Risky Business - Risky Business #762 -- Brazil nukes X, Iranian APTs deploy ransomware

Episode Date: September 4, 2024

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including:

Brazil’s supreme court bans X-formerly-Twitter
Iranian cyber teams cooperate with ransomware crews
While North Koreans wield Chrome-Windows 0-day
YubiKey cloning attack is impressive, but doesn’t have us binning our keys quite yet
The White House is coming for your unsigned BGP announcements
And much, much more.

This week’s episode is sponsored by Okta, and specifically their Identity Security Posture Management product. Okta recently acquired Spera Security, and co-founder Ariel Kadyshevitch joins to talk through the messy reality of modern identity. Pat even gets the giggles at how terrible everything is!

You can also watch this episode on YouTube.

Show notes

Brazil X ban: Top court judges uphold block of Musk's platform
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | CISA
Malicious North Korean packages appear again in open source code repository
North Korean threat actor Citrine Sleet exploiting Chromium zero-day | Microsoft Security Blog
SEC.gov | SEC Charges Transfer Agent Equiniti Trust Co. with Failing to Protect Client Funds Against Cyber Intrusions
Chinese ‘Spamouflage’ operatives are mimicking disillusioned Americans online
Researchers uncover ‘SlowTempest’ espionage campaign within China
City of Columbus sues man after he discloses severity of ransomware attack | Ars Technica
Bypassing airport security via SQL injection
Cyberattack hits agency responsible for London’s transport network
German air traffic control agency confirms cyberattack, says operations unaffected
White House calls attention to ‘hard problem’ of securing internet traffic routing
Cambodian scam giant handled $49 billion in crypto transactions since 2021, researchers say
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel | Ars Technica
CrowdStrike takes a revenue hit as global IT outage reckoning lingers | Cybersecurity Dive
Owners of 1-Time Passcode Theft Service Plead Guilty – Krebs on Security

Transcript
Starting point is 00:00:00 Hi, everyone, and welcome to another edition of the weekly Risky Business cybersecurity podcast. My name is Patrick Gray. And just a reminder for those listening, this podcast is now available on our YouTube channel, Risky Business Media, and you'll find some stuff there that you can't get in audio form as well, like product demos and the like. So I do hope you'll head over to YouTube and subscribe. Adam Boileau will be joining us in just a moment to talk through the week's news. There's YubiKey cloning, Iranian APT operators hitting the US with ransomware, the Twitter ban in Brazil. There's so much good stuff to get through. And then, of course, it'll be time for this week's sponsor interview with Ariel Kadyshevitch, who is the co-founder of the identity security posture management company Spera, which was acquired by Okta and is now an Okta product.
Starting point is 00:01:01 And he joined me for what turned into a very interesting and fun conversation about the disaster which is the average enterprise's identity security posture. And yeah, we even got the giggles talking through some of the stuff he's seen. That's coming up later with thanks to this week's sponsor, Okta. But let's get into the news now, Adam, and I should point out too, you're joining us
Starting point is 00:01:25 not from home, you're currently travelling Southeast Asia, and I should mention that you have spent the last night experiencing what can best be described as some gastric distress. It's a classic Southeast Asia story, and I mean, you know, I grew up in Southeast Asia, so I'm not at all surprised. But yes, it's not the world's best time. No, and you made a critical error too, which is when we had our staff retreat in Southeast Asia, we mostly ate street food. And you got in trouble because you ordered some food from the very fancy hotel you're staying in. So, yeah, don't do that. Don't do that.
Starting point is 00:02:02 No, bad choice. It needs to come out of a roadside cart or it's all sorts of risky. So, look, let's kick off this week's show with a bit of a discussion about what's happening in Brazil. And, lordy, the takes. The Supreme Court has banned Twitter from Brazil when it refused to block certain accounts that a Supreme Court justice asked to be banned. Twitter refused on free speech grounds. They also refused to hand over information about accounts, identity information about accounts, just generally not cooperating. Brazil started threatening Twitter's local staff. And in response, Twitter just shut its Brazilian office. And so in response to that, the Brazilian Supreme Court has said, okay, well, if you're not going to name a local
Starting point is 00:02:55 representative, as per our laws, we're just going to ban your entire platform. And that's what they did. They've also frozen SpaceX's bank accounts because, according to the judge, you know, both SpaceX and Twitter are under the control of Elon Musk. So they can be treated as one and the same. And, you know, SpaceX is refusing to block Twitter as well, which is going to further the drama for SpaceX operating in Brazil, which is a real shame because it's being used to offer services, internet services to very remote regions, you know, schools and stuff near the Amazon. So, look, the whole thing's just turned into a mess. We've got Elon Musk just on a war path on X, just, you know, really antagonising the Supreme Court,
Starting point is 00:03:41 which I don't think is really going to improve the situation. But, look, let's get your take on this. I mean, this seems like, yeah, I mean, it's, it sort of connects a little bit to the Telegram story last week, right? Which is where we've got this situation where there's serious legal trouble for a, you know, online platform that isn't cooperating with the government. Yeah, I mean, I think we have talked so many times over the years about the intersection of cyber and computers and sovereign state power. And ultimately, the fact that Elon Musk specifically would get himself into this kind of mess,
Starting point is 00:04:18 I don't think anyone is surprised about that. But it's, I don't know, because Twitter is pretty big in Brazil. It's not like a small platform there. Like, it is widely used. And, you know, this is the sort of thing that's going to play out in a bunch of places in the world as, you know, things just get kind of more polarised, and also as technology, you know, is so important to daily life. That extends, it's not the thing that just happens in the internet. It's not a separate place anymore. It's real life.
Starting point is 00:04:49 And, you know, a lot of nerds forget that. Yeah. You are subject to the power of the laws of the countries that you operate in. And, you know, I remember, it reminded me of the BlackBerry versus the Indian government with intercepting BlackBerry passengers back when they were a thing once upon a time. And the Indian government said, you know, you can't just not give us intercept capability.
Starting point is 00:05:09 You have to put servers in India and make it technically available, blah, blah, blah. Or you GTFO the country. Yeah. And, you know, some organizations, Google out of China, for example, that's the thing that they end up doing, GTFO. Yeah. Well, you have to decide, right? And I mean, in this case, as you point out, there's a lot of Brazilians on Twitter, right?
Starting point is 00:05:28 There's 7% of Twitter. So he's nuked 7% of Twitter because he refused to withdraw service to something like seven accounts. Now, is there a free speech argument? One of the accounts that the Supreme Court asked to be suspended belonged to a serving senator, right? I mean, this is also a senator who's had his house
Starting point is 00:05:46 raided in connection with some stuff, right? There's a saying, and I'm going to have to repeat it here, which is that the saying is, Brazil is not for beginners. Now, a lot of listeners would be aware, some would not, that my wife is Brazilian. I spend a lot of time there, and it's a politically, it is just an extremely complicated place. So a few things to make clear. First of all, this isn't the government doing this. It is the Supreme Court. Musk has spent a lot of time maligning the one judge who's been spearheading all of this.
Starting point is 00:06:17 But his decision to block Twitter in Brazil has been upheld by one of the chambers of the Supreme Court. So I think it's now five judges out of the 11 have now backed this decision. So that makes his attacks just against this one judge look like they're going to be a little bit ineffective. But we might want to ask how we got here. And really, it's because Jair Bolsonaro tried to stage a military coup after he lost the election in 2022. He also tried to really interfere in that election.
Starting point is 00:06:48 He set up roadblocks in parts of the country where people were more inclined to vote for his opponent, Lula da Silva, who is now the president. Those roadblocks were disassembled by state police, but it was the federal police setting them up. And then afterwards, of course, there was the January 8th, which was sort of Brazil's January 6th. And a whole bunch of stuff has come out later where Bolsonaro had actually approached various people in the military and wanted them to get on board with a military coup. He's always talked about fondly about the days when Brazil was a military dictatorship. And of course, that dictatorship ended in 1985. A new constitution was written. And importantly, a lot of power given to the courts to make sure that they never found themselves in that situation again, right? So that's something you've got to understand about Brazil is that it wasn't that long ago that the place was a military dictatorship. And when you've
Starting point is 00:07:38 got actual fascists trying to steer the country back in that direction, this is something where a lot of people over there take that very seriously. Now, that's not to say that this whole thing doesn't have implications for free speech. It absolutely does. But that's just some important context that people need to be aware of. Also, municipal elections are coming this year in Brazil. And they're a very, very big deal because it is a big country, 220 million people. And the municipal elections there are a very big deal. And there's a lot of people in Brazil who see Twitter as, I mean, you know, Elon Musk is closely aligned with Bolsonaro. They're mates. They're ideologically very much aligned.
Starting point is 00:08:16 And a lot of people in Brazil see Twitter the same way that a lot of Americans see TikTok, which is that it's a malign foreign interest with an agenda. So it's been interesting for me to discuss with some, you know, national security hawks who are very supportive of the TikTok ban, but who see this as being just this absolutely terrible thing. And I'm like, well, what if you're the malign interest? What if you Americans in the form of Elon Musk are actually the malign foreign interest trying to put your thumb on the scale and interfere in Brazilian politics? So the whole thing starts to look very complicated. So again, I'm not expressing my opinion here. I'm just
Starting point is 00:08:56 pointing out how both sides are seeing this. And of course, on the far right, they're seeing this as an attack on freedom of speech, and it's the worst thing in the world, and Elon Musk, come and save us, and blah, blah, blah. So that's sort of the state of play. Initially, the court banned people from trying to use VPNs to access X, you know, by penalty of huge fines and whatnot. The, you know, the hearing among the full, a full chamber of the Supreme Court there, threw that out. So people can still get on Twitter via a VPN without facing a fine. But this is where we are. It's a complicated situation with a lot of moving parts. And I think the discussion around this so far has mostly been pretty binary.
Starting point is 00:09:44 And it's complicated. Yeah, I mean, it certainly sounds that. I've never been to Brazil, but I've lived vicariously some of it through some of your, you know, holiday snaps. And yeah, it seems a complicated place. And I don't know, like, I mean, having globalised communication systems in a world that isn't globalised, because, you know, you've got to remember a lot of these internet systems were built in an era where we thought globalisation was the way forward. You know, that trade and integration would bind all the countries together and we would end up in one kind of, you know,
Starting point is 00:10:12 consensus around how things like free speech and democracy and whatever should work. And it's just not that. That's not how the world is. Yeah. And, you know, we have to adapt to the reality of the world we live in, not the one we imagine, you know, on internet forums. Yeah, and I mean this judge's argument is that people
Starting point is 00:10:31 who are plotting military coups and trying to spread disinformation to bring that about are a bigger threat to democracy than trying to ban seven people from a platform, right? Now, you know, again, I'm not expressing an opinion there. I'm just saying what the argument is and trying to fill in a bit of the context. Obviously, this has been a tremendously controversial thing in Brazil. Mrs. Business did some research for us on this. And, you know, there's some pretty big protests planned for September 7, I believe. And I mean, Brazilians love to protest, right? Like there's always a protest going on in Brazil. But this has turned into a big issue. And meanwhile, some people from the ruling party are still using their accounts via VPNs and whatnot. And the president has kind of supported the court by setting up a Blue Sky account.
Starting point is 00:11:20 And that's where Brazilians are going too. They're just jumping on Blue Sky. Because I guess unlike when Twitter went weird, now blue sky can sort of absorb a lot more users. So Brazilians are just going en masse to blue sky, including the president. But by and large, the government's kind of staying out of this because it's an election year and it's very contentious and blah, blah, blah, blah, blah. So that's basically where things are now. We have seen Brazilian courts do things like block WhatsApp previously, but that only lasted a few days. So this might be overturned. I don't know what's going to happen with the SpaceX stuff. It's just so complicated. But I would just encourage people,
Starting point is 00:11:56 particularly Americans who are commenting on this, to realise that a lot of Brazilians do see Twitter as a foreign influence with an agenda, and that's the lens through which they're seeing it. Yeah, and absolutely fair enough too, right? I mean, I think the comparison with TikTok is just, it's quite apt in a way, you know, and I think that's worth keeping in mind. Yeah. Oh, and I should point out too, just one last thing, is this judge is the one who was sort of appointed to pursue people who were involved in planning that coup. So it's all part of that.
Starting point is 00:12:30 It's all part of the response to Jair Bolsonaro's attempt to sort of take over the government, right? And now people are asking, has he gone too far? Whatever. Now, I know we're a cybersecurity podcast. The reason that I've gone into this is because people have asked me to because they know about the Brazil connection. But let's move on. And we've got this release here from CISA. It's a joint release between the FBI and CISA, which is looking at what Iranian APT crews are getting up to in the United States. And it looks like they're doing ransomware and separately from their espionage activities yeah the reporting says that uh they've been kind of operating as initial access brokers
Starting point is 00:13:14 and you know providing access in the networks they've broken into selling it to ransomware crews and then you know facilitating i guess um the ransomware crews as they go about their business you know in return for a cut um and i mean i guess it makes some sense right if you need a little bit of extra money on the side you need some way to fund some of your operations then you know that's one way of doing it um it does seem to have extended a little beyond just access broking but we have seen we've seen some reports that they are you know like actively providing technical support to rats we're affiliates uh who've bought access to then go and deploy their stuff so that's it's pretty messy and you know the iranians are not to be trifled with in terms of their skills right they are a skillful actor uh so i mean it's it's a funny
Starting point is 00:13:59 old world that state you know state-backed operators can moonlight, not just in China, moonlight as cyber criminals. Well, so that's the bit that's not clear. I just want to read from the release for a moment. It says, the FBI further assesses these Iran-based cyber actors are associated with the government of Iran and separate from the ransomware activity conduct computer network exploitation activity
Starting point is 00:14:22 in support of the government of Iran, such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan. So it's said that it's separate from the ransomware activity, but is that moonlighting? I think the piece of information we're missing here is where does the money go when they get it, right? Is it going into their bank accounts is it going to their division uh in their agency is it going straight into government coffers that's the thing that we don't seem to know here and i think that's a fairly important data point that we don't have right yeah yeah it is it is i mean because you can totally imagine like just having some cryptocurrency to pay for
Starting point is 00:15:00 bulletproof hosting or whatever else that you need to kind of do your day job. But if you're actually now raising revenue kind of beyond the staff, I was going to say the beer fund, but probably not in Iran, raising money for the sports club, local, whatever social things they have around the office versus actual revenue raising for the government a la North Korea. That's a distinction yet.orea you know that's a that's a distinction yeah we don't know the details yet yeah and uh you know we we just find ourselves talking about the iranians and the um north koreans more and more and we've got a couple
Starting point is 00:15:35 of North Korea stories here. It looks like they're back up to their old tricks of infiltrating npm and dumping, like, malicious packages there. That's one story we've got here from Daryna Antoniuk over at The Record, and a big shout out to The Record too this week, because they have done some really great coverage over the last week. And also, so that's, you know, going after cryptocurrency and stuff, but also they were using a Chrome 0-day to target, like, people involved in the cryptocurrency trade. And that's been caught in the wild and now squashed. But, you know, we've got North Korea rolling around, you know, drop it like a 0-day shark, dropping Chrome 0-day on people to get their Bitcoin.
Starting point is 00:16:18 I mean, this is – they'll definitely keep you on your toes if you're responsible for securing one of those environments. Yeah, absolutely. I wouldn't want to work security at a cryptocurrency exchange. It seems like a – I guess some people love a challenge. You know, they like skirmishing with North Koreans. But this particular bug, actually Microsoft wrote it up, attributed it to North Korea, and said that it was actually a combination of two bugs. There was a Chrome remote code exec that got code exec inside the Chrome sandbox, and then
Starting point is 00:16:47 they were chaining that with a Windows kernel zero-day to escape out of the sandbox, up into kernel, drop their tooling, and then go about their business stealing cryptocurrency, funding nuclear weapons, et cetera, et cetera. And yeah, I mean, that's, you know, it doesn't get more, you know, it doesn't get better than that in terms of hacking. Like, you know, browser bug in the best browser on the biggest platform, escapes the sandbox, full code exec, up into kernel mode. What more in life is there than that?
Starting point is 00:17:17 Yeah, I mean, the old thing, you don't got to hand it to him. But, you know, when you hear that, when it's like, yeah, they're using a Chrome 0-day and then a, you know, privesc. I mean, that's it right there. Beautiful. Yeah. It's got a bow on it. Yeah.
Starting point is 00:17:28 Chef kiss, right? But, you know, it's just, you know, it just makes you wonder what else is being used for more serious stuff than crypto. Well, exactly. Now, we got an SEC release. This was sent to me by a listener. Forgive me. I can't remember who sent it to me. But, wow. So the SEC has announced that it's settled some charges
Starting point is 00:17:46 with a company called Equiniti, which was formerly known as American Stock Transfer and Trust Company. This is a really interesting attack. It just looks like a business email compromise. It happened twice to them. But what the attackers actually did once they got access here was, I think, just fascinating. What they did is, so this company essentially operated like share registry services for publicly traded companies.
Starting point is 00:18:12 And they just wrote, they just jumped in on this email thread and said, hey, we want you to issue more shares, then sell them and put the proceeds in this bank account in Hong Kong, and they did it, which is incredible. So essentially they triggered an on-market capital raise for a couple of companies and got away with millions of dollars. Equiniti actually paid back. They recovered some of the money. They recovered about 2.6 mil out of 6.6 mil, and I think they used their own money to make their customers whole in that case.
Starting point is 00:18:47 But now they're paying a civil penalty of 850 grand as well. But I think this was just interesting to me because, you know, we've got just access to an email thread being used to trigger an on-market capital raise, which means every single shareholder in those companies would have been diluted a little bit, right? It's funny because, I mean, it's funny for a number of reasons, but I find it funny because of the parallels with the cryptocurrency world where this happens every day in crypto land, right?
Starting point is 00:19:17 You break into somewhere, you mint a bunch of tokens, you flog them off. And now we're seeing the same kind of crime type being done in the real financial system, which, you know, it makes me wonder what other crypto crime, you know, kind of innovations we're going to see, you know, applied back into the real world as well.
Starting point is 00:19:35 But yeah, it's, you know, when we originally- This is what happens when the cryptocurrency world starts mimicking the real financial system, is you up the financial literacy of attackers. Exactly right, exactly. Which is, you know, because when we were putting together the run sheet, I had skimmed past this one, looked at the numbers and went, like, you know, we've got a $48 billion story in this week's run sheet, so, you know, 6.6. But then you were like, no, this one, you know, is actually interesting because of what they did with it. And it's pretty entertaining.
Starting point is 00:20:06 I mean, there's two sets of people, right? There's the people where you explain to them, well, a token is like an equity and this is how it works. And then there's other people where you explain, well, a share is like a token. So it's a bit of a sign of the times. By their powers combined. Yeah, exactly, exactly.
Starting point is 00:20:23 We've got another one from The Record. James Reddick wrote this one up. And this is looking at a Chinese disinformation group or influence operation group known as Spamouflage. They're really ramping up their operations on the sort of American internet in the lead up to the election, you know, posting things like, look at me, I'm just a humble
Starting point is 00:20:45 firefighter and I'm voting for Trump, that sort of stuff. It is interesting seeing China do this. I've noticed it on the Australian internet. There seems to be an awful lot of users with very odd posting history who have a real problem with the AUKUS pact between Australia, the UK and the United States. So I think just gradually we've seen China ramping this up and ramping this up. And, you know, this is just a great report. This is a write-up based on a report from the social media analytics firm Grafica.
Starting point is 00:21:15 Yeah, it's great to see some specific examples too, because, you know, you read about influence campaigns like this, but, you know, show me the nuts and bolts, show me the meat of it. And yeah, it's just so dumb, and it resonates. Like, the content is dumb, but it also resonates very much with what you legitimately see on social media. So, like, it's dumb, but it's not dumb. Like, it's not dumb if it works. And I guess, you know, we'll find out whether it works or not. They've also been doing this, you know, basically against all sides. Like, they've just been, you know, their goal
Starting point is 00:21:43 seems to be making trouble as opposed to supporting specifically Trump or specifically Biden-Harris or whatever else. We've just seen weighing in and stirring up some of the existing issues is good for them regardless of who gets in. So kind of easy target in a way. Yeah, and they're going hard on stuff like the TikTok ban and stuff. And that's what you find with those Chinese operations
Starting point is 00:22:06 is they tend to throw just like general chaos, but there'll be a couple of key issues where they're kind of swimming as one, right? Yeah, exactly, exactly, yes. Now, China's got some problems of its own. John Greig, again, at The Record, wrote this one up. Having a look at a campaign called SlowTempest, which looks like a really
Starting point is 00:22:25 sophisticated and highly coordinated operation targeting organizations in China, but not just for espionage, right? Like, this looks like a really interesting campaign targeting China. Yeah, I mean, the technical side of it is kind of, you know, not that outstanding. It just starts off with phishing emails with zips and link files and normal kinds of things that you would expect. But it's organized. And also, it either is native Chinese speakers or it has, you know, linguist support of some
Starting point is 00:23:02 sort. And there's plenty of other countries in the region that are, you know, have either Chinese diaspora or, you know, are native Chinese speakers themselves, Singapore, Taiwan, where, you know, you could get those skills. But it's just interesting because we don't often see, you know, in the open literature, I guess, discussions of, you know, well-executed Chinese language foreign operations inside China. Yeah, yeah, exactly. So we'll link through to that report. But, I mean, I would point out too that there is a Chinese diaspora
Starting point is 00:23:34 basically everywhere. That's true, yes. So, I mean, you're saying, okay, there's a Chinese diaspora regionally, but I'd say, you know, you'd have a pretty good chance of standing up something like this anywhere in the world. Yeah, that's true. That's very true, yes. And I guess a lot of people have got a bone to pick with China, so, yeah, could be anyone. No hints from Risky Business for Chinese, and you'd find that opinion on the Chinese government among the diaspora is pretty divided, right? So it's not too hard to find people who would do this sort of thing. Now we're going to talk about a story written by Dan Goodin over at Ars Technica, which
Starting point is 00:24:09 is the City of Columbus is suing a guy. The City of Columbus got data extorted, right? They refused to pay. The crew, it was, like, Rhysida or whatever. They wound up posting something like 45% of the data. The City of Columbus came out and said, no big deal, there's nothing sensitive in any of this. And then this researcher, what's his name, I can't remember, but yeah, he wound up downloading a bunch of the data and saying, no, look, it's full of social security numbers and this and that. So in response, the city is suing him. There's been a temporary restraining order granted against him, you know, to make him stop sort of downloading this information and interacting with it and whatnot.
Starting point is 00:24:50 This really just does look like it should be thrown out, because it looks like the city is going after him for embarrassing them. Yeah, it definitely feels like a, you know, shooting-the-messenger kind of case here. I think the guy's name was David Leroy Ross, who went by Connor Goodwolf on the internet. And yeah, he makes the point of that. He's the only person in the world who's now not allowed to go there and read the data from Rhysida's dark website. He's the only one in the world that can't look,
Starting point is 00:25:19 which, you know, great, great response there. The city had made some claims about it being encrypted or whatever else that were being used to kind of downplay it. So, like, you know, actually going and looking and verifying that seems like a public interest to me. But, you know, what a mess. And just, I don't know, like, you know, we've seen so many dumb responses to people getting hacked over the years, and you
Starting point is 00:25:45 know, obviously that's going to continue for some time. We haven't run, you know, run the gamut of all of the available dumb things we can do. So, yeah, good luck to him, I guess. Well, look, staying on the topic of sort of dumb responses to disclosures, we've got this great post here from Ian Carroll and Sam Curry looking at a SQL injection bug that could have allowed people to bypass airport security. I want you to walk us through the research here and what the systems were that were involved before we talk about the disclosure drama.
Starting point is 00:26:19 But I thought this was just a fascinating read, this one. Yeah, it really is, because airport security is an interesting and very integrated system. There's a lot of moving parts. They all have to work really, really well together. This particular system was, so there was an overall mechanism
Starting point is 00:26:37 where pilots and air crew and other airline staff that have business being airside can basically have a thing that allows them to bypass security screening because they're already trusted and vetted. And there is a system where they show up at the security screening. They present a credential of some sort, which I think is like a barcode. It's a barcode or they can provide their employee number and that becomes important later. Yeah.
Starting point is 00:27:01 And so then the system, so there's a system that the TSA agents can verify that this person is currently employed by the airline and pulls up their photos so they can verify that the person matches and then they get waved through without screening. Big airlines implement their own kind of system for this, but for smaller airlines, there are some companies that provide, you you know like an as a service implementation of this and one of those is called flycast flycast.com and apparently yeah they had straight up like not you know vanilla sql injection in their web-based interface which you could use to gain admin access like literally all one equals one in the login box kind of level SQL injection, gain admin access, and then enroll new people or change the photos of existing people
Starting point is 00:27:52 such that you could, if you then wish to, go and bypass security screening, which, you know, security screening has one job and that's clearly not it. Now, interestingly enough, they made the decision not to report this directly to the vendor because they realised that the company that they were doing this research against was likely just like one person
Starting point is 00:28:13 and they thought this is not going to go well if we get in touch with this person and then just disclose the bug. So I think that was a sensible decision. They reported to the FAA and another body, and then I think a day later wound up talking to DHS, to CISA, and then CISA wound up getting this done, which is fantastic. But then put out sort of, put out releases that kind of minimized what the impact was here, and you sort of get the
Starting point is 00:28:41 impression, even though it was fixed, that they didn't quite understand the impact. Yeah, so they made some statements about how there was a photo that you have to, you know, have to provide with the system, and there's a process for enrolling new users, and that that process of enrolling would have had some other validation that would have made this not viable in the real world. But the researchers just said, well, you can just change the picture of an existing, already enrolled user and carry on. There's no impediment to that process. So it got downplayed a little bit, and I suspect that's just when you've got so many layers of communication involved in vulnerability disclosure
Starting point is 00:29:20 and communicating the effects. The nuance can get a little bit lost, but it's disappointing when we're talking about, you know, CISA, Department of Homeland Security, you know, people that absolutely have the resources available to them to get it right. Yeah. I mean, I know we've got a lot of listeners at CISA, some of them senior. So, you know, check out this week's show notes and have a walk through this because I think
Starting point is 00:29:39 it's something that you'll read it and you might think, hey, maybe there's some processes we could improve here. Because that's really what you don't want, is someone being able to SQLi their way into inserting themselves into that sort of database. Because that would be, you know, the possible impact to that is really quite serious. Alexander Martin, again at The Record, has a report up,
Starting point is 00:30:03 we'll just touch on these quickly. Some sort of cyber attack has hit London's transportation network. Looks like back office affected, you know, trains are still running and whatnot. But we've also seen a report, again from Alexander, looking at the German air traffic control agency also experiencing some drama, but it looks like perhaps this one might be linked to Russia's APT28. Yes, we have seen some reporting that it was, you know, GRU, Russian military intelligence, and this didn't appear to have a, well, from the reporting, it didn't appear to be like a ransomware kind of thing. Like it felt like incident response here. And, you know, I've got to say, air traffic control is probably a legit target
Starting point is 00:30:45 for Russian intelligence gathering and understanding what's going on or pre-positioning or whatever else, which doesn't make you feel good, but that's the world we live in, right? Yeah. And the White House, this one, Joe Warminsky at The Record,
Starting point is 00:30:58 the White House is having a look at BGP security. So we've seen, was it the FCC recently announced that it's going to ask telcos to sort of at least report to them what they're doing about BGP security and whatnot. And now the White House is sort of backing these efforts. And it looks like we finally might see some movement towards, you know, BGP not being a horror show. I don't think people realize quite how bad the state of, you know, internet-wide routing actually is. That said, it's a lot better than it was 10 years ago. But now we're seeing, you know, sort of like a more whole-of-government effort to try to get some sort of PKI into BGP. Yeah, we've had a number of the technical components
Starting point is 00:31:45 in place to do this for a long, long time now because BGP hijacking has been happening for 30 years, 40 years maybe. But as with any PKI system, the devil is very much in the details of deploying it and as with regular web TLS, a lot of the issues you cause, DNS, a lot of the issues you end up causing tend to be availability stuff rather than integrity.
Starting point is 00:32:12 Like you break it because you misconfigure your PKI as opposed to an attacker actually doing it. So there's just a lot of fiddly bits in here. And network operators are kind of used to moving at a relatively slow pace because they didn't need to move particularly quickly on this stuff because, you know, the pool of attackers is relatively small, etc., etc. But, you know, we've seen BGP hijacking being used to steal cryptocurrency, you know, in the last couple of years. Like, so it's a real thing. Now, the US government is attempting to lead by example a bit here. Something like 60% of federal IP address space
Starting point is 00:32:45 is going to have certificate-based authentication of their routing advertisements by the end of the year. So it's a place where the US government can lead by example. And once you've worn those paths and worked all the best practice, then other people will follow when it's easier. Well, I think also there's a real advantage to having the government involved here
Starting point is 00:33:03 in that when it comes to stuff like these types of PKI programs, you kind of need someone to operate them. You know what I mean? It's an authority to, yes. You do. You just sort of need, like, who else is going to do it? Who else is going to say, well, I'm going to stand up the PKI and sort of work on the standards and try to be that central, you know, trust authority for these sorts of, you know, PKI projects. Like it's one of those areas where I feel like if the government doesn't do it, no one else is going to, right?
Starting point is 00:33:32 Yeah. I mean, I guess like the standards bodies have tried, but yeah, it's just kind of a thankless job and operationalizing a PKI is more than just making the standards work, making the software work. Well, that's kind of what I was getting at, right? Like you need to have maybe someone who's going to handle that, you know, the overall trust of a PKI system. Yes, or at the very least the incentives
Starting point is 00:33:54 for him to be able to go do it. Yeah. Now, you alluded to this one earlier. This is a piece by Jonathan Greig at The Record. Some online marketplace in Cambodia apparently handled something like $49 billion in cryptocurrency transactions just in the last three years. And a lot of that money has been tied to pig butchering scams, which, as we know, tend to operate out of Southeast Asia. And what's interesting here, though, is that this
Starting point is 00:34:26 marketplace has been linked to all sorts of elites in Cambodia, right? So the thing that I found interesting about this is it's just a further illustration that there's so much money in pig butchering that it has absolutely the potential to corrupt the highest levels of a lot of these societies. I mean, you know, we talked about how, well, it was a Cambodia, Laos and Myanmar, the pig butchering there, like, is equal to like something like 40% of the combined GDP of those countries. It's just, you know, when you've got something this profitable, it's going to, you know, that criminality and corruption is going to worm its way everywhere.
Starting point is 00:35:06 Yeah, well, exactly. And I think with the name, this company, Huione, they provide like escrow services. And we've talked about them in this context a bit before, but Chainalysis have been looking at the flows and the various blockchains in and out of these environments. And that number, like $49 billion over a few years, it's just ludicrous. And they also point out that in terms of ties with the elites,
Starting point is 00:35:29 one of the directors of the company behind this is a cousin of the Prime Minister. So you can kind of see that much money, you can end up buying a whole state in some respects. So what a mess, eh? Well, not so much where we are now, I just wonder where we'll be in five years, you know, and what sort of drama is this going to stir up for the countries
Starting point is 00:35:50 where this activity takes place? Yeah, well, I thought like that story we covered about the Chinese doing basically a cross-border raid to go arrest a bunch of people, repatriate people back to China, you know, which they were able to do because the local kind of government had been taken over by rebels, by people that weren't aligned with the government and didn't have so much interest in protecting these people. And then they cooperated with the Chinese law enforcement.
Starting point is 00:36:14 And, you know, like that's a wild story, right? And... Well, I think actually in that case, it was the scammers were operating in areas of government control and the Chinese backed the rebels, not the other way around. Yeah, that's what I mean, yes. Yeah, yeah. So, I mean, that was just – that whole thing was, yeah, nuts, right? Yeah, exactly.
Starting point is 00:36:32 But what, you know, we've just seen throughout history what happens when organised crime gets a real stranglehold on governments, right? And it ain't pretty. No, it's really not. And, you know, there's so much, you know, human cost to this in Southeast Asia. You read about some of these, some of the conditions, you see like this marketplace had ads for, you know, things like shock collars and other, you know, like electric batons that you would use to imprison people to make them work in these pig butchery farms.
Starting point is 00:37:06 So it's easy to look at the number, and it's easy to look at the complicated political and economic aspects, but also there are just so many people having their lives destroyed on both sides of the scamming process by this. So, yeah, I don't know. Sometimes I'm lucky. I'm glad that we live, you know, in places where this is less likely to happen. Yeah, it's, that's cheery. That's real cheery. Yeah.
Starting point is 00:37:32 um let's move on to a really business let's move on to a really interesting bit of technical research now and some researchers have figured out how to use specialized hardware to clone Yubikeys. So the Yubikey 5, which is the most widely used token in the world, if you've got the right hardware and physical access to a Yubikey, apparently using these techniques at some sort of side channel attack, you can clone them. I'm not terribly surprised that that's possible with specialist hardware. I would think this research would be a lot more damaging if you were able to do the cloning process via usb uh but because it's a side channel attack that relies on measuring you know electrical signals as the thing is performing various operations i i tend to think
Starting point is 00:38:16 the real world impact of this is not going to be uh so great but still yubiKey you had one job yes exactly exactly yeah the um the underlying flaw is actually a cryptographic issue in a software library from Infineon who make the embedded like secure element microprocessors that are in the YubiKey 5s and a bunch indeed a bunch of other devices as well and the people who looked at this crypto library because this crypto library is super highly protected from a confidentiality point of view you have to sign all sorts of documents um to get hold of it even the api is not published like it's really you know pretty tightly held by infinion and it looks like this particular bug goes back something like 14 years and as you say it requires physical access they you know drop an emf probe like over the chip
Starting point is 00:39:06 in the right place and measure the magnetic flux or whatever else as it's doing some particular part of the elliptic curve process and the particular library they're using doesn't do it in a way that's kind of constant um you know energy use so that you can leak key material so yeah not particularly real world, but if you are building your entire HSM, because, I mean, YubiKey sells products other than just FIDO tokens for consumers, right? They also sell HSM products for businesses and they're used by governments and all sorts of things.
Starting point is 00:39:38 And these libraries have been reviewed and certified a bunch of times already. So a little bit embarrassing for everybody concerned, but I have a YubiKqi 5 on my keyring right now and i'm not too worried about it i guess like i'll replace it at some point but no i think they need to get your creds first and then physical access to the yubiqi and then they've got to use 11 000 bucks worth of specialist hardware and you know i think um okay yeah it's a bug in the library, but it's also like, you know, it's one of those things where software meets physics, right? And produces something measurable.
Starting point is 00:40:09 And, you know, I think, you know, these sorts of attacks are always going to be doable. You know, it's just going to be a matter of the level of research that's required to get the insight you need to extract these sort of keys. If you've got, yeah, as I say, physical access, the creds and a bunch of specialist gear. Yeah, exactly. Like there's amazing attacks from a research perspective, but, you know. I should say too, some people might be thinking,
Starting point is 00:40:37 well, Yubico does occasionally sponsor Risky Biz. I mean, I'm not downplaying this because they're a minor sponsor of the show. I just think, again, this is interesting research and they should fix this. But I just, you know, it's so much effort. YubiKey have released updated keys. So like you can't fix existing keys.
Starting point is 00:41:00 It's the firmware is not a thing that's field upgradable. And they fixed it. The thing that's field upgradable um and they fixed it the thing that did concern me a little bit was the fix involves throwing out infinity on script their library and writing their own which i mean you know i'm sure they've done a good job but you know writing your own crypto library is one of those things that you know you get right the 15th time you do it well i think when you're an encryption company it's a little bit different you know we'd hope. You'd hope.
Starting point is 00:41:25 Like, you know, I hold out hope. But I'm just saying, you know, anyone who says, well, we fixed it by replacing the crypto with our own, you know, you just like, you know, you scrunch your toes up just that little bit. You're like, you do. Yeah. Various body parts tighten.
Starting point is 00:41:42 Yes, exactly. We got one here from Matt Capco over at Cybersecurity Dive, which is looking at how CrowdStrike is taking a bit of a revenue hit, mostly from the looks of things because they're having to do some pretty steep discounting to make things right with customers. I mean, this is very much along the lines of what I was expecting. We've seen some recent comments. We haven't discussed them in the show previously,
Starting point is 00:42:04 but we saw some recent comments from Sentinel One and Palo Alto Networks where they're like, yeah, we've got an influx of CrowdStrike customers who are asking us about our services and stuff. And they've been saying this on earnings calls and whatnot. I have a feeling most of those people are doing that so that they can then go back to CrowdStrike and leverage it into a discount. I think probably the big winner out of CrowdStrike's woes is going to be less likely to be Sentinel 1 and Palo Alto and more likely Microsoft, I would think. If you're looking for people who know how to be in the Windows kernel,
Starting point is 00:42:38 probably the Microsoft one is going to be the choice there. But look, I don't expect this to turn into an existential crisis for CrowdStrike, despite the fact that they're going to have to shell out a lot in terms of discounts over the next 12 months. Yeah, I mean, you know, in the end, they broke the internet for, what, a couple of days, a few days, like we recovered, life's moved on. No one's going to remember like outside of our field.
Starting point is 00:43:05 No one's particularly going to remember it, you know, in six months time. So yeah, I don't think it's going to, you know, I don't have any CrowdStrike stock, but if I did, I probably, I don't know, maybe I would huddle. I don't know. Yeah. I mean, it's, they've already recovered.
Starting point is 00:43:18 They've already made up some ground from the lows and whatever. So things seem to have leveled out, but yeah, I just, I just, people predicting the demise of CrowdStrike over this over this like frankly they just did not know what they were talking about you know because i mean i even spoke to customers when it all happened you know a week later i'm like well are you going to ditch it and they're like hell no so you know their core edr product and again they're not a sponsor right but their core edr product is pretty good it's um you know they've made some questionable decisions in terms of like some of the other products they offer like just acquiring everything they can because we're a
Starting point is 00:43:50 platform now but you know in terms of just running EDR you know they're pretty good I mean they're all pretty battle-hardened right I mean that's them has caught a lot of caught a lot of Chinese yeah hundred percent but I think they're all pretty good now like Microsoft's is good sentinel one's good CrowdStrike's good I think you know it's good now. Like Microsoft's is good. Sentinel One's good. CrowdStrike's good. I think, you know, it's a mature tech, right? And we've got options there.
Starting point is 00:44:11 So yeah, anyway, moving on. This is the last thing we're going to talk about this week. And it's an absolutely hysterical report from Brian Krebs about this service that was called one-time passcode where you could basically trick people into giving you their one-time passcodes over telephony over voice but they they just had no opsec and indeed like we're looking at chat logs here between these people saying oh look we should probably delete the messages that we send each other about all of the fraud we're doing because they were trying to operate with like a veneer of like we're a legitimate anti-fraud service but yeah these
Starting point is 00:44:48 guys have all pled guilty but this is just like talk about like really like unskilled criminals in this case and i felt bad when i was reading this piece because like you read the story and you read some of the the chat log exits and then you scroll down to where their mugshots are and they just look exactly like you expect. And I feel bad for judging people based on their appearance, but I mean, they look like low-rent cyber criminals. Yeah, they're like 20 years old sort of thing. And I think their company was called OTP Agency. And how did it work?
Starting point is 00:45:19 Like it was, you'd trigger a phone call that warned them about activity on their account and please, you know, generate an OTP and, you know, enter it with your number pad or something like that. So it was one of those services. Yeah, that's the basics. Yeah.
Starting point is 00:45:32 It's pretty straightforward. And they had a control panel thing where you could kind of orchestrate your campaigns and collect the codes you got. So it was kind of like it worked. It provided that functional service but not very good at crime not very good at conspiracies and we haven't seen any sentencing yet but i mean you know not not master criminals no and it was they got busted by the uk national crime agency like if you're gonna do this like doing it in england i don't know yeah not not gonna go well for them it doesn't
Starting point is 00:46:01 seem smart doesn't seem smart well mate that's actually it for the week's news. Thanks so much for joining us despite your troubles. I was, yes. I hope you'll be able to rest up and enjoy the rest of your trip and we'll do it all again next week. Yeah, we certainly will, Pat. I will talk to you then. Okay, it is time for this week's sponsor interview now with Ariel Kadeshevich.
Starting point is 00:46:35 Ariel co-founded Sparrow, which is an identity security posture management company, which was acquired by Okta last year. Sparrow is now Okta's ISPM product, and Ariel joined me to talk about ISPM and the sorts of issues they tend to uncover in large environments. And you know, what a horror show. I let this interview run long because it's a really interesting conversation. So here's Ariel kicking things off with a brief description of how Okta is tackling ISPM with what was Sparrow and is now Okta's ISPM product. The main thing about the ISPM product is actually being able to map and understand what are the different identities
Starting point is 00:47:12 all across IDPs, cloud environments, SaaS environments, the main crown jewels of the company. And understanding from a mindset of an attacker, a mindset of a hacker, what is the loophole or easiest way in to getting into this company? And the way and what ISPM is basically doing is correlating between those different identities all across the systems and helping you understand what are the biggest loopholes in your attack surface from an identity perspective.
Starting point is 00:47:47 And having the visibility not just into the IDP, not just into the cloud provider, but having an holistic view of all of them together. It makes it very interesting for CISOs, for security leaders to understand their issues. So let's talk like tangibles here, right? So what are the sorts of issues that you're likely to uncover with this thing? I mean, we got talking before we were recording and you said one thing that it's just extremely good at is finding MFA gaps,
Starting point is 00:48:14 where that could be, okay, a policy was applied that people, you don't need to enroll in MFA, but some staff member got off-boarded who never did that. And there's an account just sitting around with no MFA. So MFA is a big one for you, isn't it? Just finding where those gaps are, insecure MFA methods, actual enrollment as opposed to intended enrollment. That's a big thing. Yeah, exactly.
Starting point is 00:48:38 I think today a lot of people use the term MFA in a very binary way. But MFA have so many configurations and so many things that can go wrong. You have phishing resistant, non-phishing resistant, you have enforcement, but what about enrollment? Sometimes you can make a policy of like, okay, is this range of IPs can log in without going through MFA? Do I feel safe about it? Maybe put the entire gcp ip range in it like um and and and there's so often sorry i'm sorry to interrupt you but how often do you see something like that because yeah i imagine probably more than you should right yeah yeah too much and and and what actually helps is to understand all of those things together and map what's the current issue of,
Starting point is 00:49:25 I'm an attacker from the internet. By mistake, I have one password of some account. What can I do? And having Sparrow actually analyze from the moment you think you switched on some enforcement somewhere to the fact of, okay, my MFA to all of my crown jewels of the company are really safe, there's a very long way. And Sparrow helps understand, analyze, and monitor it. And I think a very interesting research we did that shows how important this ability is, is we had a customer that had this breach. And they were pretty surprised how the MFA they thought they enforced
Starting point is 00:50:08 didn't help them with the breach. And what we found out, looking into the logs and everything, is that, and we, by the way, we were installed just a few weeks after the breach. So it was interesting to see how the things that we would show, would it help them, you help them to prevent the breach? And actually, we show them there's tons of service accounts brought from Active Directory,
Starting point is 00:50:31 synced automatically, 18 years old accounts with 18 years old password, automatically synced to their Entry ID. And they think they enforced it, but what actually happened is that the attacker logged in, they enrolled their own MFA. They didn't have MFA hijacking. They basically enrolled in virtual phone number as an MFA,
Starting point is 00:50:52 and then they controlled this account in a very easy manner because, you know, it's their own MFA. Yeah. But, I mean, that's exactly what I was talking about before, right? Which is, it's one thing to say, okay, all of these users must enroll. But like, there's a bunch of accounts that just aren't going to do that. People who left the company, long forgotten, temporary, you know, in quotes, temporary
Starting point is 00:51:14 admin accounts, stuff like that. So that's really the thing that you're, you know, that people are most interested in, I guess, when it comes to your stuff. Yeah, exactly. So one big thing is the MFA part, just as you mentioned. The second thing that people, that customers and people love about a product is also having the visibility, not just through the lens of the IDP, but also what's happening in other major systems. And one of the things that we're seeing is a big
Starting point is 00:51:42 issue with non-federated accounts. big issue with non-federated accounts. Now, with non-federated accounts, a lot of time people ask, like, why is it happening? Like, I wanted everything to be federated. Like, come on. Someone decided, let's stop using those. And what we see is that there is good, we call it the good, the bad, and the ugly. The good use cases of, you know, non-federated account is things that make sense, like break the glass accounts or service accounts where you can't implement
Starting point is 00:52:14 a machine-to-machine connection without them. There are some cases of that. Then there's the bad case of some policy violations. For example, I don't know some some smartest engineer decided to keep his own iam account in his aws without going through the federation because he wants i don't know why and then there's the ugly case of sometimes we even find apps that offer this side door url to enable users to authenticate directly to the app, even though you configured it and you thought you enforced it. So, well, but I mean, that one, that one I imagine is super common, right? Because
Starting point is 00:52:51 all of these app makers, they're like, yeah, we got Okta integration. And usually SSO integration is the thing that they do that all of the enterprise customers ask them to do, right? So they've built this, this thing and it's never something, well, I suppose these days it's a bit different, but it used to be that no one would ever start off doing something as as sso integrated and it's something they do towards the end but then not every customer wants it so they've got all of those auth paths through their clunky self-rolled horror code as well as the idp friendly stuff and so yeah i can i can i can imagine there's a lot of cases where even if someone enrolls you know they just want to be using an idp they want to be using sso
Starting point is 00:53:33 i'd imagine that yeah it's not too hard to imagine that they haven't handled that all that elegantly and there's probably some horrible stuff happening in the background to to make that all work and there's probably cred pairs sitting around somewhere that can access the same accounts. Is that about right? Yeah, yeah, for sure. You're completely right. And it's very interesting to see how a lot of times with security leaders, the shock, you know, the shock when you realize that you have so many non-Federated accounts and so many, we call it auth paths.
Starting point is 00:54:07 Like we actually, one of the main thing in Sparrow is that we have this identity graph. We make a graph of all the authentication paths that you can make across the organization. So from the person until the resource, like an S3 bucket. And we can, we actually calculate, you know, I can go maybe through my Okta to my AWS to this S3 bucket. And we actually calculate, you know, I can go maybe through my Okta to my AWS to this S3 bucket, but I also have another authentication path where I go directly to the AWS and I can assume some role that can give me access to something. And I think security leaders being very shocked when they see how much access in the company still goes non-federated still non-go from the front door that they invest so much time in um okay okay but let me ask you
Starting point is 00:54:52 this right so now you're a part of octa octa is the front door so hey where are you getting this information from right like how can you tell that there are all these unfederated accounts being used in an organization when Okta is not going to have that visibility necessarily, right? Yeah, exactly. A great question. And the answer is that in many cases, you still need to integrate to other crown jewels to understand those issues.
Starting point is 00:55:17 So Okta can see a lot of things and can protect a lot of things. But eventually, until you're not connecting to your cloud provider or, you know, some main SaaS app that you see as a crown jewel, you need a product that can correlate and understand, like, this is the things I'm seeing in the IDP. This is what I'm seeing in the downstream apps and showing the difference and helping you understand and mitigate those issues.
Starting point is 00:55:43 And that's the part that I'm curious about, right? Because you're going to actually have to be getting some sort of telemetry from the downstream apps. So that's going to be the tricky part with this, I'd imagine, is actually doing all of the instrumentation and getting those logs and all of that stuff, right? Yeah, so you're right. So the way that Sparrow works is basically we're integrated to the IDP. This is the first part.
Starting point is 00:56:05 And then we usually integrate to a few major crown jewels, like your AWS environment, GCP, your Salesforce, your GitHub. So integrated to the thing that you consider as the crown jewels. But we already support it. So Sparrow can integrate to those applications. We do it in a very... We try we do it in a very we try to do it in a very safe manner like API only for read only for the things we need so helping our customers to integrate it quickly it's it takes about 10-15 minutes to to integrate an application so it's
Starting point is 00:56:39 not such a big of a hassle but yeah it's uh but there's the the technical um the technical side of of getting all those telemetries of all of those applications correlating them it's uh it's a big technical uh issue but we we tackle it every day and uh yeah that's part of part of the magic yeah i'm guessing it's hard which is why octa uh deemed your company worth buying right a different story. But I'm guessing too that there's going to be the issue. So what I was curious about I guess and it makes sense that you would have you know a lot of this sort of a lot of these sort of connectors built for as you say like AWS GCP
Starting point is 00:57:19 probably some major SaaS apps as well. But I guess where it might get a little bit tricky is in some of the more custom enterprise stuff, right? Like how easy is it to take something that, you know, that has its own logging schema and sort of get some meaning from it through a product like this? Is that something that you've encountered before? Or someone says, hey, we'd like to instrument, you know, this through to this horrible enterprise Java pile of crap. Do you just tell them, well, good luck with that? Or is that something that you actually help them with?
Starting point is 00:57:51 Yeah, so you're completely right. It's a question that comes not with every customer, but with some of them. So the thing that we see in that is, first of all, they get a lot of value already from the, let's say, the major crown jewels, the known ones. Then what we sometimes offer is having an API to be able to push data from, you know, homegrown apps, as you mentioned, to push them into the system. So it's not out of the box. It's more, let's say, to fully support it, it's later on the roadmap, but it is something that we get asked by customers sometimes. Yeah, they have this, just as you mentioned. Sometimes they're like, wow, what you just showed me on my AWS is eye-opening, mind-blowing. I want to see that on my homegrown crappy app that
Starting point is 00:58:47 serves, I don't know, half of my customers, half of my employees, you know. Yeah, some Java monstrosity that's been gradually developed over 30 years at some bank, right? They're like, help us with this, and you look at it and... but you know, I suppose that's the gig. But I notice also that some of the SaaS apps you support out of the box are things like, I mean, Snowflake, right, is one of them. What else you got here? You got GitHub, Salesforce, you know, the majors. Talk to me for a second about Snowflake though, right? Because I'm guessing you would have found, yeah, some pretty interesting misconfigurations. I mean, I'm still a little fuzzy on exactly what happened in that instance of all of that data getting scraped out of Snowflake.
Starting point is 00:59:29 But, you know, I did do a bit of Googling around and read about a lot of the tools. And, you know, there are so many of these like command line tools that either use like API tokens or you can just plug creds into them and off you go. And there are two cases where you're sort of not using MFA. What have you found when you're looking into people's like Snowflake tenants or whatever the hell you'd call it
Starting point is 00:59:53 or whatever you'd call them? You know, what are you finding there that's interesting? Is it people using a lot of these sort of command line tools or API tokens? You know, how did we get into that state where all of that data walked? I'm asking you to speculate, but you know, I figured you'll have a good answer for this one.
Starting point is 01:00:11 Yeah, yeah, no, no, it's a great question. It's something that we actually, like, we already support a few of the use cases you mentioned. So I'll tell a little bit about it. The way we see it is just as you mentioned, there are a lot of issues with personal access tokens, people putting their credentials in some CLI and entering in. And what we see in the market is that there are systems where the way that systems integrate through API with other systems is by first creating what we
Starting point is 01:00:42 call a human-born account. So an account that can be used by a human. And then we attach some access token to it to be used in CLI and, you know, different things. And then there are systems that said, okay, no, let's in advance think of how we differentiate between, like, human accounts, human interaction, you know, interactive interaction with the system, and created different types of identities for the non-interactive interactions, the non-human interactions. And what we see is that everything is mixed, like there is just mayhem, just mayhem of... And you know, you're talking about it, so one thing there is you're talking about it like it's a service account, like it's machine to machine, and quite often it's not, right? And that's the thing, because it's like one of these data science tools, so it's some dev who just grants
Starting point is 01:01:34 themselves an API access token and bang, off they go, just doing their thing, right? And it's, yeah, that's a tricky one though, because I don't think any one vendor has the complete solution to that problem, right? Because it's just too multifaceted. Yeah, so one of the things that we developed recently, which was amazing for our customers, is think of all of those human-born accounts, right?
Starting point is 01:02:02 You have a lot of those accounts and then some of them are being used for human interaction, and some of them are called, let's say, Jira integration, right? When you see the name Jira integration, though it looks like a human account by definition, both you and me understand that it's probably not being used by this one human person. It's probably going to be a service account or a shared account or something of that matter.
Starting point is 01:02:28 And what happened to our customers is that they say, listen, we need help with, like, we can't go over 10,000, 50,000 accounts and tag ourselves what we think is service and not service, right? Because it was born like a human account. So it's not something you can do automatically very easily. And one of the things that we help our customers with is actually we now already have in production the ability, using an LLM, to tag for our customers what we think in high probability is a service account.
Starting point is 01:03:00 And they just love this feature because instead of going on to 50,000 accounts, we tag with an LLM what we think is a service account or a human account and our results so far are amazing. I'm sure they are, but you could probably do that with machine learning. You don't need AI pixie dust, LLM pixie dust, but hey, whatever works, right?
Starting point is 01:03:26 Yeah, but you're right. But the thing is that LLM is so good in taking a problem and trying to solve it quickly. Like you can invest a lot of time in creating a very sophisticated AI. Sophisticated. And you can get it to apply the same sort of methodologies across different account
Starting point is 01:03:45 types and different log sets and all sorts, right? So it definitely makes it easier for you, for sure. Yeah, yeah, yeah. But hey, look, I just realized, Ariel, we got to wrap it up there. I know we're right in the groove here. We had so much fun. Yeah, we're out of time. We're out of time.
Starting point is 01:03:59 Thank you so much for joining me to have a discussion about all of this. You know, I find this a topic that, you know, I find this a really interesting topic. And yeah, thanks for joining me to talk about, yeah, the tech you develop, which is now part of Okta. Thanks again. Thank you, Patrick. That was Ariel Kadyshevitch there with a chat all about Okta's identity security posture management product and the sorts of things that it finds. I do hope you enjoyed it. And that is it for this week's show. I do hope you had fun with us and I'll be back soon with
Starting point is 01:04:30 more security news and analysis. But until then, I've been Patrick Gray. Thanks for listening.