Risky Business - Risky Business #754 -- Assange pleads guilty to espionage, walks free
Episode Date: June 26, 2024

On this week's show, Patrick Gray and Adam Boileau discuss the week's security news, including:

- Julian Assange finally cuts a deal, pleads guilty, and goes free
- USA to ban Kaspersky - even updates
- Car dealer SaaS provider CDK contemplates paying a ransom
- Intolerable healthcare ransomware attacks continue
- We revisit Windows proximity bugs via wifi and bluetooth
- And much, much more.

This week's episode is sponsored by enterprise browser maker Island. Crowdstrike co-founder Dmitri Alperovitch is an investor in Island, and joins on its behalf to discuss why an enterprise browser is really starting to make sense.

Show notes

- Julian Assange released from prison and has left UK, WikiLeaks says
- US to ban Kaspersky Lab software nationwide later this year
- Cyberattack on CDK Global stymies work at car dealerships across US
- Almost 200 cancer operations postponed as ransomware group publishes London hospitals data
- UK government weighs action against Russian hackers over NHS records theft
- South Africa's national health lab hit with ransomware attack amid mpox outbreak
- Ransomware victims are becoming less likely to pay up | Cybersecurity Dive
- Lawmakers in Philippines push for probe into Pentagon's anti-vax propaganda operation | Reuters
- Telegram says it has 'about 30 engineers'; security experts say that's a red flag | TechCrunch
- Two bluetooth vulnerabilities in Windows
- Thread on reversing the patch
- Basic concept for the latest windows wifi driver CVE
Transcript
Hi everyone and welcome to Risky Business. My name's Patrick Gray. This week's show is brought to you by Island, the enterprise browser company. And funnily enough, today's sponsor interview isn't with one of Island's staff. These days, he runs a think tank and writes books and all sorts of stuff.
But yeah, he chatted to me about why he decided to invest his hard-earned money into a company that makes an enterprise browser.
That is coming up later.
But first up, of course, it is time for a check of the week's security news with Adam Boileau.
And Adam, let's start off with the big sort of news this week.
I guess, mate, is it technically infosec?
Is it not?
Who cares?
Julian Assange has been sprung from Belmarsh prison.
Apparently, he reached a deal with the United States government agreeing to plead guilty
to an espionage charge in exchange for being sentenced to time served.
He was literally sentenced about 10 minutes prior to us recording this.
He's in a US court in the Mariana Islands,
and will be getting on a plane shortly
and heading back to his home country of Australia.
It's certainly been a very long time coming,
and I think the fact that he got time served
and probably would have gotten less time
had he gone to the US 15 years ago and faced the music there
Well, he wasn't even being charged in the United States 15 years ago. These charges came under the Trump presidency. Previously, the reason he went to the cupboard in the Ecuadorian embassy is because he was fleeing, like, sex offense charges that he denied, obviously, and claimed were just a ruse to get him extradited to the United States.
But at that time, he hadn't been charged.
Yeah, yeah.
It's funny because the story is so long ago now.
And it seems, you know, I'm trying to imagine what we were talking about on Risky Biz in 2012.
Like, it just seems like such distant history because so much has happened for us.
And yeah, as you say, he's been in the broom cupboard and then in Belmarsh for such a long time.
And WikiLeaks just seems so not relevant anymore.
And yet, Adam, this is surprising because Assange's wife, Stella,
put out a tweet for a fundraiser last night because he, you know,
this release has involved
a lot of diplomacy between Australia, the United States and England where he was being held.
You know, he's wound up on a private jet for this transfer to the United States court and then
onwards to Australia. And that has been arranged by the Australian government, but they're billing
him for it. Right. And that's about half a million US dollars.
So his wife puts out a crowdfunding announcement last night that linked through to a crowdfunding page.
Look, I checked it, you know, maybe half an hour ago,
and they'd already raised 250,000 pounds.
And that's in like something like 12 hours.
Yeah, that's pretty wild.
And I guess, you know, maybe it is we who are in the niche
that think WikiLeaks is, you know, struggling for any particular relevance these days. And, you know, clearly a lot of people do remember it and are willing to plunk down their hard-earned cash. But I don't know, like, it feels weird seeing, you know, the end of this story, or at least the beginning of whatever. You know, I don't know if there is a next chapter. Like, what does he do? "And then he lived quietly ever after" is not what's going to happen here.
No, it doesn't seem super likely, does it? So, no. Yeah, I mean, he's gonna end up back in Australia, and, you know, I assume there's probably quite a list of things to do after you've been stuck inside for so long. You know, have a parma now he's returned home. You know, have a chicken parmigiana. An Australian delicacy for those who are unfamiliar.
Yeah, just on that point of like, you know,
we would have thought WikiLeaks had slid into irrelevance by now.
I mean, he certainly is a figure who is admired by a lot of people
for sort of sticking it to the man, right?
Rightly or wrongly, he has a support base.
And I think without that support base and without activists, the Australian government
wouldn't have found it necessary to make representations on his behalf.
I mean, he was accompanied on the first leg of his trip by Australia's ambassador to the
UK, Stephen Smith.
And then Kevin Rudd, the former Australian Prime Minister and current Australian ambassador to the United States,
walked him into the courtroom, you know?
So this thing, there's been a lot of politics here,
a lot to unpack.
It's, you know, personally, I'm just happy it's over, you know?
Yeah, and I imagine he probably is happy
that it's coming to a close as well.
And, you know, it is interesting seeing the amount of, the amount of diplomacy that must have gone on.
You think about how many meetings there must have been.
But of all the stories that we would be talking about,
you know, 10, 15 years after they happened,
it just doesn't seem the most consequential thing.
But yet, as you say, there are a bunch of people
who have supported them.
And, you know, I'm thinking the amount of times
since I last saw a Free Julian sticker on something
is probably in the order of only months. Yeah. So, yeah.
Well, it feels like everybody's getting what they need, you know. The DOJ is getting a felony conviction, for he's pleaded guilty to conspiring unlawfully to obtain and disseminate classified information. And, you know, he got up in court, in a US court, was asked to sort of recite his charge. And he said, "Working as a journalist, I encouraged my source to provide information that was said to be classified in order to publish that information. I believed the First Amendment protected that activity. I believe the First Amendment and the Espionage Act are in contradiction."
This is what he said at his own sentencing,
which is, you know, pretty cute.
But yeah, look, it's over.
And, you know, my joke was he's been sentenced
to time served and the rest of, you know,
Australians have been sentenced to enduring
Julian Assange appearing at writers' festivals
for the next 20 years, right?
Dear, oh dear. Unfortunately, you are right. And I'll just end our discussion on this with a quote that the ABC here in Australia obtained from Larry Pfeiffer, who was a former CIA chief of staff, and he is quoted as saying: "I'm happy. The man, I think personally, served more time in his self-imposed exile at the Ecuadorian embassy and his time in UK prisons fighting extradition than he probably would have served if he had come over to America and faced a judge and jury and had been convicted."
So, yeah, again, I mean, that's, I think,
during our live show at AusCERT,
I said, he's got to stop fighting this extradition
and just cop a deal.
And, you know, he'll be sensitive.
And here we are, right?
So not an entirely unexpected outcome,
except for the people who are convinced that Pompeo was going to, like,
you know, Novichok him or something.
Well, there's still time, I guess.
Yeah.
Now, moving on.
And Kaspersky, the US government has dropped the hammer on Kaspersky.
And, you know, the use of Kaspersky software is essentially being banned in the United States.
From the 29th of September this year, Kaspersky is forbidden from updating its software on American computers.
This ban has been accompanied by a range of sanctions against various Kaspersky executives.
Interestingly enough, though, Eugene Kaspersky is not one of them,
which would suggest to me that perhaps the people who have insight here
realise that maybe he's not the problem.
I doubt it's just because he's a liked figure in InfoSec.
Generally, Treasury doesn't care about such things.
So I thought that was an interesting angle here.
So I guess the question is, Adam, that I've got for you,
is do we expect that a lot of the computers
that are going to stop receiving updates
will slide into a vulnerable state,
or do you think that people will be able to,
that most people will realise this is happening
and then find alternative solutions?
I mean, you do have to wonder whether the sorts of places that are still running Kaspersky
to this day are particularly well-maintained and up with the news when it comes to security
software. So I suspect we are going to see quite a lot of abandoned Kaspersky installations, but
those are also probably not really the ones that matter. You know, home computers and things that have just had Kaspersky for years, you know, are probably already bit-rotten so many other ways.
Well, that was going to be my comment, which is that, you know, unmanaged boxes, generally speaking, like, this is the last of their troubles, right?
Well, yeah, yeah, exactly. And, you know, there may well be, you know, corporate installations and other use cases that are going to require a bit of lift to replace with something else. And, you know, because Kaspersky was a big AV vendor and, you know, from a technical point of view really pretty good, so there were some places that, you know, chose it on technical merit versus, you know, McAfee in its heyday. So, you know, there'll be some people have to do some work, but, like, this writing has been on the wall for quite some time.
So, yeah, it has. It has. I mean, you know, when we were all at our retreat last week, or all at our big Risky Business meeting last week overseas, our colleague Catalin Cimpanu pointed out that Kaspersky software is pretty popular in ICS environments, which kind of makes sense, because I feel like for most corporate machines we've moved away from that AV, you know, paradigm and much more towards EDR, and realizing that AV on its own, you know, is only so effective. So, you know, it makes sense that, you know, some of these more niche environments are where you tend to find it.
Yeah, I don't know what's going to happen here, but it's going to be an interesting case study
one way or the other, right?
Yeah, it certainly is going to be interesting.
I mean, they were also pretty reasonably scaled
in things like, you know, mail gateways
and stuff like that,
because there are plenty of environments
that use the Kaspersky engine to, you know,
to scan mail, to scan web traffic, whatever else.
So, you know, there's going to be a bit of lift and shift that people have to do to replace it with something else.
But, I mean, usually those sort of gateways do use multiple engines, though, right? You just, like, tick the box and use a few.
Yeah, yeah. And that, you know, totally makes sense, but defense in depth is good. But yeah, overall, I mean, you know, for the Kaspersky employees, there's lots of people who work for Kaspersky outside of Russia. You know, I've known a few over the years, and, you know, it was a company that many of them felt quite proud about because of its technical heritage, and, you know, Eugene, as you said, being a likable figure. But yeah, like, I just can't imagine there's going to be a huge impact from this, you know, big picture, infosec-wide.
We're not going to see lots and lots of stuff being destroyed through unpatched bugs in Kaspersky software.
Although I noticed that runZero does have fingerprinting for a bunch of Kaspersky stuff.
So if you do want to discover what's in your environment that you need to fix,
then HD can probably hook you up with their Kaspersky detection tricks.
That's a really good point, actually. I didn't think of that. But yeah, if you want to do a search and destroy, runZero is pretty good. It was really handy, remember, when everyone did search and destroy on Exchange. People were using it for that, right? Like, you could actually scan your whole internal network. Like, not for stuff, I mean, yeah, okay, stuff on the internet, that's going to be easy enough to find. But it was like, people had a lot of Exchange internally at a lot of places, and yeah, runZero was pretty good at, like, hunting it down so you could put a bullet in it.
Yeah, well, that's definitely time to do that for all of your K products. Now, let's talk about what's going on at CDK Global.
this is a ransomware incident which has turned out to be actually quite interesting because it has affected a software as a service platform that's used by something like half of all car dealerships in the United States.
So car dealerships in the United States, according to car dealership guy who I follow on Twitter because I'm interested in cars and the car industry is just a little interest of mine.
You know, he was saying something like 3% to 3.5% of US GDP
is actually car dealerships, right?
And now you've got this ransomware incident
that has, you know, knocked out half of them
and they have had to revert to manual processes and stuff.
You know, economic impact on this I don't think will be that great.
Again, talking to Catalin when we were all away, and he's like, yeah, you know, maybe they're going to delay some purchases,
but people aren't going to decide not to buy new cars because it's their purchase has been
delayed by a week. Right. So I think that the end result here is just like a lot of,
a lot of raised blood pressure among people who work at car dealerships for now. But I think the
interesting thing here is that the company is, has, reports say that the company has decided to
pay the ransom. And I just wanted to look at why that is. Now, why I think that's happening is
initially they had detected this attack against them and were mid-eviction when the attackers kind of won, right? So they
were going hand to hand with these attackers, thought they'd got them out, and then they just
got owned sideways. Now, this is something that I forgot. I just forgot to mention. We've discussed
it, but I forgot to mention when previously talking about a ransomware payment ban.
One reason that people will often pay is because they can't evict the attackers. They lose.
They go hand to hand against the attackers and they just can't get them out. So there's no other
way. They can't even do the recovery because they're just, you know, the attackers are just
all over their network, right? So here we have a good example, I think, of an economically critical
supplier that needs to pay, otherwise
they're just not going to bounce back. And it's exactly cases like this why I think supporting
a ransomware payment ban would be a really bad idea. Yeah, and I think it's a really interesting
point because there's not very many people who have experience going hand-to-hand, as you say,
in environments like this, complicated environments, with attackers.
And even as attackers, it's not a super common thing to do.
I mean, we as pen testers, as red teamers,
we would often ask, when we were setting up the rules of engagement,
once we are detected, what should we do?
Should we call it a day, call off a meeting, stop everything, pull out?
Do we skirmish?
Do we carry on like a real attacker can do?
Do we RMRF the boxes of the people responding because we have domain admin?
Can we actively interfere with the response process?
And it was a very rare customer that was willing to do that.
So it's unusual for defensive teams, response teams, to have to operate in those environments. And so for many people it is actually pretty new, having to recover in an actively hostile environment like that. So, like, it's not surprising that it's a common thing in ransomware.
Well, it is, right? But it's not necessarily a common thing for defensive teams to have experience with. And as you say, when we're having that conversation around banning ransomware payments, it's not a common experience for people in the non-criminal world to have opinions about, because most people haven't been through it. So I think it is a really interesting angle. And as you say, this is a good example of where just paying them to shut up and give you a few weeks to deal with it, you know, it sticks in the craw, but what other options have you got?
So, according to Bloomberg, I'll just read from their piece here, which was published June 21. The piece is "CDK Hackers Want Millions in Ransom to End Car Dealership Outage." "A group that claims to have hacked CDK Global, the software provider to thousands of car dealerships in North America, has demanded tens of millions of dollars in ransom, according to a person familiar with the matter. CDK is planning to make the payment, said the person, who asked not to be identified because the information is private."
So, yeah, watching this play out has been pretty full on. It's been interesting watching the Car Dealership Guy, who runs, you know, I guess kind of like Risky Business, but for car dealerships.
Similar sort of independent news.
Yes, yeah. And they've got, like, you know, 25 crowdsourced tips for dealers who are dealing with this and whatever. Like, they seem to have actually done, just from a media perspective, a really good job of covering this. Reminds me of when the, what was it, the meat packing company, was it JBS or something?
Yeah.
I just remember, like, you know, all the best media actually came from, like, beef journalists, right? Like, not so much the infosec media. But yeah, just a fascinating case study and a good example of, you know, why a payment ban could get complicated.
Yeah, exactly. I think it's a great example of exactly this problem.
And buying a car is probably as American as apple pie, right?
And maybe we'll see some other response options.
Maybe they'll pay it and we'll get the feds or the spooks or whatever
or go and steal the cryptocurrency back and give it to them,
like we saw in whichever one it was.
Colonial? Was it Colonial?
I think Colonial, yeah, they managed to get it back.
Yeah, in the end, whatever gets the job done
is probably all they're worried about at this point.
Yeah, that's right.
Now, look, staying with ransomware,
and we've talked about this case previously,
which was this pathology organisation in the UK
that does a lot of blood typing and whatnot,
being ransomwared and that having serious knock-on impacts onto hospitals.
The BBC has a write-up here, which is just incredibly depressing,
reading something like 180 cancer surgeries have been delayed because of this.
And the story starts by looking at this 14-year-old boy
who was due to have a tumour removed from his ribs,
and that's been delayed.
And, you know, interviews with the parents saying, you know,
it would be obviously infuriating if this were to impact on his health
in a lasting way.
Just some terrific journalism here that really brings home
what the impact of these sorts of incidents is and why these people need to be tackled seriously.
Yeah, I mean, if you were going to make an argument that this is a national critical function, like, being able to provide health care to sick kids is what we have, is why we invented governments, right? So that we can have collective care for those in society who need it. And yeah, I mean, well, I mean, that's the non-American view. Like, I'm not trying to, you know, I'm not trying to turn this into a criticism of US healthcare, but I think it is interesting, the difference in the mentality around healthcare being a sort of communal thing, which it is in the United Kingdom through the NHS, and which it is in Australia and New Zealand via our government healthcare systems. I think just the mentality is a little bit different,
which brings us to the next piece, which is also about this. It's from The Guardian, and the headline is, "UK government weighs action against Russian hackers over NHS records theft," which is, you know, related to all of this. So, they're thinking, like, do they go on a search and destroy mission to try to find and destroy the data? But there isn't a universe in which GCHQ isn't getting some tasking here to go and deal with this, is my point, right? Whereas in the United States, it's sort of, I don't know, they just think about this differently.
Yeah, no, that is actually quite a good distinction there. And I imagine that, you know, GCHQ people are chomping at the bit to be allowed to go, you know, take care of the people behind this, take care of the data if possible. And the idea of being able to go and hunt down the data that gets stolen and attempt to delete it as much as possible, you know, that's a hard thing to do with any degree of confidence. But, you know, with something like this, it's like, well, you know, whatever options you've got on the table are worth considering, and if they've got the necessary access, then why not, right?
Well, and you can guarantee, like, beyond any search and destroy for stolen data, you know, data that was taken as part of this whole thing, you could guarantee that this is getting attention at the highest levels of government, just as the Medibank Private incident did.
Yeah, and as well it should.
What's the point of having all of this spooky apparatus
if you can't then use it to protect your people?
Yeah, it looks like there's a government action too
against Medibank.
I think we talked about that recently.
There's been a little bit more detail
on how the attack actually happened.
It was interesting actually, because it turned out a staff member had used a personal browser profile on
their work computer that synced their creds to their browser on their home
computer. And there was an info stealer on it,
but really what did them in is they weren't using MFA on their VPNs,
which is, yeah, but it's just, you know, it's just,
I did find that browser syncing thing interesting
because how many people are aware of that
as something that can bring you undone, right?
Which is a staff member using a different browser profile
on a, you know, on a managed device
that then syncs that information elsewhere.
Like it's just, oh, what a way to get done, you know?
Yeah, no, it is.
It is a really interesting detail
because, you know, that kind of nuance of like,
where do I use separate browser profiles?
How do I segregate them?
What's the security impact?
Like people like us who are professionals at this stuff,
even, you know, it's not always clear.
Like, should I, you know,
like for example, in Twitter these days,
if I click on a Twitter link in my risky biz browser profile, I'm not logged into Twitter,
because I have a personal Twitter account, but I can't see the thread unless I'm logged in.
So now I have to take links from our internal Slack and paste them into my personal profile
so that I can see the unrolled thread. And like, you know, I've been doing this a long time,
I understand how it works, and yet, you know, crossing those boundaries is just so easy, and you don't really think about the consequence when you just want to get your job done. So, like, yeah, it's complicated, and I have sympathy for organizations that get popped like this, because making a policy or making a, you know, process, making a sensible way to get your job done that covers all these kind of weird niche edge cases, like, it's complicated and hard.
Yeah, I mean, I've seen people making a lot out of the idea that Medibank could face a fine of, like, 2.2 trillion dollars, which is, okay, cool, it makes for a great headline figure, but that's nearing the GDP of Australia. And I don't think the Australian government is going to want to literally bankrupt one of our most important private health insurance companies. So I think we can let go of the idea that there's going to be a $2.2 trillion fine here, you know?
Yeah. It's like when you see American, you know, CFAA charges, and it's, you know, 40,000 years of jail time for, you know, whatever they were doing. So, yeah, that's not exactly how it works.
Not exactly how it works.
And look, we've seen another healthcare-related ransomware attack, again, targeting a pathology lab, this time in South Africa.
And South Africa is in the middle of an mpox outbreak.
This is the disease formerly known as monkeypox, but we decided that that was a bad name.
So now it's mpox.
But, you know, again, like healthcare is where ransomware actors
seem to be doing the most damage at the moment.
Yeah, I mean, it's a place with, you know,
a super wide use of technology for really important stuff
and without really the budget or focus to do it right,
or even that it is clear there is a way to do it right,
you know, when you're balancing life and death situations and so on.
But I think, again, like, outside of the US context, I think when you're doing this to countries where
healthcare is seen as a government function, it creates political pressure, and political
pressure to solve this is dangerous to you, the ransomware person. I think the ransomware people
are sort of making a bit of a mistake here by causing this much trouble to healthcare in countries where the citizens
rightfully see it as a government function. Because then they're looking at the government saying,
what are you doing about this? And they need to have an answer.
Yeah. And I think that's excellent advice from Risky Biz for ransomware operators to maybe think
twice about healthcare in places in the US.
Stick to the car dealerships, you know?
Yes.
And the oil companies and the meat companies.
I mean, you know, Timmy can't buy a Volvo is one thing.
Timmy can't have cancer surgery.
Hits a little different politically.
Yeah, it certainly does.
Jesus, what a world.
Yeah. So Cybersecurity Dive, meanwhile, has some data here from a company called Marsh, which is an insurer, looking at the percentage of people who are actually paying ransoms now.
And interestingly enough, it is going down. And the thinking seems to be that, you know, when this ransomware epidemic really first started hitting enterprises, they just weren't ready.
And now there is at least some
readiness among enterprises now. I mean, this is as much as you would expect, I think.
Yeah, yeah. There was a few interesting other tidbits, I thought, in this data set. So the
report is from a company called Marsh. They have something like 1,800 claims that they're basing
this data on. One of the things that was interesting is that the
percentage of companies that they insure who have a cyber policy who made claims has been pretty
constant over the years, but the value has changed in the breakup of like which particular industry
as you would expect, healthcare is at the biggest, but it's still like 20% of the claims they service are ransomware,
and that's been constant since 2020 in their data set.
So other things like BEC and privacy-related stuff
that's not straight from ransomware
still makes up the majority of claims that they're facing.
So we were having that conversation, I don't know, like a month, couple of months ago, about whether we felt like ransomware had, you know, kind of backed off a little bit, whether it had gone down a little bit. And, you know, in the end it was, you know, maybe there was a little blip, maybe it was just a gap because of LockBit, who knows. But, you know, their data seems to suggest that it really hasn't changed that much in terms of volume over the last few years.
Yeah, sure. But, I mean, the LockBit takedown was quite recent, right? And so was the ALPHV, you know, or Alpha, or whatever you want to call them. Like, that's been pretty recent. And I think, you know, as we talked about previously, right, like, there's a million different ways that you can look at ransomware in terms of, is it going up or down, or is it changing? Like, how do you measure impact? Is it the criticality of the companies that have been impacted? Is it the median size of the ransoms? Is it, you know, there's so many different ways that you can measure it that trying to just whack a single metric on it, I don't think is particularly productive. I think we can say that we've observed changes in the ransomware ecosystem since governments have got more serious about disrupting them.
And I think that if they continue to disrupt, we'll see more change. And, you know, let's just see. Let's just see where that all goes. Tom Uren about this disastrous United States information operation that was targeting people
in the Philippines and elsewhere in Southeast Asia, which was trying to undermine the public
perception of China's Sinovac vaccine. Since Reuters published that exclusive report, which
was terrific work, by the way, so congratulations to the team there. We've got some follow-on
reporting here that says the government in the Philippines, some lawmakers there, are spinning up a probe into all of this. I would imagine, you know,
this has potential to get messy. The Philippines obviously is an important ally for the United
States, particularly with everything going on in the South China Sea. And, you know, as we said
last week, this whole thing was ill-conceived, and I think we're going to get a chance to really see why.
Yeah, I think this is going to be a real messy thing for them to unravel. The political situation in the South China Sea area absolutely is going to play into this, because we've got the dynamic where, on the one hand, you know, it's pretty rude of the US to go mess, you know, this campaign was pretty inexcusable. Like, it was rude and nasty, and they should have...
Well, it was ineffective too. Like, it was completely, I think it was pointless. You know, I mean, if this did something, if this achieved some sort of terribly important geostrategic goal for the United States, you might conceivably say it was worth it. But it would have to be something pretty big to justify discouraging vulnerable people in developing countries from taking a vaccine for a disease that could kill them, you know? Like, yeah.
Yeah, absolutely. Yeah, I mean, that would be hard to justify at the best of times. Yeah. But I guess where I was going was, on the other hand, Philippines versus China, and they're trying to see, you know, if the Philippines doesn't want to end up on China's side, then they kind of have to let the US, you know, do American things a little bit, because, you know, what's the alternative?
They also need to manage the politics of this, right? Like, you know, they can't just govern based on geostrategic interests. They need to keep their people happy, and that's going to be hard here. Like, this is, it's just such a dumb idea, the whole thing. So dumb. So, so dumb. What were you thinking, Americans? What were you thinking? Like, yeah. So watch that space. Let's see what we got here.
Now this one I think is pretty interesting, actually. It's a piece from Lorenzo Franceschi-Bicchierai over at TechCrunch. And basically what happened is a clip from a recent interview with Pavel Durov, who's the founder of Telegram, had a bit of a semi-viral moment over the weekend.
And in it, Durov is saying, oh, we've only got 30 engineers.
We run really lean.
And I think, you know, it was sort of embraced by various sections of the online community
of, see, look at these tech people, you know, you can do more with less and whatever.
And Elon had the right idea, you know, sacking all of those people at Twitter.
You know, cut staff by 80%, also cut revenue by sort of equivalent numbers, so I don't know if that was much of a success.
But yeah, so really people have taken a look at that and said 30 engineers running Telegram doesn't seem like the flex you think it is, bro. Basically, it does raise questions about the quality of the software and the infrastructure that supports it, you would think.
Yeah, like this does feel like a metric that has backfired a little bit, because, you know, you're running a network, a social network, you know, platform for what, like a billion users? And if you're going to do that with 30 people, I think, actually in the end Telegram came back and told Lorenzo that they didn't mean 30, they meant 30 core plus another 30. So even if it's 60, whatever, like 600 would still be, you know, a small number. Like how much security can you do with that? How robust can your internal systems be? How do you defend, you know, those 30 or 60 or 600 people, or whatever, you know, from being bust into? Like that's not a lot of defensive options. And given the architecture of Telegram, you know, with that lack of proper end-to-end crypto, etc., I think it's, in that piece, I didn't realize this, the crypto for Telegram was written by Durov's brother,
which, you know.
I'm sure it's fine.
I'm sure it's fine.
Like maybe his brother is an excellent, you know,
there's lots of excellent Russian mathematicians and cryptographers.
So like it might be amazing,
but balance of probability is probably also not great.
Like it's just, it's such a juicy target for so many people.
Yeah, I mean, where is that?
You would think that their detection team
just on the infrastructure side should be 30 people.
I mean, you'd kind of hope so, right?
You know, let alone like how many people on code review,
how many people on safety, like how many people on this,
you know, you would think hundreds, if not, you know,
a thousand plus would be required to actually do this
in a way that matches how
important this app has become in all sorts of parts of the world. Right. So yeah. Odd flex.
Definitely very odd. And I was really glad to see that, like we, that it went with this angle,
like they flexed and then people were like, hang on a second. That means you've got what,
like one security guy, maybe two. That doesn't make me feel good. Like I'm pleased that that was the response, you know. Yeah, yeah.
Just going back on the Twitter thing for a moment, I mean, yeah, people are like, see, Elon was right, Twitter didn't fall over. Which, on one hand, so he did manage to fire like 80% of the staff or whatever, and the site has been remarkably reliable, which I think is a testament to the SRE that went into this
whole platform, right, to begin with. But I do just want to use my microphone here just to push
back ever so slightly and note that every time you click on a viral tweet these days, below it
is just bot replies with, you know, tangentially related videos or whatever that are obviously
being programmatically added, you know, to these threads. So Twitter has become really a lot less useful. So ignore the lack of
content moderation for a moment where you've got all of the Nazi stuff and like just absolutely
abhorrent racism, violent videos, whatever, right? So there's all that side, but that's a policy
choice. Fair enough. But the idea, you know, when he bought it, he said he was going to tackle the bots, and it's just, you know, bot central these days. So yes, SRE, sure, the site didn't fall over, but the user experience has really deteriorated as a result of those staff cuts, and it's just insane to me that people are arguing otherwise.
Yeah, no, I agree completely. When the utility of the platform has dramatically dropped, and not just because of the network effects of people leaving, like what's left is also surrounded by trash and it's impossible to find useful, well, you find useful stuff, but it's just, you know, compared to what it used to be, like, you know, it's a lot harder to find good stuff, useful things, relevant stuff, just when we're hunting news for.
Well, and just a lot of people who used to post there don't anymore,
and you know you really used to feel when you were on Twitter
that you were watching history unfold in front of your eyes
as world leaders would chime in and, you know,
clarify their positions on it as a platform.
And that sort of stuff just doesn't happen anymore.
So I do mourn a little bit the Twitter revolt,
even though it was always kind of a hell site.
But, yeah, like people who used to call it a hell site previously, it's like, oh, if only you knew. Just you wait and see. Hold my beer.
All right, we're going to switch into some bread and butter infosec now and look at a write-up on some historical Windows Bluetooth bugs. Adam, so we talked last week about Wi-Fi bugs, and like that led to kind of conversations about proximity bugs in general. And this guy, who goes by, I guess, Yin Wax at Proton, wrote up his analysis of some old Windows Bluetooth stack bugs. So these are bugs from earlier this year that Microsoft had released, and he went through, dug up how they worked, and wrote up some explanation of the bugs and exploitation.
This was if you are nearby and you can talk Bluetooth, then there was a remote code execution and a local privilege escalation via bugs in the Windows Bluetooth stack.
So one of the conversations you and I had had when we were talking about the Wi-Fi one
was like, what's the state of exploit mitigation?
How difficult is it to exploit
this kind of over-the-air bug
in modern operating systems?
And this one was interesting
in that the local privesc
was relatively straightforward to exploit.
The remote code exec,
he got to a point where he can trigger it reliably,
but actually turning it into a working POC
was still difficult. So there was some, you know, like heap spraying required to
make it work and, you know, probabilisticness, but got there in the end seems to be his take on it.
So I thought that was just an interesting, you know, like comparison to that Wi-Fi bug that we
were talking about. And when you read these write-ups,
one of the things that strikes me is
I really wish that Microsoft's advisories
have these kinds of details
because now we know a lot more about how the bug works.
We can draw better conclusions about it.
Like the use of this particular Bluetooth bug
in local privilege was really interesting,
the technique that they used.
So there's just so much to learn from these.
And it's a pity that security advisories have become so thin these days
compared to what they were in the heyday of Bugtraq.
Well, but I think that's a volume issue, right?
Like there's just so many bugs these days and it's difficult.
Like it's probably better just to ship a patch.
But that Wi-Fi one, which we're going to revisit in a moment,
I was deeply suspicious on that.
I do just need to correct you though,
because the bugs that he was talking about,
they weren't from this year, they were from last year.
So they were from March 2023, and that's when Microsoft launched them.
Oh, yeah, it's 2024 now, isn't it?
It is 2024 now.
In my head, it's not 2024 AD.
Now, look, speaking of those Wi-Fi bugs that we chatted about last week,
we do have some more details on them now.
And, you know, it's sort of a little bit like those Bluetooth bugs, right?
Which is that exploiting them is probably going to be fiddly.
Yeah, yeah, it certainly is.
We saw a guy called Farm Poet on Twitter start to reverse engineer the patches and dig up some details about exactly where the bugs were.
And it came down to the bug is in handling Ethernet frames
with the Ether type of VLAN.
So if you're using VLANs over Wi-Fi,
then they get translated from 802.11 frames
back into regular Ethernet frames in the driver stack.
So he dug that out of the patches.
And then another guy has been going through the process
of building some code to actually trigger those bugs and get to the point where we can, you know, trigger it, and then we can look at exploitation. So, you know, it's nice to have a little bit more detail. It's nice to understand some of the specifics. So in this case, like we are talking about Ethernet frames being delivered, which is a post-auth thing. But in the case of Wi-Fi, if, you know, someone's looking for an open network, you can stand up a network that matches, or if you know the creds, then, you know, the post-authenticated option is also there for you, which is a detail that we didn't really have in the Microsoft advisory. But yeah, so far no working exploit, and as to quite how difficult it is, still feels pretty difficult, because we are talking corruption and, you know, calculating the size of data that we're going to pull out of the packet.
So we've got a slightly shorter run sheet this week, which is going to give me an opportunity to talk about a Wi-Fi protection that's interesting, right? Because in this case, the way that you get to this bug, to this attack surface, to exploit it is you can either be on the same network as the vulnerable system, or what the person doing the write-up here has suggested is that you can listen for probes and spin up like an open network so that the client will connect to it, and then you get access to that attack surface, basically.
Now, the reason I just want to talk a little bit about iOS Lockdown Mode and one of its limitations,
which I only discovered recently.
So I've been a happy lockdown mode user for a long time.
I recently bought a new car.
Some people who follow me on social media
would know I had a sort of classic Mercedes 500 SL.
I sold that, I bought a Toyota Supra,
you know, current model, six-speed manual, phantom gray.
Very nice.
Love it.
But it has an old...
It's a very nice looking car.
And a very nice car to drive.
Very fun.
But, you know, you have a look at the infotainment system in that car.
And it's actually not made by Toyota, that car.
It's actually made by BMW at Magna Steyr.
It's one of those weird automotive partnerships,
but they got the older style BMW infotainment system in that car.
BMW didn't want to give them their latest and greatest version
of their iDrive system.
Now, what's interesting is I took delivery of the car
and I could not make CarPlay work.
And I figured out eventually that the reason I couldn't make it work
is because if you're running lockdown mode, you will only auto-join WPA2 networks, right? So you,
if you're using like WPA with TKIP or WEP or just an open network, like it will never auto-join and
that is required for CarPlay to work.
So I just found that interesting
that the reason lockdown mode introduces this protection
is specifically for instances like this.
So it's not, some people think,
oh, it's about confidentiality.
So you're not connecting to a vulnerable network
where your content can be sniffed.
That's not actually it.
They do this so that someone who's got some 0day somewhere along the Wi-Fi stack can't just sidle up next to you, force a connection
to a network where they've previously cracked some key mat or whatever, or one that's just open,
and then start throwing exploits at your phone. But it also means that I can't use CarPlay in my
Supra. And I would very much like it if the people at Apple
are listening, if we could have a lockdown mode that's just a tiny bit more configurable, because
you know, I love lockdown mode, but I don't like, you know, and I don't really care about this
physical proximity attack against my device, because I live in a regional area. And I figure,
you know, if someone's going to make the effort to travel all the way to where I live to own me, they're probably going to get me
some other way anyway. So it would be really super nice if you could just make that a bit
more configurable. Do you think that's fair enough, Adam? Yeah, I do. I mean, Apple loves
having a, you know, one button that fixes everything kind of approach. Like they like
that sort of magic. But yeah, there is nuance in these trade-offs, and, you know, it would be a pity to have to throw out all of the other goodness of Lockdown because you can't listen to, you know, something in your car, because you can't CarPlay, because, you know, because of this, right? It's one of those, like, butterfly flaps its wings and here's the downstream consequences kind of thing. So yeah, it would be nice for a little more configurable.
Like I also was running Lockdown, and the thing I found that made it difficult for me was plugging in a Thunderbolt dock to my Mac requires you to click a "yes, I would like to connect to a Thunderbolt dock", which, you know, Thunderbolt shares RAM, it's pretty risky. In this case, like every time I dock my Mac, I have to click a button, and I have to do that after it's docked or the screen's not in the right place and it's hard to find the button, because, anyway, it's...
Yeah, it would be nice to have a little bit more configurability.
Because if you're not worried about like DMA attacks
by plugging into a Thunderbolt thing, which I'm guessing you're not, right?
So yeah, that would be nice.
I doubt they'll do it.
It would have been such a politically difficult thing
for the folks to actually get that done.
And the last, you know, the last thing they want
is to introduce a bevy of new options, right?
Because it just runs counter to the Apple ethos.
But, yeah, we did get an answer too on your concerns
around HomePod last week when you were like,
well, how does that work with Keychain?
Where apparently your iPhone needs to be on the same Wi-Fi network, because it actually relies on the iPhone's access to the keychain to do these privileged things. So again, it just shows that Apple really is thinking about these security and trust boundaries when it comes to the interaction between their products, which is reassuring. But again, they can only go so far, right?
They can only go so far unless you're running advanced protection.
But anyway, that is it for the week's news.
Adam, thank you so much for joining me for that conversation.
Fabulous as always, and we'll do it all again next week.
Yeah, thanks, Russ.
Pat, we certainly will.
I'll see you then.
That was Adam Boileau there with a look at the week's security news.
Big thanks to him for that.
It is time for this week's sponsor interview now with a good friend of mine,
CrowdStrike co-founder turned think tanker and national security commentator,
Dmitri Alperovitch.
This week's sponsor is Island, the company that makes an enterprise browser.
And I will admit that when I first heard about Island, I was actually a bit skeptical.
And it was Dmitry who convinced me that this idea and company had legs.
And he was the one who actually made the intro between Risky Biz and Island.
So he joined me in this interview
at Island's suggestion to talk through why he invested his money into the company. And here's
what he had to say. All of us are spending most of our time in the browser, right? Doing email
in the browser, accessing websites, enterprise websites, consumer websites. So having full
control, being able to rewrite those pages based on enterprise
wide policies, being able to ping the endpoint and see, does it have a CrowdStrike installed or
SentinelOne? What is the security policy? Get the user information from the AD, figure out what
rights they have in terms of not just accessing pages, but even what data they can provide to a
website, right? Then which website, and within an application, should that user be able to do certain things, like, you know, initiate a wire transfer, for example? Or should we pop up, you know, on the fly another step-up on their authentication to do that type of action, even though the original application doesn't let you do that? You can do that by rewriting literally the JavaScript on, right? So the power that you have in controlling fully that browser footprint,
as well as having that tie into the desktop, because you know, if you control the browser,
of course, you can check what's going on on the machine itself, presented so many opportunities,
both security opportunities, and broader productivity opportunities that I became
convinced that this was going to be one of the biggest companies I've ever seen in security,
perhaps the biggest. Yeah. I mean, it's funny, right? Because so much of this we can already do
with other bits and pieces, right? Some of this you can get through like Zscaler or whatever,
and you've got some of those DLP use cases and you've got the endpoint health attestation
through Okta and whatnot.
But like fundamentally,
that all sounds like a pretty big project.
Whereas when you can actually just do this as the browser,
all of a sudden it's much simpler, you know?
Like you can do this with other things,
but it just makes so much more sense
to do it with the browser.
And it's so much more elegant. And because you have control of the webpage, you can rewrite that
webpage. You can control what user enters into that website, right? You can just have many more
possibilities. And also, you know, this has become for them a huge consolidation play where they're
taking budget away from Citrix. They're taking budget away from VPN providers, in some cases, even DLP providers, because they do all those use cases.
And you get one solution instead of a whole bunch of vendors.
Many of them will get you hacked anyway, as you cover on your show.
Yeah.
I mean, one thing that occurs to me, though, right, is there is still some of these core enterprise applications that aren't web-based, right?
There's still a lot of these thick client things.
I feel like that's finally dying off.
You know, I'm not as in touch as I need to be with this.
I mean, obviously, you know, your engineers and whatnot
are going to need to access various protocols and whatever.
But the idea of using like thick client apps in the enterprise,
like is that actually dying off yet?
You know, you talk to more CISOs.
You talk to as many CISOs as I do.
Yeah, mostly.
I mean, there's always going to be that one legacy app
that's going to be around for 20 years, right?
But you can massively reduce the number of people
that need to use it, right?
So, you know, they were just telling me
about a use case they have with a huge bank
that is literally cutting their Citrix spend in half.
And by the way,
that Citrix expense goes into tens of millions of dollars, like really, really massive,
because they're saying, you know what, we don't need people to access all these applications
through Citrix. Most of them will just go on Island. Now they're not totally eliminating it
because there are a few use cases that you still need it for, but it's still a huge saver. It's
reducing your attack surface, right?
You're literally saving a lot of money here.
And the CIOs love it.
You know, the sooner that people get rid of Citrix, I think the better the world will be from a security perspective, at least.
But, you know, even just the user experience is so terrible.
And, you know, they do a lot of work with these call centers that are around the world that are connecting to all these customer networks. And just the ability to use a browser with a good internet connection to connect to these key apps without having to be, let's say, in the Philippines connecting to a server in California and everything being so slow.
Like customers actually love it.
The users love it, right?
Because it's just a much better experience.
Yeah, I mean, that is probably one of,
you know, that's one of the drawbacks, isn't it?
With the sort of cloud, you know,
cloud web application connects, right?
Is that there is always going to be
that little bit of extra latency.
Yeah, and particularly, you know,
if you're going halfway around the world,
it's just very, very slow and people hate it.
And as a result, you know,
if you're in a call center or support, outsource support, you know, you're probably not providing the best customer service.
You know, we've all been on those calls where it's like, hold on a minute, let me pull your
account up. I'm waiting for my screen to load. Yeah, yeah, yeah. Exactly.
Yeah. So, I mean, what I find interesting here is that, you know, for years, and I've said this
on the show a million times, right? But for years, we've been saying the browser is the
new operating system. But the level of configurability out of
the mainstream, you know, and particularly edge, right? Like it's, it's really not made a lot of
sense to me that edge is just, you don't get much telemetry out of it. You don't get much
configurability out of it. You know, one thing I've always wondered about Island and people ask
me too, right? Because now that Island's a sponsor, people want to talk to me about it
and they say, well, surely, you know, Microsoft's just come along, going to come along and
crush it. Like, you know, where's the moat here, right? You're the investor. You put money into
this. Like, how did you, how did any concerns you had about, you know, competitive pressure
from the likes of Microsoft,
how did those concerns resolve for you?
Yeah, well, first of all, I wasn't really concerned about any other company other than
the companies like Google and Microsoft that build browsers, right?
Because they're really the only ones that can keep up with the scale.
Because this is actually very, very difficult to do technically, right?
It's built, obviously, on the Chromium browser.
And there are tons and tons of changes that they made to that browser. And, you know, enhanced security,
enhanced features, ability to write code on the fly, connecting to the cloud for enterprise
policies and the like. And, you know, you have to keep up with the Chrome updates, and they release
it as soon as Chrome releases there. So you have to integrate all of that code every time there's a new release.
So it's a ton of engineering work
that's actually fairly complex.
But you're right, you know,
the big browser companies could do something like this.
You know, Google is traditionally not huge
in the enterprise security space, right?
And I was less concerned about them
from a competitive standpoint.
But, you know, Microsoft could do something.
But you know what?
If you spend all your time worrying about what Microsoft can do,
you'd never invest in any security company
because Microsoft could do it all, right?
And the reality is that people still use Macs,
people still use Linux,
and you want cross-platform capabilities.
And also just the wealth of capabilities that they've built into
the browser. They've had years head start. I mean, they're even enhancing the capabilities
of the browser, right? If you think about it, this browser is built right now for billions of people
to use around the world with no inherent customization for the enterprise. So things,
for example, like having one copy paste buffer that we all have, well, that's done for simplicity. But you know, if you're a power user,
you want more, right? And Island has built 50 copy paste buffers into their browser, because
their users want to have more than one, right? So things like even that, you know, small enhancements
that, you know, users just love. See, for me, I just think of this as the bigger problem with
Microsoft and their bundled licensing, which is they'll develop something that mimics another
solution and at first glance looks good enough, but then when you actually use it, you wind up
tearing your hair out. That's my prediction for where that'll go if they start trying to play
this game. Already they've released their, you know, their Enterprise Edge.
And it's like, oh, you know, you can do DLP based on, you know, on Office documents based on their sort of the way that you've classified them.
It's like no one's got time to do classifications on Office documents.
Like some people have spun that up, but it's always a project.
It's always a pain in the ass, right?
You know what I'm saying, right?
No, absolutely.
You got to be simple, but also very powerful.
And again, your audience may not fully appreciate it because it's a security-focused audience,
but I love the non-security use cases here.
One of the things they've built into the browser is a messaging system.
And it's really huge for places that are franchises like hotels or restaurants or whatever
where you have many owners, and the ownership changes a lot, and you don't have a reliable way of actually contacting them, except that every owner needs to actually connect to your reservation
system for example if you're a hotel or you know other systems within restaurants and you can pop
up messages to them to tell them about key updates for your brand or whatever else they need to know.
But you can also provide them with resources where, you know, you can rewrite the page as an enterprise when you fully control the
browser and you can customize the delivery of that content for particular users without having
to rewrite your applications. One of the areas where people tend to push back on Island, right?
And I've experienced this and I'm sure you have too, is they say, oh, you know, for all the reasons
you've said, building browsers is really difficult, you know, like they're going to mess it up, right?
Because the only people who can build browsers are like Google and Microsoft and, you know, Mozilla and whatever. And it's like,
we're in a much better place now with like the open sourciness of browser guts these days. Right.
I mean, but was that, was that a concern that you went through as well when you first
heard of this, that like, Oh no, one of those enterprise browsers is going to be janky as hell?
No, the team here is really, really good.
Dan Amiga, one of the other co-founders,
he was the founder of Fireglass that was doing browser-based security
in a prior life.
So they knew how to do this.
And again, it's based on Chromium, right?
They didn't build a browser from scratch.
Obviously, every feature you get with Chromium that makes sense is integrated into Island as well.
From compatibility standpoint, you got the same version.
So I wasn't really concerned about their ability to do it.
I was really thinking, like, you're creating a new category here.
Are you going to be able to convince people to adopt it?
Where's the budget for an enterprise browser, right? It doesn't exist. And at least initially, you know, in the
post-COVID world, they found this use case of BYOD replacing Citrix, replacing VPNs, but now
broadening it to be much, much bigger. Yeah. And the VDI things turned out to be sort of
unexpectedly quite huge, right? Like, thanks, Broadcom. Thanks, Broadcom.
And, you know, obviously all the vulnerabilities are being discovered,
all the hacks, all the ransomware that's leveraging those vulnerabilities.
That is driving the security guys saying, when can we get rid of this thing?
So thanks, Russian criminals.
Yeah, that's real good.
All right, Dmitri Alperovitch, thank you very much for joining us
to have a bit of a chat about Island
and why you chose to put some of your hard-earned dosh into it.
Appreciate it.
Thanks, Patrick.
That was Dmitri Alperovitch there.
These days he runs the Silverado Policy Accelerator,
but he used to be the CTO of CrowdStrike, of course.
And, yeah, he's also an investor in Island.
And you can find Island at island.io.
And, you know, as you heard, there's just so many good use cases there.
Everything from replacing Citrix and minimizing your Citrix spend to like call center application delivery, whatever.
Like there's a lot you can do with it.
So go check them out.
But yeah, that's it for this week's show.
I do hope you enjoyed it.
I'll be back in a couple of days with a Soapbox edition of the show.
But until then, I've been Patrick Gray.
Thanks for listening.