Risky Business - Risky Business #761 – Telegram v frogs. Fight!
Episode Date: August 28, 2024
On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including:
Telegram founder’s arrest in France
Volt Typhoon 0days some... SD-WAN gear
Russia frets about Ukraine all up in Kursk’s webcams
Cybercriminals social engineer payment card NFC relay attacks in the wild
The slow burn of Active Directory name collisions
And much, much more.
This week’s episode is sponsored by Nucleus Security. Aaron Unterberger joins to discuss how vulnerability management starts out easy, but gets serious very quickly.
You can also watch this week’s show on Youtube.
Show notes
Pavel Durov: Telegram CEO's arrest part of larger investigation
Keep Pavel Durov LOCKED UP
Internet mogul Kim Dotcom to be extradited to the US, NZ justice minister says
New 0-Day Attacks Linked to China’s ‘Volt Typhoon’ – Krebs on Security
Oil industry giant Halliburton confirms 'issue' following reported cyberattack
Seattle airport confronts 4th day of cyberattack outages | Cybersecurity Dive
Russia calls for restrictions on surveillance cameras, dating apps in cities under attack from Ukraine
In a Kyiv hangar, Ukraine launches a cyber range for everyone
U.S. military, on Tinder, says to swipe left on Iran-backed militants - The Washington Post
CISA officials credit Microsoft security log expansion for improved threat visibility | Cybersecurity Dive
Suspect in $14 billion cryptocurrency pyramid scheme extradited to China
Android malware used to steal ATM info from customers at three European banks
Novel technique allows malicious apps to escape iOS and Android guardrails | Ars Technica
Local Networks Go Global When Domain Names Collide – Krebs on Security
Attack tool update impairs Windows computers
SonicWall pushes patch for critical vulnerability in SonicOS platform | CyberScoop
“YOLO” is not a valid hash construction
Transcript
Hi everyone and welcome to another edition of the Risky Business Podcast.
My name's Patrick Gray.
We'll be chatting with Adam Boileau in just a moment about all the week's security news,
of course, and then we'll be hearing from this week's sponsor, which is Nucleus Security.
And Nucleus makes a vulnerability management platform that ingests information from all
of your vuln scanners and asset inventory stuff and, you know, they put it in a big vat and stir it around and then help you to
do things like prioritize what you're going to patch that day. And Aaron Unterberger is this week's
sponsor guest from Nucleus, and he's going to be talking about the evolution of vulnerability
management programs in enterprises, from ad hoc, which is someone gets a Nessus license
key and does a bit of scanning, all the way through to properly managed risk-based stuff.
That is an interesting interview and it is coming up after the news, but let's get into
it, Adam.
And I suppose the story that everybody's talking about this week, we've even got heads of state
weighing in on this one, which is the arrest of Pavel Durov, the founder of Telegram.
He was flying into Paris on a private jet from Azerbaijan, as you do, and he was arrested
and he's being held on.
I think the way that works in France is he's sort of being held as part of this investigation
while they weigh charges.
But the charges that will be brought against him relate to all of the
criminal activity that tends to take place on Telegram. We've referred to that app as the dark
web in your pocket on this program before. You know, it's used as ransomware C2, it's used to sell
drugs, there's a lot of child sex abuse material that's distributed through Telegram,
and it looks like the French authorities have had enough of them not cooperating and have
arrested him. He is a French citizen too, he holds French citizenship, by the way. And yeah, here
we are.
Yeah, I mean, because we've seen, like, Telegram is a funny, like, it's not just a messaging platform.
Like, if you haven't used it, it may seem like,
oh, it's just a competitor to, say, Signal or WhatsApp, but it's kind of a bit more than that.
And we've especially seen in the conflict in Ukraine kind of how it's used, you know, for all
sorts of broad group-based communication things, more like a forum or a publishing platform, more like a marketplace than just a messenger.
And they've also famously said how few engineers they have,
how few staff they have involved in making this platform work.
And it is pretty amazing that with such a small team,
we've heard numbers, what, like 40 or 50, they've said,
running a platform that is at that scale
in terms of number of users
and amount of conversations and things.
But clearly they are not particularly friendly
to law enforcement or content takedowns
or other things that would try and police the content
on what is not just a peer-to-peer messaging platform now.
So it's interesting to see where this goes.
I mean, the French authorities,
we've seen a lot of kind of speculation as to what,
exactly how he's going to fit into their ongoing investigations.
But we kind of don't really know yet
more than the broad shape of that.
Yeah, I mean, we've had Macron have to come out
and deny that these charges were politically motivated.
There's been an unhinged reaction from the far right, which is saying that this is about freedom of speech, which, I mean, my joke on Twitter was like, yeah, it's eBay, but for heroin and CSAM, you know, freedom of speech.
Because it also has a blog, you know.
But it's an interesting one in so many ways,
right?
Because normally when we've seen people charged for operating things like, you know, bulletproof
hosting, for example, it's because those services didn't have any legitimate uses as well.
Whereas Telegram absolutely does.
The vast majority of Telegram users are not breaking any laws or engaged in criminal activity,
but it seems like his legal troubles are stemming from the fact that there is obviously a lot of criminal activity
taking place over Telegram, and they refuse to do anything about it. So, I mean, you know, here we
are. This is new ground, though, definitely. Yeah, yeah, it certainly is. And, you know,
how we deal with mixed-use platforms like this.
It is kind of complicated.
It isn't a straightforward, easy answer.
Otherwise, we've seen some comparisons with Cloudflare
because that platform has a whole bunch of users
and some of those users are protecting platforms
with hate speech and cybercrime.
Beyond that, Adam, I mean, they protect, you know, they protect a bunch of cyber criminals who do DDoS for hire. They are known to be very
lax in tackling CSAM as well, right, in the case of Cloudflare. But I do think it's different. So
this is one of the few cases where I'll acknowledge that Matthew Prince's "we're just infrastructure" argument has at least a tiny bit of merit, because in the case of Telegram, you know, they're just not moderating this stuff.
Right. And we're talking about CSAM. We're talking about drug sales. We're talking about, like, absolutely dark web levels of criminality that they're just doing nothing about. And you sort of wonder what this would look like if the same level
of activity was occurring on a platform like Facebook
and they were refusing to do anything about it.
Yeah, it's true.
It's a great question and you do wonder what that would look like.
And, you know, Twitter's not quite at that level yet,
but it's definitely going in that direction.
And that's, you know, I guess that's why Elon Musk
has been weighing in his opinion about this as well.
Because, I mean, you know, it wouldn't be too far of a stretch
to imagine, you know, a Twitter that looks a lot like modern Telegram.
But, yeah, I mean, it's a great, like, these are hard issues, right?
I don't know what the French are going to do
and where it's going to shake out.
And there is – some of the stuff you see on Telegram
is pretty horrific too.
So, yeah, I don't know, right?
Maybe it's complicated.
I mean, one thing I was planning on saying in today's show
was that, you know, it's like defending –
this guy is sort of like defending Ross Ulbricht,
and who'd do that?
And then I remembered that like a whole bunch of people do defend Ross Ulbricht, you know,
the operator of Silk Road for those not familiar. And that indeed, Donald Trump has promised to
pardon him if he wins the next election, which was, I think, to curry favor with the libertarians.
But, you know, this ain't about freedom of speech. Like, it's just not. Like, this hasn't happened because there's edgy discourse on
Telegram or,
you know,
a lot of anti-vax groups or whatever.
Like that's just not it.
It's about the drugs.
It's about the CSAM.
There was also a really interesting post that our colleague,
Catalin Cimpanu posted to socials the other day.
And the reason I immediately clicked on the link is because the comment that he posted with
it, it was something along the lines of like, oh, I'm glad this guy said it, you know, that
Telegram could be a front for the FSB. And I thought, oh God, you know, is one of my team
members posting something a little bit crazy? And then I clicked through it and this blog post
makes some good points, right? Which is that Telegram seems to have some technical features that look like they were
developed to comply with Russia's, like, SORM surveillance laws, which I thought was interesting.
So there's also the added dimension to this that, you know, this guy is Russian. He hasn't lived in
Russia for a long time. His story has always been that he left Russia when the government there wanted to start accessing a lot of details on users of VK,
which he also founded. That's like Russia's Facebook. Other people say, no, that's not at all
the case. He's very, very friendly with the Russian government. But there's this whole other
element to it, and you alluded to it before too, which is that Russia uses this, like Russian
troops use this to coordinate and whatever.
And indeed, we've already seen the Russian government
send official instructions out to government officials
to say they need to remove stuff from Telegram right now
and not use it anymore.
But that's not going to stop troops in the field using it, right?
Like, that's not realistic.
Yeah, this is absolutely an extra dimension, you know,
over and above the, you know, the comparisons to Twitter
or Cloudflare. Telegram is important to Russia as a technology and as a, you know, platform for
supporting their operations in Ukraine. So there is absolutely a political dimension to this,
and, you know, I'm kind of not surprised if that played into this, you know, like getting into the inside of Telegram, disrupting it,
even just making chaos.
Like we've seen how much Russia and China love, you know,
just sowing a bit of discord, Iran, sowing a bit of discord in the West,
like, you know, kind of going back in the opposite direction here
because, like, this is just going to cause all sorts of grief
for so many things in Russia that just use Telegram as a platform for...
I mean, I'll just stop you there, because this is what Macron has specifically
said. Whether you want to take him at his word or not is up to you, excuse me, but he says
this is not politically motivated, this is an independent judicial investigation into
crime happening on Telegram. Which, look, you know, you can choose to believe him, you can choose not
to believe him, but you cannot argue that that's plausible and the most likely scenario here.
No, I mean, I guess I meant like no one's going to be sad about it causing chaos, sure, you know, for Russia, right?
I mean, even if it is a side effect of a regular law enforcement thing as opposed to the primary
motivation, it's just like it's going to cause grief for them and that's, you know, we're kind
of into that.
So it's probably worth reiterating too that Telegram is not an end-to-end encrypted service,
so it has visibility. I mean, it has some sort of E2E that they wrote themselves, kind of, they're a
little bit sketchy about the details. And don't forget too, Telegram ran a misinformation campaign
about Signal a few months back saying that Signal couldn't be trusted and was completely infiltrated
by the Americans and blah, blah, blah.
And, you know, we saw Elon Musk get behind that one.
So, yeah, there's all nutty stuff.
But that blog post that I mentioned that Catalin posted,
you know, you read it as well and you were like,
hmm, because there's like this weird API-level access that you can get to Telegram groups.
If there is a bot in a Telegram group,
you could just hit this, like, Telegram API and,
like, dump all of its contents and stuff. There's weird stuff there that really does look like it
was built to comply with Russian surveillance directives.
Yeah, and the blog post is from somebody, I don't know who, at THC, The Hackers Collective, which is, I'll start, The
Hacker's Choice, which is, you know, old school hacker crew. And, you know, obviously, you know,
hackers have sometimes strong opinions that are not necessarily correct, but there is some technical
detail here about using that API, for example, to get data out of group chats, about the fact that
the disappearing message thing is kind of, you know, client-side user interface, not actually disappearing from the back end.
And, you know, a bunch of stuff that does smell pretty funny
and would be kind of what you would want
for some law enforcement interface or law enforcement access.
The blog post doesn't really go into how, like,
authentication works, for example, there.
But, you know, there's a couple of screenshots from
some group chat in there, so, you know, it's hard to argue with a root shell, as they say.
Yeah, so, wow, what can you say? Like, it's a really interesting story. And funnily enough, like,
I think his 96-hour hold is coming up, like, in hours from now, right? So by the time this podcast
goes out, like, he may have been charged formally. He may have been cut loose. Like, we just don't know what's going to happen here.
Funnily enough, though, last week, Thursday last week, I interviewed the director general of Australia's domestic intelligence agency, ASIO, Mike Burgess.
He used to also run ASD, right?
So he's like a very important person in the intelligence community here.
He made some comments a few months ago about end-to-end,
well, encrypted messaging platforms at his press club address.
And I wanted to follow up and get a bit more detail from him.
It took me that long to get that interview organized
because obviously he's quite busy.
But yeah, I published that interview on Monday,
but yeah, recorded it just before this arrest.
And I did actually mention Telegram and the fact that the West,
countries like Australia have the Assistance and Access Bill,
countries like the UK have the Snoopers Charter
and the recent amendments to it.
And the fact that we have zero leverage
over companies like Signal,
over companies like Telegram,
turns out, yeah, I guess maybe we do have some leverage.
Well, at the very least, France has some leverage over telegram.
So, you know, I'm not sure what Australia and France are like
in terms of that relationship.
But yeah, it's just going to be really interesting
to see how this shakes out.
Because as you said, he might be cut loose this time tomorrow.
Who knows?
Yeah, yeah.
But what sort of undertakings would he have to give to do that?
Well, we know.
But look, just on the Burgess interview,
I want to talk
about that for a minute, because I did find it very interesting, because he really just seemed...
So the comments in the press club were really like, it seemed like he was having problems with
one of the major tech companies. They were tracking a group of, I think, in the case that he was speaking
about at the press club, was a case of, like, you know, far-right Nazi extremists who
were planning violent acts, and they wanted to be able to get into those group chats. I don't know
if that's, like, Apple iMessage or WhatsApp or whatever, and they weren't really getting much
assistance. So I wanted to talk to him more about that and more broadly about, well, what do you do
when it's not a company that has a presence in Australia, when it's not an Apple or not a Meta? And funnily enough, when I started asking him about Signal,
it was kind of clear that he hadn't really thought about it a lot, which was really reassuring
because he's so focused, it seems, on this particular problem where a company is in a
position to help and isn't. And that's what he's so focused on that when you start asking him to
unfurl it from there,
different types of access, different apps,
you know, it didn't seem like he really had
a pre-canned response to that,
which, again, I found kind of reassuring.
Did you get the same take out of that?
Yeah, yeah, I think so.
It was a really interesting conversation
because, like, he is very careful about what he says
and you can see him kind of processing your questions
or hear him processing your questions
and, you know, giving very considered and thoughtful answers. And for people like you and I that are
used to, you know, reading the tea leaves around these things, I thought it was a very interesting
interview. And, you know, he makes some solid points, right, around the requirements of, you know, his requirements as, you know, being given these obligations by the Australian government to then go out and use the capabilities that he's got, and where it makes sense to go and talk to platform operators versus, you know, having to expend 0day on people's phones and all those
kinds of things. But yeah, there was a lot of very careful wording. And it's a very fun listen for
that.
Yeah. Yeah. I mean, I just thought it was interesting because he was like, look,
we can still get the job done, but the resourcing considerations are pretty significant, right? So
if you want to put a human resource in place, you know, do a human sort of infiltration of a circle
of trust to get into some of these group chats, that's a lot of work, you know, it's a lot
of resources, and they have to pull things from elsewhere. Likewise, if you want to start spending
megabucks on implants, again, you know, this is a resource thing.
So really what he was saying is like, I think what really came through for me was that he's like, look, there's companies just not helping where they could.
And that's what we want to fix.
So, yeah, look, I posted that one to the main feed on Monday.
I would encourage all of you to have a listen to it because it was a very interesting interview.
And I guess we'll talk again next week
and find out about what's happened to Mr Durov over there in France.
Oh, and one thing worth mentioning,
we didn't mention it on the show a couple of weeks ago
when the news came out,
but it's worth mentioning now in light of this arrest,
which is Kim Dotcom,
who has been residing in your country for a number of years, Adam.
He's been fighting extradition for something like, what,
13 years or something?
Yeah, yeah, well over a decade now.
Yeah, over mega upload.
He's finally, like his extradition order has finally been signed
by the government in New Zealand,
and he is going to be stateside real soon,
if he doesn't try escaping on a yacht
or something.
Yeah, I mean, he's been posting on X and saying that he's not going anywhere, but, you
know, good luck with that, buddy. And the thing that's funny about this is just how little media
coverage this got in New Zealand, because we don't, like, we're so bored of Kim Dotcom. Like, he injected
himself into our domestic politics a few years back,
himself into our domestic politics a few years back,
a couple of election cycles ago.
And like he just made a total, you know, fool of himself.
And no one here cares.
So, you know, stay, go, whatever, buddy.
Just, you know, don't let the door hit you on the way out.
I think people mistake clout among a certain sort of political niche
on platforms like Twitter as something that
translates to real-world power, and it just doesn't. Like, we see it time and time again.
So I think, yeah, he's off. Funnily enough, I don't see his tweets because he blocked me
years ago. He said that when his house was raided it was like his wife had been, you know, sexually assaulted or something like that.
Like he made that comparison.
And I think my reply was get some perspective.
And then the next word started with D and ended in head.
And yeah, he blocked me.
He blocked me back then.
So, you know, snowflake.
Good work.
Pretty fragile guy.
Now let's move on to some more bread-and-butter infosec. We've got a
great report up here from Brian Krebs over at Krebs on Security about some zero-day attacks
that have been linked to Volt Typhoon. What's the go here?
So there is a vendor of, like, software-defined WAN equipment called Versa, which is used in managed service providers and
other big networks. There was a bug in one of their network-facing services,
I think like some load balancing management component,
something like that.
And yeah, some researchers from Lumen
spotted an ongoing campaign,
which they've attributed with moderate confidence
to Volt Typhoon.
And this was getting code exec on these devices through, like, a
file upload, and then they dropped a web shell and other, like, Java tooling that could steal
credentials, some quite nice tooling actually. And then Lumen wrote up a blog post about it
where they figured out how to spot this campaign from just traffic patterns. So a connection for a short
period of time to the high port where this, like, load balancing service runs, followed by a long
connection to port 443 as they were establishing C2. And they went back through their data set and
matched a number of other places where that pattern had occurred and spotted, you know, some
intrusions, which they then
subsequently communicated and attributed.
So solid detective work there.
The bugs themselves, super boring.
It's just like file upload leading to presumably dumping a JSP or a JAR file or something into
the web root and onwards from there to code exec. It did look in the vendor's advisory like the bug was post-auth, but the vendor is also
basically saying, look, you should have all followed our hardening guides, why didn't you do that, and
then he wouldn't have gone home, which is a little bit rude. But yeah, definitely Volt Typhoon
keeping busy.
Yeah, I mean, they just continue to go out there and harvest access across all manner of, you know, anywhere where you can get access, where you can, especially if you've got,
like, some 0day in something like this and you can turn one bug into multiple shells. I mean, they're
just doing it right. They're just out there shell collecting.
Yeah, exactly. And if you can do it in
service provider networks, or, you know, things that give you a lot of onwards access, then it's
great return on investment, you know, for a bargain, even where it gets burnt,
you know, patched and burnt in a month. You know, you can do a lot once you're in, you know, big
environments like that.
Well, there's onwards access, but there's also a lot of bandwidth in those sort
of places as well, which I thought would also be handy, right?
Yeah, and also, like, if you're building
relay networks, you know, ORBs, that kind of thing, like if you've got control of a, you know, of
the control plane of a distributed WAN solution,
then it's a VPN platform, basically.
SD-WAN is just another word for VPN.
And you can use it for a lot of good stuff.
Happy days, as we say in this part of the world.
We've got a couple of reports now
about some mystery cyber attacks.
We're not really sure what they are.
There's Halliburton, the American oil field company, has been having some drama, according to this report from Reuters. And also the Seattle airport. Limited disruptions like its email and Wi-Fi are down and its websites and phones and whatever, but the airport is still functioning.
But I guess what's interesting about these two stories
is we don't really know what the nature of the attacks are.
Is it some sort of incident response triggered by espionage?
Is it ransomware? Is it DDoS? We have no idea.
Yeah, we don't really understand.
And the fact that the airport's up and running, I guess, is good.
I think it's also the same company runs the, like,
shipping port in Seattle as well.
So, yeah, disruptions to big things,
but it's kind of interesting that we don't have much detail
about is it dead net ransomware,
is it something else who can say.
But, you know, Halliburton, you know, I don't know about you,
but I think I would feel a little funny wrecking Halliburton
because, like, that's a, you know, messing with Texas is a bad idea generally
and messing with people who've got, you know, like.
They've got, like, Eric Prince on speed dial, right?
Yeah, it just seems a little scary to me, but, you know, I don't know.
Do you want to get Blackwatered?
This is how you get Blackwatered, right?
That's how you, yes.
You get Blackwatered.
Speaking of things that aren't confirmed,
I'm just going to float a little rumor.
I just heard this from one source, right?
But it is a pretty detailed rumor
about a company that makes, among other things, firewalls.
And apparently there's been a massive leak
of config files for their customers,
which is interesting
because I think someone had stuck
them in SharePoint and then resigned, went to their next job. Then the company did MFA enrollment
for everybody, like, after that. And of course, because this person had left and never logged in,
it looks like they never got enrolled in MFA. Someone eventually got the creds, discovered that
they worked at this security place, got in there and found all these customer configs on SharePoint,
and it's turning into a bit of a thing.
I'm not going to name the company at this point,
but yeah, that could be a fun one to talk about next week.
We just have to see.
I think they're trying to keep it quiet,
but yeah, let's see how that works out for them.
I mean, if I'm hearing about it,
like they're not doing a great job, right?
Yeah, exactly.
Oh, that sounds messy.
Yeah.
Sounds messy.
Now, we've got a couple of pieces here from Daryna Antoniuk. In fact, we've got like four or five pieces from her this week. She works
at The Record, she's based in Ukraine, and she's just done a tremendous job over the
last week. So well done, Daryna. The first story here is the Russian government is calling for
restrictions on surveillance cameras, dating apps, and whatnot in cities that are under attack by Ukraine.
So the reason I find this interesting is because CCTV cameras,
we always thought the risks from CCTV cameras,
and indeed they are, right?
The risks are they can be used as a vulnerable staging point
to propagate attacks further along in the networks
that they're connected to.
They make good hop points, whatever.
But we're just seeing time and time again,
stories emerging from places
where there's actually armed conflict
that these insecure cameras are being used by adversaries
to actually track fires
and see if their stuff is hitting the right places. It's
also being used to do things like monitor troop convoys, gather intelligence and whatnot. And,
you know, we've seen this in Ukraine, we've seen this in Russia, we've seen this in Israel.
And, you know, I just find it really interesting that this is something that I think governments
need to be on top of now. They need to have a really good understanding
of what their exposure is here.
So should there be some sort of military action against them,
they're in a position to move quickly
to remove that access from their enemies.
Yeah, it's a really interesting twist
because when you see in movies some hacker
who takes over cameras and looks at things, typically it's framed as a creepy surveillance state thing.
I'm thinking of all the movies where you can hack into any camera in the city and track people around.
But it's framed as creepy government surveillance or creepy law enforcement or that kind of thing.
But seeing it kind of turned around and used by an adversary for directing fire, for recon, for all those sorts of things, like it's an interesting twist on it.
And it makes all of the conversations we had around some of the Chinese camera brands, you know, Hikvisions and whatever else it was, Dahua, kind of brings a bunch of that into focus in ways that perhaps during
that debate people didn't really think about because we didn't have great examples of it.
Now we do, and we see how useful it is.
And yeah, I mean, I think you don't want to be in a position where the Russians are now
scrambling to have people not post, you know, access to their camera, not have their
cameras available, or post on dating apps with pictures in the background of where they are.
Yeah, it's probably a pretty important thing for nations to be aware of
and how their exposure looks.
Yeah, so Russia's Ministry of Internal Affairs has said
that Ukrainian forces are remotely connecting to unprotected CCTV cameras,
viewing everything from private yards to roads and highways of strategic importance.
So, yeah, it used to be we'll hack into the cameras.
The Hollywood paradigm was we'll hack into the cameras and we'll follow this person.
Whereas really it's like, oh, look, I'm on this traffic cam and there's a convoy there.
Let's HIMARS it, right?
Or, Bob, your artillery missed.
You know, aim to the left a little bit.
Okay, you got it, right?
So that's, you know, just fascinating stuff.
Absolutely fascinating stuff and a real risk for everybody.
And another one from Daryna Antoniuk is that Ukraine
has launched this like massive cyber range.
What's the purpose of this?
Is this for training, for talent discovery?
What's the go here, Adam?
So this seems to be a range that has been set up
for all sorts of purposes.
They describe it being used for training a bunch of vulnerable equipment
and a bunch of things that people can get their hands on and play with.
Some of it is being used for defensive training,
for having people experience.
They will replay
some Russian intrusions and then have people, you know, throw out the attackers or, you know,
respond to their attacks, but also for offensive stuff. And her reporting is a little more vague
as to what the offensive training looks like, but it makes sense. If you've got gear, you've got
equipment, you've got it set up, you know, you can do both of those things. And it makes sense,
in fact, to do both. But I think it's a, you know, it's a really interesting idea to extend this, you know, beyond just people who
manage critical infrastructure and into, you know, students and citizens and whoever else.
Well, that's interested and willing and able, right?
Yeah, that's the interesting thing here, right, is
that this isn't restricted really. If you're a student, if you're a researcher, a state official, a critical infrastructure
employee, whatever, you can go and get involved.
And I just think, you know, often good policies, good policy ideas come from crises, right?
And this is probably an example of that.
I look at this and I just think, why aren't we doing this?
We should be doing this, you know?
Like, why aren't we setting up?
I mean, in this case, they've set it up in a huge hangar somewhere, right?
Why don't we have something similar to sort of surface talent and just learn?
You know, it's a great way to meet people, to discover talent.
I just think we should be doing something like this.
I think, you know, all countries really should be doing something like this.
Yeah, no, I completely agree.
I know when I have read about, say, some of the test labs
that were stood up during the Huawei mobile phone system
where people were getting Huawei thrown out of their countries,
and there were a bunch of places that had test environments
with telco gear that they were using for research,
and it's like, well, I like telco gear, I like hacking,
but actually standing up a full-scale telco test lab,
beyond my budget, beyond my skill set,
but I would totally go spend a weekend or two, you know,
whaling on some Huawei kit and popping some shells.
That sounds like fun.
So, you know, there's plenty of people like me, I guess.
Well, I reckon you're more likely to be one of the people
walking around with a clipboard, right?
Like making notes on who's doing cool stuff as you watch them, you know, at their concerts.
Yeah, these days, yes.
Once upon a time.
Once upon a time, that's right.
Funnily enough, you know, I did mention that this Russian communique from the Internal Affairs Ministry talking about the cameras also said that, you know, the troops really need to get off the dating sites near the front lines, right?
Within HIMARS range, maybe don't use dating sites, which seems like good advice.
But the US military is doing an information campaign using Tinder at the moment,
I think targeting, like, Hezbollah militants. And it's interesting, right?
So, you know, you just swipe it along, swipe, swipe, swipe, swipe, swipe,
and then along comes a message in Arabic with a picture of, like, a US war plane saying, you know, America will defend its allies.
You know, basically saying don't take up arms against us because we have planes nearby and we're going to blow you up.
So whatever, like, the efficacy of this, I have no idea if this will work, but I just think it's an interesting contrast between this and the stuff we talked about a few weeks ago, where the US was doing, like, COVID misinformation in the Philippines.
Like, this is much more along, you know, this is the US DOD staying in its lane.
I dig it.
Yeah, I mean, you know, it does, like the jokes write themselves, you know, about hot cluster munitions in your area or whatever.
But yeah, I mean, I guess this,
I don't know if it's going to put anybody off
who was going to fight against the, you know, imperialist Americans.
But yeah, I mean, why not?
I can't imagine it was particularly expensive.
I think the Washington Post reached out to Tinder
to ask about the campaign.
They've since pulled the ads.
But, I mean, you know, of all the crazy things
that happen in the world, this seems like one of the more,
one of the less crazy things.
Yeah.
I mean, if you're Tinder, you don't want people thinking
about being blown up when they're swiping, right?
Well, no.
It's probably bad for business.
It's supposed to be a good vibes platform.
What else
have we got here? We got one from David Jones over at
Cybersecurity Dive where CISA has
come out and said the improved
Microsoft logging that the US
government kind of demanded after the
State Department intrusion.
They haven't really said much, but they're saying that
it's really helped, right?
Which I find interesting to have CISA come out and say, we are using this new expanded logging that Microsoft was sort of cajoled into providing to stop real world attacks.
So I think that's just a nice little data point.
And I thought it was worth mentioning.
Yeah, that's nice to have some kind of positive sounding news.
And, you know, I guess Microsoft has been getting a lot of stick lately.
Is there maybe a little bit of carrot doesn't go too far astray?
Yeah.
Yeah.
Thanks for doing that thing we made you do.
It was helpful.
Yeah, I guess.
Is that a carrot?
I don't know.
Is that a carrot or is it just rubbing it in?
I don't know.
And yet one more from Darina here.
This isn't really a cybersecurity story, but just the scale of it I thought was worth mentioning.
A guy has been extradited from Thailand to China.
Apparently this is the first time this has happened
under their extradition agreement,
for a financial crime at least, right?
So it is a sort of unusual sort of extradition.
But this guy, China identified the suspect only as Zhang,
but news reports said his name is Teddy Tiao and he's a Malaysian businessman.
And first of all, Teddy Tiao is just like the perfect name for a Malaysian businessman.
You and I both spent a lot of time in that part of the world, right?
And, you know, you can picture him when you hear Teddy Tiao. Yes.
You can absolutely picture him.
But apparently they were running a scam, like targeting Chinese citizens.
And it was like just a pyramid scheme,
but with a cryptocurrency dimension.
But he made 14 billion US dollars in profit, right?
Which is why I thought this one was worth mentioning.
Like why bother with BEC?
Why bother hacking exchanges?
Why bother with ransomware
when you can just trick people into sending you money?
Yeah.
I mean, that's a hell of a big pyramid scheme
of $13, $14 billion.
Like, I guess China has a lot of people,
so you can make the pyramid pretty big.
But yeah, I mean, we don't like to just hand it to them,
but $14 billion, it's pretty good work.
Yeah, and I think the upper end of what people were bilked for
was like $34,000.
And you're like, wow, how many people were in this?
Yeah, 10 million.
10 million members.
10 million, yeah.
That's incredible.
Absolutely incredible.
Good job, Teddy.
Teddy aimed high.
And, you know, it worked for a time.
Flew a little too close to the sun.
Flew a little too close to the sun.
That's right.
Now we've got yet one more from the record.
This one written by John Greig.
And really, this was an interesting one, right?
Because I had to talk to you a little bit to figure out exactly like how this worked.
But it's basically an Android malware campaign that involves a social engineering component to do NFC relay from the victim to an ATM withdrawal. And I'm like, but how does that
work? Are they trying to like clone the card or, you know, that shouldn't work. And it's like, no,
no, they were doing real time relaying. And the reason they got pinched is because yeah, one guy
was like hanging out near an ATM all day, looking really suspicious. So that, you know, when there
was like someone on the hook who was doing the thing, holding their card near their phone that happened to have this malicious app
on, they could then hold their relay device up against the ATM
and like get cash out.
So like a pretty clunky scam, but also funny because,
and we also spoke about this earlier, I think it was at KiwiCon 3 or 4?
Maybe 5, I think.
Maybe 5, yeah, a long time ago anyway. We saw Nick VD doing a talk about exactly this, right, doing NFC relay attacks.
And then here we are, I don't know, 15 years later or something, and someone's actually done it.
Yeah, like, it's interesting because they've assembled all of the parts of the scheme into a working end-to-end model,
and clearly it was not flawless, as some of them have ended up in jail.
But, like, the social engineering side of it is quite interesting.
They would ring people up, and I think this was in the Czech Republic,
they'd ring people up and they would say your credit card has been defrauded, you need to change your PIN number to protect yourself,
download the bank PIN changing app,
and then they would social engineer people
into downloading this like sideloading or whatever,
their fake PIN changing app,
which then had half of the NFC relay.
And then they would say, okay, you have to get your card,
hold it up to the back of your phone
so that you can do the PIN change process.
And of course it would ask for the old PIN. So now they have the card, in the sense they can relay it,
they've got access to the PIN, and then the accomplice is standing next to a point of sale terminal or an ATM or whatever else
and can go and relay, with another Android app, I'm assuming, to the point of sale terminal and buy goods or withdraw cash.
And, you know, it's clunky, but also, like, it clearly works.
Yeah, well, I mean, it worked until the guy who was hanging around the ATM just looked so sus that someone called the cops, right?
Like, this isn't something that you're gonna scale real well.
I just thought it was interesting to see a real world NFC relay attack, right, because I can't think of this, I've seen this before.
Yeah, I mean, the only other places we see this kind of thing in the world is car theft, right, where you're relaying to, you know.
But that's different because, you know, that's passive. You don't need the user to be doing anything.
You know, you just hold up that big antenna near someone's front door until you can lock onto the key and then relay it to the car.
It is different, yeah.
Yeah, and, like, I am surprised we don't see more, you know, small scale, like, payWave, you know, tap to pay fraud,
you know, in, like, bars or something where people are in a crowded situation.
And, you know, you could go up to the bar and pay for a drink and your associate just holds, you know, the other half of the phone, you know, to someone's pocket on the other side of the bar.
Like, I would have thought that we would see more of that.
I mean, I think, though, that there's a few natural defences in that,
which is when you've got an NFC capable card in your wallet,
it's typically in there with a bunch of other cards.
Well, yeah.
You know what I mean?
So I think it's just like that sort of,
like if you're walking around, yeah,
with just one card in your pocket and someone knew where it was,
but you know, when it's wedged in there with a bunch of other cards,
and of course, most people these days,
they're using their phones
with Apple Pay or whatever Google's equivalent's called,
and you need to do, like, a biometric authorization before that works.
So I think we've just sort of managed to stumble through this period
of, like, risk and come out the other side where the only people
who are doing this are, like, weird dodgy types who hang around
shopping mall ATMs, right?
Yeah. Waiting for their mate to get someone on the hook.
Yeah, there've been artificial pen test situations. Like, I mean, I know we once, when I worked at Insomnia, we paid someone to break into our office,
and they, like, cloned Brett Moore's, like, building access card. And this wasn't, like, NFC, this was, like, low frequency, you know, other RFID tech.
They cloned his card in a bar and used it to walk into our office. So, like, people, you know, you can absolutely do this in the field,
but it's just, yeah, actually doing it practically, usefully, at scale, you know, it hasn't been the big thing that we thought it was going to be.
It's not what, you know, Nick Reedy thought it was going to be when he wrote, you know, wrote it up and demoed it at KiwiCon. So it's still a cool demo, though.
But I gotta ask, who was, who were the pen testers who got you?
Can't say. Probably shouldn't say.
Okay, right. Australians. Australians, you know, I'm, it's fine.
Yeah, yeah, yeah, I think I know who. Yeah. Anyway, moving on. We do have another one here from Ars Technica.
Dan Goodin wrote this up, which is about portable –
what are they called?
I always call them portable.
Progressive web apps.
Progressive, yeah.
I used to call them portable.
I realized I got that wrong.
But progressive web apps, attackers using them to, like,
socially engineer people to install progressive web apps
onto their mobile phones to do shady stuff. Now, the reason I find this one interesting is because I remember having
conversations about these with Alex Stamos years ago about how eventually they were going to sort
of be a problem for Apple, which tries to do this walled garden thing, right? And PWAs can basically
do everything that an iOS app can do.
So eventually people were gonna move on to doing this.
And I think Apple's response to this
has been to make using them kind of clunky and difficult.
So there's like this real path of resistance.
There's real resistance in the path to users
actually wanting to use these, which makes a lot of sense.
So people still can use them, but it's fiddly.
And of course, where there's a fiddly process
is a social engineering opportunity.
And that's kind of what we're seeing here.
So can you walk us through this one?
Yeah, so the idea here is that progressive web apps
and the equivalent, like it was a standard
called WebAPK on Android,
is where you have an application that is just a browser,
but packaged up with a user interface
that feels like a mobile application. And the idea is that, you know, the modern web tech stack in the browser is sufficient to do a lot of things,
and if you don't need access to specific hardware, if you don't need specific kind of capabilities,
then, you know, why not just have a mobile version of your website, which is...
Sorry to cut you off, but that is what the vast majority of apps on people's phones actually are.
They are just a browser, you know, hitting a web app. There might be some local storage for, like, authentication and, you know, session information.
I'm guessing you can do that with PWAs as well.
Yeah, there's a degree of integration, but it's less full featured because it's cross-platform, I guess.
Yeah.
But, yeah, most mobile apps are just a thin skin around a web app.
Yeah.
Or around a web browser and the web app.
So where you have a tightly controlled app store like Apple's environment,
if there's some other way that can make things look and feel like an app,
then why not use it to trick people?
And, you know, other than nerds like, you know, you and I and our dear listeners,
no one cares whether it's a real app or a progressive app. If it looks and feels the same,
then, yeah, why? It seems weird that we haven't seen this before because it's kind of so obvious
in retrospect. Anyway, so people are making applications that pretend to be your bank,
pretend to be a password manager, whatever it is, and then tricking people into installing them
without having to go through all of the hoops of getting it through the Apple App Store review or the Google Play review,
such that they are so kind of smart. And, you know, on some platforms, like ChromeOS, for example,
the way that the applications integrate, it's a little more clear that they're a progressive web app,
whereas on other platforms it's pretty seamless.
So it makes a lot of sense that people with social engineering.
Yeah, so we'll link through to that write-up.
It's worth a look.
I mean, I think this is one that, as I say, like, Stamos flagged this to me as a risk years ago,
and he said eventually, you know, PWA is a big part of the sort of app future.
But I guess, you know, Apple can make decisions here, right? They can make the process even more clunky or whatever it is.
There's going to be things that they can do here to really have that walled garden approach, you know, remain.
Right. I think that's the thing, when you realize these app stores, they actually do deliver us some value, quite a lot, actually.
Another one from Krebs on Security.
And this is a story that we've talked about in one form or another over many, many years, basically.
So the issue here is that Windows networks tend to try to reach out to domains.
Brian's written this up.
What's the go here?
What's the risk?
What little bits of Windows internals are still doing this?
So this story talks about if you've got your Windows domain, like your internal Windows Active Directory domain name, is also an internet name.
So in the old days, before the internet, you know, back when Windows Active Directory, like in the NT4 era, when they introduced it,
the names of your Active Directory internal Windows domain wasn't really in the same namespace as the internet, internet DNS names.
.network was not a TLD.
Once upon a time, right?
That's right. And so there is the strange situation where people have chosen Windows internal domain names that previously were not also internet DNS names,
but even now are, because we've registered so many crazy extra top level domains like .ad for Active Directory, which is also, what, like, Andorra.
And a lot of people who set up Windows Active Directory back in the day never really thought about that.
And so we're kind of in the same position as WPAD
where some Windows things that weren't ever really meant
to be connected to the internet now are,
and now the internet has changed underneath it,
and that has some security impacts.
The most notable of these, I guess, is, you know, there's so many top level things like, you know,
.global or .cloud or, you know, .limited that people would have used for names internally,
and if you now control one of those domains, you basically start getting connections from people's internal Windows systems.
And depending on how those are configured, the impact of that can range from you just get a lot of network traffic,
all the way up to you can, you know, apply group policies, or, you know, make yourself a proxy, or, you know, all sorts of crazy impacts.
And actually, we've seen some examples, like in my pentest career, where we had companies
that, you know, had a name that they were using, but they just never registered.
And so you could go off and buy it.
And I know we have one notable example where we did that,
and then boy, oh boy, did it go horribly wrong.
And it just ended up bricking a whole bunch of stuff
or making things really not work and impacting their production environment,
which...
I'm sure that made for a fun call with the customer, and that your boss, Brett Moore, who we mentioned earlier, I'm sure he was thrilled.
Well, the funny thing was, that was when it was kind of, like, when I was in charge of the pen testing team,
so that, yeah, ended up being on my plate. And boy, oh boy, yeah, that was a fun day at the office.
But yeah, we had some other examples where, like, you could actually do this in the wild to gain control of stuff.
Anyway, so Brian has written this up and I think, you know,
it's an issue that's been around for many many years but people genuinely don't think about it
and it's not well understood so i was really pleased to see brian write it up because it's
a thing we've tried to explain to customers over the years but it's also very very hard to fix
because changing this is difficult.
And that's the real crux of this problem is if you are in this situation,
what do?
Yeah.
Because in the old days it didn't matter because all of your corporate
Windows machines and servers and whatever were on your internal network
and you controlled the DNS and you could provide different answers.
Now, especially post-COVID, everybody's off network,
everything's moved into the cloud.
All these things that used to be on your internal network
are now just on the internet.
And all of a sudden you don't control the DNS
and things can start talking to stuff that you don't expect.
Yeah.
And it's crazy too because in this write-up by Brian,
it does go into WPAD.
WPAD's a thing again, which is amazing.
I mean, I made a lot of noise about that based on a KiwiCon talk years ago.
I wrote that up and it went, you know, quite viral at the time.
And, you know, Microsoft tried to fix it and it just turned out to be really hard because
you basically need to maintain like a really active block list of like the verboten WPAD
domains.
And like, I think even Dan,
I vaguely recall Dan Kaminsky trying to do some work on that,
like back in the day.
And it's like, it's hard.
Look, we've got to move on
because we're kind of running out of time here.
Real quick, there was some research out of Sophos.
You spotted something interesting in it
when we were preparing this morning's
Risky Business News podcast news bulletin,
which is that a threat actor kept getting busted using stolen certificates, stolen driver signing certificates, when they
were in this environment.
So they just kept pulling out new ones out of the top drawer, re-signing stuff and going
right back in there, which, and your point, I totally agree with, just shows us the woeful
state of the driver signing ecosystem at the moment.
Yeah, this particular actor, Sophos looked at, you know, one intrusion, and these people used nine different certificates over the space of 18 months after they spotted them.
You know, initially, you know, they got blocked by some Sophos software because the certificate they were using was marked,
and they came back, you know, was it 30 seconds later, with the same driver signed with a different certificate.
So, you know, that suggests, A, they either have them all on the shelf, or B, that they're very agile,
very used to having to re-sign everything, and that's just kind of normal operational practice.
So yeah, I just thought that was an interesting nugget.
Yeah, the Windows, Microsoft's driver
certificate like block list thing,
I'm not super confident that that's going to get you very far.
I mean, it's yet one more reason,
again, huge fan, Airlock Digital.
They can actually take care
of that problem for you.
Like if you start noticing
allow list requests
on the same box for,
you know, like eight different
driver signing certificates,
like I think you're going to,
you're probably going to notice that, right?
Yeah, you're having a bad time if that's the case.
There's some yet-to-be-disclosed bug in SonicWall.
They've pushed a patch out for a vulnerability
in their, what is it, SonicOS platform.
The only reason we mention it is because it has a CVSS score of 9.3,
which I'm guessing is why we don't have details in it,
because it's going to be something extremely dumb
that's trivial to exploit.
Security vendors, way to go.
Good job, good job.
And finally, there was a bit of research you posted.
Disclaimer, it comes from a sponsor of the show,
which is Trail of Bits.
But Opal Wright at Trail of Bits
has written a big post on hashing algorithms.
Yeah, this is just like if you are interested in how people use hashing algorithms to build
their own cryptographic structures, to build stuff and all the ways that can go wrong,
it's a great read.
So if you're a pen tester or if you work at a place where developers are likely to invent
stuff out of hashing algorithms,
then you should put this blog first in front of them.
It's called YOLO is not a valid hash construction.
We do not YOLO here, I think is the vibe.
All right, mate, that's actually it for the week's news.
Thanks so much for joining me.
Great discussion as always,
and I'll catch you again next week.
Yeah, thanks so much, Pat.
I will talk to you then. It is time for this week's sponsor interview now. And this
week we're speaking with Aaron Unterberger, who works for Nucleus Security. Nucleus Security
makes a platform that ingests data from all of your vulnerability scanners, code security scanners,
asset discovery tools and whatever. They put them all in one place. And then from there,
they can help you to sort of normalize that data.
So if you've got multiple findings from multiple scanners,
it winds up being one thing, not multiple.
And, you know, they can help you cross-reference a lot of this vulnerability information with, say, threat intelligence.
Like, is this bug being exploited in the wild?
That sort of thing.
And really help you to sort of prioritize
your vulnerability remediation
efforts. So Aaron joined me though, to talk about how vulnerability management programs typically
evolve. They start off very ad hoc, which is maybe someone starts with a, you know, doing some Nessus
scanning or whatever. And you know, the evolution just sort of kicks on from there until it becomes
a very complicated maintenance program. So here's Aaron Unterberger with all of that.
Yeah.
Well, the first stage is like you said, it's the ad hoc stage.
And that's usually where there might be pockets of scanning.
It maybe isn't an enterprise-wide practice, but it could be in response to, you know,
maybe there are headlines, there's, you know, software that an organization uses, or in a similar, you know, in a similar sector.
It could also be in response to compliance requirements, what have you.
But, you know, for one reason or another, an organization is doing scanning, you know, within some part of the business or organization.
And there's like one person who's responsible for taking the output of that scanner and
then, you know, figuring out who to hassle to patch.
And that's kind of how it goes, right?
Yes.
Yes.
Yeah.
And there might not even be awareness of, you know, what's going on, right?
Like, oh, we're scanning, you know? And usually that next stage
is kind of bringing more deliberate action into scanning. So it's usually consolidating and
standardizing, making sure that you have scan coverage, having, you know, strong asset inventory,
asset discovery, knowing what you have and making sure that you're scanning
it. And it might also start to include moving towards shift left and starting to secure your
applications before they're deployed into production. So people starting to use stuff
like Snyk and whatever. Yeah, yeah. Snyk or Veracode or Checkmarx or what have you. Basically,
you know, trying to catch vulnerabilities earlier,
but then also scanning what's running to see, all right, what's making it into production, what have you.
And usually making that transition is, what visibility do we have into our assets?
And how do we know that what we have, we are scanning? So having an asset inventory,
having a way of keeping that updated, and then also, as findings are discovered, who's responsible for that?
So it's starting to build out processes for understanding what does this workflow look like from discovery to verification and assignment remediations.
And there could also be other processes like exceptions, right? So, you know,
systems are end of life, and so what do we do for systems like that? You know, so there's all these
processes that start getting built out because it's now a more deliberate practice for the
enterprise. So that's kind of the transition from the, you know, the ad hoc to enterprise wide.
You know, there are other stages of maturity as well.
So as you start to build out those processes
and you start getting really good at knowing what you have,
then the next stage is,
well, now we actually have too much information.
We don't know what to do with it.
And so that's usually once an organization starts to see,
all right, now we're getting friction
with our remediation teams
because now we do know where to send an email or send a ticket or what have you to get something fixed.
And they're pushing back because they're like, you know, you know, what's this?
Why do I need to fix it?
And so that's where you take the risk of the vulnerability and you also look at the risk to the business.
You know, do we have assets that have sensitive data on it that have, you know, critical
vulnerabilities?
Do we have publicly facing assets, things that are, you know, out there in the wild?
Do we have assets that are mission critical to our business?
And it's different for every organization.
So I'll see, you know, a credit card company might say, well, we care a lot about PCI compliance, and that might be our number one risk metric that we track.
But an airline might care about ticketing or booking or flight operations or sensitive data.
So different organizations might prioritize things differently. And so this next stage is really, if you're going to be asking work of the different
parts of the business, this is where you can start to translate and speak that language.
You know, this is a threat because it is on one of our publicly facing systems or on a mission
critical system. And then we can also look at what the risk is of the vulnerability as well.
And that's actually another interesting problem,
because if you look at the overall data set of CVEs, the distribution of risk is highly
concentrated in just a few. So, you know, the analysis varies, but it's typically between,
you know, two and five percent of CVEs have been exploited. And so, you know, how do you also target those vulnerabilities so that way you're
not missing them, right? And often they can kind of get obscured by just the sheer volume of data.
This one team that we're working with said, you know, we're swimming in an ocean of data
and we're trying to find where the risk is. And it's difficult to know unless you have additional intelligence on what's
going on with the vulnerability, right? Scanners are usually looking at technical risk, but not
necessarily things like what's going on in the wild, right? What are threat actors doing?
And so having this approach allows you to be really targeted with, you know, what is going
to be really impactful to our business and then what's going to be, you know, really high likelihood of exploit
and then having that common language that you can speak with the organization. And that starts to
reduce that friction of, you know, you know, you're sending all these things to be fixed,
but not necessarily a lot of context, right? Yeah. I mean, it's, it's interesting that you
mentioned airlines, because it just occurred to me that fundamentally patching computers, it's a maintenance task, right?
You know, it's like the airlines, they maintain their planes. They know that they've got to inspect the fan blades after so many operating hours.
They know that this seal needs to be replaced, these things need to be checked, you know.
And what makes it different in a, you know, IT context is, like, I guess if we're going to extend the metaphor,
the first step is, like, finding out how many planes you have and what the models are and then figuring out who's
going to maintain them. And it's like, you're trying to essentially build, you know, vulnerability
management, essentially you're building a maintenance program from scratch when you
don't even necessarily understand the scope of what you're trying to maintain. So, you know,
like, even just having you describe going from scanning all the way to that, like, it's stressful. It's stress inducing.
Yeah, it's a lot. There's, so actually you just reminded me. So just having an inventory, you have shadow IT, you have OT,
there's massive sprawl because it could be everything from a smart plug to an embedded system, you know, or a cyber physical system, something that, like, really is running the business.
And so having a grasp on inventory is, it's not typically a single solution problem. It has different solutions across different domains.
Right, then you've got the issue where you've got, you know, where you've got a scanner that'll tell you,
you know, say if we extend the metaphor, right, you've got a scanner that'll tell you that there's
a problem, you know, with an aircraft which only affects an option that's not being used or installed on that aircraft.
And, like, so, you know, then it becomes a context issue, right, which is, like, which are the maintenance tasks that we actually have to do, which are the ones that we don't, and whatnot.
But just, I want to ask you, though, like, you know, one of the things we're going to talk about, we talked about,
like, the evolution of a program, how it goes from someone firing up Nessus for the first time
to, all of a sudden, you know, defined roles and responsibilities for various assets that you've
discovered with other platforms, and, you know, then you're doing prioritization and whatever.
So what are the biggest pain points along that journey, right, from being, you know, I've just used Nessus for the first time, to
now I've got it all singing, all dancing, you know, risk-based understanding and complete context of,
you know, all of my systems and where they, and where they fit in. What are the biggest speed bumps
along that journey and how do people get over them?
Because there's got to be a few that come to mind.
Yeah. Oh, absolutely.
So there's going to be pain points and challenges
that are specific from stage to stage
because they introduce new processes and new problems.
And then there's also kind of common themes that I'll see.
And this is really, I think, why we got into the space
of unifying
vulnerability data is because at all stages, when that data is kept separate, then whether your
process is, hey, you know, we're scanning and we're sending an email out to IT so that way they know
what to fix. Or if you're all the way at, and automation, right, you're at the most mature stage.
If the data is scattered, it's more difficult to progress between stages.
And it also introduces more manual effort.
Regardless of what stage, if the data isn't unified, then that's going to be
one of the greatest challenges to maintaining and maturing the program.
At every stage of the way, getting that complete view, bringing it together,
that's the hard part. I mean, you would say that given that you make a platform that does that,
but I would also acknowledge that that actually does make sense.
Yeah. And there are different ways that you can do it. Right. You know, I see a lot of organizations that have built their own. The challenges that that brings about is one, one of the first program halters that I'll see is if data can't be trusted, then a remediation team is just as likely to say, hey, well, you know, I can't trust this data. So I just need to stop altogether. I'm not going to even make the effort.
So data integrity is a really big challenge just on unifying your data,
making sure that it's trustworthy and it's correct.
Also just maintaining a changing landscape,
keeping loosely coupled, right?
Those are other smaller challenges.
But once you've created a unified data set,
then it's much easier to change between phases,
but you still are going to encounter challenges. So let's say, you know, you're going from, you know, you're scanning, but now you need
to start layering and prioritizing. And so, you know, where are you going to look for prioritization
or vulnerability intelligence? You know, so vetting sources and looking for information that's
going to be useful to your organization.
So if you're in, for example, in the United States, if you're in critical infrastructure, then you might care about CISA KEV or, you know, critical infrastructure APTs.
Right. So there might be certain feeds that are relevant to you.
You might also want to have information that helps understand exploit likelihood, because that's one of the big challenges with CVSS base scoring is how do we start to layer in what's happening historically as well as what might happen in the future. I like to call it the crystal ball, a little tongue in cheek, but it is a forecasting model,
EPSS, which is a probability estimator that looks at, it's a machine learning model,
but it's been around for a long time. And so it's had a lot of opportunity to be kind of
hardened and verified. And so it does a really good job of predicting what is going to be exploitable in the
future. So you'll have times where CISA KEV says a vulnerability is not exploited, or Mandiant, uh, or
other threat intelligence says, well, there's no historical precedent of this being exploited,
but it still has a high estimator because maybe we're seeing mentions of it in dark web.
EPSS says, well, it is a, you know, trivially easy to exploit, you know, remote compromise
that requires one string of whatever to be sent over.
Yeah.
Well, look, we're going to wrap it up there, but I guess, look, the main theme, the theme
that we just keep coming back to is it's really about data, handling the data.
You know, once you go from, yeah, that very early baby steps towards doing your first Nessus scan
up to having to handle, yeah, all of that context
and be able to do it meaningfully.
Great stuff.
Aaron Unterberger, thank you so much for joining me
for this conversation all about the various stages
of maturity and vulnerability management programs.
It's a lot.
Thank you.
Yeah.
Thanks, Patrick.
Appreciate you for having me.
That was Aaron Unterberger there from Nucleus Security.
Big thanks to him for that.
And big thanks to Nucleus
for supporting the Risky Business Podcast.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back tomorrow
with an edition of Seriously Risky Business
in our other podcast feed.
But until then, I've been Patrick Gray. Thanks for listening. Thank you.