Risky Business - Risky Business #748 -- New cyber rules for US healthcare are coming
Episode Date: May 15, 2024

This week Patrick Gray and Adam Boileau along with special guest Lina Lau discuss the week's news, including:
The ongoing Ascension healthcare disruption, and whether it's reasonable for healthcare orgs to be pushing back
Platforming cybercriminals for interviews
Own the libs by... not using E2EE messaging?
CISA's secure by design, we want to believe!
The $64 billion scale of industrialised fraud
And much, much more.

This week's sponsor is network discovery specialist Run Zero. Director of research Rob King joins to talk about the weird and wonderful delights in their new Research Report.

Show notes
Federal agencies assisting Catholic health network amid cyberattack
After Ascension ransomware attack, feds issue alert on Black Basta group
As White House preps new cyber rules for healthcare, Neuberger says backlash is unwarranted
Stolen children's health records posted online in extortion bid
Guidance for organisations considering payment in... - NCSC.GOV.UK
How Did Authorities Identify the Alleged Lockbit Boss? – Krebs on Security
In interview, LockbitSupp says authorities outed the wrong guy
A (Strange) Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities | WIRED
UK 'increasingly concerned' about Russian intelligence links to hacktivists
Civil society under increasing threats from 'malicious' state cyber actors, US
Elon Musk Weighs in on the Encryption Wars Between Telegram and Signal
Encrypted services Apple, Proton and Wire helped Spanish police identify activist | TechCrunch
Christie's Website Offline For A Fifth Day And The Company Is Still Silent On The Extent Of Last Week's Security Breach
68 tech, security vendors commit to secure-by-design practices | Cybersecurity Dive
UK government urges caution over blaming China for Ministry of Defence breach
Black Basta group spam-bombs victims and then calls to help
Southeast Asian scam syndicates stealing $64 billion annually, researchers find
The $2.3 Billion Tornado Cash Case Is a Pivotal Moment for Crypto Privacy | WIRED
ADVANCED APT EMULATION LABS
Download the runZero Research Report
Transcript
Hi everyone and welcome to Risky Business. My name is Patrick Gray. This week's show is brought to you by RunZero and RunZero's Director of Security Research, Rob King, is this week's sponsor guest.
And yeah, they finally released a report based on some of the data they collect. And if you don't know, RunZero is an asset discovery tool that you can use to identify what's on your network. It's also really amazing to use as a perimeter scanner as well in case you want to take a look at what your org is actually exposing to the internet.
But Rob will join us a bit later on to talk about what their data is telling us about what some of the bigger problems are out there.
And there are some weird ones too, like printers that break network segmentation.
That's actually a huge issue,
but Rob will be along to explain all that in a bit. But first up, of course, it is time for a
check of the week's security news with Adam Boileau and Lina Lau, who's back to co-host
with us again. Adam, Lina, welcome. Hey there. Thank you so much for having me.
And we're going to start off with more drama in, you know, ransomware drama in the US healthcare sector. Adam, this Catholic health network called Ascension is apparently, like, having all sorts of trouble.
Yeah, they're a pretty large operator in the US and they have had some kind of ransomware. I don't know that we've seen any real specifics as to what the breakdown of, like, ransomware-caused incident versus incident caused by response to ransomware is, but they've been turning people away from emergency rooms and all of the things that you would expect from a large hospital chain, you know, having disruption of their computer systems, which is not great.
No, it is not. Um, I gotta say, though, the last place I would want to be taken for an emergency is a Catholic hospital called Ascension.
I do not wish to ascend.
I am okay right here.
I think that is an awful brand.
Now, it looks like this particular ransomware campaign is being pinned on Black Basta. ...here from John Greig over at The Record, talking about how the White House is looking at introducing
new security requirements for the healthcare industry. I'm in two minds about this because I think, you know, every dollar being spent on security is a dollar not being spent on patient care. And I think it's unfortunate if healthcare is going to have to spend more on this sort of stuff. But Lina, I wanted to get your thoughts on this. What do you think about the idea that there should be sort of minimum security requirements for hospitals?
I mean, I think it's a difficult thing to push,
especially when a lot of these hospitals aren't super well funded.
And it's difficult putting the onus onto them.
But the article was really interesting because it talked about the question of,
are these hospitals victims or are they actually negligent? Not having basic
things like having MFA in place or even having backups of patient data. And I think one of the
things that they mentioned was encrypting patient data, where a lot of these ransomware groups have
come in and just taken patient data because they've just been sitting there unencrypted.
And if that is a sign of negligence or not. Yeah, I mean, it's a tough one, isn't it?
Because we would love to say that not using MFA is negligence,
but that would make an awful lot of organizations negligent under that definition.
I think the American Hospital Association hit back and said,
law enforcement should instead focus on takedown operations
instead of putting the onus onto the hospitals doing things.
But with that said, law enforcement are definitely doing takedown, you know, operations.
So maybe there's somewhere in the middle.
I'm not sure.
It's hard to comment on.
Yeah.
What do you think, Adam?
I mean, I think, you know, something like MFA, and Neuberger makes the point that, you know, they've been up in people's business for years with some complicated security stuff, but also some basic things, like multi-factor auth on internet-connected stuff, kind of on the basic side.
And I think at this point, it may be reasonable to call that it is negligent,
even if it does impact everybody.
I mean, this is obviously because of Change Healthcare, right?
The fact that it was a,
you know, non-MFA Citrix account that, you know, someone just bought the password for it off the
dark web and then took down, you know, 50% of healthcare billing in the US. I can imagine that
the, you know, various people at the White House like Ann Neuberger would have hit the roof when
they found out how this happened. Well, exactly right. And I think, you know, some pushback from
the industry, as Lina says, like not all hospitals are well funded.
You know, there are a lot of reasons why it's very difficult to do robust information security in healthcare environments.
But internet-exposed single factor, like, that's a bar that honestly anyone who's on the internet should be meeting, even if it's, you know, that rules out lots and lots of people who have bad times. So, you know, whether or not there are better ways to handle it, and I found the comments around, you know, well, law enforcement should be spending their time going and doing takedowns, well, you know, they kind of are.
Yeah, I mean, it's early days, though.
It is early days. I mean, I think, yes, you know, one thing that I find really interesting about this, this came up in another interview I did that was published into Risky Business News, where, you know, being the number three in al-Qaeda, like the director of operations, used to be a really dangerous job that no one wanted, because as soon as you get promoted into being the director of operations for al-Qaeda, you know, you tend to get a drone on your head. And I think it would be nice if we made being high profile in ransomware kind of, I mean, obviously not drones on heads, but if we made it similarly risky, you know. So we've seen what's happened with LockBitSupp. Now, Black Basta in the news, and you think, well, could we see, you know, doxing and indictment of this group or its leaders, you know, and what sort of impact will that have? So I guess I'm partially sympathetic to the, you know, Hospital Association's, uh, view here, but I think both of you are right that there should be at least maybe some minimum standard.
Yeah, I think it's a both, not or, situation, right? We should do both of these things.
Yeah, I think, though, what's interesting is a lot of the techniques that the Black Basta group use are the same techniques that ransomware groups have been using for, like, the last four years. Things like ScreenConnect, AnyDesk, Soft Scanner. I've seen them on
basically every single ransomware case I've ever worked. So these tools are still being used because
they work. The ransomware groups are still using similar techniques to infiltrate organizations
because it works. And so if you have the blueprint for how a threat actor is going to break in,
it's clear why MFA and these requirements are necessary.
Yeah. Yeah. All right. Well, we solved it right here.
Fantastic.
Now, staying with ransomware actor scumbaggery in the healthcare sector, there's some extortion happening at the moment in the UK.
Is that right, Adam, with stolen children's health information?
Yeah, this is pretty horrible stuff. This was, I think we talked about the breach a couple of weeks back. Uh, this was, uh, the National Health Service in Scotland, um, had, you know, they were breached, a bunch of data taken. It's now started showing up, uh, on the dark web, and, you know, it's, it's been compared to Medibank, I guess, in Australia, where we saw, you know, healthcare data leaked and used. That prompted a pretty stern response from the Australian government. And I think, you know, the UK government has been making quite a lot of noises lately. So I wouldn't, you know, I wouldn't want to be the people who did this for the same kinds of reasons.
Yeah. And meanwhile, the UK government has put out some guidance for ransomware victims, urging them not to pay.
I mean, sure, that's fine.
But I mean, if people need to pay to get their data back,
they're going to pay to get their data back, right?
Yeah, 100%.
I mean, it comes down to one critical factor.
Do you have backups?
And do you have the financial ability to have backups
because they're very expensive?
And so for a hospital, if they don't have backups, what are they going to do? Just leave the entire patient system encrypted and
rebuild everything from scratch? It's not feasible. And before we got recording too,
you were telling us that, you know, in tabletop exercises you've done with various companies
talking about ransomware, speed is often a huge thing. Like when they, when they look at whether to pay or not, quite often it's about, like, speed, time, finance, organization.
Yeah, because most organizations' recovery time, obviously it differs based on how big the org is, but typically it's, like, four to six weeks recovery time.
Yeah.
Now, one thing that really is interesting in this, and, um, this came up when I was in the US as well, right, is that the UK government here is saying that it doesn't consider paying a ransom to be a mitigation, right? So they're saying if you're paying a ransom in order to mitigate harms, if you're paying people to, like, delete data that they've stolen, we don't think this is a mitigation step. Now, the reason that's interesting is because when I was in the United States, you've got the federal government over there really trying to disincentivize people from paying ransoms. But I spoke to some lawyers over there and they said the problem is, under some state regimes, if you've had a data breach, you are expected to mitigate the impact of that data breach. And the standing sort of legal interpretation of those rules, like regulations or laws or whatever they are, the standing interpretation is that means you should pay the ransom. So we've got this really odd situation where the feds in the US are saying don't pay, but the state legislation is saying do pay. I mean, Adam, you and I were talking about this. It's a, it's a pickle.
It certainly is a pickle. The British NCSC here specifically call out that this is not a way to meet your regulatory obligations. So I guess, like, kind of undercutting that idea that, you know, you are required to because you have to take all reasonable steps or whatever else. Like, I think that's a, you know, a way to maneuver around that interpretation where it doesn't line up with, you know, what's good on a, you know, on a national scale.
Yeah, I mean, I just sort of wonder, though, in the United States, where you do have those different levels of regulation, you know, it's not like the federal government can come out and just say, hey, you should ignore these state regulations. Like, that's just not going to work.
Yeah, no, it is certainly, the US is complicated for lots of reasons and that's, that's definitely one of them. Um, I don't know.
If there were easy answers to these questions, we would already be doing them, right?
Yeah, yeah.
I think really what needs to happen is a bunch of attorneys general need to get together and have a powwow about this.
I mean, at the state level and the feds.
Yeah, yeah, that makes sense.
Brian Krebs has published, I guess he's taken a bunch of info that was released about LockBitSupp, the ringleader of the LockBit ransomware operation.
And he's done his usual Brian Krebs thing, pulling the threads and basically just laying out this guy's career in crime based on a bunch of selectors.
Yeah, it's a good quality Krebs thing.
Although it does highlight, at one point in this guy's career he switches identity. He has an early life identity where he does a bunch of, you know, criminal stuff and sort of proto-ransomware things, and then at some point he takes a break for a couple of years and maybe he gets a job, maybe he has a kid, maybe, you know, whatever it is. But he comes back after that with, you know, a whole new identity, and even Krebs is like, I don't have a link between these two identities.
And that's kind of, you know, it's interesting because we see so many Krebsings
where they do make newbie mistakes
and they do just like,
there's all of the mistakes they made early in their life,
carry on and haunt them for the rest of time.
And this guy has actually done it right.
So I guess-
Well, I mean, he took one step at one point in time
to sever a link
between an old identity and a new one, but there's still a bit of noob stuff here, right?
Sure, sure, there is, but it's like most of them don't even do that one, that one simple step. Um, so that was, that was interesting. Um, and yeah, like, I think, you know, the, the guy in question, you know, when he shows up with his new identity, you know, Krebs makes the argument about his set of skills and experience from early on kind of clearly carry on, even though there aren't necessarily technical indicators that bind them together.
I bet you had fun also reading this email, his email that he used to sign up to the forum to advertise his malware
and how he used it to register a blog about clothing
with a phone number that links to him.
And then he used another email
that he signed up to another forum
to try and sell a wooden staircase,
which by the way,
I think is a very strange thing to try and sell,
but that had his full name in it and his email.
Yeah, stairwell.ru.
And I wonder if that's like got anything to do with Stairwell,
the like malware analysis company.
I had that thought as well.
Like the timing doesn't line up, but it'd be very funny.
Yeah, yeah.
It's just weird that he just happened to have stairwell.ru.
But yeah, it's, you know, it's like I've been saying for a while now, right?
Like when the dark market stuff was all the rage, you know,
10 plus years ago with people like Ross Ulbricht running Silk Road.
Everyone was like, oh, these people have found a way to completely cloak themselves online and they'll never get caught.
You know, it's just once you actually start picking away at this, like these people de-anonymize pretty easily if you're prepared to pop shell in a couple of places, you know.
Yeah.
The amount of money that he made from it must have been massive, because if he is the LockBit guy, because, uh, the article said that he keeps 20 percent of the ransom.
That's, yeah, it was 100 mil. It was 100, they alleged that he got.
Yeah, so that's a lot of money.
Better than a kick in the face, as, uh, as we might say. Now, look, staying with the LockBitSupp stuff, we got this report here from The Record, which is from, uh, Dina Temple-Raston and Sean Powers and Jade Abdul-Malik, and I've got feelings about this. So what they did is they contacted LockBitSupp and, like, hey, Dimitri, you know, which is the name of the guy that the US authorities have indicted. And of course, you know, he's like, oh, it's not me, blah blah blah blah.
i honestly wonder and i don't like criticizing other outlets, right?
But I do wonder what the point of this is.
And especially, like, if it had great content,
I would be willing to kind of forgive it.
It's just this guy going, no, it wasn't me.
Yeah, like, it really has nothing much interesting to say
and, you know, gives them a mouthpiece with, you know, a major outlet.
And, you know, for what?
Like, what was the...
Yeah, like, why platform his denial?
Like, if he was bringing specific information saying,
it's not me and here's why.
Yes.
You know, if you could be having a conversation with this guy
while the Dimitri guy is having a conversation elsewhere or whatever
and you could sort of do something to separate those identities,
you know, that's one thing. but just interviewing someone who's just saying,
yeah, it's not me. I'm innocent. I just, I just really wonder what it brings. What did you think of this, Lina?
I mean, I thought it was kind of dangerous that they did this, because some of the
messaging in their response was things like, I wrote, I even wrote this down because it blew my
mind. Join my affiliate and get rich with me. Our goal is to attack 1 million companies.
Yeah.
And I'm worried that that would, you know,
be enticing to younger people thinking
maybe this is an easy, like, you know,
this guy's not found.
He's saying he's not Dimitri.
I could join them and get, you know,
it's like an advertising thing.
It's a bit of an advertisement
for the next phase of LockBit.
Although, you know,
one thing that was really interesting
is there was one of the reports that came out recently
looked at the quality and tempo of, like, LockBit's operations
after the takedown, and as much as they were pretending
that everything was still great, like, the quality went downhill
real quick, which tells me that the affiliates
that were actually good all bounced, right?
And we're just left with...
Can you imagine the type of affiliate you're left with after there's, like, a complete infiltration from the Americans and the British? And what, they're just going to, you know, the ones who are left hanging around, I don't think they're the smartest ones.
Let's put it that way.
Not the cream of the crop, no.
No, definitely not.
Staying with Russia stuff, Andy Greenberg has a report up here where he is... Now, this is a different kind of... Like, I interviewed Andy Boyd,
who used to run the, you know,
Center for Cyber Intelligence at CIA.
We spoke about these attacks.
That's been published into the Risky Business News Feed.
For those who want to listen to it,
we had a live conversation in San Francisco.
And yeah, we spoke to,
I spoke to him about these attacks
and he seems very much of the view
that they are sort of state directed,
but it's all under this veneer of hacktivism. Andy's reached out and asked these so-called hacktivists a bunch of questions, and I don't know that it's extremely illuminating, but I feel like getting this on the record is at least interesting. What did you think, Adam?
Yeah, I thought this, you know, was a great contrast to the previous one, because, you know, the, the answers he gets are chaotic and they're not super useful, but it is still insightful overall, the big picture of it. And there's a couple of bits of back and forth where Andy asks them about, um, they had claimed on their Telegram that they had hacked, like, a hydroelectric power dam in France, which turned out to be, like, a small community's repurposed water mill, like, water wheel from back when it was, like, a, you know, corn grinding operation or whatever, uh, you know, that was very, very small scale. And they eventually said, well, okay, yeah, like, we're still, we're still learning how to do hacking. Um, as to, you know, whether or not they are state directed, like, they basically make some allusion to, you know, we're doing this because we believe in Russia and we all have one leadership and etc., etc. But it's really not conclusive either way. But that's also kind of the point, right?
Well, get it on the record, right? Like, just get this on the record and see what, see how it unfolds. And, you know, Alexander Martin over at The Record has a report up here about British officials being, and there's a quote here, increasingly concerned about growing links between the Russian intelligence services and proxy groups to conduct cyber attacks, right? So
we've always wondered how closely linked Russian cyber criminals are to the government. I think,
again, Andy Boyd, in our interview last year, he described it as a, I thought it was a great
description. There's always been kind of a dotted line, but it feels like those dotted lines might be becoming a little bit more, a little bit less dotted, shall we say.
Increasing the percentage of dots.
Yes, the density, the dot density is increasing.
And I think reading this, I guess I was put in mind of that story about, I assume, the Chinese private sector hack and crew that were doing work for, you know, MSS and other Chinese government entities. And, you know, we'd always talked about those relationships existing, but it wasn't until we saw the specific insides of what it was like, like, kind of how they put those contracts out, etc., that starts to clarify. And I think, you know, we kind of need that for Russia, right? We need someone to bust in and actually show us how these relationships work and what the mechanisms are, because, you know, we're still kind of left guessing, because we don't have the local context for, you know, the, the uniqueness of Russian cybercrime and activism.
Yeah, I mean, I guess what the, uh, what the Brits seem to be saying here is that Russia used to give tacit approval to these sort of groups, and that's changing, and it's becoming a more active sort of relationship. Was that the vibe you got reading this as well, Lina?
Yeah, I get the vibe that
because especially the cyber army of Russia, they said that their goal is to protect Russia from,
you know, Ukraine, EU and US, that it aligns with Russia's state goals. And as a result,
I don't think the government would be upset with it happening. But I don't think that they would come out and say that, you know,
we're happy with this operation, it allows them deniability. But this is a really common thing,
like, back in 2022, I did a case with the Iranian government with a threat group called Cobalt
Mirage. And it's a similar thing that happens there, where a lot of these APT groups are
allowed to also conduct ransomware ops on the side on other victims to make money because the state doesn't pay them as well.
It's a common thing, not just in Russia.
Yeah, I mean, the I-Soon leaks really laid bare why these groups in China are doing this stuff.
And it's because they get paid like s**t.
Yeah, exactly.
You know, they get paid absolutely terribly.
So, of course, they're going to moonlight.
We've got another one here from John Greig at The Record looking at,
and, you know, this is stuff that, look,
the headlines of the last couple of years really bear this out.
But, you know, the headline here is civil society is under increasing
threats from malicious state cyber actors.
And this is a US government warning.
So, you know,
activists, journalists, think tankers, all these sorts of people, you know, they're plugged in,
they communicate with a lot of other intelligence targets, and they're the sort of people that bad actors really want to surveil. And, you know, soft targets, let's just, let's just be frank. They don't have a security apparatus around them that can protect them. I've been scratching my head at them trying to figure out, well, you know, how do you begin to fix this problem? And I think it's, I think it's tough.
It is really tough. Uh, this piece from John Greig references a publication from CISA,
which is a bunch of guidance for these sorts of organizations on what they should do.
And I was struck by how much the cross-sector cybersecurity performance goals, or CPGs, snappy name, aligns with what we saw from the Australian government, top 10, top four, mitigations.
It's all the same stuff.
Patch your things.
Use phishing-resistant auth.
Audit your accounts, right? This is not, you know, in the end it's not complicated and it's not unique to these organizations, but it is hard to do at scale at organizations that don't have specialist IT security stuff, even though patch your stuff shouldn't need to be specialist IT security stuff. It kind of is, you know?
Well, and just awareness is hard, right?
With this sort of stuff, right? So you've got lockdown mode for iOS from Apple,
which is a great thing.
And the challenge they've got
is convincing people to turn it on.
You know, finding the people
and sort of making them aware
that this is something that they should do.
I mean, Lina, what do you think
when it comes to these sort of civil society orgs?
It's hard, right? Because you can't, often these people are operating in places where they can't rely on their own governments. They can't like walk into their
ASD and say, hey, I'm a journalist and I need help. Not that they can even do that here, but I'm
saying they wouldn't want to do that there. So, you know, how do you even begin to chip away at
a problem like this in your view? Yeah, I feel like the first step is awareness, just like you said,
then being aware of the protective measures that, you know,
take no effort to kind of turn on.
But more than that, it's difficult for them because they're in a position
where they're faced with essentially like information warfare,
where they're disseminating information that could, you know,
impact society's views on certain things, which is a political trigger.
And so they're obviously big targets.
But again, the advisory is awesome,
but without IT staff, without funding, without support,
are they going to sit there and implement every single thing
in that 19-page advisory by themselves on top of their daily work?
Yeah, probably not.
Probably not.
Yeah.
Now, look, some of the standard advice for a long time
has been use Signal, right?
Signal's great.
Turns out, Adam, according to some people at least,
Signal's for the libs, man.
Signal is just, it's from the liberal elite.
You know, don't trust it.
You should all use Telegram instead.
At least according to Elon Musk and a bunch of like those weird,
very online ultra right-wing megatypes, right?
Like this is just so weird.
Like that Signal is now seen as this political thing
for the libs who are trying to oppress you
and they got government,
because they use government-funded encryption algorithms
or whatever.
It's like a deep state plot.
Anyway, talk us through it. It makes no sense.
It makes no sense at all, which I guess is the hallmark
of a lot of that kind of, you know, of those kind of people
is that stuff, we don't need to make sense anymore.
We're in a post-sense world.
I don't, I mean, when we've seen things like, you know,
horse paste for COVID or something,
like it's just very clear that that's not so.
And then when it's something like, you know,
encrypted messaging or whatever, it's very easy for,
like it's not intuitively wrong,
like probably horse paste doesn't cure your COVID.
I mean, I'm not a doctor, but I would agree that.
You know, it just like, it has that feel.
Whereas for most people, like the difference
between Telegram and Signal is, you know, nerd stuff they don't care about, and they trust Elon Musk, right? Because he's, he's pushing this real hard, and there's even people, uh, out there on Twitter, like Matthew Green is one of them, kind of saying, you know, this looks like an organized campaign to discredit Signal. And you've got to wonder really what the agenda is when it comes, when it
comes to that in favor of Telegram, of all things,
which isn't end-to-end encrypted
and is controlled by Russians out of Dubai or something.
Yeah, like Pavel, whatever his name is,
is like out there trying to discredit Signal.
Lina, have you been following this?
Because it's been all over social media
and it's just weird.
Yeah, so basically their only argument
is that this woman called Katherine Maher
used to be a US-backed agent who ran comms initiatives
in Middle East and Africa for the US government.
And now she is the current chairman of the Signal Board.
And because of this connection of her being an ex-US agent
and also of her connection to the Open Technology Fund,
they're saying that, you know, there's a backdoor or, you know,
you can't trust Signal.
Did they manage to squeeze a mention of George Soros into all of this?
Because then it'd be like, you know, bingo, exactly.
I feel kind of bad for her.
I mean, just because of her past work experience, she's now like the spearhead of this anti-Signal
campaign.
It's real weird.
But I mean, you know, what would the agenda be?
Pushing people towards Telegram? I mean, Telegram, I think, you know, Adam, you and I feel the same way about Telegram,
which is that it's a social network that has that gives no security guarantees. It might be fine,
but it might not. And we've got no idea who's in there surveilling it, right? Like, it's just,
there's so many questions. I mean, the thing that strikes me about Telegram is it's such a juicy
target, because so many interesting things are there.
And like, you know, so many people use it for comms.
Like it would be irresponsible of governments
not to be up in Telegram.
Like the fact that you can intercept it
means that it must be intercepted
because Signal, there's not much point in going owning Signal
because you don't get anything in the middle.
So like Telegram must be being intercepted.
And so, you know, moving a bunch of people to Telegram, like, that's the only 4D chess explanation I can think of, is that enough people are collecting the air that maybe it's useful to me.
I mean, it's such a cesspit, though, right? Like, I saw someone describe it as the dark web in your pocket, and I thought, that's it. I thought that's actually a great, uh, description. Lina, are you all over Telegram?
I've dipped in and out a couple of times. I don't use Telegram. I use it to join threat group channels and just watch what they're saying, but that's it.
Yeah, that's what I figured you'd do. Oh man. Ah, but, you know, we got another related story here from Lorenzo over at TechCrunch. Um, so there's the way that people think you're going to get into trouble by using these apps, you know, so weird connections between the Open Technology Fund and former US government people and, you know,
putting backdoors in and enabling global surveillance.
And then there's a way people actually get into trouble using this stuff.
And Adam, you can, you can walk us through this one because it's, it's,
I mean, it's just so straightforward that it's actually quite funny.
It is. It is this, in this case, the Spanish police were investigating
some Catalonian independence types,
and they were interested in getting into their,
identifying some people behind some encrypted comms.
They were using Wire as their encrypted messenger.
They went from Wire, got a registration address
from the Swiss organization that runs that.
They got the email address that was associated with it; turned out to be a Proton Mail.
They went to Proton Mail, also in Switzerland, and said, can you give us anything? And they said the
only thing we have is this recovery email at Apple. And they went to Apple and said, please give us the
details, and they got the, you know, person's phone number. It was an iCloud. It was probably first
name dot last name, you know. Yeah. And, you know, billing details and whatever else. And that's how it actually happens, you know,
just straight up police work.
And, you know, all of the encrypted comms in the world
doesn't help you when, you know,
there is a straightforward tie to your real identity.
So, yeah, good job.
Pretty much.
You got any thoughts on this one, Lina?
Yeah, if you want to do anything illegal,
don't use your real name to sign up to things.
I mean, that's very simple advice, right?
It's very simple advice, but I think it holds.
You heard it here on Risky Biz,
Dean O'Loughlin, how to do crimes.
Now, look, we have seen a cyber attack this week
that I think might trigger the Illuminati, Adam.
Because Christie's, the auction house,
they had to turn off online bidding for an auction where they were going to do like $840 million in sales.
And there's also like an annual charity like watch auction where the best watchmakers in the world make a unique piece that they auction them off for millions of dollars to raise money for charity and whatnot.
And yeah, no online bidding.
So unless you had someone there,
you know, one of your minions,
I'm guessing if you're bidding on a $5 million watch,
you probably should have a minion there
and not be a peasant and use the internet
and do online bidding.
But, you know, I wonder what sort of response
we're going to see now that a cyber incident
is affecting the sort of people who buy art at Christie's auctions.
It's not clear if this was ransomware
or their response to some kind of other incident.
We don't have any specifics,
but for whatever reason,
they took a bunch of their stuff offline.
The assumption is probably they were instant responding
and needed to do that.
But yeah, pretty embarrassing for a
firm that's been around since 1766 to be taken out by presumably Russian criminals just for fun.
Yeah, especially when your clientele is super wealthy and probably very privacy conscious,
they probably don't want their purchasing history publicized and who's buying what,
whose house has what
because it just puts a target on your back. Yeah, it's interesting you say that, actually, because
that is one concern here, is that there could be some, you know, blackmail-worthy info in some of
this stuff, and information that could put people at physical risk. Yeah, I'm going to break into your
house because you own a Picasso. Yeah, exactly. Although, I mean, you know, a stolen Picasso,
there's a limited market for that, right? Because it's not like you can, you know, it's not like you can post it on your Insta.
I found this in my grandmother's shed.
seriously here. One thing that CISA has been pushing lately is this secure by design idea
that vendors should really be developing much more secure products. I did have a chance to
see Jen Easterly speak about this, the head of CISA at the Silverado Policy Accelerator Conference
in Napa, which was just held before RSA. And, you know, I think it's a great initiative. We've seen now 68 companies sign up to it.
Lina, what do you think of this, right?
Because, you know, you're in that phase of your career
where you're building stuff, you know, you're much more,
you're much closer to people who are actually developing software
than Adam and I are.
I mean, obviously this is a good thing, but I just,
I wonder how much good it's going to
do when there's just so many CVEs in this sort of enterprise software. And I think less CVEs is
good, but I just, I just wonder if this is going to have any medium term impact or make things
better. What do you think? I think the motivation and the fact that this is
happening is a good thing. However, the pledge is voluntary. So there's no roadmap in terms of what
these companies will be doing, what they promise that they will be doing. But I mean, there have
been things that have happened even with Microsoft in the past, which have been good things like them
deprecating basic auth in Exchange, inclusion of other log sources,
you know. So I think... You just mentioned two things that they did, both of them like five
years too late. But anyway. But either way, it's good. At least it's getting the conversation going
around the fact that the onus should be somewhat on these security vendors,
since they are security vendors. Yeah. But Adam, I mean, you know, you and I have spoken about this a fair bit.
You know, what do you make of this?
I mean, I think it's great that they got 68 orgs signed up.
I think it should be the expectation that people are going to commit to secure development.
But again, this sort of software is never going to get QA'd to the same degree as mainstream consumer software like, you know, WhatsApp and Chrome browser and things like that. So I just wonder how much better you can make enterprise software when the development QA budgets are
just never going to really be serious, you know. Yeah, but I like it as a concept, and it's, you know,
it's definitely a feel-good exercise. But, you know, in the end it comes down to, for me,
one of the people who signed this is Fortinet. Yeah, right. And is Fortinet going to
fundamentally change its approach to software QA as a result of this? Honestly, I would like it if
they would. I don't believe that they will. Answer that. I mean, I don't know. I mean, they're a big
company, right? They're not like one of those, they're not like the Pulse Secure VPN that got
sold off to Ivanti, you know, and there's just nothing happening there. I mean, you know.
Ivanti's on this list too, by the way.
Ivanti is on the list.
Okay.
I take it all back.
I take it all back. I mean, in the end, the proof's in the pudding.
Like, I would very much like them to spend that money.
And maybe it's, maybe this is the thing that will make them do it.
But, you know, excuse me for being cynical.
Yeah.
We've been doing this a long ass time.
This episode, what did we say?
750, 748, something like that.
That's a long time talking about terrible enterprise software violence.
Yeah, exactly.
If this is the turning point, I'm very glad for it.
As people know, you know, I'm a big fan of stuff like Knocknoc,
which is more about like taking that stuff and making it unreachable.
Yes.
Than trying to fix it.
Because I think that's an easier thing to do. Like, if we just start re-architecting stuff, and it doesn't have to be Knocknoc, I'm
not just trying to, you know, talk my own book, as they say. But, like, just getting this stuff away
from the internet, I think, is probably a more achievable aim than trying to get it into a state
where you can just give it a public IP and say, yeah, it's fine, we don't have to worry about it
because they're using a secure development
lifecycle, you know.
KiteWorks also on the list.
Yeah.
Okay.
But I mean, then again, they are the ones who need to change, right?
So is that good or is that bad?
I don't know.
Yeah.
And they certainly had a rough time.
So maybe, you know, maybe they're getting there.
So you got to start somewhere and, you know, yeah.
Good luck.
Best of luck to you, sirs.
Godspeed.
Godspeed.
A curious situation emerging in the UK, Adam.
We spoke about the breach at a third-party contractor
that did work for the UK Ministry of Defence.
Is that right?
Yes.
And now we've got the UK Defence Minister, Grant Shapps,
coming out saying
we need to be careful in jumping the gun
in attributing this incident to China,
which is interesting.
You don't often see people trying to cool it, right?
And one thing that's really interesting that this story goes into
is the UK has changed the way it does these attributions
specifically to try to decouple the attribution decisions
from the expectations of politicians, right?
So maybe this one wasn't China,
or maybe they're just trying to slow it down
and be rigorous and do it properly.
It's hard to know which one it is.
Yeah, it is difficult to say.
I mean, you know, on the one hand,
it could well be something as simple as, like,
it turned out that it wasn't even nation-y, like it was just common garden hack, and some
people jumped the gun. We've certainly seen "nation state ate my homework", you know, as an excuse trotted
out very early on to try and make it sound more excusable that they got owned. So it could be kind
of like softening the ground for walking it back in that way. Or it could be a different country or, as you say,
like the political aspects get ahead of the technical investigation.
And, you know, anyone who's done incident response knows
that being pushed to answer those questions too early
leads to things going pretty horribly wrong.
Well, we happen to have an incident responder with us.
Lina, you know, what's your experience been like
when doing incident response and having management come down and sort of, you know, either demand immediate attribution or try to steer you in one direction or another?
I mean, does it often take on a political dimension like this?
Sometimes it does based on their expectations and they put the expectation onto the incident.
But attribution is incredibly difficult.
It's never as easy as you
go into a case and you know straight away this is, you know, X threat group or X APT group. And
what's interesting in the article is that they said that they can't release details around
attributions because of, quote, national security. So it's not clear if it is China or if it's not
China. And if it is China, you know, there's multiple APT groups within one country and
multiple, you know, hacktivist groups within one country.
So saying it is just China is a very umbrella term for something that's much more complex.
Yeah, I mean, there's a big difference to the Ministry of State Security doing it versus the PLA versus, you know, all of that.
And versus some of these groups like I-Soon who go off and steal this crap even when no one's asked them to.
And then they try to sell it to the government.
And then the government either lowballs them or just tells them they're not interested.
But Beijing has come out and said, quote, completely fabricated and malicious slanders.
Well, in that case, I mean, it must not be them. It must not be them, because China never denies
this stuff. That's got to be the first time. Got to be the first time. Now, we're going to highlight some reporting that our
colleague Catalin Cimpanu did this week, Adam, and there's been coverage in the Korean press
but nothing in the English-speaking press, and this story is crazy. Yeah, this story is pretty wild.
Some guy, some nerd in Korea, came up with some bugs affecting building apartments, like intercom systems.
So if you live in a big apartment building and there's an intercom for the front door where you can check people who are coming in and allow them through the door.
There's a system in Korea, I think the brand name is Wallpad.
I'm not quite clear from the translation if that's a generic term. Yeah, we had a bit of fun trying to actually figure out what was a, yeah,
what they were talking about initially, but we got there.
Yeah, and so, and these also will do like video calling between apartments.
So essentially it's a thing on your wall that has a video camera in it.
It kind of looks from the screenshots like a repurposed Android tablet,
but anyway, this guy found some vulnerabilities in the
management software for that, broke into them, and was selling video camera footage from inside
people's apartments on RaidForums, which is pretty gross. Yeah. You think he had actually gone
public with the bugs a couple of years prior, like kind of white hat style, but then no one
particularly paid any attention,
and he ends up selling people's house footage on the internet.
He broke into 700 apartment buildings worth of these systems,
400,000 unique devices,
and he had camera footage from them all on his PC.
So he gets arrested for, I think, four and a bit years in jail.
Yeah, which, you know, that seems pretty reasonable to me, but it was just the sheer scale of it. 400,000
people's apartments was just creepy. It's creepy as well. And I mean, like, you know, I've
got a creeped-out reaction to that even though I know no one wants to see my pasty middle-aged body
walking around in my apartment, you know, or walking around in my house.
But I got to ask Lina, you know, as a young woman, I imagine that, you know,
your reaction to hearing news like that would be even stronger.
Yeah, I find it really creepy. But I mean, notoriety is notoriety. He was previously
convicted of DDoS attacks. So it just seems like it's in this guy's DNA to do it again and again.
And if his POCs didn't get attention in the white hat community,
then maybe this is his way to get a ticket to notoriety.
You reckon he wanted the attention?
I don't know, man.
I think people who commit crimes like these ones,
they just have the touch of sociopath about them.
You know what I mean?
You think?
I do.
I think it's sociopathic to surveil 400,000 apartments looking for people walking around
naked. I just think you have to be like properly f***ed up to do that. I don't, you know.
Yeah. I mean, I definitely think it's mental illness, but for me, it sounds like a guy who
is obsessed with hacking into control pads, wanted to just do it for the rest of his life
and found a way to make money with a hobby.
And it just resulted in a very creepy.
Maybe you're right.
That's like weapons grade dysfunctional,
but I don't know that it clears the bar for being a sociopath, right?
Like it's just a different type.
These days the bar is quite high.
Like we've got some high standards.
Oh, man. Now, look, speaking of something that's quite high,
the amount of money that is being made
out of these Southeast Asian,
by these Southeast Asian scam syndicates,
we've got some numbers here.
And these scam syndicates based in Thailand,
Myanmar, and Laos,
apparently are pulling in something like
$64 billion a year,
which amounts to 40% of the GDP of those three countries combined.
So this is an absolutely huge amount of money.
Once you have so much economic activity concentrated in operations like this,
the tail can begin to wag the dog.
Officials can be bought. Protection can be bought. It's a
situation that once it becomes entrenched, it's very difficult to pick apart. What's crazy is
you look at the ransomware numbers and they're quite low by comparison to this, like a billion
a year compared to 64. BEC as well is a lot bigger than ransomware. I think the reason ransomware gets
attention from us is because first of all, we're a cybersecurity podcast and this isn't technically
a cybersecurity issue. But it's also the disruption that ransomware causes. Whereas
you just look at where the money is, it's in BEC and it's in phone scams, right? I mean,
you were stunned. I know, because we spoke about this, you were stunned by the numbers
here. Yeah, I mean, $64 billion a year. And you think about how much, how many column inches
we've expended on this podcast talking about ransomware, but because the availability impact
is flashy. And then BEC, you know, two or three times ransomware, we're still talking a 20th
of what these kind of groups are pulling in, if it's $64 billion.
And you're very right about the tail wagging the dog part, when there's, that we saw a couple of months ago now,
kind of even more startling that, you know,
because those happened in a region where the regular centralised government had fallen apart and been taken over by separatists or rebels
or whatever else who didn't presumably have that entrenched, you know,
corruption and so on that was shielding these operations.
That makes a bit more sense now, I guess.
Yeah.
But I was just stunned.
Like $64 billion, this ought to be the biggest thing on anyone's radar.
Well, China deserves some credit here for actually funding some of these groups
or assisting some of these groups, I should say,
in capturing some of this territory and dismantling some of these operations
that are in sort of regime-controlled areas.
But it is nuts.
And I'm totally not
surprised by the numbers. My mum got taken for about a grand. And she was really lucky because
this was at the early stage of one of these scams, where she'd done the first transfer of about a
thousand bucks. And this is the one where they just, you know, and then it's like they start
saying, oh, we've just detected that you need to transfer your money to keep it safe because we've just detected another problem. But
she cottoned on, thank God, right? This is a couple of years ago. But one thing that really,
and funnily enough, I just visited her on the weekend and in her apartment complex,
there was a sign stuck up in the elevator that said, you know, beware of online scams. One of our residents has just lost everything over one of these telephone scams.
And, you know, her apartment building is just stacked top to bottom with nice little old ladies, you know, who are now losing all of their retirement funds.
Like, gone.
Their life savings, their life work, everything gone.
And that adds up.
And it adds up to $64 billion.
Like, most of the victims of this stuff are over 65. One thing that stunned me though is the bank refused to refund the $1,000 that my mom lost
because she did pass on one of the codes that the app generated for her.
And the message on the thing says, don't share this code with anyone else.
Now, that's all well and good.
But the banks can scientifically prove that that warning doesn't work.
They would absolutely be able to prove that that warning does absolutely nothing to stop
people from actually sharing those codes when they believe they're speaking to someone who's
not who they're speaking to, right?
So for them to just wash their hands of it and say, oh, well, you did the wrong thing,
I think is ridiculous.
I think we need much more of an onus on the banks.
Another friend of mine, his mom, again, elderly woman, she lost something like 60 grand over a series of phone
calls. She rang the banks the next day, they recovered a third of it. The next day. So I
don't understand why we're not demanding better of our banks when you've got someone who's over 65, who's in an
at-risk category for this sort of stuff, and all of a sudden they want to do a wildly out-of-character
series of transfers, why are they allowing that? Why are they not putting a three-day hold on it?
Why are they not following up with a phone call? And it's because it doesn't cost them anything.
They can just wash their hands of it. It's disgusting. Lina, I mean, you would have heard
of this happening to people as well. I mean, it's, you know, again, this isn't technically a
cybersecurity story, but wow. I'm not at all surprised that it adds up to that sort of money.
I've had people contacting my mum pretending to be me, telling my mum that I'm lost and I'm
stranded and I need money. And she's like freaked out and called me and asked me, is this you? Which
obviously it's not. But the
thing about the article that startled me, because I had no idea that the people that are doing these
scams are human trafficking victims. Yes. I had no idea that that was the case, and that blew my mind.
And I went and actually looked up numbers from the UN because I was so confused by this, and the UN
estimates that 120,000 people are held in compounds in Myanmar.
And there's 100,000 human trafficking victims in Cambodia doing scams like this.
Yep.
I had no idea.
And apparently, the human traffickers, what they do is they post job advertisements across Asia to lure people into fake jobs.
And then they get put into scam compounds.
They get black bagged and vanned.
So I know someone who worked security for a job listings website. And this was a, this was
something that they had to work on, you know, cause they were operating in some of these markets
and in, in the Philippines and whatever. And they had people who disappeared, uh, going to job
interviews. So they just get, they get vanned and they get whisked away to these compounds.
And that's that.
And it's not just pig butchering.
It's all of these scams.
Like they're taking over this sort of scam industry.
It's crazy.
I mean, Adam, I think there should be a role.
We've seen how, at least we've started extending
our law enforcement operations outside of our own borders,
right, to tackle some of these problems?
Like why do these huge operations,
which are extremely easy to locate and identify,
why do they have functioning routers?
Yeah, it's a great question.
And I think like the scale of, this is what startled me
about these numbers being at that scale.
Like I would have said, you know, 3x, 4x, 5x,
maybe on BEC and ransomware, not 20x.
And I'm surprised that, like, this hasn't become a priority for government. It hasn't become
a national security issue in the way that ransomware was. And, you know, we've seen some
moves, like we had that, when we talked about a while ago in the UK, where they're trying to make
the banks, like, share the liability for these things, that these transfers between source and destination banks and other banks, to try and
make it more their problem, which, you know, is baby steps. But, you know, for a thing this big,
we clearly need more. Yeah, we do. Something needs to be done about this, because the people who are bearing the cost of this, it's tragic.
It's absolutely tragic the way this happens and what it does
to people's self-esteem, let alone their finances.
It's just shocking.
All right, we're going to wrap it up there.
But just before we go, Lina, the reason we haven't had you
on the show in so long is because you've been busy.
You have been a busy bee building up your XINTRA labs.
And what you've done is you've created a place,
an online place where people can go and do a bunch of labs
around incident response, basically.
And you've got a bunch of stuff there already,
but the really cool stuff that I'm excited about that you're doing
is you've created, like, incident response interactive environments for simulated APT breaches in cloud environments, right? So you've
got the, what are they called again, the Chinese group that did the stolen key attack? What
are they called? The Midnight Blizzard stuff. So you've got that one going up, I think, tonight.
and then you've got the SVR stuff.
Yeah. APT29.
Yeah. The APT29 stuff is coming in like a month. So the idea is you can go and you can pay a very
reasonable fee monthly and access these environments and all of the, all of the
chutes and the content and whatever. You have been busy with this.
Yeah. So I started this because when I was working in incident response, a lot of the IR people have
never performed an incident involving APT groups and they don't know how to upskill themselves.
So I thought the best way to train IR people would be to create multiple emulations of very popular breaches that have been publicized in advisories and allow people to actually work them firsthand and learn how to do it.
Awesome idea.
I think it's going to be a smashing success.
So I'm guessing it already is doing pretty well.
It's only been launched three weeks, but yeah, so far,
the community has responded really well to it.
Yeah, fantastic.
Congratulations on that.
Lovely to have you back.
Thanks for joining us.
And Adam, great to talk to you as well.
And I'll talk to you next week.
And Lina, we'll get you back real soon.
Thanks for having me.
Thanks very much, Pat.
That was Adam Boileau and Lina Lau there. And it is time for this week's sponsor interview now with Rob King, the Director of Security Research at RunZero. RunZero is an incredible asset
discovery scanning engine and platform created by HD Moore. You set it loose on your network and
it'll find and identify basically everything in it. You can also get it to do cloud discovery by giving it access to your
cloud environments. And I personally also love it as an external asset discovery tool. This thing
can scan entire countries in a couple of days and it really is amazing. And there is a free version
too, so you can go play with it.
But yeah, Rob joined me to talk about RunZero's first ever data-driven report. So they crunched the numbers on a bunch of their scan data.
And here's Rob telling us about some of the cool stuff they found.
And for starters, they found a lot of crappy embedded devices
that are breaking network segmentation.
Here's Rob King.
We discovered a huge number of devices were capable of forwarding IP traffic when they
probably shouldn't be. So, you know, if you think about it, a lot of devices, you know,
you've got your printer and all these, they have multiple interfaces on them. You know,
your printer will have a wired ethernet interface and a Wi-Fi interface. And it turns out a lot of those printers, one of the things RunZero scans for is the ability to
forward traffic through a device. And it turns out a lot of those printers can do that. So if
you're worried about network segmentation, this can be, you know, something you might want to be
aware of. And so it was hilarious in that we started really digging into this and we found,
you know, printers, of course,
and obviously no routers and things like that, but also things like thermostats and light bulbs
and points of sale and door locks that could all forward IP traffic and just, you know, potentially
break network segmentation. And that was a lot of fun. And a lot of, you know, we had
a bit of a contest to see, you know, what's the strangest device we could find that
could do this, and I think it's going to come down to probably the light switch, I think. Yeah,
it's funny, right? Because if you put on your 20-years-ago security person hat, you're like, all
that stuff should be on a VLAN anyway. But I think we can raise the white flag on that. That ain't happening. And you know, it never happened. Exactly. And that, that actually
leads to something else that we were able to talk about, which is this concept that, you know,
I'm a big physics nerd. I called it a network dark matter, you know, and it's the devices that are
on the network that, you know, their influence can be felt, but you may not actually be aware of them.
IT might not actually know or care.
And these are things like the aquarium pumps and the smart TVs and the projectors in the meeting rooms and everything.
And these are devices that are definitely there, but how often do you really update them? How much would IT really notice if one of these devices vanished
and reappeared or, you know, came up with, suddenly came up with a different name or something like
that? And so it was really fascinating to see just how much on a network is this network dark matter.
It was anywhere from, we saw as high as 80% to, you know, every now and again you get zero, depending on
what you're scanning. But it was usually around 20 percent, or even as much as 60 percent,
devices that were just this dark matter, this stuff that you may not really know or care about
but that you should probably know and care about. Yeah, but I guess this is why we're all about
zero trust these days, right? Is because of all of this cruft floating around on the network. Indeed, indeed. And there is a lot of cruft. It's
fascinating. You know, I love using Run Zero. Just I scan my own house, you know, and I've
discovered devices that I was like, oh, that's right. I did buy that. I totally forgot about it.
Yeah. So it's anytime my kids have friends come over, I'm like, oh, look, you know,
I've got another laptop, another three game systems. You know, it's always fun. Now, what about stuff that might be sort of
more alarming in a traditional enterprise security sense? Because I know that Run Zero is always
coughing up interesting stuff there. Well, so one of the more interesting things was the XZ
backdoor. And so Run Zero was able to dig into that and come up with some really interesting
ways to detect systems that might be affected by this backdoor. The backdoor itself doesn't really
talk any differently on the network. If you don't have access to the system, if you don't know what
to look for on the system, you might not know how to find it. You would never be able to find it. But we were able to come up with hallmarks
for systems that are running, you know,
recent enough versions of Linux
and correlate those versions of the Linux kernel
detected via traffic analysis
and how the TCP stack communicates,
correlate those with the known
vulnerable operating system releases,
and then if they're running SSH and all that
so that you could actually narrow down
which systems needed to be looked at immediately.
And that was a really, really fun
and important piece of research.
Did you have a lot of customers using that?
Yeah, that was part of our rapid response process.
Within a few hours, we had a query out that you could use
in Run Zero to find these systems. And that's one of the things that I love about Run Zero is this
rapid response process. So anytime there's a serious vulnerability, Run Zero will try to
publish a blog post and a query and let customers know that they can use this to find devices that
might be affected and might need
to be looked at by their information security staff. Yeah, I mean, it's funny, right? Because
volume management, we've definitely given up on trying to patch everything. And even, you know,
just even knowing which ones are going to burn you down tomorrow is hard these days, because
there's just so much, yeah, everyone's got so much crap. And we actually, that ties in a little bit with some of the more interesting research
that is going to be in the report as well.
We on the research team, we like to do math.
We're a lot of fun at parties.
And so one thing that we discovered is Run Zero can compute what's called an outlier
score for a device.
And so it'll look at all the devices on a network
or, you know, in a specific site,
and it will compute a baseline for these assets
across a bunch of different dimensions
and metrics and everything,
and then can quantify how different any given device is
compared to that baseline, so compared to its neighbors,
you know, and we call that an outlier, borrowing the term from statistics.
And then another thing we can do is quantify the risk of an asset. So risk reported both just by users and customers and Run Zero and third-party integrations,
antivirus, all that. And when we sat down and graphed the comparison, graphed the relationship
between the outlier score and the risk score, we found that it was almost perfectly predictive.
It was very strongly predictive. It was one to one. Yeah. Yeah.
So the higher the outlier score, the higher the risk on average and pretty strongly correlated. And I think what
makes that interesting is that it's predictive. So even if you are looking at an environment where
you don't necessarily have risk scores available, you know, maybe there isn't, you know, antivirus
software or vuln detection available for this product, or you can't use it in that environment
or whatever, you can still compute the outlier score. And you can still say, okay, if this outlier score is high, that seems
like a good place to focus my resources. You know, even if I can't necessarily know it's risky,
that's a really strong predictor. That's just yet another way of providing visibility
into where, uh, your often very limited information security resources can be directed.
Well, I mean, you know, mainstream stuff has gotten a lot better. I've heard a few people
say, well, enterprise software is going to get better too, because look at how much Android and
iOS and Windows have improved. But that just ain't how this works, right? Because they're
mainstream products. They've just got such amazing QA resources thrown at them. And you're just not
going to get that on a Fortinet. The just absolute
explosion in the number of devices that are out there, and that often just stick around for years if not
decades. Even if they do have a good, uh, fixed cadence, a good release schedule, it may not
matter in a lot of environments. A lot of times they don't get updated or they can't be updated
or updating them requires capabilities that systems may not have,
teams may not have.
For example, there was the D-Link network-attached storage issue
where suddenly there's this end-of-life network-attached storage product
and a very severe vulnerability was found in it.
And it's been
end of life for a while now, but there's still thousands of these devices out there and there
will be no patch coming. So it's important to know what you have on your network, because you need to
be able to defend it even if there isn't a patch. Yeah, in route, I mean, that one's, that one's
interesting, right? Because I've always thought with Run Zero, yeah, you want to run it internally, but
you also want to throw it at your perimeter as well
to find stuff like that.
Because finding that on your LAN,
eh, not a big deal,
but finding it accessible from the outside is a big deal.
Do you find that most of your clients
are doing external scanning as well with the product
or they're just sticking to internal?
No, they definitely, there's a good mix of both.
We have a very powerful mechanism for scanning internally,
but we do also have host infrastructure
and you can set it up to scan your external attack surface.
And what's neat too is you can even see those devices
that are present in both attack surfaces.
You can say, oh, there's this device
that's bridging this attack surface.
And some of those are expected. You've got web servers that may be inside and outside or whatever. But sometimes you see things like printers or maybe at the point where it is presenting genuine quantifiable
risk. But how often do we do incident response and someone's actually used, you know, tunneled
through a light bulb? It's not really something that we see all that often, is it? It's something
that I think we'd see more often if we looked a bit more. And there have definitely been documented
cases. A fish tank, there was an aquarium pump in, I want to say it was the lobby of a hotel,
and that was used as a data exfiltration mechanism for attackers who had gotten into this hotel,
which I thought was really, really a fun, well, a really, really interesting example.
No, you can say fun. It's fun. It's cool.
You know, we've got to still be able to look at cool stuff
and call it cool stuff.
All right, so I'm guessing people can go and seek out that report.
I'll drop a link to it in this week's show notes.
But Rob King, thank you so much for joining us on the show
to walk us through that.
Very interesting stuff.
Thank you.
That was Rob King from RunZero there.
Check them out at runzero.com.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back with more Risky Biz real soon.
But until then, I've been Patrick Gray.
Thanks for listening. Thank you.