Risky Business #746 – Microsoft takes your security seriously*
Episode Date: May 1, 2024

On this week's show Patrick and Adam discuss the week's security news, including:

Microsoft reassures* us that they take security very seriously*
Cisco ASA firewalls get sneakily backdoored, but no one's quite sure how
Change Healthcare was 1FA Citrix all along
The FTC, FCC and other government sticks get waved at tech
Lizard Squad Finn who hacked the Vastaamo therapy chain gets sentenced
And much, much more.

This week's sponsor is Zero Networks, who make a network micro-segmentation product that is actually usable. Zero Networks CEO Benny Lakunishok joins us to talk through why firewalling everything everywhere is finally workable.

* You'll forgive us for being… a tad sceptical.

Show notes

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks | WIRED
Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO | TechCrunch
Microsoft CEO says security is its No. 1 priority | Cybersecurity Dive
TrustedSec | Full Disclosure: A Look at a Recently Patched Microsoft…
Vintage Microsoft flaw resurfaces, threat actors attack with golden GooseEgg | Cybersecurity Dive
FTC commercial surveillance rules could arrive within months, sources say
FCC takes $200 million bite out of wireless carriers for sharing location data | CyberScoop
Know-your-customer executive order facing stiff opposition from cloud industry
Tech companies must help the fight against extremists using encryption: ASIO boss
Josh Taylor on X: "Yess, excellent question from @Paul_Karp on why AFP et al aren't using the powers they already have. They say one technical assistance or capability notice has recently been issued. https://t.co/pEXrvjK5Q4"
IN FULL: ASIO and AFP respond to X chairman Elon Musk, issues social media warnings | ABC News - YouTube
China-linked PlugX malware infections found in more than 170 countries
Belarus secret service website still down after hackers claim to breach it
Man Who Mass-Extorted Psychotherapy Patients Gets Six Years – Krebs on Security
Sweden's liquor shelves to run empty this week due to ransomware attack
Congress picked a direct fight with ByteDance and TikTok. The privacy implications are less clear.
Telegram blocks, then unblocks, chatbots used by Ukraine's intelligence services
Elon Musk's X takeover crushed Twitter's profit to just $4804 in Australia
Australian court orders Elon Musk's X to hide Sydney church stabbing posts from users globally | Australia news | The Guardian
After the Christchurch attacks, Twitter made a deal with Jacinda Ardern over violent content. Elon Musk changed everything - ABC News
World on the Brink: How America Can Beat China in the Race for the Twenty-First Century - Kindle edition by Alperovitch, Dmitri, Graff, Garrett M.. Politics & Social Sciences Kindle eBooks @ Amazon.com.
Transcript
Hi everyone and welcome to Risky Business. My name's Patrick Gray. This week's show is brought to you by Zero Networks, the company that has made micro-segmentation something that you can actually implement. Benny Lakunishok is the co-founder and chief executive of Zero Networks and he'll be joining us later on in this week's sponsor interview to talk about why people are actually doing micro-segmentation now. And long story short, he says it's because ransomware has cost insurers so much money that they're starting to demand their customers do it. And yeah, people are actually having to take their pen test reports seriously these days. That's another factor, particularly when a key finding is "this network is wide open". That is coming up later, but first up, of course, it is time for a check of the week's security news with Adam Boileau.
And Adam, of course, I was off last week,
which meant, you know, another crippling border device bug.
This time there was some drama with the Cisco ASAs.
Yes, we saw some reports of nation-state attacks, particularly attributed to the Russian GRU, Fancy Bear, up in people's Ciscos. And we saw Cisco releasing some patches, which sounds kind of normal-looking. You know, the Russians were breaking into people's Cisco ASAs and then essentially dropping a remote access Trojan for the Cisco devices on there, that they could then deliver payloads to via shellcode embedded in certificates for VPN authentication, which is a pretty cool backdoor technique. But interestingly, these were reported to Cisco by the NSA, and we don't really know what the actual initial intrusion vector was. The two bugs they reported: one of them is like admin on an ASA to code exec on the underlying box, but you have to be admin and you have to be able to connect to the admin interface and so on. It's in the thing that allows you to upload packages for VPN clients that people then download when they're connecting, and there was a way that you could kind of path-traverse, I guess, out and write into the file system of the device. And the other bug was a denial of service leading to a reboot. So neither of these were an actual initial access bug, so there must have been a bunch of, you know, admin creds that were nicked at some point to gain access to these devices. So it's a little bit... you know, the reporting that we've seen has been "oh look, more Cisco bugs", but it is a little more nuanced than that.

Yeah, yeah. So I guess what you're saying is we don't really know the full story here.

No, we don't, and it seems to have some trails back a number of years. Like Cisco said they saw some preparation for this back in 2023, so it's been kicking around a little while. And the fact that the Five Eyes intelligence agencies were over it suggests kind of what it was being used for. So, interesting.

But you're right, shellcoding certificates, that's pretty sneaky.

It's pretty sneaky, yeah. So we've got some data about some of the backdoor components that they were dropping, so you can go and look for, you know, indicators of compromise. But yeah, more interesting than usual edge device hacks.
Yeah, although I mean, it's just amazing how often we're talking about these sorts of things now, right? Like whether it's the Citrix or the Fortinet or now Cisco, it's like this has become just such an easy way, right? Like I think depending on your target, you're going to get better results with this than you are by trying to spear-phish and then getting detected and, you know, not going anywhere.

Well, especially when there's, you know, dot-dot-slash bugs in your Palo Altos, right?

Yeah, that's a way easier life than having to go phish for creds. But yeah, this one was just interesting because it wasn't that straightforward.

So anything on the edge of the network is a great target. And if you can backdoor it and hide in it and use it for pivoting onwards and stealing creds, and all these things are often domain or centralized-authentication integrated, like it's the place to be for doing hacking.
You know, it's funny with the Cisco stuff though, like access to the underlying operating system. I got a good friend who found a bug, and it was like you had to connect to the device through serial to exploit this, right? But you could actually punch through. It was some Cisco gear that had like a Linux base operating system, and you could punch through, trojan the crap out of it, and then no one using the Cisco CLI interface would actually find that stuff. So I think in response to that bug being disclosed to Cisco, they just EOL'd like a whole bunch of products, which was not quite the response... But it was some sort of like shell punch-through or something. It was so easy to exploit and they just EOL'd everything.

Yeah, I mean, embedded systems are just a really interesting place to find those kinds of bugs, because it's often not really meant as a security boundary, like between the CLI interface that the company provides and the underlying operating system, which often isn't like a real operating system, but it is Linux-y enough. Or, you know, it's not meant to be end-user serviceable, so they don't really care about it that much. And, you know, I've dug through a few of those in my time, and it's always great fun seeing how these things work on the innards and then abusing them.

Well, I think it's just a lot of people who are punching commands into a Cisco interface probably think that they're interacting with an operating system, and you're not.

You're not. You're interacting with a thing that pretends to be, but underneath it's something entirely else. Underneath the mask, it's a penguin.
Now look, let's talk about a turducken of fail here, because this involves a border device and, you know, an absence of MFA. No bugs were exploited, apparently, but we've got some info here on how Change Healthcare, you know, managed to take down a substantial chunk of billing services for the entire US healthcare system. And it's as depressing as you would think.

It is just as grim as you imagine. So the CEO of UnitedHealth, which is the parent company of Change Healthcare, he provided some testimony to the US House, and he said yes, they got in through single-factor Citrix with creds that they had got from somewhere. We don't know whether they were stolen or whether they were guessed or whatever else, but yes, single factor into the Citrix on the edge of the network, and then onwards to, as you said, let's disrupt, you know, half the healthcare, or more than half the healthcare system in the US, which is not how it's meant to be.

Yeah.
I mean, I think increasingly something that vendors like Cisco, like Fortinet need to think about, and I know that this isn't going to solve for all of the cases that we've discussed here, but I think increasingly they need to start gating network access to these things via SSO. They need to do SSO integrations. I mean, we're working with a startup that do this as a third party, but really I think the vendors should be building this as native functionality.

I mean, the problem is we can't trust the vendors to not make a mess of it, right? Especially when these are firewall vendors. I mean, Fortinet is the sort of people that ought to be selling you a firewall that can SSO-integrate, but do you really want them to be the one doing it? And then doing it as a third party provides you some controls, but at the cost of, you know, some added complexity and so on. But I just feel bad, like if you said to Citrix, we need you to put more auth into Citrix, it's probably not going to solve the Citrix problems that we've got.

Probably not going to go your way, right?

Yeah. They're just going to add more complexity and therefore more bugs. And what we want is simplicity and a single-purpose, you know, packet filter.

I don't know though. I just, I mean, I think if you can really restrict those boxes, their interaction with the outside world, just to only talk to the IdP before they open a port, I mean, I think that's, you know, that's hard to mess up, Adam.

Yeah, yes, yeah, I agree completely. And the Knocknoc-style approach of doing this certainly makes me feel better about, you know, our content management system not being on the internet.

Yeah. Anyway, I didn't mean to turn this into a Knocknoc plug-fest. I'm just saying that, like, vendors should probably be doing this themselves. And, you know, Knocknoc shouldn't need to exist for major, you know, for equipment that comes out of companies worth tens of, you know, billions of dollars. But anyway, moving on.
Speaking of companies with a lot of money that should know better: Microsoft. This is funny, right? So we've got a headline here from Cybersecurity Dive where Satya Nadella has come out and said cybersecurity is our number one priority, right? It was during an earnings call last Thursday, and, you know, this is something he said: now, you know, 100%, we're fully, you know, behind security and whatever. But it was funny, because you and I had a conversation with our colleague Tom Uren about this, and Tom's like, yeah, I read the transcript and that part was like one paragraph, and then he just went straight back into talking about Copilot. Which is funny, because you'd think if it's your number one priority, it might account for more than a couple of paragraphs in your speech.

Yes, we would certainly like it to be number one priority, but I don't think that it is. And, you know, obviously their actions are what's going to matter here rather than the words on the earnings call. But, you know, I think we are rightly sceptical that, you know, this is the turnaround that Microsoft kind of needs to take on board and go do. And, you know, we will see. It would be nice if it was number one.

I mean, you would admit that it's encouraging, you know, even though limited time and space was given to that comment, you would agree that it's encouraging when a chief executive of a company like Microsoft says that.

It is. Like, yes, it's better than nothing. And it's better than "security is not a thing that we care about at all". But, you know, we've just got to see some concrete action from them. And, you know, when we were putting together the news list for this week, you know, there's a couple of stories about Microsoft fails that are the sort of thing that, if it was a number one priority, probably should happen less.

Well, I think, I think it means it's a number one priority starting now.

Yes, starting now. And then, you know, after the next thing, starting now. Yes. I don't know if you've ever seen Barry, but yes, he's like, I'm gonna stop killing people... starting now.

But yeah, talk about this TrustedSec one. This is a Microsoft Graph API vulnerability that allowed brute-forcing against 365 accounts. Like, this is, you know, I mean, you expect to see these sorts of bugs affecting cloud services, but you really would hope a company like Microsoft could do better.
Yeah, so this is quite an interesting one, where you can brute force passwords, you know, against Microsoft identity services through the Graph API, and you can do it in such a way where it doesn't show up in the logs. Basically, you brute force somebody else's cloud API through your one, and at some point that doesn't make it through the logging. So the net result is you have... I'm not clear about what the rate-limiting situation is here, but essentially, yeah, you can try credentials and they just straight-up don't show up in the logs. Presumably if you buy extra logs maybe it does, I don't know. But yeah, this is the kind of thing that cloud services are so complicated and there's so many moving parts, you can totally understand how it happens. But this is also Microsoft, who is now the auth provider for half the Western world. So yeah, we do kind of have to expect better from them. And I think that this was a really interesting contrast with the other thing we're going to talk about in a sec, which is a very traditional, you know, like on-prem Windows bug, like the classic Microsoft style of bug, and then this one, which is, there's just so much complexity and it's all hanging out there on the internet in Azure. And, you know, they do gotta do better. Like this is, yeah, you know, it's a dumb... like it's not straight-up code exec, it's not something, you know, fancy or sophisticated, but it's the kind of workaday thing that hackers use.

I mean, they do mention, to your point, that you can still get locked out of an account by doing this, but apparently if you vary the source IP address enough, you can get around that a bit. So it's not like open slather brute force, but certainly a little bit more open than you would hope for and expect.

Yeah, and also the fact that you just don't see it in the logs makes it difficult to understand what's going on and why your environment is being like it is.

I mean, if you've got a huge residential proxy botnet and enough time, this sort of thing would be quite useful, I'd imagine.

Yeah, or indeed other cloud providers, right? Because there's plenty of moving your IP around when you're coming out of a cloud service somewhere else, or even Microsoft's own, you know, spinning it up on Azure, doing the brute force from there, moving around.

Yeah, but I mean, that's going to look shady. You know what I mean? Like, I don't know. I mean, people are owning all the D-Links for a reason, right?

Yes, yeah. But I guess it's hard to look shady if you're not being logged.

Yes. I mean, it'll look shady on the infrastructure side when you're spinning it up to do this sort of thing. But yeah, talk about this other old-school Windows print spooler flaw.
Yes, warms my heart. So a Russian crew, I think also GRU, Fancy Bear, were using a bug called GooseEgg, which is a local privilege escalation in Windows through the print spooler, which, yeah, that's a thing that we have seen many times before. This one got patched, I think, a couple of years back, but they have been using it since 2020, and Microsoft patched it quietly without saying that it was being used in the wild. So it's now on the CISA KEV list. But yeah, this was a, you know, pretty classic bug, and the sort of thing that, you know, when we've seen bugs in the print spooler in the past, they're all about the fact that the spooler handles files from low-privilege users to print them, and writing that into the space where the spooler stores them, and then they're parsed and operated on in a different security context, like as SYSTEM on Windows. That's a place that there has been so many bugs that you kind of want to fix it at root cause, not point-fix it every time there's an implementation flaw.

Yeah, just band-aids every time, right? Is what they've been doing for so many years.

And it's a great example of, if security is number one priority and you see a couple of bugs of this style in one place, it's probably time to go overhaul it. So we will see whether or not we see an overhaul to the print spooler in the future.

I mean, stuff like this, you know, looking at it from a glass-half-full point of view, I mean, stuff like privescs through a print spooler is the sort of thing that EDR is going to catch.

Yeah, I mean, yes, it's the thing that we are, you know, because it's been happening for so long, we are pretty well equipped overall to spot this kind of thing. It's just it would be nice if these bugs weren't there in the first place. It would be nice if we didn't have to rely on EDR to maybe catch it and for someone to maybe respond to it.

Yeah, I'm with you, pal, don't worry. Now we've got a bunch of stories to get through now looking at regulatory actions in the United States, and, you know, it's a bit of a theme, isn't it, over the last couple of weeks, which is that governments gradually seem to be getting a handle on quite a few of what I'd call the sort of Wild West tech issues. And the first one we're going to talk about is some new rules that the FTC is going to introduce, which look a little bit like, you know, a regulator having a bit of a crack at a sort of data protection, you know, a set of data protection rules. But the FTC is certainly planning on cracking down on some of this open slather sort of commercial consumer surveillance stuff.

Yeah, I mean, there's so many businesses whose business models rely on collecting data about consumers and then packaging it up and selling it. And the FTC is working on some rules that will basically apply a set of guidance for what they can do, how they have to notify people, what kind of consent you have to get. Full-blown, you know, privacy legislation, and when there's been some rumbling about perhaps an overhaul of American privacy law in line with GDPR, which, you know, that will take a little while to process and maybe will supersede some of these things. But the FTC, you know, is a place where they can, you know, apply some regulatory stick to, you know, what has been, especially, you know, in the US, which is such a big economy, a pretty unregulated free-for-all with selling location data from mobile phones and data from ad SDKs and all those kinds of things, in ways that people didn't really understand when they signed up for those things. And I think this is a place that they can use their regulatory powers.
Yeah, and meanwhile, the FCC has fined T-Mobile, Sprint, AT&T and Verizon 200 million bucks for selling their customers' location data.

Yeah, so this stems from a number of years back. They have been packaging it up and selling it to data brokers, to the case where, you know, some American law enforcement person was just regularly using a service that would allow you to track people's phones to kind of cell-tower-level granularity, to deal with, you know, like bail violations and other, you know, relatively small-scale things like that, which then kind of opened the floodgates for quite how much location data was being used and sold. So the telcos have now finally been given a, you know, pretty clear spanking for it, although none of them are particularly repentant. Spokespeople from I think three of those four telcos basically said, hey look, we gave it to somebody else, and contractually we told them they had to do the right thing, and they didn't, and that's not our fault. But yes, the FCC does not seem to accept that argument.

I would say tell it to the judge, but in this case, tell it to the FCC, buddy.

Well, exactly. So, yes, they're having a whinge, but, you know, that's to be expected.
Now, we've got one here from The Record by Suzanne Smalley, which is talking about how cloud compute firms are having a good old cry about a government plan to introduce KYC requirements for, you know, cloud services. And, you know, I mean, I kind of see this one both ways, right? Like from one perspective, one of the reasons threat actors like to get into US, you know, launch attacks from US cloud computing providers is because, like, NSA can't really look at, you know, domestic stuff in the US, and it's just one less thing to worry about, you know, being detected because it's funny foreign traffic or whatever, right? So attackers are going to do that. So yeah, you know, maybe KYC is good. It's an extra hoop for people to jump through, but on the flip side, it is just a pretty small hoop, you know, or pretty large hoop, I guess we would say, to jump through. Pretty easy hoop to jump through, especially for, you know, foreign intelligence agencies. And so you wonder if the juice is worth the squeeze on introducing this as a requirement. What do you think about this, Adam?

So I think overall I am in favor of better KYC for cloud providers. I mean, I've certainly abused cloud providers in my time. Like, it does always seem a little weird that you can just plonk down a credit card and be using someone else's computer somewhere else in the world, you know, with so little friction.

And, you know, well, now you'll have to upload a fake license as well.

Now I'll have to upload a fake driver's license, which, you know, at least I'm doing two crimes now. But no, like, I understand your, you know, your reservations, and one of the trade groups representing a bunch of cloud providers, like, this is going to be so much overhead and admin. And certainly, like, having had to go through KYC for like a commercial PayPal account and stuff, like, it is a real pain for legitimate users to have to go through some of this process. But I think one of the things that struck me was there was an interview with the boss of the UK bank Standard Chartered, and he was talking about how cybersecurity is so important for them and such a big deal and how they work so hard at it. And then at some point through this interview, he says the quiet thing out loud, which is: we did this because the regulators made us, and now it's super important to us that we, you know, take all this stuff very seriously, we have such great controls. But ultimately, if you had, you know... I'm sure that there would have been trade groups for the banks saying the same thing about KYC for money laundering in the financial environment 10 years ago as well. Now we take it as granted that that's just a thing we have to do in finance, and it's been driving a bunch of other improvements. So I would like to see cloud providers have to get a bit more regulation, because I think it will just improve things overall, and they already charge us so much money.

I think you're probably right that it will do something to keep a lot of abusive activity away from US-based cloud providers, right? Which is, I guess, an effect that we would like to see, or that the Americans would like to see. I'm just sceptical that it'll do much for foreign-based, you know, state-backed threat actors, right? Like, that's the bit where I'm like, well, this is the reason you're giving for wanting to do this.

Yeah, yeah. Like, I don't think... obviously state-backed groups are capable of a fake driver's license, right? And especially when, you know, so many are sanctioned or have other controls in place already for them. Yeah, not a big impediment for them. But I think there's just a whole mid-tier of non-state, you know, cybercrime that would be impaired by this, even if it's only a little bit. Like, every bit's going to help, and I think the improvement it would drive for cloud vendors is probably going to be worth it, especially because there are going to be other regulatory sticks too.

So I reckon those databases that they have to put together with everyone's KYC information, you know, one of them gets popped and then everybody just uses those driver's licenses from there to eternity. I don't know, you know, that's the sort of stuff people will be selling, those identities for 20 cents on some Tor hidden service somewhere, you know. That's just... I mean, yeah.

I want to believe, though. I want to believe that there is some good news.

KYC bypass package, $100, you know, find us at, you know, anyway, whatever.onion. That's how I see that going. So, look, I mean, you know, I'm open to the idea it might do something, but I'm also open to the idea it will do very little, except provide some business opportunities to people who happen to steal enough of that sort of identifying information and license scans and stuff. Maybe.

Now look, turning our attention to some goings-on in Australia and the head of our domestic intelligence agency ASIO, Mike Burgess. Now, Mike Burgess used to run ASD as well, so Mike knows a little bit about computers. He gave some comments at a National Press Club address. It was him and the commissioner of the AFP talking to the media. And he basically came out and said they are having some problems with end-to-end encryption and that they would like vendors to be more cooperative. Now, one interesting thing that emerged from this National Press Club address is the AFP guy, that's the Australian Federal Police, said that they had actually issued one of the stronger notices under that Assistance and Access bill that was controversially passed, you know, some years ago, where people said, you know, this bill could be used to demand that people who make end-to-end encrypted software or whatever, like, you know, grant them access somehow by some mechanism that, you know, the government determines. And it looks like one of those notices has been issued. So I think there is going to be a bit of a showdown. There's a showdown coming between the Australian government and US-based tech providers on this stuff. And Burgess specifically was talking about what sounds to be a cell of quite radical Nazi types who are communicating with people based overseas, and they are having trouble getting access to their communications. Here's some comments from Burgess at that press club address.

"The reality for us is that in most of our counter-terrorism and counter-espionage cases, encrypted messaging apps are being used, and that's a problem for us, and we have to expend considerably more resources to deal with these threats, which limits the number of threats we can deal with at any one time. And right now we're as busy as we've ever been in our 75 years of history. We need their help. I think it's a reasonable ask. I'm looking forward to that conversation. I recognise there'll be people who will light up and share their views on how wrong we are. Isn't that wonderful, in a democracy we can have that conversation and listen to all views as well. So I'm looking forward to the conversation and maybe the rebuffs that will follow. Of course, we're here to ask for their help. We have good relationships with these companies. I'm here to ask for their help, and I will use the law if I need to, but I'm asking for their help because, as the Commissioner said, it's the way they design things we need their help on. Almost 100% of my priority counter-terrorism, counter-espionage cases, we can't bust through this encryption when we have the warrant. That's got to be a problem for all Australians, not just my people."

So there you go.
I mean, it's, look, you know, I get flack for generally being on the pro-access side of this debate.
But, you know, by the time ASIO's got warrants to go and intercept a communication, I mean, you are talking about something pretty serious going, being cooked up, right? And it's, it's the sort of thing where
I think most reasonable people, if they were given the full brief of why this access was
being requested, they would probably be quite alarmed by the fact that it could not be granted.
Yeah. And I think, you know and I think there are places in the world
where that kind of right to privacy is a bit more enshrined
as absolute, like in the United States,
whereas other countries like Australia, like New Zealand,
we have a slightly more pragmatic approach to it,
and that's a conflict between American-based companies
where this stuff is seen as, you know, sort of automatically, you know,
a thing to push back on, whereas, you know,
we've got laws that say, actually, no,
this is a thing that they should help us with.
And we don't necessarily have to say exactly how,
but, you know, I think, you know, as you said,
Mike's a reasonable person.
I'm sure he would listen to any suggestions from,
you know, whichever tech firms he's dealing with
about ways to solve problems for him.
Well, I mean, it's clear that they've reached an impasse.
Like, it is extremely clear from his comments that they've been through that process and
now they're at loggerheads.
And that's why I think there's going to be some sort of showdown.
Yeah, and it would be interesting to see the details.
And unfortunately, we probably won't see them.
I don't know how much transparencyian law has about those requests i imagine we don't get to see you know
all of the grubby details but i'm yeah i'm super curious right as to how this is going to play out
i mean i think you know you just touched on it there as well you know in the united states
there's the fourth amendment sacrosanct and whatever and just generally americans are very
very suspicious of their government they don't trust them i mean i think there's in some cases
they have reasons for for not trusting their government. They don't trust them. I mean, I think there's, in some cases, they have reasons for not trusting their government,
particularly like, you know, lower level law enforcement,
which in, you know, Australia and New Zealand
is handled very differently.
Like all police here are either state or territory police.
We only have a handful of those sort of police agencies,
not thousands of them, like in the United States
that lack uniform training and, you know, ministerial
accountability and whatnot, right? So it's a very different environment where there's just a lot
more trust, I think, from the average Australian in the government and a belief in doing this sort
of thing. So, but, you know, these companies are not based here and they don't have
to do what we say. And we've got another story we're going to talk about a little bit later on
that touches on that theme as well.
Yeah, and resolving that conflict is one of the, like, you know, the challenges of globalization, of using everyone else's technology stack. And, you know,
that kind of decoupling of China and the US in terms of their technology stacks, you know, in part is about resolving these differences, you know,
between our societies. And yeah, I mean, this is, this is hard stuff.
Yeah. Yeah, no, it really is. And it's like,
I just feel like this was always coming.
The can has been kicked down the road about as far as it's going to go.
And this is going to get spicy.
Yes. Yeah, I think you're right.
Like, this stuff is important and ingrained in so much of society and the challenges we face,
where every sort of crime group or terror group
or whatever else is now using tech
that they can't just bust into like they could 10 years ago.
Well, I mean, as he's alluded to there,
it's a question of resources
and for some high priority things they can,
but it's just so expensive.
And you just ask yourself,
should the cost of that access be borne by the taxpayer
when these tech firms that do make profits
from our countries,
shouldn't they bear the cost here?
Wouldn't that make sense?
Wouldn't it be funny if we introduced some sort of access tax on them
so that we tax their profits and use it
to fund the development of exploits in their tech?
And then it turns around like what was the profit of Twitter
in Australia last year?
Like $4,000?
Yeah, yeah.
Well, I don't think intercepting off Twitter is a huge
challenge, to be honest, but we're going to get to that in a little bit. But let's talk about
some more bread and butter infosec now, and the PlugX malware, which is used, it's linked
to the Chinese Ministry of State Security. Someone grabbed a C2 and just, you know, sinkholed it and stuff, but they collected telemetry and it's just everywhere.
Yeah, PlugX was the one that has, amongst other things, like USB spreading, and has been
used by various Chinese groups for a number of years now, and it's, I think, mostly abandoned
because it's just kind of too high profile in terms of detection now to be still in constant use by Chinese groups. But yeah, Sekoia managed to buy the IP address of one of the C2 servers
off some hosting provider or whatever.
Seven bucks.
Stood it up and started receiving millions of connections
from PlugX infections.
And apparently PlugX does have like a kill switch
where the command and control
server can send a, like, please terminate and shut down and remove yourself thing. And Sekoia have
been going around talking to various national CERTs to see if anyone would like them to, you
know, kill PlugX, you know, in a particular country's address space or whatever, which
sounds like a nice thing to do. Not sure if anyone's taken them up on it.
Yeah. It's like the ghost of malware past, basically.
Yes, yes, yes.
Do you still get Code Red when you plug a box into the internet now?
I wouldn't be surprised.
I mean, people who run up honeypots, write in and tell us,
but those boxes turn into hives of scum and villainy in milliseconds
once you put them on
the internet. But it's pretty funny, isn't it? Because I remember, I remember, like, I was around
when something was plugged in and I've, you know, just looking at some logs and I'm like, holy crap,
that's Code Red. And this is like a classic, you know, 10, 15 years after it first spread. So,
it's just, I don't know, is it, does it make you feel good that it's still out there?
it kind of does in a way.
Like, you know, watching logs on almost anything internet connected,
like you do see so much old classic stuff going past them.
And yeah, I don't know.
I feel nostalgia.
It's like an old strain of flu that can't make you sick anymore,
but still just sort of circulates, you know?
Yes.
Yeah, exactly.
Moving on.
And the Belarusian Cyber Partisans
have pulled off another caper, Adam.
Yes, they hacked the website of the somewhat poorly named
Belarusian secret service agency, the KGB. I guess they didn't Google the name before they picked it.
Well, no, they just left, they just never changed the name. They just left it. The wall came down, it's
still the KGB, you know.
Yeah. Well, anyway, the KGB in Belarus got their website hacked by the Cyber Partisans, who
helped themselves to a bunch of data in it. They got their access thrown out relatively
recently, and then they launched, they took the data that they had taken from it and they launched a
Telegram bot which you can upload pictures to, and it will check in the ID card database for the
Belarusian secret service that they've stolen and tell you if someone is a, you know, is a Belarusian
spy, which, like, that's pretty stylish. Cyber Partisans have done a lot of, a lot of funny,
funny things, but I guess also, like, it's a pretty serious situation in Belarus, so I'm
loath to make that much light of it. But yes, but they've done a
lot of stuff that is genuinely going to make life tough, yeah, for the Belarusian government, right? So,
you know, this sort of data theft and then just making this stuff available to all and sundry,
you know, which is going to help foreign adversaries of Belarus, like, just know an awful
lot more. Like, I think this is the only hacktivist group I can think of
that might actually be moving a needle.
Like eventually, maybe not all that far,
but most hacktivism doesn't seem to do all that much,
whereas this lot seems to think a little bit
about how they can inflict proper damage.
Yes, and certainly some of their previous hacks
have been pretty significant and had some actual legit impact.
I mean, what the future of Belarus looks like, you know,
it's kind of hard to say, but, I mean, it's one of those countries
where, you know, the old dictatorship, you know,
Soviet-era government, you know, I can't imagine can last forever.
Well, we say that.
We say that, but then here we are with Putin, so who knows.
Yeah, and Kim and Xi and, you know, I don't know.
You know, I think the, I sometimes wonder if these systems
will sort of implode the same way they used to.
Times may have changed a bit.
Now let's talk about a psychopath.
Aleksanteri Kivimäki, this is the guy who hacked
into the Vastaamo psychotherapy centre in Finland and was trying to blackmail, essentially, the clients of those clinics, because there were a lot of clinics under this umbrella.
He's been sentenced to six years in prison.
He'll probably only serve half that. I'm used to talking about how prison
sentences handed down to people who've done hacking are, you know, excessive, and in this case
I'm going to say it's the other way. Like, honestly, he'll be out in three years. I would be amazed if
we're not talking about this guy again in five, because, you know, he's just clearly a complete shithead, and this ain't enough.
Yeah, no, this did seem a little bit low,
and, you know, he, yeah, I think you're right about, you know,
the chance of reoffending seems pretty high.
I mean, this guy's been hacking since he was a kid.
He was Zeekill in the Lizard Squad crew,
and he had a number of convictions already in Finland,
but they were from when he was underage.
And so per the Finnish judicial system,
he's being treated as a first-time offender,
which is one of the reasons the sentence looks a bit smaller
and that he may get out earlier.
The kind of impact of this crime is hard to overstate, right?
I mean, there were tens of thousands of people in Finland
who were blackmailed with their therapy records.
And, like, this was a, that chain of therapy clinics
was like a provider to the national health system.
Like, this was not a, you know, a small or, you know, niche provider.
There were 25 clinics in a country of, what, like 5 million people?
Yeah.
You know, it was a big deal in Finland,
and we saw quite a lot of comment from Finnish politicians and stuff.
Anyway, I think, unfortunately, yeah, we will see him again.
And he's going to appeal as well.
He does seem unrepentant at this point.
So, yeah.
Yeah.
I think it's a fair assessment.
I think too.
I mean, there's a few things just about this guy
that set off some real alarm bells.
Like the fact that he went on the lam
with a fake passport, got picked up in France.
You know, he engages in extremely risky behaviours.
He just has all the hallmarks of an actual psychopath.
And I think anyone who commits this sort of crime
and then shows no remorse for it,
he just seems like a psychopath.
Yeah, and I don't think you're wrong.
There were a few small pieces that did make me feel good about the story. One of them was,
part of the way that he got arrested was he posted a selfie with a bottle of Evian water
with his fingerprints visible, and the Finnish police just zoomed in and went, yeah, okay, that's
that guy. So yeah, that was an OPSEC fail that was briefly entertaining.
And then they also correlated some payment records to, like,
OnlyFans back to him, and then he used the same card
to pay for attack infrastructure.
So through Know Your Customering with cloud providers,
they were able to kind of join his accounts back together.
Wow. So he's actually in horny jail.
Yes, he is literally going to be in horny jail.
So anyway, there's
some small pockets of amusement in what is
otherwise a horrific story.
Yeah, anyway, I hope your
appeal fails, dude.
And you have a bad time in prison.
That's about all you can say,
isn't it?
Now, look, you and I have both noticed that ransomware,
major ransomware incidents seem to have abated somewhat.
I mean, you know, this is not scientific.
We just go based on what gets reported, you know,
and we're always scouring the news headlines and whatever.
But a very serious incident in Sweden, Adam.
Very serious, yes.
So in Sweden, there is a national monopoly on alcohol supply
and the state companies like alcohol distribution providers,
people who actually truck the booze around to all the shops,
they got ransomware and are unable to deliver booze.
So if you want to buy liquor in Sweden, you may be in trouble.
Yes.
The shelves may be empty, although the company does say
they've got some other logistics company that may help them out.
But yes, serious business.
Well, look, the government doesn't want to be overthrown,
so I'd imagine they'll mobilise the army if they need to
to get the booze flowing.
But yeah, basically, if you want to sell, like, the,
only a state-owned company can sell anything with alcohol by volume of over 3.5 percent, which
I think is funny, you know.
Yes. I mean, they seem to do that in the Scandinavian countries. Like, a
number of the Nordics have that sort of state control of alcohol supply, because, you know, in the
middle of winter there's really nothing to do except drink, and that's one way to try and
stop them, you know, try and control the populace so all they can do is, you know, sit around
and record black metal in the forest in the middle of winter, because the only other thing to
do is drink and they can't get their booze.
Now, look, one thing I want to touch on briefly is
TikTok. So I think since we spoke the bill has been passed by both houses,
where I think that ByteDance has nine months to divest TikTok
or the United States is going to yeet it from the app stores.
It's going to be entertaining because already ByteDance said
they would rather shut it down than divest it.
They'd rather shut it down in the United States,
which is a totally normal thing to say for a profit-motivated company.
I'm sure you would agree.
Yes.
So that gets us to the point where at that point I think the United States
would then ask companies like Apple and Google to delist TikTok
from app stores, and I'm sure there's going to be legal challenge.
Well, I mean, Alex Stamos in some recent comments on another podcast
that he gave, you know, he seems to think that Apple will challenge that,
because that is really an issue of sort of state control over their affairs. This thing,
you know, either ByteDance is going to blink and divest because they want the money, or this thing
is going to turn into an absolute show.
Yeah, it's going to be a mess.
And, you know, we've been waiting for this kind of interaction between, you know, social media and national control
of these things for a while.
But it's going to be a hell of a ride.
Like, I don't know how it's going to go.
And I think that probably ByteDance blinking
is the most likely, but.
Well, but, you know, they might be getting instructions.
Yes.
Well, exactly right.
Which is kind of the point.
And, you know, this goes back to like, I think it was like a year ago where, you know, we were on this show saying, look, the issue here isn't about TikTok, you know, security concerns around surveillance and, you know, popping shells on people's phones.
The concern here really is that they're a gigantic media company.
Their share of screen time among Americans is extraordinary,
absolutely extraordinary.
So by any measure, they're a huge,
one of the biggest media companies in the United States,
and it's foreign-owned.
And that's never been something that governments tolerate.
If you look at Rupert Murdoch, the only reason he became, he's Australian, he became a United States citizen so that he could buy media assets in the United States. He was not able to do that previously. finance and they wound up taking it from Carlos Slim, the Mexican rich guy. And the reason that
they chose to pay a little bit more for this money from him is because being a foreign national,
he didn't present as much a threat to the ownership, right, of the Times if he decided to,
you know, make a move. So, you know, there's always been a restriction on foreign media
ownership in a lot of countries. So this is just one of those weird situations where it started off
as a, you know, Chinese controlled app. I mean, a lot of the shareholders aren't Chinese,
but it is a Chinese controlled app. And then, you know, it just sort of blew up. I think really
the thing that pushed this over the edge
was a lot of the stuff that was going around
after the October 7 attacks in Israel,
when you had 19-year-olds doing TikToks saying,
yeah, Bin Laden had a point.
And, you know, a lot of pretty grubby stuff
being elevated on the platform.
And, you know, I think a lot of US politicians looked at that
and said, yeah, okay, no, we've got to do something here.
Yeah. And, like, the examples we've seen in the past
of this kind of thing have been pretty different, right? And I'm thinking, like, you know, Huawei or
ZTE, or what was it, the Grindr, the dating app, was owned by somebody else. Was that China? I can't
remember. And they got forced to
divest, and it was done pretty quietly. Like, it was not a, it wasn't a big deal in the way that's...
Because they're not one of the biggest media companies.
Yes, exactly. And so this one is just,
like, it's at such a scale, and, you know, the nature of TikTok is that, you know, using it to motivate political response
to this is exactly the sort of thing TikTok is very,
very good at, whereas, say, doing the same thing
with Grindr might be more difficult, right?
So I think it's just going to be an interesting show,
and, yeah, I don't know what's going to happen.
I'm looking forward to it.
I mean, I've just realised the theme of the entire show
this week is governments versus tech.
Yes. Because we've got two more examples to talk about now. One is
Telegram. Telegram briefly blocked some Ukrainian government bots that are used on the platform to
do things like report UAVs and whatever. They restored them, but I do follow some Ukrainians
and they were furious when this happened, justifiably so, I think. But
we don't really know why they were blocked and then reinstated. But, you know, it's a mess, and this
is the thing, right? We've got a, a tech firm here, you know, a messaging platform that's become
important to national defense in Ukraine. Even the Russians use it too, right? So, so, man, it's like
the Starlink thing. It's like this. It's like TikTok. It's like, you
know, all of these issues are just coming home to roost now, it feels like, in a big way.
Yeah, yeah, I think so, right? I mean, we've moved away from platforms that were, you know,
kind of neutral in the sense that they weren't that involved in the content, you know, with phone
networks and, you know, kind of old school internet.
And I think like, you know, WhatsApp in Brazil, for example, there's places where, you know,
tech firms have an outsized involvement in a particular country, you know, in a particular
set of interest groups or whatever else.
And we don't really know how to navigate that boundary between what state, what's private
sector, you know, and when it's
other countries involved. I mean, Telegram is funny because it's, you know, sort of originally
Russian, but now not, but, you know, so involved in both sides of Ukraine and Russia. And it's,
you know, it could absolutely be in this case that it, you know, wasn't really political in the sense
that it was on purpose. Like it may have just been some abuse system went wrong or something,
you know, there could have been reasons that, you know,
this kind of spiraled into a bigger issue than it was intended to be.
But we don't know.
We don't know.
And that's the problem, right?
Because these companies need to think about this stuff
and then they might come up with a policy
and voicing that policy might get them into trouble.
So they can't.
So they do stuff that, it appears to be arbitrary, but it's not. You never know. And yeah, it's, it's tough, right? And, and I just
want to, you know, finally talk through this other issue that's happening in Australia. It's made
plenty of headlines around the world, where the eSafety Commissioner... We had a couple of
stabbings in Australia. We had one attack where a very seriously mentally ill man went and stabbed and killed six people at a
shopping center in an eastern Sydney suburb called Bondi. And, you know, just absolutely horrible
stuff. Initially, you know, people were very concerned that it was a terrorist attack. It
turned out, as I say, just to be someone who was very, very, very sick. And, you know, just an
absolute tragedy. And then a few days later, there was a 17-year-old boy
stabbed a priest as he was giving a sort of live-streamed sermon,
an Orthodox priest who's very popular.
And, you know, he just ran up to him and stabbed him
and it was all streamed.
It was on video.
And thankfully no one was killed, which was extremely fortunate.
The government did declare that one a terrorist incident,
which I think is setting the bar a little low, if I'm going to be honest.
But I guess that enabled them to do some things like round up some of his cohort
and whatever and search their properties and stuff.
So I'm sure there was actually a reason why that was done.
Now, the eSafety Commissioner here wrote to Twitter
and demanded that they take down
videos of that stabbing, and they geo-block them for Australia, which personally I think is enough.
The eSafety Commissioner has gone now a step further and is insisting that, in accordance
with Australian law, those videos are removed from Twitter globally. I think that's going too far. I do. I understand the thinking behind it, which is
that this is material that may promote terrorism and terrorist-related ideologies, and it shouldn't
be on the internet. Now, that part I agree with, but I don't think it's the place of the Australian
government to try to insist on a global takedown. I think that's insane, personally. What did you make of all of this?
Yeah, I mean, it is such a complicated set of –
well, I mean, it shouldn't be complicated, right?
Like, you know, I don't want to see videos of people
being stabbed on the internet.
But, you know, like I'm thinking back to when in New Zealand
we had the terrorist attacks here in Christchurch,
which were videoed and live streamed, you know,
and released on the internet. And getting to the point where you could stop that footage
propagating and getting it taken down, you know, took a whole bunch of work and reaching out to
contacts at, you know, at Twitter and other places, you know, in the US ecosystem. And,
it was a hard process. And there were a lot of nice words at the end of that process that, you know, tried to make this a thing that we could, we could do more globally, and perhaps less
based on law and more based on, like, let's be human beings about this. And no one wants to see,
you know, their relatives being killed in a live stream. Like, that's just horrific,
and we can kind of agree that's a bad thing. But it is hard to deal with cross-jurisdiction, you know,
and especially, you know, between Australia and the US
and New Zealand and the US,
like, we have similar sets of values, right?
But when we're dealing with, you know,
countries that do have very different sets of values,
you know, that whole process. I mean, you know,
clearly the Chinese government is not going to respond well to Australia telling, you know,
Baidu to take something down in China.
Well, and we wouldn't respond well to the Chinese government
asking us to take down something as well.
But I think really the perspective here from the, you know,
from the Australian government side would be,
hey, this is terrorist material.
Take it down, you know.
And I think that that is an effective
and appropriate thing to say. I don't
think it's appropriate to use laws
to try to do it. That's my position on this.
Yeah, you know, if there were easy answers
we'd be doing them. Governments
versus tech. Fight!
Basically, that's
the theme of the week. Well, mate, let's
wrap it up there. Great to chat to you. I
will be in the United States next week when we record the show.
I regret to inform you I'm going to RSA.
Yes, well, I hope you enjoy San Francisco.
I'm sure you'll meet a bunch of listeners there
because obviously there are a lot of people.
And so, yeah, if you're in the hood there
and you happen to see an Australian wandering around,
like it might be Patrick.
There you go.
Yeah, no, I'm going to be mostly spending my time at a side event being run by
Decibel VC, the VC firm. We, you know, a lot of their portfolio companies are our sponsors and
we're meeting with some other founders there and stuff and talking about 2025 sponsorships and
advisory agreements and all sorts of exciting stuff. So that's why I'm headed over. We will
be doing a show though next week and I have done a press registration for the main event so
I will wander through the
halls at the Moscone Centre.
Very exciting.
Well, I hope you enjoy,
and I hope you make it out of San Francisco alive.
Alright, mate, I'll catch you next week.
Yes, certainly will. See you then, Pat.
That was Adam Boileau there with a look at the week's security news.
And before I forget, everyone should go check out the most recent Snake Oilers podcast I published.
It's just the one before this in the feed.
It's an absolute cracker.
Push Security.
They do identity-based stuff with a browser plug-in.
It's actually a really compelling pitch.
Knocknoc, who do the SSO
to dynamic firewalling integration
and iVerify do mobile security.
Enterprise security gold.
So do go have a listen to that one.
Oh, and before we move on,
I just want to say a quick congratulations
to a good friend of the show,
Dmitri Alperovitch.
His book came out today.
It is called World on the Brink,
How America Can Beat China in the Race for
the Twenty-First Century, and you can buy it wherever you buy books.
It is time for this week's sponsor
interview now with Benny Lakunishok, who is the co-founder and chief executive of Zero Networks.
And I've seen demos of Zero Networks, and if you're looking to do micro-segmentation it definitely
looks like a way you can do it without hating your life.
It's agentless, it does a lot of learning and then switches to enforcement, that sort of thing.
But as I said to Benny, nobody buys stuff because it's cool, they buy stuff because they have to.
And with Zero Networks doing quite well, the question becomes, well, why? And in short, Benny
says ransomware costs insurance companies so much money that they're
really helping to encourage their customers to adopt these sorts of controls.
Here's what he had to say.
Insurance companies providing cyber insurance are losing a lot, or lost a lot of money on that.
And there is one thing that cyber or insurance companies don't like.
It's losing money, yeah.
On their insurance.
So what they did, they started a lot of stuff.
They started to say, okay, I'm upping the game of what I require.
And they have various requirements.
Some of them are driving micro-segmentation.
And there's more compliance in the market today because of that.
You know, governments and various bodies responsible for these audits, for these compliances are
like, okay, you need more stuff.
So because of all of that, there is rise for more prevention controls, not just micro-segmentation.
Because everybody understands, you know, we were in
prevention 30 years ago. Let's do a perimeter firewall, let's put an antivirus. Then it didn't
help in 2010 with the rise of APTs. Okay, the attackers are in, what do we do? And then we
started with the proliferation of detection solutions and visibility, which at the top of
that, EDR came and, you know and won the detection space, let's say.
And then in 2018, 19, 2020 as well,
because of that rise in ransomware and other, let's say,
simple attacks that make a lot of damage
and the business model for attacker for that,
we're like, how do we stop it?
We came back with that mindset because EDRs are not stopping them.
Like, if you think you can stop, I mean...
I mean, you can hope. I mean, EDR is stopping them.
Like properly configured EDR is stopping ransomware actors, right?
I led, you know, a bunch of stuff in the Microsoft EDR team.
And I have friends in, you know, something or other one.
And I know people at CrowdStrike.
And like I know customers all across from,
they get even while having an EDR,
one of the, you know, the top ones,
those even that I named.
So, I mean, that's usually when they're not using the,
you know, when they don't have someone watching it, basically.
So I think that's always the caveat with EDR is unless you've got someone watching it
and able to actively respond to it,
it's not much good.
So you just mentioned one star of the many stars that need to align
for the EDR to be effective.
First of all, the EDR needs to be installed everywhere,
then configured properly.
Then you need to have a SOC.
The people of the SOC needs to be vigilant.
You have a few that are really good and you have a few that are not.
You want to hope that the attacker is on the shift of the good ones.
Then they need to be vigilant and note what they're doing.
You need to hope that the attack is not as automated and fast because then you,
regardless, the human response will be always slower.
So if all of that happens and you actually do something,
and the detection is not a false positive, no false
negatives, it detects within a
minute, not within hours, as it
can do that as well. Like, if all
of that, then maybe you have
a chance. What I mean by that
is that while everybody needs an
EDR, must
Here's the thing, I mean,
I'm provoking you here, but I agree
with you. Like, people have viewed it for too long as a preventative control, and it's not very
good at that.
Right.
Like, and it's not, it's not even that it's not very good at it because considering it's
not what it's designed to do, it's actually very good at it.
Right.
But it's not what it's designed to do, which is why, which is why stuff, you know, again,
everyone hears me talking about Airlock, you know, allow listing software, fantastic control, really good for prevention.
And, you know, less alerts to pump into some SIEM somewhere, because attackers can't really do anything.
And I think this is similar, right?
I mean, this is a fundamental control that just makes life quite tough if you're on a network that has it.
Yes, exactly. So that, you know, allow listing of executables to run,
great, that's a good thing to have.
And then same thing on the network,
doing allow listing on network is extremely difficult and hard
and it's called segmentation and then that evolved
into micro-segmentation, which historically has been
really difficult, but because of everything that's happening,
the market is saying, okay, can you really do it? Not us, but generally speaking.
I think the way that you've just, you know, described this as a need being born of, like,
ransomware becoming such a big deal. It's, it's hard to remember that we were really complacent
until ransomware actors came along and turned absolutely everyone into a target.
Like the amount of uplift that's happened over the last like eight years is just extraordinary.
Right. You had major corporations who were still running pretty clunky AV, not really doing much logging.
And they were fine. They were fine.
I mean, you know, if an APT wanted to get data out of there,
they could, but they wouldn't even notice it.
But, you know, we didn't have these marauding bandits
coming in and burning stuff down every day, right?
So it has fundamentally transformed the landscape.
So it sounds like you've just really been a beneficiary of that.
Even before that started, I came up with the idea of Zero Networks.
So it's not like because of that, but it came at
a good time.
But I mean, it's cool, right? But no one buys stuff because it's cool. You know, they're not
buying it because it's cool, they're buying it because they don't want to get wrecked by ransomware.
No, 100 percent. So the timing was good. It created more pull from the market towards, let's call them,
prevention 2.0 solutions, that gives us a lot of push towards what we do,
which is great.
Yeah, so these insurers, like, how standard is it now for some form of micro-
segmentation to be baked into policy, you know, policy premium calculations? Because that's usually
how it works with, with these insurers. They say, you know, your policy is going
to cost you this much unless you use YubiKeys for your administrators, and then you get a discount. And
is that the sort of thing that happens?
Yeah, yeah. So they have, like, tons of checkboxes. First of all,
some of them are major ones, some of them are smaller ones, and if you don't want to pay, like,
10x, then you need to comply with a lot of stuff. You need multi-factor. They also want
multi-factor for all privileged activities, which is very difficult to do, and we also deliver on
that, because our micro-segmentation also has identity built in, identity capabilities to
segment them, MFA them, do stuff to them. Not just human, also service accounts. So some of the
insurance companies, depending on how big you are and what
you do, they also actually also have, well, do you have service accounts? Then do you know what they
do? Because many attacks, yeah, start moving, and then people say yes, but they don't. Exactly, that's,
but by the way, that's a problem. If something happens, then they come and check, and if you don't,
you lose all insurance. Yeah.
What are some of the other drivers, right?
Because we've talked about ransomware and the whole impact that's had on insurance
and premiums and various compliance regimes.
But are there other drivers of people
just looking at it purely from a,
well, this fits our sort of security objectives standpoint?
Yeah, I mean, I think also some organizations
are already at a point where, how do we really prevent
regardless of compliance? They see what's going on outside and
we derive one from another thing. Some of them
fail a pen test and they start thinking, I heard
some others are actually doing well in the pen test. What are they doing? And they're looking
and obviously, you know, proper micro-segmentation,
real one that can do it for everything in an easy way,
that's going to, you know, stop an attack.
Yeah, I mean, I'm guessing like a lot of the people
who have a bad pen test result and come to you,
like the pen testers have specifically highlighted
the open nature of the network as a problem, right?
Like that would be usually how this happens?
Yeah, that's exactly one of them.
So typically when we are there, you know, the pen test goes from a red report to a green report,
meaning almost nothing is able to be done by an attacker or by the pen tester.
So yeah, that's another driver.
Can you think of incidents where you have come up
against some of these ransomware crews
and tested the product against them?
I mean, I'm guessing not though,
because stuff like this, it's happened.
Because I'm guessing they just might land on a box
and then just try to get out like a rat in a burning maze
and just fail.
So we had various attack groups.
I don't want to name them, actually.
I'm not sure if that's a good thing to do.
But we had various attack groups attacking our customers.
Obviously, they didn't know we're there.
And they couldn't do anything.
And then after a few days, they just moved on.
Because what they do, for them, again, it's a business model.
So if they cannot do anything for a few days:
okay, something is properly done here from a security perspective. I'm moving forward, because
99% in the next one I'll be able to do something as an attacker. That's the thinking: I'm wasting time here
when I can go to another one,
another poor schmuck, you know, that's typically not as
protected with various real prevention controls.
And then they do what they do.
So this happened to us many times where our customers actually emailed us,
thank you, you saved us.
By the way, the interesting thing is that they discovered this
only a couple of days later, because then the EDR graciously alerted
that something weird is trying to happen from one machine,
but it's all prevented already.
It means blocked
at the port
level, and nothing could move.

That'd be pretty funny, though,
going back to the network logs and going,
oh yeah, look at this,
like a couple days later after they've
given up and gone home.

Actually, one of them brought Mandiant, and they looked,
and they said, well, good for you.
You're properly micro-segmented, and nothing happened.
In other companies, they come in as a red team, either Mandiant.
I know CrowdStrike has a red team that actually tried to hack
an environment that we protected.
And there are other boutique ones, really good pen testing companies.
There's also a lot of pen test automation tools out there.
And all these companies, when we are there,
the report is green.
That's it.
So that's a big testimony, I think, to what we do.
Obviously, then the question is, is it easy to do?
How much will it cost?
And other questions.
And I am also proud to say that's why we productize in a specific way,
that it's simple and easy.
And that's the point.
If it's not simple and easy, anything that in life, at least to me,
I hate logistics.
If something is hard, I don't do it.
If something is simple and in front of me, I do it.
And we have that in the company, the same concept. If it's simple, let's do it. If not, let's make it simple for our customers so that it's easy for them to get
protected. That's our ethos.

Sounds like a reasonable one to me. Benny Lakunishok,
thank you so much for joining me. Lots of fun. Appreciate your time.
Awesome. Thank you, Patrick.
That was Benny Lakunishok there from Zero Networks. Big thanks to him for that. And you can
find them at zeronetworks.com. Z-E-R-O networks.com. And that is it for this week's show. I do hope you
enjoyed it. I'll be back next week with more security news and analysis. But until then,
I've been Patrick Gray. Thanks for listening.