Risky Business - Risky Business #764 -- Mossad expands into telecommunications services
Episode Date: September 18, 2024

On this week's show, Patrick Gray and Adam Boileau discuss the week's security news, including: Hezbollah's attempts to avoid SIGINT with pagers end in explosions; the US shines many bright lights on RT's disinfo role; Australia counters Chinese bullying in the Pacific; valid accounts are the most prevalent entry point, says CISA's data; Ivanti and Fortinet vie for worst vendor of the week; Krebs writes up the shift towards charging The Com with terrorism; and much, much more.

This week's episode is sponsored by Push Security, who bring security visibility to where it needs to be these days: the browser. Luke Jennings joins this week's show to discuss how phish-kit crews are driving the arms race forward, and how detection has to adapt and go where the users are.

This episode is also available on YouTube.

Show notes
Israel planted explosives in Hezbollah's Taiwan-made pagers, sources say | Reuters
How Hezbollah used pagers and couriers to counter Israel's high tech surveillance | Reuters
Biden administration unveils new evidence of RT's key role in Russian intelligence operations globally | CNN Politics
Meta bans RT days after U.S. accused Russian outlet of disinformation
U.S. to file charges in Trump campaign hacking case, officials say
China suspected of hacking diplomatic body for Pacific islands region
Chinese-made port cranes in US included 'backdoor' modems, House report says
Stolen account info still chief risk for federal agencies, annual CISA audit finds
Notice of Recent Security Incident | Fortinet Blog
WordPress.org to require two-factor authentication for plugin developers | CyberScoop
Multiple attacks force CISA to order agencies to upgrade or remove end-of-life Ivanti appliance
Ivanti Endpoint Manager and Ivanti Endpoint Manager Security Suite and Ivanti Cloud Service Application (CSA) - End Of Life (EOL)
The Dark Nexus Between Harm Groups and 'The Com' – Krebs on Security
Feds sentence 12 crypto thieves behind SIM swaps, home invasions
Ex-CrowdStrike employees detail rising technical errors before July outage | Semafor
Post-CrowdStrike Fallout: Microsoft Redesigning EDR Vendor Access to Windows Kernel - SecurityWeek
Apple seeks dismissal of its NSO Group lawsuit, citing risk of exposing 'vital security information'
US hits Intellexa spyware maker with more sanctions
BolivarCucuta on X: "Israeli citizen Yariv Bokor found dead in Medellín. In an apartment in El Poblado, Medellín, Israeli citizen Yariv Bokor was found dead, with apparent signs of violence. Bokor was linked to the company Sandvine, which has a relationship with NSO https://t.co/EeY1os1omW" / X
Instagram to bolster privacy and safety features for millions of teen users
Mastercard buys Recorded Future for $2.65 billion | CyberScoop
Transcript
Hey everyone and welcome to Risky Business. My name's Patrick Gray. We'll be chatting with Adam Boileau in just a moment about exploding pagers,
Ivanti related drama, members of the Com being charged as domestic terrorists and a bunch of other stuff.
And then we'll be hearing from this week's sponsor, Push Security. To be transparent, I am
an advisor with Push Security. They make an identity security product that plugs into your
browsers to capture identity events as users initiate them and this can be handy for all
sorts of reasons. Luke Jennings from Push will join me this week to talk through some work he did tearing down an analysis-resistant phishing kit.
These phishing kits, the ones that enable MFA bypass, they're getting really sophisticated to the point where email security products have a hard time actually loading up the URLs out of malicious messages and seeing the payload that's being delivered to users. So we talk about the analysis that Luke did, and then we chat a bit about why passkeys
aren't a panacea for identity security.
That is coming up later, but first up, it's time for a check of the week's security news
with Adam Boileau.
And mate, we're going to start off with this story out of Lebanon, where it looks like
Israel has performed just an absolutely incredible supply chain infiltration,
shipping thousands of exploding pagers to Hezbollah,
which they detonated today.
Something like 3,000 pagers went bang, injuring a lot of people.
So far, nine people have been killed, including, according to reports,
a couple of kids, which is extremely sad. It's very sad.
But look, let's walk through what's actually happened here. It really does look like
straight-up supply chain infiltration. Yes, we saw when the story broke, you know, basically first
thing in the morning for me, there was a bit of speculation as to exactly what was going on. Like
some early reports made it sound
like perhaps the pagers had been hacked and their onboard batteries triggered to explode, but
pretty much as soon as you saw some of the footage, it became clear that this was beyond,
you know, a regular triple-A battery in a pager. Like, you're not going to get that much energy
out of it. So it really does look like they interdicted a bunch of pagers,
fitted them with explosives and then were able to trigger that remotely in a coordinated fashion.
And I mean, there's so many moving parts in an operation like that. Beyond just, you
know, the interdicting some shipping and fitting these things with bombs, there's
all of the work you have to do to get to the point where you know that shipment's going to happen,
that they've decided to go with pagers to start with.
Because, I mean, we've seen a lot of history in the conflict between Israel and its various neighbors
where Israel has used its technological advantages for, you know,
using surveillance of radio transmissions, hacking cell phones,
you know, monitoring communications lines and fixed, you know, fixed fiber optic and fixed phone
networks. Like, it's a pretty hostile communications, like, COMSEC environment there.
So there's just so many moving parts to this operation, and like, it's pretty stunning to read
about. Yeah, well, I mean, the thing I think,
the thing to point out is, the reason we're talking about this on a cyber security podcast
that, you know, also touches on SIGINT, is the reason Hezbollah were using pagers is it would make it
impossible for the Israelis to track their movements. They'd made the switch to pagers
apparently after some of their commanders were killed over the last year following, you know,
the October 6th and related military action in southern Lebanon and Gaza. So it looks
like their solution here was to go for pagers, and somehow, according to reporting, the
Israelis managed to order something like 5,000 of these devices from the Taiwanese manufacturer and to place some sort of explosive device in them
that was not discoverable to Hezbollah. So, I mean, it's, you know, it is a remarkable operation
any way you slice or dice it. And to a degree, I mean, it's, you know, the targets are sort of
self-selecting as well. So there was a way to do this in a way that would cause injury
to enemy fighters while only killing a few of them.
And as I mentioned at the top, it looks like, unfortunately,
people unrelated to Hezbollah activity, a few of them,
may have been killed.
But this is a lot less civilian damage than would be caused
even by a single airstrike.
So you have to look at this and say, this is the type of stuff we would like to see
more of if the other option is things like airstrikes.
Yeah, I mean, it sounds horrible, but at the same time, you know, I remember when, back
when Israel was doing Stuxnet, there was, I think, Mike Piper, my colleague at the time, did a presentation where he showed a graph of the death rate of Iranian nuclear scientists.
And there was a real drop-off during Stuxnet because they had other ways to impact the nuclear program in Iran instead of motorcycle bombs whilst they're in their commute or blowing up their holiday houses or whatever else.
And once Stuxnet was snapped, then the death rate of Iranian nuclear scientists
started to go back up again. And, you know, so whilst, you know, the human costs of these things are
tragic, you know, it's all relative, isn't it? Right, it's relative. I mean, unfortunately, that's the way
it works with this sort of stuff, is civilian casualties can never be entirely eliminated. But in this case, they can, you know, they were certainly, as a ratio of... And this whole conversation
just feels, you know, it feels icky discussing human life like this, but it's the harsh
reality, I guess, of the situation there. No one wants to have a conversation about the
correct number of children who should die in a military action, right? So of course it feels icky.
But, you know, again, it is relative. There are still
people who cannot live in southern Lebanon or northern Israel because of all of this. This is,
you know, there's rockets flying around. There's a lot going on. So this isn't a bolt from the blue.
It's an entirely legitimate action. I'm still curious. I mean, I'm obviously curious to know
how they convinced them to buy their pagers from their source.
That's incredible.
But I'm also curious how the device side of this works.
As you pointed out, there's no way this was even a lithium ion battery explosion.
You look at the footage.
There's no smoke and flame that's sort of typical of those sorts of explosions.
I did see some speculation that perhaps they managed to squeeze some explosives into the batteries that were included in the device.
And then they were able to, you know, discharge enough current from the battery to make them, you know, explode.
We don't really know.
I think, you know, we will probably find out one day, but it's hard to say.
But, yeah, just all in all, a jaw-dropping operation.
I mean, I woke up this morning listening to it on the radio.
It's incredible.
Yeah, I mean, it really is a startling operation.
And, like, if you're Hezbollah or Hamas or, you know,
any group that's in operation in opposition to Israel,
like, what are you going to do about this?
Because, I mean, like, what communications mechanisms
do you have left that you feel like you could use,
you could trust, you could, like, what a hostile environment
to try and carry out, you know, communications and operations
and whatever else.
And, I mean, from that point of view, like, quite apart
from the people who've been injured and, and, you know,
are out of the fight because of their injuries at the moment,
like just the psychological impact of how do you function now?
How do you disseminate orders? How do you communicate?
Like that's a real blow.
Yeah. I mean, Hamas are known,
well known for using landline infrastructure as a counterintelligence
measure. Hezbollah were moving in that direction as well. Again, you know, Hezbollah figured out
that their senior figures were being targeted
because the Israelis were able to track their cell phones, right?
So, you know, they ditched the cell phones,
went to pagers, that hasn't worked out.
So I guess they're back to couriers and cell phones,
and fixed-line phones at this point.
But you're right, their command and control at this point
is just a shambles.
Yeah, and I think you linked me through to a Reuters piece
that was talking about earlier efforts by Hezbollah,
and they had, with Iran's help,
deployed a fiber network around Lebanon for their communications.
But then they had problems with Israelis
breaking into that closed environment,
and now they have to splinter it up
into non-interconnected bits of network.
And, like, it's, yeah, I don't know what you would do
if you were in charge of
trying to provision that communication system. Like, it's, yeah, I mean, it's just a startling
operation and stunning, unfortunately. I mean, unfortunately depending on, yeah, depending on
your point of view. I mean, I think most of us would agree that, you know, probably when it comes to
Israel v Hezbollah, you know, it's not tremendously difficult to pick a side.
But again, the point really comes down to the fact that...
Look, I'll give you an example.
Today, I was listening to an interview on BBC
with a doctor in one of the hospitals in Lebanon.
And the interviewer asked him,
how many of these people are coming in are civilians? And he kind
of answered the question in a funny way, which is he said, oh, it's difficult to
tell because they're coming in in civilian clothes. And I would say a
better question would have been how many of the people coming in were military-
aged males, because that would give you a much more reliable indicator of whether
or not they were Hezbollah versus the clothes that they were wearing at the
time. You know, so I think this is an incredibly scoped,
well targeted operation that certainly does have impacts on,
well, that certainly does touch cybersecurity in SIGINT
to a degree because the only reason this happened
is because Hezbollah no longer trusted their phones.
Yeah, exactly.
And Israel's expertise at penetrating technical systems,
you know, pushes them towards lower tech things. But as we've seen with, you know, backdoored 2G,
you know, non-smartphones in the Russian market, you know, things that we think about as being dumb,
you know, even quite apart from supply chain, may not be quite so dumb, right? We've learned a lot
about InfoSec over the years.
And a 2G GSM baseband versus a modern SIGINT agency,
you haven't got a hope in hell with a non-smartphone either.
Well, that's why Bin Laden relied on couriers, right?
And that's what got him in the end.
Even someone turning up is enough if you can pin down the couriers.
So, yeah, just a very – look, this one is going to be in the history books forever.
You know, any sort of college doing war studies or intelligence studies,
this is one of the big ones for the ages, for sure.
Let's move on to some other news now.
And, you know, we said there was more to come last week when we spoke about this DOJ action against Russian disinformation.
They'd indicated that there was, you know, more to follow.
And then we got this incredible info dump about Russia's media company or, you know, state-controlled media company, RT. The US authorities are alleging
that RT is now fully integrated into Russian intelligence operations. And in fact, that it had
a cyber unit that was doing information operations. Now, we don't know exactly what this cyber unit
did, whether it was hacking information to be included in RT reports or was operating bot accounts, but we do know that they had some sort of cyber unit. Interestingly
enough, too, the DOJ has, like, doxed other outlets in various countries as being under the control
of RT where that wasn't obvious. So, yeah, this, what we said last week, is right, which is this is a very
big operation from the Americans to try to damage
Russia's sort of misinformation and propaganda machine in the lead-up to the election. Yeah, it
seems like a pretty comprehensive action, and, you know, we're already starting to see some downstream
consequences of that. Meta, for example, have thrown RT's things off their various platforms, so no more, you know, Instagram posting for them. And then
we've also seen, you know, some of RT's tendrils in other areas of the world, kind of outside the
West, so like in Africa, for example, kind of a whole bunch more attention being paid
to those. So it's a, you know, this is the way that you expose disinformation, right, is by shining light on it and letting people see it for what it is.
And it feels like a pretty effective, I mean, so far,
it feels like it's going to be a pretty effective operation
for them against RT.
Yeah, I mean, you contrast this to,
and this is something we mentioned last week as well,
you contrast this to 2016 when the DOJ was caught flat-footed.
You know, 2020 a little bit better and
now it feels, it just sort of feels like they're on top of this. Yeah, yeah, exactly. And as well they
should be. Like, we've had a number of years to get used to the various, you know, tricks and techniques
of this trade, and, you know, we need good responses to this stuff to preserve democracy
and other things. Yeah, I sort of wonder, when they talked about RT having a cyber unit,
it kind of made me wonder about, you know,
the Murdoch tabloids when they were doing phone hacking.
Yes.
Does that count as a cyber unit?
Like what were they actually doing and was it different
to just like other shady media players or, you know,
just a thought that occurred to me anyway.
Yeah.
Like is it cyber or is it just search engine optimization?
Yeah.
Well, we don't know, but I'm sure eventually
we'll find out. Staying with election stuff, the DOJ is also planning to file criminal
charges against the people who hacked Donald Trump's presidential campaign. This was one
that was attributed to Iran, so I'm guessing it's one of those, you know, essentially doxing them. It's
like, this guy who works for this unit in Iran, here's his picture, and he can't go to Disneyland anymore,
which I'm guessing he wasn't planning to anyway.
Yeah, yeah, exactly.
I think the Washington Post reported that there are charges pending,
but there's no details of exactly who they've charged.
But yes, I think you're right.
It's just going to be the usual kind of,
no holidays in Florida for you, buddy.
Yeah, now looking to some state-sponsored hacking in this part of the world,
there is a Pacific Islands forum that operates around the Pacific.
It's based in Fiji.
Apparently China had a go at them.
And Australia in response has actually sent some incident responders.
And this is part of a program that was spun up by Australia's Department of Foreign Affairs and Trade, specifically to assist Pacific nations that are experiencing cyber incidents, whether that's ransomware or stuff like this.
I don't think the Australian government has actually confirmed that they responded to this.
But the Kiwis wound up confirming that the Australians responded to this, which is a bit interesting. So it is out there, but Australia's being discreet about it. But
we've spoken about this a few times over the last couple of years. This is terrific diplomacy
for Australia in the region when you've got China trying to pull the Pacific Islands into
its sort of sphere of influence. They were trying to sign all sorts of defence agreements
and whatnot with them a couple of years ago.
And I think it really just helps contrast China versus the West, right?
When you've got China hacking into their forums
and Australia sending the incident responders,
you know, it kind of perhaps helps to show Australia in a better light than China,
I'm going to say.
Yeah, like it sends the right vibes, as the cabinet said.
Yeah, exactly, exactly.
Yeah, yeah.
So good work, Australian diplomats and the foreign affairs team.
But, you know, China just has been being such a bully in the Pacific, so, you know, I hope that
contrast is very clear to everybody. Yeah, yeah, me too. And I think it's excellent value for the
Australian taxpayer as well, in terms of, you know, if you could spend, I think the program's
worth about 25 mil Aussie dollars, and if you can spend that amount of money and get that sort
of diplomatic effect, you know, that is going to save you a lot of money compared to China
getting much more influence and, you know,
like even a military presence in the region.
Yeah, amazing value.
So well done to the Australian government, I guess.
Plus a bunch of incident responders get to hang by the pool
at the holiday inn in Suva, which is the only place that you stay
when you're doing cyber work in Fiji,
because I have done the same thing.
So I'm sure they enjoyed it.
Yeah, I believe too
that they might be using external contractors for this,
but that's probably not something I should know.
But anyway, moving on.
And, Chinese, we've got a report here
from Martin Matishak here at The Record,
which is that Chinese-made cranes in the United States.
So there's been this Republican-led study
of the use of Chinese cranes in American ports,
which I think is a very good thing to do
to look into their use.
Funnily enough, though, one thing that they found,
one risk that they've identified,
is that there are cellular modems
that are attached to some of the computing bits and pieces
that ship with these cranes that aren't kind of documented, right?
And this report has found that they're an intelligence risk.
Fair enough, but I would be cautious in suggesting
that those things are there for sort of espionage
or, you know, fishy purposes.
It's just this sort of equipment comes with that sort of stuff, right?
Yeah, like one man's remote diagnostics is another man's, you know,
backdoor and intelligence access function.
And, you know, when we were having some of the conversations around,
you know, Huawei and ZTE and all of the other kind of Chinese supply chain concerns,
like it's very hard to differentiate between, you know,
what's just normal engineering function or in some cases
what's bad software engineering practice versus deliberate vulnerabilities. Like, it's all super
murky, and ultimately it's how you use it. And, you know, I can totally understand why the US is
not keen on having, you know, having their freight cranes controlled by, you know, potentially
controllable by a third party, especially when the vendors, ZPMC,
they're actually really big.
Like I didn't realize like quite how,
like the US doesn't make cranes domestically anymore.
Apparently they got to start now with a,
I think it was a Japanese firm that was now joint venturing.
But, you know, there's all sorts of interesting niches like that
in, you know, the sort of globalized economy where you end up with these supply chain dependencies that no one ever stopped to think about until you don't have the heavy industry anymore.
Yeah, I mean, Tom Uran, our colleague who is our, you know, public policy and intelligence editor, he's written about the crane stuff pretty extensively. You know, his view is that it's a little bit different to Huawei
because the risks when it comes to cranes,
you know, you're more likely to be able to mitigate them
than when someone's operating like the core of your telcos, right?
And I certainly do agree with him.
And you can also see why a crane company
would install cellular modems to do diagnostics
because otherwise you're talking about a whole integration project
to get the people buying them to punch holes through their firewalls and like cable them up
or get them on a particular RF network or whatever. It's just so much easier to throw an LTE modem
into it so that if you need to do some remote diagnostics, you can. So, you know, I think
probably what you would need to do in this case is just be aware of where these devices are located and have a plan to disable them should you need to.
But I don't think this is a knockout blow against the concept of using Chinese-made cranes in Western ports, if I'm honest.
And as you point out, this crane manufacturer, I think they are the number one in the world.
Like, they're huge.
Yeah, I don't know where else you're gonna buy your cranes. And, yeah, like, layering controls around these things, I mean,
you know, you've got options here that, you know, as you rightly point out, you
have options here that, when your entire cell network is Huawei, like, there's no way to not
have a Huawei cell net if you have a Huawei cell net. Yes. But you can probably turn off some modems or take the SIM cards out
or have it connect to an APN that you control
and then can mitigate access
or can control access when support's necessary, et cetera.
There are options that are achievable
in ways that just not having a Huawei cell net isn't.
Yeah, yeah, 100% agreed.
We got a finding
here out of a CISA audit, which I think is interesting because I've seen a number of
people making the same claim. And it's one that I happen to agree with, which is that stolen creds
are still the number one risk out there to enterprise computing environments, right? Which
is, you know, we're on this show, we're talking about sophisticated 0day, we love talking about the latest, you know, the latest TTPs, but fundamentally the way people are getting rinsed,
and this is something that, you know, sponsor guests like Ryan Kalember from Proofpoint
just love hammering away at, which is it's still just stolen creds and cred stuffing, and, you know,
that's the stuff that's resulting in most of the... So it's good to see CISA put out some work on this
and sort of back up the claim.
Yeah, in their assessments, they found, I think,
41% of initial access intrusions were through, you know,
kind of valid accounts, accounts that already existed,
that someone had obtained credentials to.
Now, obviously, you've got options for layering,
multi-factor, et cetera, et cetera.
But, you know, the proof is very much in the pudding here that that's how people are getting in.
And that's a problem that you probably need to solve more than exotic zero-day,
much as it pains me to say. Yeah. Yeah. It's not as interesting to talk about,
but it is the real problem, right? And staying on that topic, we actually have a statement here
from Fortinet about an incident that they experienced. I believe this is the one that I was talking about a couple
of weeks ago where I didn't name the vendor, where someone actually managed to get into the
SharePoint, access SharePoint via the account of someone who no longer worked there. So I think
what they'd done is they'd pushed, like, everyone needs MFA, but that person had gone and that
account hadn't been off-boarded. Someone managed to access that account, steal a bunch of firewall configs, and off they went.
You know, Fortinet is downplaying it.
They're saying it was a small number, less than 0.3% of Fortinet customers.
That's still quite a few customers in my view.
But the thing that really annoyed me about this statement is they say an individual gained unauthorized access to a limited number of files. Now, if it's your SharePoint, you're really going to call that third party?
Yeah, that's kind of stretching it a little bit there.
I mean, I see what they're doing.
Like, they're trying to walk that very fine weaselly line,
but we see you, Fortinet.
We see you.
We see you with your weasel words about third party.
Like, oh yeah, our third party, you know,
access to someone accessed our third party of our M365.
It's like, come on, that's not how this works anymore.
No, it is not.
It just ain't.
And also on the topic of stolen creds,
WordPress is now going to require two-factor authentication
for plugin developers.
This one's from Christian Vasquez over at CyberScoop.
Good move, well overdue.
Yeah, makes sense.
There's a few technical nitty-gritty bits
they have to worry about,
like how they're going to bolt it into their code repositories
and stuff, which I think they've done
through an extra set of credentials.
But yeah, regardless of the technical specifics, good. There's still so much WordPress out there, and
there's, you know, been so many attacks on the WordPress supply chain, so good plan. Now let's
talk about the drama involving Ivanti and its use in the U.S. federal government. Jonathan Greig has
written this one up for The Record. You know, CISA is now ordering agencies to remove end-of-life Ivanti appliances
or upgrade them to new versions, but it looks like those upgrades would be paid upgrades. Is that right?
I'm not sure if they're paid, but they certainly are very recent, because there was
some bugs in, I think the product is their Cloud Service Appliance, and there were some zero days that were out there being exploited,
and Ivanti said, well, this version's out of date.
Go update your stuff.
It's your fault for running old out of date things.
And then I went and looked at the actual end-of-life matrix
for their products.
It's end-of-life two weeks ago.
Yeah, wow.
And they'll still sell it to you.
Product availability, December 2024.
Critical security fixes stop August 2024.
So, yeah, like I don't know that Ivanti gets to, you know.
Well, that's where I got my wires crossed on the paid part.
So you can just buy the vulnerable end of life version.
You can still buy the vulnerable end-of-life one. But, yeah, they'll sell it to you, but they just won't patch it. So, yeah, yeah, really.
So, bad vendor behaviour count increments, you know, by another for this episode.
Yeah, that's it. No biscuit for Ivanti. No, for sure. It's been a while since we've given out a no
biscuit, isn't it? Yeah, it is, and I think Ivanti definitely deserves to not have a biscuit.
Yeah, and we've linked through to that matrix that you mentioned.
Now it's time to talk about the most disturbing story of the week.
And I've got to say that I actually did feel physically ill reading this.
And I'm not exaggerating.
I felt ill reading this.
It is an absolutely top-notch wrap-up from Brian Krebs
over at Krebs on Security,
and I would recommend everybody read this
if you're going to read one thing this week
because it's a breakdown on the Com
and the associated actors and entities around this.
You know, these are these hyper-violent young cyber criminals
who are doing just awful stuff around sextortion and whatnot.
I mean, a bulk of the story is just really writing up a lot of the activity that occurs in this sort of crime ecosystem.
Very well researched, as you'd expect, and just very well written.
But the thing that I wanted to talk about this week is that the DOJ has done something
interesting here, which is they're starting to use terrorism statutes to go after these actors, and
there's an interesting bit of analysis in this article which says that it gives investigators
more options when they're putting together a brief when they want to charge these sort of people, but
it might backfire on them when they get to court, because the magistrate or the judges, I'm sorry, might
just say, look, this is not what these statutes are for. And the burden of proof to, you know,
convicting someone for terrorism offences is very high. Now, initially, when you and I spoke about
this before I'd read the piece in its entirety, I thought, gee, that's not what those statutes are
for. This is really horrible.
Why would the DOJ do such a thing?
But then you read the entire story, you read what these people
are actually doing, and you think, geez, maybe there is some legitimacy
to using terrorism statutes to charge these guys.
That was the journey I went on as well because, yeah,
there's just a whole bunch of really, you know,
just horrible details about, you know,
the kinds of things that they were doing.
And, you know, it's not just financial crime, right?
I mean, some of these are, you know,
deeply personal exploitive sextortion and all sorts of nasty stuff,
along with, you know, violence and thuggery and things.
So I can, yeah, initially, yes, it felt a little bit strange
because we've seen so much overreach in computer crime prosecutions
over the years where, you know, kind of laws have been used
very bluntly, and so there's a natural kind of, you know,
worry when you start seeing other laws being pulled in. But I think in this case, honestly, it's probably a pretty reasonable choice. I'm
assuming that they can pull together the necessary burden of proof to, you know, to press these
charges. You know, some of the powers that they get when investigating terrorism may be useful
for dealing with people who are trying to avoid, you know, using good OPSEC practice and all sorts of things
that are more terrorist-like in terms of how they operate
versus just kind of regular criminals.
So, yeah, I mean, we will see how it works out for the DOJ,
but, I mean, the Krebs piece, you're totally right,
it's worth reading for everybody just to kind of get a handle
about quite how gross some of the stuff is.
Yeah, Brian quotes actually from a piece from Wired's Ali Winston. So the quote is: "Victims
have flushed their heads in toilets, attacked their siblings, killed their pets, and in some
extreme instances attempted or died by suicide." So this is, you know, this is the level of
depravity that we're talking about. I mean, there's sexual coercion and
manipulation here, there's violence, you know. And I think the DOJ is arguing that there is a
racially motivated violent extremist ideology at play here as well, which is probably why they can
invoke the statutes, because a lot of these people are Nazis. So, you
know, have at it, I say. Overreach away. Yeah, I mean, but ultimately, ultimately
it's the courts who are going to decide, right? Like the DOJ... and this is every
time I've talked to people like experienced lawyers and legal scholars
about things like
material support for terrorism charges, which always felt a little weird to me.
Like, you know, you could be someone who analyzes ISIS, for example. You could
translate one of their statements, put it on your, you know, Pat's Terrorism Studies
blog, and that's perfectly legal. You translate the same message and plant it on your, you know,
Pat's Terrorism Is Great blog, and it's a crime,
which always felt a little bit funny to me.
But, you know, these people always put me in my place,
which is they're like, well, you know, there's a question of intent there
and whether or not you're trying to further the activities of a terrorist group.
And ultimately the judges decide, and they have bounced charges previously
in exactly instances like that,
where people have just, you know,
translated something or whatever.
You know, the judges just say,
look, you just haven't met the bar here.
So it'll be interesting to see how it plays out in the courts.
But again, you know, if you want to just feel sick,
go read that story.
Yeah, absolutely.
And the next example we have is actually
some convictions, some sentencing, as a result of people doing, in this case, like SIM swapping.
And this was the group we talked about a while ago that was, like, home invading people to steal
crypto after they'd kind of leveled up from just regular SIM swapping. They decided they were going
to go do physical violence.
So they'd home invade people and force them
to hand over their cryptocurrency,
use the blockchain to figure out who had cryptocurrency,
et cetera, et cetera.
This crew, one of them got a 47-year jail sentence.
Yep.
And some of his co-conspirators are like 20 years in jail.
And once again, these are horrific crimes
that have kind of transcended out of cyber
and grew out of communities like the comm
that start doing cybercrime
and then turn into real physical violence
and other crimes as well.
So these guys I don't think were being done
under terrorism-style laws,
but 47 years in jail, like that's serious.
Well, that'd be the home invasions that got them that, less than the... Violent home invasions will tend to get you
sent to prison. But even then, I mean, you get
less for killing people, right? So, yeah.
I think the courts are certainly trying to send a
message there. Now let's move on to a bit of a discussion about the mop-up after the, you
know, the CrowdStrike event back... when was that? Was that July?
I think it was July. So recently, yet so long ago.
Exactly.
So we've got a piece here from Semafor.
And I've got mixed feelings about it, if I'm honest.
The headline is "CrowdStrike ex-employees: Quality control was not part of our process."
And what they've done is they've talked to a bunch of ex-CrowdStrike employees
who have, you know, they've complained about the company basically, right?
And they've said things like their cloud security product was nowhere near ready for prime time and they pushed it out anyway.
And they had a whole bunch of people, you know, actually manually doing work in the background until the detections were up and working properly. And they just sort of paint a picture of a company where QA is not really a massive priority.
But that said, it doesn't really seem like they spoke to people who are directly involved
in the core product.
And it also just seems like a lot of what they describe is business as usual at a software
company, especially a growing one, right?
And I just, I don't know whether or not this is the knockout blow that the people who wrote the
piece think it is.
Yeah, that was exactly my takeaway from this as well. Like a lot of this
sounds like, have you ever been to a, you know, like a modern tech firm? Like seat-of-the-pantsing
it and, you know, mechanical turking behind your cloud product and, you know,
skipping a bunch of QA because speed to market is more important.
Like that's just what we do.
Like it's not good.
We're not proud of it.
But like that's, you know,
there's a reason we have so many bugs in our products, right?
And the security industry in particular, a whole bunch of complexity,
a whole bunch of corners get cut to compete and get to market. So, I mean, I'm sure that the employees that talked to
the people writing this article absolutely have, you know, strongly held beliefs about
how it could have been done better. But, you know, we all know areas where our employers or whoever
could improve things given more resource, given more time, given a slower pace. Like everyone's got ideas like that. So, yeah, like, you know, not everybody has the luxury of doing it
properly like we do here at Risky Business.
Nice save there, guy. Well done.
Yeah, and I mean,
you know, you've got to realize too that the core product, it's actually pretty well
engineered right and they did do a lot of work to make sure.
I mean, the fact that it wasn't like blue screening devices constantly for the last
10 years is amazing, right?
Considering the amount of stuff it's doing in the kernel.
So I think, you know, and obviously the QA was insufficient.
Otherwise what happened wouldn't have happened.
But I think this might be a bit of a reach, because you've got your core CrowdStrike agent,
and then, you know, CrowdStrike as a company, it's going through what I call the Symantec-ification
process, where they try to just acquire all sorts of features and new stuff and plug it into their
platform, and a lot of it's not very good. You know, I don't mind saying that. I think their core product
is amazing, but I hear terrible feedback based on some of their other stuff. So, you know,
no surprises that around the periphery things look pretty ghastly. But, you know, we've linked through to it in this week's show notes so people can take a look for themselves. We've got another
related story here from SecurityWeek. Ryan Naraine wrote this one up, and it's looking at how,
you know, Microsoft has had a series of meetings with the EDR vendors and it looks like they're really doing the right thing when it comes to trying to re-scope the type
of access that EDR companies will require their own sort of kernel solutions for. So it looks like
Microsoft is trying to listen to them and say, well, you know, what are some of the things that
we can put in an API for you so that you can just start getting some of this risky stuff out of the kernel.
And I think this is the best possible response
that we could have hoped for out of Microsoft.
We talked previously about how we'd heard
that this is what they were planning to do
and it looks like, yeah,
they're turning the handle on this now and that's great.
Yeah, no, this is great news.
There isn't any specifics about
what it's gonna look like,
but I think we can imagine,
we've seen like eBPF, for example in the Linux world and some of the Mac systems for
for hooking the kernel for various security functions like it makes sense that Microsoft
would engineer something sensible. And, you know, for all of Microsoft's flaws, they have a lot
of really smart engineers who will come up with I'm sure a good solution especially given the
scrutiny that this is going to get. But what was their crazy Windows recorder thing
a few months back that they wound up killing off?
The recall, yeah.
Recall, right?
So these are the people who bring us recall, right,
which was just daft and terribly implemented.
And now they're doing this in a really sensible way.
It just seems kind of arbitrary, right?
Yeah, there's pockets of competence.
Yeah, don't take it for granted, I guess, Adam,
is what I'm saying, right?
Because they are just, yeah, stochastic competence.
I don't know.
It's just bizarre.
Apple is trying to dismiss its lawsuit against NSO Group
because it looked like they were about to have to cough up
all sorts of information that they didn't want to in court. They've, you know, taken their bat and ball and
gone home, but they've said, look, we did a lot of damage to NSO. The industry has kind of moved
on from there anyway, so it wouldn't really, you know, help anyone to continue this lawsuit.
Suzanne Smalley had the write-up for The Record and, yeah, you know, I don't know that there's
too much to add here.
No, no, that's pretty much it. You know, it's been a while since they filed that lawsuit and
the world has kind of changed around them.
Yeah, yeah, indeed. And we've also got some new sanctions.
Jonathan Greig's written this one up, again for The Record. The Treasury Department on Monday
sanctioned five people and one entity tied to the Intellexa Consortium, a notorious holding company
responsible for the Predator spyware. So, yeah, I think what
happened is there were some sanctions that went down on Intellexa, and then they sprung up new
business units or companies or entities or whatever to continue to sell it, and now it's just like, I
think Treasury is just going to play the sanctions whack-a-mole game for a while.
Yeah, that seems to
be pretty much it. I mean, we've seen, like, there was some, I think it was the Cytrox arm in Cyprus, and a few other bits and pieces that, you know, were kicking around and still doing business.
So, yes, bang goes the whack-a-mole hammer. Now let's talk about a news item out of Medellin in Colombia,
where this fella Yariv Bokor, who worked for Sandvine, which is a, you know, surveillance tech
company. I mean, they do other stuff as well.
They're like a network tech company that also offers a lot of surveillance capability around
the place.
He was found dead, apparently, in Medellin.
I saw a couple of tweets saying that perhaps his watch was stolen.
But this has blown up in the Colombian media because the president is investigating the
prior administration's use of
NSO Group spyware, and Sandvine at one point, Francisco Partners, the private equity firm based
in the United States, held shares in Sandvine. I don't know what the precise ownership
is, if they still own it or whatever, but they also had an interest in NSO. So the local media there is kind of like trying to paint
this as some sort of assassination of someone due to a connection to NSO that, in my view, is tenuous
at best.
Yeah, I mean, I imagine that walking around town with a Rolex in Medellin is maybe not the
best move in the world. I know you're into watches, maybe you noticed what sort of... Yeah, no, that's not
the best move in the world. So, like, there's plenty of other plausible explanations here, but
also, you know, like we've seen these spyware scandals really get pretty big and involved
in other parts of the world, so who really knows.
Yeah, it could be. I think walking around any city
flaunting an expensive watch is a terrible idea, to be honest. Doesn't matter
whether you're in Sydney or Medellin,
but I think it's riskier in Medellin for sure.
Probably, yes.
And now this isn't technically a cyber story,
but I do think it's an interesting one.
I think it's actually a good idea,
which is Meta is spinning up an Instagram account type
just for teenagers
that has a lot more protections built into it, and I think this is a superb idea.
Yeah, this does seem to be a real smart move. These teen accounts, I think, by default are
not public, so, you know, your friends will see your content but not the rest of the world. And
then changing a bunch of the kind of core privacy and, you know, kind of settings for
your account requires parental approval. And then there's also, like, a sleep mode where at
night time it will just, like, turn off your DMs and other things and stop alerting you and auto
reply to your messages. And, you know, as someone with a 16-year-old daughter myself, I can understand
why that is quite a good idea. So, yeah, I think they're going to turn these on for anyone under 18 that has Meta accounts.
So yeah, it's weird seeing Facebook doing a good thing.
Yeah, I mean, my kids are six and three
and it's just my hope that by the time
they get to sort of social media age
where they're hassling me to spin up accounts
and have devices and stuff,
that this is largely a solved problem.
Yeah, I hope so.
Yeah, we can hope, can't we?
We've got one here from CyberScoop which relates to The Record, because Recorded Future, which
operates The Record, which as people would know is a news service that we all admire tremendously
here at Risky Biz HQ, you know, indeed our news editor Catalin Cimpanu used to work there. Mastercard has bought Recorded Future for $2.65 billion.
And, you know, it makes me wonder what the future is going to look like for the record.
I'm not saying this in any sort of sense of, gee, it'll be great if the record goes
away.
Like, we absolutely do not want that to happen.
It's one of the last mastheads where really good infosec journalism gets done.
And I saw this news and I just thought, oh, God, I hope they hang on to it.
And I just, you know, I think in the short term, it's going to be safe.
But I just, I worry about the long-term future of The Record now that the company that operates it is owned by Mastercard.
Yeah, unfortunately, I am with you.
And it would be a pity to see them go, because we've seen a few other outlets, you know, kind of wind down over the years, the places that we would often
have content for the show from. And it's always concerning when you, you know, when you see
people whose, you know, mastheads you read all the time getting wrapped up in a thing like this,
because it's very easy for it to be, you know, it says right now, we will remain an independent and open intelligence platform
for, you know, Recorded Future as a whole,
but, you know, a line item for, oh, and by the way,
we own a media company.
Yeah.
It doesn't take very many years for that to go,
but why exactly do we do that?
Can we just, like, delete that line item and, you know, let them go?
I mean, we saw Symantec do that to security focus a million years ago.
You know, we saw Kaspersky shut down ThreatPost.
You know, it's just these things, they come and go.
But I think what's changed is that, I mean, these days we track InfoSec News.
It's a big part of what we do.
We really closely monitor the news.
And these days we tend to track individual journalists more than we track individual mastheads, which is something that kind of changed over the years
because you'll have some people
who write about security at Wired or at Ars,
you know, Dan Goodin,
and you've got Andy Greenberg at Wired and whatnot.
But in terms of pure play cybersecurity news outlets,
there's not many left that are really doing good work.
You know, you've got CyberScoop,
which largely covers a lot of government stuff
and big picture stuff.
You know, you've got CyberSecurity Dive,
which does a little bit of industry news sort of thing. But The Record is one of my favorites because they have a decent
breadth of coverage. I think they had a period where they focused a little bit too much on
writing stories about individual ransomware attacks that may or may not have been successful,
but they've got some incredible talent over there and they do great work. And yeah, as I say, I'm
thinking of all of you out there, and I hope you're not nervous about this. I hope I haven't made you nervous about this by mentioning it. But yeah, that was just
something I thought of. And before we sign off, Adam, I just wanted to mention too, that I heard
that the Politico story we spoke about last week, involving an Iranian organization in the financial
sector being ransomwared, and the government sort of insisting that they pay. I've heard there's
some question marks on that story
around two things, two points that Politico wrote,
which was that the government encouraged payment of the ransom.
I've heard that that's like in dispute.
And also the amount that they were ransomed for
was more likely to be closer to half a million dollars
than $3 million.
So just wanted to put that out there,
that on that one, some details are disputed.
Let's just put it that way.
Yeah.
It can certainly get a little bit murky,
you know, in a place like Iran where we don't necessarily speak the native language and,
you know, we do have to rely a bit on other people's reporting.
Yeah.
Yeah.
Anyway, that is it for this week's news segment, mate.
Thank you so much for joining us.
And it's just, isn't it crazy that last week, you know, it was such a slow week, and this week so much going on? It's just how it goes.
But yeah, great to chat to you, and we'll do it all again next week.
Yeah, thanks, Pat. We certainly will. I'll see you then.
That was Adam Boileau there with the check of the week's security news.
It is time for this week's sponsor interview now with Luke Jennings from Push Security.
Push Security makes an identity security product that plugs into your browsers and can do all sorts of things like tell you which SaaS apps your staff are using, whether they're using MFA and so on. You can also do things like prevent your staff from entering their SSO passwords into
anything that isn't your SSO. They can also enforce MFA across SaaS apps that
your staff are using, but a big feature for Push out of the box is just plain
old phish kit detection and blocking. So why would you need this in your browser?
Simply put, because these phish kits are doing a lot of work these days to evade detection, in addition to doing things
like MFA evasion by doing one-time passcode pass-through. But yeah, on evasion: these days, if
a mail gateway pulls a link out of a message and then tries to render it, a lot of the time the kit
can just detect that and not render. Push will see it in the browser though, so that's why they're in the browser.
Luke Jennings is with Push Security and did a teardown on one of these kits.
They're using Cloudflare features extensively to avoid rendering for non-human users.
So yeah, here's Luke talking about all of that.
You know, I look into attacker-in-the-middle phish kits sometimes, and this one was just an
interesting example. It was an example of NakedPages, which is one family. And it just sort of
occurred to me just how many steps are in place now to try to frustrate detection and investigation.
So, you know, pretty much you have to go through this whole series of steps as a,
you know, in a user browser to get to the phish.
It's hosted by Cloudflare Workers, so it's a legitimate domain.
That's already getting around one control.
Then you've got Cloudflare Turnstile in place.
That's them doing the bot detection, and that's making it difficult for automated scrapers
to actually get through to it.
It's just a series of steps that goes on from there.
You then need to send the right URL parameters, the right JavaScript needs to execute, and
then go to the next stage.
If it fails at any point, it will redirect off to the legitimate domain and then just
sort of end.
It'll mask referrers along the way.
It will load balance to new domains.
There's a whole series of steps that you have to go through.
And only once you've met all of them will it finally try to phish you.
So it's like, you know, it's the sandbox evasion techniques that we've seen in the past to
deal with sort of malware detonation.
It's just the identity world equivalent for that that we're seeing with phish kits now.
Yeah, I mean, when you first
suggested to me that we talk about, you know, the state of the art with, you know, MFA
bypass phishing, whatever you want to call it, attacker-in-the-middle kits, you know, I thought...
and then you sent me a write-up and I started reading, and I'm like, oh, okay, right. Like they're
really, they're really doing stuff now to beat this sort of evasion.
I mean, I imagine the purpose of most of the obfuscation here is to defeat things like your email security gateways, right?
Yeah, I think a lot of it is.
It makes it very difficult for you to catch something early
and just identify that it's malicious.
It's very difficult to know that it's malicious
until the user's been through those steps.
So yeah, for something like a gateway solution,
that's difficult.
It just buys them enough time to get value out of it
until they then move on to the next iteration.
So it just, it changes the economics of the situation
and it makes it very difficult
for a gateway solution like that to work.
Now I'd imagine too that like, okay, so, you know, you're in the browser, so you're seeing
what the user sees, which puts you at a real advantage straight out the gate. But I'm wondering,
are you expecting you're going to start to see at least some obfuscation attempts that are designed
to defeat browser plugins as well, like the way you operate? I mean, I'd imagine it's always going to be harder, isn't it,
to try to obfuscate something that the plugin can see
just as the user can see.
Yeah, I mean, I think obviously security is always a cat and mouse game.
We will see that eventually.
I haven't really seen much focused on that yet,
but it's much harder to do that against the browser, I think.
Because if you consider the equivalent with, say, what a proxy sees, back in the day it
was HTML going back and forth and there's inspection going on.
Now you're pretty much dealing with a downloadable JavaScript application where most of the things
going on are actually within the browser and the proxy isn't seeing that.
Whereas in the browser we can instrument at different steps.
We can sort of see every event as things unpack, as things are deobfuscated.
We can, you know, look at user click events and typing events.
So, you know, of course, I'm sure there will be a battleground there.
But, you know, inherently, the browser is very powerful for observing what actual user
behavior occurs, and that gives us a lot of flexibility.
Yeah, I mean, worst comes to worst, you can screen cap it and OCR it, right?
I mean, as long as you are there seeing what the user sees, you're operating already at
such an advantage.
Now, I want to talk a little bit about, like, you know, solutions to enterprises being phished, right? Because this is one way to really make it very hard for adversaries to phish users in your organization, because you've got the phish kit detection as part of the plugin. We've talked about that on previous episodes, but essentially that will prevent a user from entering their SSO
password into anything that isn't their SSO, because you'll just sort of straight up, you'll
just shut that down in the browser. But, you know, there might be people listening to this or
watching this who are thinking, well, you know, surely the solution here is, you know, for an
Entra shop, for example, to use passkeys with Microsoft Authenticator, right? Why is that
not the preferred solution here? Because, you know, I know you're doing well, I know you're
closing big deals, right? Like, what is stopping those people from relying on something like
Authenticator passkeys, and they're going for this sort of solution instead?
Yeah, I mean, I think, obviously, issues like passkeys are new and there's a cost associated
with deploying them all.
And then you have to consider what happens when people like lose devices or lose passwords.
There's obviously a cost associated with that as well.
And in terms of support, yes, we see the major platforms having added support for them.
But if you're talking about the broader space of all the different downstream SaaS applications
you might use that might not even support SSO, for example, let alone passkeys, you've
got that broader problem to deal with too.
So, you know, one of the things we thought about was that, hey, the passwords have been
used for a long time.
They're not going away completely.
But what we can do by pinning them to applications they're
used for is effectively almost turn a password into a passkey as best we can and derive some of
those benefits. You know, the reason passkeys are not phishable is because they're locked to the website
they operate for, and that's what we're enforcing in the browser with our solution too.
So it just makes it a very easy, quick way to make a big jump up straight away.
Well, not to mention too,
I mean, the other thing
that I thought you were going to mention
because we talked about it the other day
is that we have seen like MFA downgrade attacks
targeting users as well, right?
Like, you know, a passkey is only effective
when it's the only authentication flow
available to a user.
But because of those issues that you described earlier, when it comes to provisioning and
passkey gets destroyed, phone gets lost or whatever, usually there are workaround procedures
and attackers treat that as an opportunity to run downgrades, right?
Yeah. I mean, that's another thing. I think that's going to be similar to what we saw with SSL downgrade attacks in the past.
People use passkeys, but they're not enforced on the server side.
There's always that option to click to verify something else.
There are phish kits that already take advantage of this that just force the authentication to go through a phishable means.
It depends on the kit as to whether it's supported, but yeah, that's going to be an ongoing
issue. That is one of the things people do to deal with the downsides of someone losing a passkey or
being in a situation where they can't use it, is supporting other MFA methods as fallback when they
need to. But then of course, that immediately opens up that avenue for attack to actually
downgrade or force those things. So yeah, unless you absolutely require that
and make sure that nothing else is accepted,
then you've got that threat there.
Well, another thing you point out, right,
is you might be able to do that for your SSO, right?
Even if you're going to make this big, bold step
towards passkeys, which I think people should.
But you can do that for your SSO,
but that's not going to help you
when it comes to all of those extra SaaS apps, right? That companies might not even
have a good understanding of like how they're being used. So, you know, Snowflake being a
perfect example. I mean, one of the things that you're doing with your product is you're actually
doing, like, an MFA survey to find out how many non-MFA accounts are in an org and where they are.
But you can also do MFA enforcement, right? And can you even get as granular with your enforcement
as forcing people to select the most robust,
like phishing-resistant authentication methods?
Or is that a little bit beyond what you can do at this stage?
That's not something we're enforcing in the product at the moment. We'll provide the visibility
of those MFA methods, and then we'll put the controls in place on the password
issuance. But it's something definitely, obviously as we move into the future, we're going to
be wanting to look into more controls for looking at down.
Yeah. So let's go back to this analysis that you did of that kit. I'd imagine you were seeing, you know, I'd
imagine you've got some pretty good telemetry now with the product. You know, what are the
top kits out there, and where are you seeing the most... I mean, what are the orgs that you're seeing
being targeted with the good stuff?
I mean, I think we've just generally seen a much bigger increase in the last few months, especially.
And we've even seen examples of ones that are clearly only targeting businesses.
I mean, that particular example that I wrote about in that blog post would, if you entered like a personal Microsoft account, it would actually just redirect off to something legit and not continue.
So that one was clearly sort of B2B targeted specifically.
Not even interested in somebody's hotmail, right?
Yeah, exactly.
It would just redirect to the legitimate live.com website,
which I thought was actually quite surprising in that one.
But yeah, that one was clearly business focused.
And yeah, we first saw it because it hit a customer of ours.
But yeah, I've, like, just in terms
of stories, like people we know in the industry, we've had calls from people that really haven't
paid attention to attacker-in-the-middle phishing until fairly recently and then have, like,
messaged us, you know, a month later saying, oh, we just got hit three times over the last month, we
weren't prepared for that. So, you know, I think in general...
Sorry to cut you off, but is this due to sort of uptick in activity
or is it because some of this evasion stuff
is really starting to get around the ESGs and whatnot?
I mean, I think it's a mixture of both.
And now it's being successful.
It's like, obviously, attackers lock in on something that works.
Once they realize they've got a new technique that's working,
they're going to focus more on it.
So I think that's where we've seen a lot of these increases coming from.
Yeah, yeah.
So let me ask you this.
Besides the obvious answer,
which is to go out and buy as many push licenses as you possibly can,
what is it that you think anyone listening to this should be doing to try to minimize their risk to, you know, some of these campaigns, which, as you point out, are really targeting business right now? And look, as we know from stuff we've seen over the last year, people are turning phished creds into code execution in all sorts of weird and wonderful ways.
And it can really go from phishing to ransomware, right?
Which is nuts, depending on configuration and whatnot.
But what are you recommending people actually do at the moment about this when some of those
traditional controls like the ESG-based scanning are not working as well?
Sure.
I mean, I would say, you know, if I'm talking sort of
independent of our products, like the first thing to do is testing. You know, people normally have
their red teams, they have their pen testers. Like in this space, like Evilginx is an open source
attacker-in-the-middle kit which is becoming more and more popular, but my view is Evilginx is Cobalt
Strike now. It's of this era.
It is the new Cobalt Strike.
If you're not doing it already,
you should have your internal red teams
or external red teams conducting these attacks
against you as an organization
to see how well they work
and if you're able to detect or respond to them.
That's always a good first step.
But how would you detect something like that though?
You know what I mean? Because our current... this is what drives me insane, is, like, EDR is not really
set up to detect malicious stuff being presented to the user through the browser. Even though, if
you're in the browser, you can tell it's this kit, right? You can tell. They can't. So how on earth
are you going to have a detection stack that can pick this up? I mean, I know I'm just sort of basically reciting the whole, you know, founding principle
of your company here, but like, is there another way?
Like what else in your detection stack is actually going to find that?
Yeah, look, it's tough.
I mean, I think in general, I always like to think of things in terms of the pyramid
of pain and trying to apply it to this space.
So like, yeah, if you're reliant on threat intelligence
and bad domains and IPs and that kind of thing,
you're going to be backwards looking.
You've got to pick some things up,
but most of the new stuff's going to get through.
If you can look into the sort of tool detection side,
that's a bit better.
You know, we do that in our space,
but where we really try to focus is on the behavior.
You know, the behavior that can't be changed,
like a user entering a
password into the wrong website, that being phishing. That's why we're in the browser,
because we can see that more easily. But yeah, I mean, it's tough to give sort of independent,
easily replicable advice there, because, you know, we've gone into the browser to do that for that
reason. Yeah. Because, I mean, your advice there was a little bit like,
yeah, you should detect it.
That's like, well, with magic, you know,
like what are you going to say with your magic detection stack?
It's tough.
Yeah, I think that, you know,
the principles I said there about the pyramid of pain apply,
but yeah, realistically,
there aren't that many great options to deal with this
right now. Um, you know, it's an evolving area. We've gone into the browser because we think it's the
best place to observe them. Um, but yeah, it's, it's tough to do with an existing stack, I
think. Yeah. Are you sort of surprised that the EDR vendors aren't there as well? I mean, even just with
something cut down, like, some, you know, forget about something as powerful as Push, but just even something with
basic phish kit detection. Like, it boggles my mind that we've got these companies out there
worth tens of billions of dollars, and they're just like, lol, not our problem.
Yeah, I guess, you know, often with large companies, they get so focused on their one
product, and it's harder to, like, separate out. It's not code execution, it's not, it's not on us, right? Like, that
seems to be a bit the thinking. Yeah. But yeah, I mean, you're right. Um, you know, so many things have
moved into this space that it's, it's surprising we don't see war already happening in the browser
with some of these, some of these vendors, because, uh, you know, we've got a big shift in attacks
in this direction.
EDR just doesn't have the right
level of visibility for this.
So it can't really solve the problem
when it's saying.
I think if I'm making famous
last word predictions, I'm sure
in general we're going to see a lot more
happening in the browser from
different vendors across the space
in the near future. It
just, it seems to me to be the obvious way things are going to go. Yeah, I mean, I 100% agree with you,
uh, 100%. Like, it's just, it is, it is amazing to me that we haven't seen more in there. And I think,
yeah, it's, uh, it's on, uh, but we're going to wrap it up there. Luke Jennings, thank you so much for
joining me for that conversation. Very interesting stuff.
I'll link through to the blog post of your teardown of that adversary-in-the-middle kit.
Very good stuff.
Great to chat to you.
Thank you.
Thank you for having me.
That was Luke Jennings there from Push Security,
and you can find them at pushsecurity.com.
And that is it for this week's show.
I do hope you enjoyed it. I'll be back next week with more security news and analysis.
But until then, I've been Patrick Gray. Thanks for listening. Thank you.