.
LockBit revenge?
Could be.
Could be.
I mean, that's what you do when you get taken down by the Brits and the Americans.
You flail around looking for anyone you can smack that looks vaguely like it.
That's pretty much right.
English speaking.
English speaking.
Part of the Five Eyes Alliance, that'll do.
Yeah, close enough.
Close enough.
Now, let's talk about ConnectWise ScreenConnect.
So this was the CVSS 10 that we talked about last week.
A couple of interesting things have happened here.
First of all, ransomware crews of all stripes
have just piled in to exploit this bug,
which I guess is not so surprising.
But the company, the vendor itself,
like initially handled this really, really badly and has since turned around and actually got it together.
Probably too late for most of the customers still running on-prem versions of their software.
But walk us through exactly what happened here because it wasn't pretty.
No, it really wasn't.
So ConnectWise is a company that makes ScreenConnect as a product.
They've been around for a while and they sell this kind of desktop support interface used by a lot of managed service providers to provide desktop support to fleets of people.
And this product's been around for a while and it was originally licensed in a mechanism where you bought it once, you got a perpetual license to use it, but you had a subscription for updates. So many people bought it, it was relatively inexpensive, provided good features, and then they would pay for upgrades to continue to be current with it. At some point, that company was bought out by somebody else. The new owner moved to a cloud model where, you know, previously you had on-prem appliances that people would phone into and your support people would connect into and get screen sharing. The new owners moved it to a cloud service with a subscription model and they removed the perpetual license plus upgrade model and replaced it with a you-just-pay-per-month. And for many managed service providers that change was a 10x increase in cost.
So there were a lot of people who kept using the on-prem ones
that were perpetually licensed,
but were not paying for the upgrades.
And so when this bug comes out,
there was no upgrade path for these people
who were out of license.
And so then the company initially said, if you don't have it, tough, you know, you don't get an upgrade per the original license agreements. That obviously didn't go well when it's a CVSS 10 that leads to remote code execution. They released, quietly released, a free upgrade to an older version, sort of like the last maintained one of their previous release, and said you can upgrade to that. But they were very quiet about the fact that you could do that, and everyone else who showed up basically got upsold to the new versions. And then they changed their mind after that and decided they were going to make it available for everybody to download and use. But the net result was a very big mess, a lot of very unhappy managed service providers, because this was used a lot by kind of small, medium managed service providers that are very price sensitive.
And in the meantime, everybody's getting owned who doesn't patch.
Well, but then they went out and they bricked,
well, they disabled all unpatched appliances as well
for people who hadn't patched.
I think they only took that step when it was possible
to upgrade them for free.
But that feels like oddly, you know,
it feels like the right thing to do actually
because there would have been some people who were unaware
that that was happening.
So the security boss of ConnectWise showed up on his LinkedIn
and had a bunch of posts.
And honestly, they read pretty well.
Like he seemed sensible.
He seemed smart. It felt like there had been a, you know, a fight internally about this. It feels like someone who's in a bad situation, who is, like, someone who you and I would sit down and agree on most things with.
Yeah, like, that's what it felt like. It felt like after a while he had convinced them, you know, the company, of the PR risk that they were facing. They had decided everyone upgraded free. They released a new upgrade that disabled the license check during the upgrade process. And yes, their licensing mechanism allows them to temporarily revoke a license, so they revoked anyone who phoned home with an old enough version to be vulnerable, and then there was a process that if you patched it, your license got automatically re-enabled. Which, you know, smart solution, you know, stopped some of the bleeding. But in combination with the previous history about how the licensing used to work and so on, there was just a lot of very angry customers that were confused and mad about the whole process, and they could have perhaps handled it a little bit better.
Yeah, so all in all, all in all, I just think this is a story that, to me, just sums up where we are with a lot of this type of kit. You know, it's stuff that's been around a while, it's changed hands a couple of times, you know, it hasn't really been modernized in any particular way. Some of the businesses have some funny approaches.
I mean, a lot of this stuff winds up bought by larger companies
that are just, you know, it's almost like the PE model, right,
which is to just squeeze as much money out of this existing client base
as possible while the thing dies.
I mean, not all PE companies do it that way.
Some of them bring in companies and then revitalize them,
but often it's just squeeze the last drop of blood out of the stone.
Yeah, like the OpenText, Broadcom, you know, that kind of thing.
The VMware thing, like what we're seeing with VMware right now, right?
And this is sort of like the end stage of what that looks like.
But look, again, I got the same vibe out of the LinkedIn post
from the CISO as you did, which is like,
here's someone who's trying to do the right thing in a bad situation.
Yeah, and I saw some other staff members from the company posting in Reddit threads and so on, and they all seemed pretty genuinely upset around the situation the customers were finding themselves in. So, like, clearly there's still some good people there. But, yeah, the, you know, the world appears to have changed around both users of that software and probably some of the people who work on it.
And the prevalence of a model where you could sell
perpetually licensed software and then charge for updates,
that business model I think is dead, right?
Security has meant that that's just not a viable way
to sell your products anymore.
Yeah, no, agreed, agreed.
Staying with vendors behaving badly
or bad vendor situations, I guess,
because I think we kind of landed
that the people who were charging for the patches
were all trying to do the right thing,
which is an odd place to be
when you're talking about a story like that.
But it looks like Microsoft
has finally turned on some additional logging
after this incident that involved
a stolen signing key that allowed Chinese APT
crews to just fabricate and mint valid tokens that would be accepted for auth.
Oh my God.
Anyway, can't wait for that CSRB report because that's going to be a cracker.
It's going to be such a good read, yes.
It is.
But yeah, so finally, here they are.
They've turned on some additional logging.
You and I had a conversation about this yesterday.
And it's interesting because I actually do understand the dilemma when it comes to Microsoft offering to retain this stuff for everybody. Because the volume of data you're talking about, if they're to offer comprehensive logging to every single customer, I can kind of understand why they think, you know, some customers should pay more. I disagree with them, but it's not a trivial amount of storage, it's not a trivial amount of compute to sort of pull all this stuff together. It's good that they've come through in this case, but, you know, a mom and pop store probably doesn't need as detailed logging as the State Department.
Yeah, I think where it got ridiculous is the idea that they would want to charge an organization like the State Department extra for keeping rudimentary logs, right?
Like, that is ridiculous.
If you want to do business with US government federal agencies or mainstream large enterprises, you need to be able to offer them those logs for free.
And that's kind of where we landed, isn't it?
Yeah, I agree completely. And, you know, anyone who's ever tried to ingest Windows logs normally, like just off a, you know, off a domain controller, even off Windows workstations, right, that logging is messy to start with. Like, it's high volume, pulling signal out of that noise is real hard, storing it for a long time is hard, and I cannot imagine how many logs Azure makes, you know. And so, yeah, I think you're, you know, you're absolutely right, there are volume concerns, performance concerns, like even just searching and indexing that stuff's expensive, but clearly it's necessary. And so what they're doing now is they're offering extended logging to federal agencies and they're increasing the log retention period from 90 to 180 days, and I assume without charging more. But, you know, obviously that involves more cost for Microsoft, and doing that for the whole platform, I mean, go fire up, you know, your Chrome web inspector and look at how much noise just using Teams makes all day every day, right? I mean, so many API calls, so much stuff. To do, like, comprehensive logging of that platform, you know, at a useful level, is going to be hard and expensive and big. And, you know, I don't know.
I mean, I think even rudimentary logs would be useful here, right? And I think Microsoft is in a pretty good position, and now they've got an incentive. Now that they're expected to offer this stuff for free, they've got an incentive to do some tuning here and actually figure out, like, what really do we need to keep and what do we not need to keep. And if you're, you know, spending a million dollars a day on hard disks or whatever to store logs, then you've got budget to go do log tuning, because all of a sudden it makes sense. Whereas an individual, you know, consumer of Azure
has no very real incentive or means to be able to go tune that stuff.
Like only Microsoft can do that.
So yeah, if it pushes them towards it, then hell yeah.
Yeah.
Now moving on, let's talk about Sandvine,
which is a company based out of Canada
that does network-based kind of spooky collection gear.
I remember back in 2020, they pulled out of Belarus
when it was revealed that their technology was being used
to crack down on protesters and whatever, and they said,
well, you know, butter wouldn't melt in our mouth,
we're out of there.
And they were trying to do business with the US government
at certain points, like the DEA and whatever,
and US government didn't touch them, largely because
they'd done business with a bunch of undesirable
places. This has, you know, obviously they have been doing a lot of that, because they just got sanctioned. And you have to be behaving real bad before you get hit with the sanction stick, especially as a Canadian company. Tell us about this.
Yeah, so they've been placed onto the entity list, along with people like NSO Group and so on, for their, well, the one that's been cited is them selling surveillance gear to the government of Egypt.
Bloomberg reported, I think, back in 2020 that they had done business with a whole laundry list of countries.
So Algeria, Afghanistan, Qatar, Russia, Thailand, Turkey, the UAE, Uzbekistan, Kuwait, Pakistan, like a whole bunch.
And they've been clearly shopping this gear around.
So sticking them on the U.S. entities list,
along with a whole bunch of their subsidiaries in other countries,
means that U.S. technology companies are not going to be able to do business with them,
not be able to sell them services, which, you know,
I don't know where Sandvine gets their hardware from
or whether they, you know, use Azure.
They kind of have a rough time, I guess,
with the US ecosystem being pulled out from under them.
It's a pretty big stick to hit them with.
Yeah, it is, it is.
Now, just quickly, we've got a bit of a follow-up
on the iSoon leak that we spoke about last week.
Trend Micro has a post up, sort of, that ties some of this iSoon stuff
to some activity it's seen targeting people in Taiwan.
Yes.
Trend Micro has linked it with a group that they track as Earth Lusca.
This is a group that they've seen most recently interfering
with elections in Taiwan,
and they've looked at the overlap of some of the targeting information, places they've seen Earth Lusca, and data we've got from the iSoon leak that had details of some of their victims. There's also overlaps in tools. And they had previously said that Earth Lusca operated out of Chengdu, which is where iSoon seem to be operating from. So a number of indicators that kind of pointed together, which is, you know, we figured that there was enough information in that leak to tie them to.
Yeah, like, I mean, I said it last week, over time we're just going to get more and more linking and whatever, you know, so we're seeing some of that happen now. The White House, I mean, it is just, you know, it's awesome to see this on a White House, you know, press release. You know, ONCD Report Calls for Adoption of Memory Safe Programming Languages and Addressing the Hard Research Problem of Software Measurability. So the Office of the National Cyber Director has published a technical report called Back to the Building Blocks: A Path Towards Secure and Measurable Software, and they're saying, you know, that's it, everybody needs to use memsafe languages. And, you know, again, you and I were talking about this one through the week and we agreed that this was the best advice that they could have given anyone 15 years ago.
Yeah, exactly. I mean, as you say, it's nice to see it on White House letterhead, but, you know, mem corruption bugs have been on the downward trend for a long time. Although it is, you know, it's just kind of rewarding. I'm trying to imagine, you know, as a teenage kid reading Smashing the Stack and Phrack, you know, back in '93 or '4, whenever it was, and we, you know, first got introduced to buffer overflows in the more general, you know, beyond the Rob Morris worm kind of world. Like, it's wild that it's,
you know, we've finally got to the point where this is a thing that,
you know, the White House is, you know, weighing in on.
But, as you say, rather too late.
I mean, we're going to really have to see what steps the US government
takes to put, you know, we're going to have to keep an eye on what sort
of demands they make from industry, right?
Because I think there is still a little bit too much thinking along the lines of if we
just get them to do this, do you know what I mean?
Like a lot of problems are going to go away and you just, you know, it's like squeezing
a balloon in a lot of ways, right?
You just push the problem somewhere else.
So, you know, this won't save you from all of the dumb logic bugs and it won't save you from all the sort of, you know,
cross-site request forgery in admin interfaces on appliances
and, like, there's just so much here that it won't touch.
And I do worry that eventually we're going to wind up
with a bunch of checkbox prescriptive rules
that don't actually do anything.
And, you know, that often happens when you introduce rules.
Although, you know, you see other ones where, you know,
things have to have a mechanism to be updatable and things like that.
So some of it's quite sensible, some of it's not.
And, you know, I have no problem with the White House saying,
encouraging the use of memsafe languages.
That's great.
I just do worry that, yeah,
I just do worry about the bigger picture here
and where it's going to wind up.
But, you know, I'm prepared to be pleasantly surprised.
Let's just leave it at that.
At the very least, we get to have a whole bunch of jokes
on InfoSec Mastodon about how they're taking our pointers.
That's right.
That's right.
They're taking our pointers.
What have we got here?
Ah, finally, Adam, Tornado Cash.
There was some weird, like someone was having a go at Tornado. Now, this is, of
course, the sort of, you know, standalone blockchain app that launders bitcoin for people, you know,
mostly ransomware actors and, like, the worst type of people imaginable. Um, you know, people have been
sanctioned over it. Like, I think as soon as your bitcoin touches this thing it's automatically
added to some sort of list, right? Uh, but there's been some sort of supply chain attack against it. Is that right?
Yeah.
So Tornado Cash is these days an open source implementation
of a cryptocurrency mixer that you can run on different blockchains.
North Koreans have been using a lot of Tornado Cash over the years
to obscure their stolen crypto.
In this case, a developer or someone who was operating an instance of Tornado Cash on IPFS, the InterPlanetary File System, which is kind of a sort of blockchain adjacent, I guess, in this context.
And they had backdoored the front end where you submit your funds to be mixed such that it basically could then, they basically kept the private keys of the mixed funds so they could later steal them
or track where they went or whatever else.
In this case, I think it was just a developer
attempting to make profit.
Personally, I didn't feel any more sophisticated than that.
It's just the usual, you know, kind of snake pit
that is the cryptocurrency world.
But yeah, we've seen at least one case of mixed funds then being subsequently stolen and
used. But, I mean, it did give me some ideas. Yeah, yeah. I mean, there's some value in the
overall thinking of, uh, you know, there being no good cryptocurrency mixers that aren't operated by
Feds. Yeah, yeah.
So I'm thinking, you know, maybe if you're one of the, you know,
US Treasury or FBI or, you know, NSA or Cyber Command,
you might want to, you know, just put your little thinking caps on and have a bit of a read about this.
I've linked through to Catalin Cimpanu's write-up on this one.
Yes, yeah, Catalin did good work on this.
I didn't see much other coverage of this anywhere else.
Yeah.
All right, Adam, that is actually it for the week's news,
but let's bring out our feature guest now.
Dmitri Alperovitch is best known in the cyber community
as the co-founder of CrowdStrike,
but he's been out of that for years now.
And these days he runs a think tank called
the Silverado Policy Accelerator.
He also has his own podcast called Geopolitics Decanted,
which I help to produce and sometimes appear on as well.
And yeah, Dmitri's interests these days are less about the cybers and more about geopolitics.
Dmitri, welcome to the show.
Thanks for having me on.
Now, tell us about this latest Starlink slash Starshield slash SpaceX flap,
because it looks like some sort of, what is it, Committee on the CCP has written an angry letter to SpaceX saying our Starshield terminals aren't working in Taiwan,
you know, this is a breach of our contract, this is outrageous, blah blah blah blah. And meanwhile
then you've got SpaceX on Twitter saying that's wrong, why are you going to the media? It's a mess,
but can you walk us through exactly what's happened here? Oh boy, Starlink geofencing is like
the saga that never dies. We spend so much time on this podcast, on my own podcast, talking about Ukraine. Now we
have Taiwan, right? So here's what happens. So Mike Gallagher, who's the chairman of the, uh, Committee
on China in the House of Representatives, uh, on the Chinese Communist Party, uh, just went to Taiwan
this past weekend and got back from Taiwan learning, apparently from talking to
presumably U.S. servicemen who are there, that the Starshield service, which, as your listeners may
recall, is the separate service that the U.S. government has just procured this past summer,
which probably relies on a lot of the same infrastructure as Starlink but is dedicated
to the U.S. military, supposed to not have any geofencing
whatsoever, is supposed to work everywhere, that the Starshield service apparently is not working in
Taiwan. So Representative Gallagher wrote a letter to SpaceX demanding to know why and when that's
going to be turned off, accusing them of a breach of contract. Look, my own view here is that SpaceX probably messed up.
Starlink almost certainly is geofenced in Taiwan because Elon wants to have a good relationship with China.
And probably because of the shared infrastructure,
they didn't anticipate or they forgot
that they were also geofencing StarShield.
And given that they do have a contract
to provide a global service,
and given the fact that Elon really
is the world's richest defense contractor, right?
I mean, SpaceX basically lives off US taxpayer money,
both NASA and various intel agencies
that are sending up satellites through SpaceX.
He really can't afford to piss off the US government.
So I think you're probably gonna see a resolution
to this coming soon.
I think you're probably right.
But the thing that surprises me about this is that it got to the point where a House committee felt that it needed to write a letter
and then leak it to the media.
Like, why could this not have been resolved more directly
and in a simple way?
You know, it just suggests to me that the relationship between the US government and SpaceX, which is now a major, you know, as you point out, it's a major government contractor, is not particularly good.
That the lines of communication are not particularly clear.
And, you know, and then this sort of mess happens.
Like, it just, it's weird.
Yeah, I mean, part of it, of course, is Elon and his own interesting ideas, shall we say, that he expresses on his X service.
But part of it is also, I think, that SpaceX really is not a traditional defense contractor.
They're not sort of the Beltway Bandit, as we call them here in America, where people come out of the government.
They're embedded in these companies.
They know and have very good relationships with the U.S. government. They're sort of a California Silicon Valley firm that also happens to do a lot of U.S. government
work and defense work, but really wants to treat itself as a Silicon Valley company. And Silicon
Valley traditionally has a lot of disdain for Washington, D.C., doesn't want to learn how the
city operates and how to work with politicians. So I think that's part of the problem. But look,
I think the other reality here
is that there is tremendous amount of concern
amongst the grunts, if you will,
inside US government,
inside of Space Command
and other units within US military
about the reliability of SpaceX.
I can tell you that I've heard
sort of discussions going on
about the use of what's known as DPA,
Defense Production Act
Authority, which is our way to compel companies to act in service of the nation. So we did that
famously during COVID, where we asked a bunch of people to produce ventilators, when we thought we
were running out of ventilators. And it's used actually now fairly frequently in a lot of national
security purposes. And there's sort of rumblings of like, well, maybe we should use DPA on Elon if he's not going to cooperate and do what we want,
because that's a way that we can force the issue. So I think SpaceX really needs to figure out
how to make a better relationship with all elements of the US military. Obviously,
their NASA relationship, I think, is actually quite good. But on the US intelligence side,
military side, perhaps not as good. I mean, we saw a recent flap in Ukraine as well
where there was a geofence introduced along the front lines
and there might have been some good reasons for that too.
For example, stop Russians from being able to use the Starlink terminals
on their side of the lines and whatnot.
But the Ukrainians were like saying,
look, we can't really push forward anymore
and maybe you could turn this geofence off
and it looks like Starlink's done that, which, great, but now Russians are in fact using Starlink and, you know,
the conversation has shifted to, well, you know, maybe you could, uh, help us, uh, ban certain accounts
that we know are used by Russians or, or whatever. It just seems like SpaceX isn't very responsive
in these sort of situations. The fact that this Ukraine thing
has turned into a flap, this Taiwan thing has turned into a flap. You know, as you say,
you know, I'm not surprised that people within, you know, the US defense and intelligence
establishment are sort of questioning the company's reliability. Yeah, although I would
separate Ukraine because it's one thing to say no to US government, which SpaceX really can't afford to do at the end of the day. It's another thing to say no to Ukraine, which, you know, is getting a lot of these terminals as
Adam, I know you did a bit of research on this this morning
to see if you could actually figure out
whether this infrastructure is shared.
And it looks like Starshield, which is the military version,
the ultimate goal of Starshield is that there'll be
a couple of hundred satellites that offer Starlink-style capability,
but they're going to be completely controlled,
owned, operated by the US government.
But they ain't up yet, by the looks of things. So there's probably some shared infrastructure,
which would support what Dmitri was saying earlier, which is this is probably a mistake.
And just because Starlink service isn't available around the Taiwan area, that might be why the
Starshield stuff isn't working. But that's what this looks like, right? Where there's a little
bit of shared infrastructure happening
until they can spin up the US government's very own.
Yeah, I mean, the contracts for Starshield are still pretty fresh.
And there's like, what, $1.8 billion US dollars worth, I think,
signed for SpaceX to put Starshield-related gobbins up into the sky.
But people who keep track of Starlink launches
and kind of other SpaceX launches with
U.S. government stuff on it have got, like, maybe a half a dozen satellites that they can attribute
to being, you know, plausibly Starshield related, and some of those have been on other non-Starlink
launches, for some of their Transporter, you know, rideshare launches up to orbit. So, like, right now, my guess is that this, you know,
the StarShield service such as it is,
is probably just running as a, you know,
a virtual service over the top of Starlink
whilst they put satellites up.
And part of the plan for StarShield
was to also provide, you know,
hosting space for other payloads,
other USGov payloads on SpaceX's satellite
buses that are going up. And so all of that takes time. So, I mean, my guess reading this
is that probably there was just a miscommunication about how the service is provided in Taiwan.
Obviously, according to SpaceX's kind of, you know, retail presence, you can't just go buy Starlink in Taiwan. It's listed as unknown on their ordering page.
But I imagine in the interim,
they provided the US government
with a Starlink service branded Starshield
that just uses off-the-shelf Starlink
everything in the meantime.
And perhaps that's not working in Taiwan
for whatever reason.
Given Elon's business relationships with China,
I can imagine that
being a sore point, but we don't know that. Well, all right, I think we're going to wrap it up there,
gents. Adam Boileau, uh, thank you very much for everything this week, uh, always great to chat to
you and we'll catch you again next week. Thanks so much, Pat, I'll talk to you then. And Dmitri, thanks
so much for being our, you know, our special guest to talk about all things Starlink and Starshield.
Always great to have you on the show
and we'll have to get you back
for a full news slot later this year.
Cheers.
Great to be with you guys.
It's time for this week's sponsor interview now
with David Cottingham and Daniel Schell
from Airlock Digital.
They make an allow listing solution
that's actually usable at scale.
So, you know, a true Australian success story, these guys.
Lots and lots of happy customers all over the world.
And yeah, Daniel, who is Airlock's CTO, has spent some time with WDAC lately,
which is Windows Defender Application Control.
So Daniel was curious to see how easy it would be to instrument allow listing policies via WDAC.
And currently, Airlock uses its own kernel driver, but Daniel's going to talk about whether
or not they can use WDAC in lieu of their own kernel driver.
And Dave's joining us with a prediction, and his prediction is that Windows 12, there's
going to be a big push to only allow signed code to run on Windows 12, basically.
But here's Daniel to kick things off by talking about his journey of WDAC discovery.
Enjoy.
I guess when I look at WDAC, I'm looking at comparing it against Airlock's feature set
because I'm trying to do a mapping, right?
Because I'm thinking like, hey, maybe there's some ability that we can actually manage like
a driverless Airlock where we manage the WDAC policy.
You know, how feasible is that and what the limitations are around that? And that's been a really interesting journey because we've really found,
um, that we can actually implement some of our functionality into WDAC. Yeah, in a funny way. So
we can, like, we can actually add some of the exception handling. We have a feature we call
one-time pads, which is like exclusions where the help desk gives them a code that lets them
unlock their PC temporarily for a period of, lets them get on with it, you know, then a workflow to trust those files afterwards,
and then apply that to policy.
We can actually do the same thing in WDAC, but it's not saying that WDAC itself can do
natively, I guess, you know, because what it's missing, I guess, at the end of the day
is the orchestration to, you know, collect those events back to the server, do the management,
et cetera.
I guess, and, you know, we were talking actually before we got recording
and this isn't your roadmap, right?
We shouldn't tell customers that,
hey, you know, the next version of Airlock
is going to be doing, you know,
all of its actions on a box via WDAC.
But, you know, is that something do you think that,
you know, do you think you could actually use WDAC
in lieu of a driver to get done what you
need to get done on a box? Yeah, we definitely can. Technically, I don't think there's any reason
you can't. But what we found is, you know, just some core ways that WDAC works a little bit
differently than we do today. But it really, at the end of the day, just means that we have to
collect a little bit more information or different types of information to make trust decisions on,
because, you know, they'll use different hashing algorithms
for certain use cases.
Publishers are treated
a little bit differently.
So we just need to make sure
that we can operate the same way.
So at the end of the day,
we have to be able
to generate the XML.
So all the information
that we need to put in the XML,
we need to collect
from that operating system.
So do you think there's a chance
that we'll see some other companies
and not necessarily pure play allow listing companies, but other security companies coming in and trying to do some level of instrumentation through WDAC?
Do you think that's kind of what it's for?
I don't...
Dave's got his hand up here.
Yeah, so it's interesting because in the Apple ecosystem, you have the Endpoint Security framework.
Yeah, and that's what it's for.
That's why I'm asking, like, do you think it's the same sort of vibe? It's a nicely instrumented,
here, go consume this feed. Same with fanotify even on the Linux kernel. But on Windows,
WDAC is really a closed system. You know, Microsoft are building it as part of a Defender offering
and it's kind of like PowerShell, it's sort of kind of closed and you can hack things around
and throw things into the system
in order to influence it.
But it's not sort of API driven
and easily consumable.
It's not designed for that.
You kind of got to reverse engineer
what does this tag in the XML mean
and then...
Exactly.
Like, you know,
I still think even if we were able to use it in a driverless way, we'd still need some sort of agent.
Sure, that agent could be user mode, but it's not simple.
Unlike Apple and maybe a Linux.
Well, and we should point out too that you use that API on macOS to make your stuff work, right?
And I remember when you built that client, it didn't appear to take very long to get that one done.
No, it was far quicker to develop, you know,
and it was just interesting working
with the different ecosystems, you know,
what the changes were.
Well, it's a shame, isn't it,
that Apple's probably like 2% of the devices
that you allow list and, you know, Windows is like 98%.
It'd be nice if it was the other way around.
Yeah.
In your case, I'm not, you know,
this isn't supposed to be
I know that Mac OS isn't exactly
a business operating system but yeah
they definitely got that part of it right
yeah 100%
I'd add on top of just the WDAC
instrumentation
I've been doing a lot of this thing for a while
and the fact
that I sit here with looking at
XML files for months
banging my head against the wall
just screaming like, why?
It's
Yeah, so this isn't them making a play
to encourage an ecosystem
where people are going to use this
as an instrumentation layer
that's what I was wondering
Yeah, I think so
So then what the f*** are they doing?
I think what they're doing right now
is they're making it better into Microsoft Intune, with the
idea being is that if your organization deploys an app through Intune it will be trusted on the
endpoint through a capability they have called managed installer. Yeah, and then that's the play,
like if you push software this way. So this is like an Intune, this is going to be some sort of Intune integration so that, like, your SOE is allow listed, I guess? Yep, yeah, yeah, and that's correct. High five,
Microsoft, that's a wonderful thing to introduce to their product set, but it ain't, it
ain't really, yeah, again, like it's not really, yeah, it's not really the full kit and caboodle, is it?
No, no, but it's really interesting how they've actually instrumented all that, um,
because what's actually happening is you have to actually turn on AppLocker again. So you have to
bring that back, and then you need to, um, make all these dummy policies so it can actually properly
start, um, and then there's a new type of sort of hidden policy called a managed installer policy
where you can then make a rule that says, hey, well, this executable, let's say it's the Intune agent,
is now trusted as a managed installer. And, you know, of WDAC, you can even just turn off WDAC completely. And
what that means is that every time that this installer does actions on the disk, it's actually
tagging extended NTFS attributes of those files and saying, hey, this is a managed installer that
was installed by this app at this time. And then when you turn on WDAC, there's an option for WDAC
which is like trust managed installer, and then it trusts those NTFS extended permissions. So what are
they stuffing? Are they stuffing like signatures or hashes into, uh, like NTFS alternate streams or,
like, how are they doing that? No, there's a feature called, like, extended attributes. Oh, there's like,
so it's not an alternate stream, it's a different feature. Yeah, that's what I wondered. My NTFS knowledge is like frozen in time from about
15 years ago. Yeah, and these probably existed back then for some reason.
Right. But the way that, and this is interesting
and there's been some research in the past where people have found out ways that you can sort of like copy these
files off and modify the attributes and then now you've tricked, you know, there's been CVEs
in the past about people tricking systems
that rely on these.
But what Microsoft have done with WDAC is that when,
or I guess from the kernel now,
is that when you make extended attribute modifications
from the terminal, they actually are protected
that they can only be changed by the kernel.
So there's like user mode extended attributes,
and then there's kernel extended attributes.
So since WDAC's doing this stuff,
all this stuff's happening from kernel tagging with the AppLocker drivers.
At that stage, what's going on is that you can't remodify those. I mean, I think that's kind of cool,
you know, like having a massively overkill, overly complex, like, that's one place where I'll accept
the complexity, sirs. Oh yeah, clearly the engineering. I mean, and also the, you know,
your database becomes the file system of trust.
You know, and that's pretty cool.
Long story short, I mean, it sounds like WDAC is interesting,
but you won't be ditching your kernel driver anytime soon.
I think that's where we're at.
No, yeah.
Yeah, so, yeah. So, look, Dave, you wanted to talk about
something else, uh, while we got you here, which is a bit of a prediction. And you think in Windows 12
Microsoft's going to do a big push towards, you know, only signed code, but they're going to, like,
democratize code signing and there's going to be, everything's going to be signed. And what you described to me, it just sort of sounds like, you know, Let's Encrypt but for
signed executables. So when Let's Encrypt, Let's Encrypt democratized, you know, uh, SSL certificates,
you wound up with like signed phishing pages, and this sounds like what we're going to wind up with
is like signed malware, hooray. I mean, what's that, what's the plan here? I mean, look, and in my
opinion, all of this engineering that we've talked about in Windows core isn't for Intune
deployments, right, for businesses. Like, you do this to build it into the operating system. And with
Smart App Control, you know what I think will happen is in Windows 12 that all, uh, user mode
code signing will be enforced and you
won't be able to run binaries without having signed code. Um, and what that means is that there's
just more traceability on all code. But I feel as though it will also cause a Windows Vista UAC type
moment where people will upgrade to 12 and go, oh, my app doesn't run anymore, why not? And that will
just be mandatory and it will
sort of, you know, rise the tide, make all developers sign their code if they want it to run on the new
version of Windows. And the way that Microsoft's trying to get people to sign code is through this
thing that's been in preview for the last four years, which is Azure Code Signing, which is they're
trying to give people a free way to actually, you know, have an Azure account through pipelines, get the code automatically signed through keys that are stored in their Azure account.
And, you know, it will give you spit out signed binaries in your build.
And also WDAC trusts Azure code signed code by default in the actual core policies.
So, you know, I really feel as though this is the way we're heading in the
ecosystem. Apple does this already, you know, you have to notarize everything that you, yeah, you run
and are allowed to run, and I feel as though it's one of those changes. What you said is true, it
introduces a sort of modicum of traceability for everything, right? It does, and, you know, I
don't think the current ecosystem of software signing, like for us to sign code, you know, we might have, you know, a system where we'll go to DigiCert or whatever, get a USB key.
We have the private keys and that doesn't work at scale if we're going to get all developers across the world to actually make sure their code is signed. So, you know, we need systems like Apple's notarizing service
where you can contact them, say, sign my code,
and it gives it back in an easy way.
And that's what Azure CodeSigning is trying to do.
Well, I'm guessing it's going to make, like in a lot of ways,
it'll make your life a lot easier too when just everything is signed
because that's one of the biggest dramas, right?
When you're trying to run an allow list is dealing with unsigned code.
And there's so many vendors out there,
like, because I know, you know,
you'll go into an environment
and then there'll be this some niche software
that they just don't bother signing.
And it's a drag is what I'm getting at.
So like Microsoft kind of forcing people to do this,
it's going to be great for you.
Yeah, definitely.
And I think that, you know,
we're still going to have a long tail on legacy, of course,
but, you know, it's really going to improve things overall as much as it's going to cause headaches, I think, in the short term.
And again, this is just our opinion and we will see how quickly it happens.
But it's inevitable, I think, that it will happen, you know, at some point.
And the engineering points to that.
Now, I guess the question is, if you democratize code signing, how easy does it become
to sign malware, and then we're just going to see malware-signed code. But, well, we will, but it's like,
I guess, you know, from an auditability, traceability point of view, it's good. From making your life
easier, it's good as well. So I think it's one of those things where, yeah, it's just, it's worth doing.
Daniel, you've been trying to jump in, uh, for quite a while. We've got to keep it quick, though, because
we're going over time.
Yeah, no worries.
I guess just since you said let's encrypt, I guess the difference here might be to some degree is sort of that identity stage is still there, the Microsoft code signing.
So what I was just going to say is the Microsoft code signing is all code sign preview project.
What's interesting about that is you sign up for that, or when you get that enabled, when it comes out of preview finally, you then get, your organization still does get verified as it does with other CAs. So there is that stage, you know, you still verify you own the domain and all this other stuff,
and then, yeah, you can sign the code. But the difference is, at the end of the day, is that,
you know, your code signing, the signature, private keys and such are protected by your Azure credentials,
right? So they're not, you know, today there's a lot of situations where your certs are on disk,
developers have them, they lose, they get stolen,
they get uploaded to GitHub.
That whole attack vector gets gone.
No, I don't know though,
because then at that point, you know,
someone just needs to steal an Azure account, right?
Like instead of actually hacking into a place
where the keys are stored.
So I don't know that that's actually much of a game.
But I think there's a lot more controls there, right?
But there's additional access and all this other stuff, right?
At that sort of scale, I'm skeptical because, you know, Microsoft can barely handle all
of the account takeovers on its platform already. Dave, final comment. Does that give the ability for
code revocation globally? What if this system is running, like, hey, your stuff, your account got
compromised, there's malware out there signed? Or do you think that that's just antivirus? Would they
leverage this as... Well, see, I don't know.
And that's what I'm saying. There's going to be all sorts of
weird and wonderful ways that this is going to
go sideways, right? But Daniel,
Dave, always such a pleasure to
chat to you both. Thank you so much for joining me.
And thanks for your continued sponsorship
of the Risky Business Podcast,
my friends, and we'll catch you again through the year.
Cheers. All right. Thanks, Patrick.
Thanks, Patrick.
That was Dave Cottingham and Daniel Schell there
with this week's sponsor interview.
Big thanks to them for that.
And you can find them at airlockdigital.com.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back next week with more security news and analysis.
But until then, I've been Patrick Gray.
Thanks for listening.