Risky Business - Risky Business #766 – China hacks America's lawful intercept systems

Episode Date: October 16, 2024

On this week’s show Patrick Gray and Adam Boileau discuss the week’s infosec news, including:

- Chinese spooks all up in western telco lawful intercept
- Jerks ruin the Internet Archive’s day
- Microsoft drops a great report with a bad chart
- The feds make their own crypto currency and get it pumped
- Forti-, Palo- and Ivanti-fail
- And much, much more.

This week’s episode is sponsored by detection-as-code vendor Panther. Casey Hill, Panther’s Director of Product Management, joins to discuss why the old “just bung it all in a data lake and… ???…” approach hasn’t worked out, and what smart teams do to handle their logs.

This episode is also available on [YouTube](https://youtu.be/86zy6DcwtbE).

Show notes

- White House forms emergency team to deal with China espionage hack - The Washington Post
- DDoS attacks on Internet Archive continue after data breach impacting 31 million
- Microsoft Digital Defense Report 2024
- Ransomware encryption down amid surge of attacks, Microsoft says | CyberScoop
- Russian court websites down after breach claimed by pro-Ukraine hackers
- Ukrainian anti-corruption agency reportedly finds no violations in disclosures of top cyber official
- Trump campaign turns to secure hardware after hacking incident | Reuters
- FBI creates its own crypto token to nab suspects in alleged fraud scheme
- District of Massachusetts | Eighteen Individuals and Entities Charged in International Operation Targeting Widespread Fraud and Manipulation in the Cryptocurrency Markets | United States Department of Justice
- Critical CVE in 4 Fortinet products actively exploited | Cybersecurity Dive
- Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024
- Palo Alto Expedition: From N-Day to Full Compromise
- Ivanti up against another attack spree as hackers target its endpoint manager | Cybersecurity Dive
- 1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies · GitHub
- Recently-patched Firefox bug exploited against Tor browser users
- Two never-before-seen tools, from same group, infect air-gapped devices - Ars Technica
- A Single Cloud Compromise Can Feed an Army of AI Sex Bots – Krebs on Security
- Opinion | The Cyber Sleuth - Washington Post

Transcript
Starting point is 00:00:00 Hey everyone and welcome back to Risky Business. My name's Patrick Gray. I of course just took a couple of weeks off for the school holidays here in New South Wales, Australia and forgot to tell you all I was taking a break, which led to a few emails saying, did you just retire or what's going on? But no, we are back on deck and we've got a great show for you today to catch up on all of the news of the last few weeks. This week's edition of the show is brought to you by Panther. And in this week's sponsor interview, I'm joined by Panther's Casey Hill. And we're going to be talking about the future of SIEM, really, because, you know, SIEMs are not really about firewall logs these days. You know, we're talking high-volume log sources and things like that, you know, huge volumes of data.
Starting point is 00:00:49 The SIEMs of the future are going to have to deal with that, so Casey's joining us to talk through all of that. But first up, of course, it's time for a check of the week's news with Adam Boileau. Hello, Adam. Hello, Pat. It's nice to have you back. It's good to be back, but I must say I had a wonderful break, took the family to Brisbane, which is a terrific city, did some camping as well out in the wilderness, swimming in beautiful rivers, and yeah, it was very good. Not thinking about computers.
Starting point is 00:01:15 I managed it. I actually managed it. But it is good to be back, and we do have, of course, after any break, we've got a pile of stuff to get through. Let's start with this Salt Typhoon story. It looks like some Chinese APT actors managed to gain access into at least some components of some American telco, like, CALEA interception rigs. The reaction on social media seems to be, well, they must have been using this stuff to do wiretaps on Americans. But if you actually parse the reporting carefully, it looks like the chief concern here is that they would have been able to identify who, like the FBI, might have been wiretapping. So from a sort of counterintelligence perspective, you know, that's what the Chinese might have been up to as opposed to trying to, you know, task wiretaps on people. Is that your reading as well? Yeah, that seems to make sense. The, like, the early reporting talked about three telcos, I think it was AT&T, Verizon and Lumen, but subsequent reporting has talked about, you know, like 10 to 12, and
Starting point is 00:02:23 you know, if you're going to break in, if you're going to task lawful intercept, then, you know, you kind of need more access, and those systems are going to be different between the different telcos. So, like, doing that across a dozen telcos is a lot of work. Doing, like, you know, two or three, I can imagine, you know, would make sense. But the way it's being described, you know, the idea that they had access to a system that could see who was being intercepted or who was being monitored, like, that's more believable, because some of those could be shared. They could be, you know, that's kind of a lesser degree of access. So I think your theory makes sense with, you know, as a slightly
Starting point is 00:03:00 closer reading of the reporting so far but you, you know, either way, access to lawful intercept, you know, is a thing that, A, very powerful, B, a traditional target of intelligence agencies. You know, we've seen these be targeted by Western intelligence agencies, you know, going back quite a long way. Well, and by China previously in, like, Operation Aurora all the way back in whenever that was, 2008, 2009. Yeah, yeah.
Starting point is 00:03:26 It's going back. So like, you know, these are long, you know, sort of traditional targets of intelligence people. And it kind of makes sense that they're a little bit, you know, the government in the US is a little bit worried about it. But yeah, some of the rhetoric around this on social media has been a little bit doodally, in my opinion. Well, yeah. I mean, people are saying, like, look, these are the risks of legal interception and whatever, and it's like, okay, it is a risk, right? But are we going to argue seriously that the FBI shouldn't be able to tap phones with a
Starting point is 00:03:54 with a warrant? Like, is that your argument? Yeah, yeah, which just exactly, which seems a bit silly. And my question is, if they weren't tasking wiretaps with these systems, why not? You know, is it that they were scared they were going to get caught because there's solid auditing in place? Or did they just not have that level of access? I'm really curious. Or whether or not that just wasn't the brief, right? But I'm hungry for more details on this one. Let's put it that way.
Starting point is 00:04:19 Yeah, exactly. I had exactly that reaction. I want to see the meaty details of what they were doing, how they were doing it, in what systems. Because getting to the point where you can see Lawful Intercept tasking or selectors or whatever else, that's kind of one thing. But getting to the point where you can make your own requests or get the data out of existing requests, you know, is a bit more involved. And, you know, if you get to the point where you've got, you know, root or admin or, you know, sort of maintenance level gear, access to the gear that's doing it,
Starting point is 00:04:51 then obviously, you know, the kind of the world is your oyster. But there are a whole, like any other IT system, right? There are a whole other level of, you know, systems involved in places where the data gets put out to and web portals for putting in the requests in and authorization by legal. And, you know, there's a bunch of places where you could get into these systems
Starting point is 00:05:08 and they're all interesting, and I'm nosy about all of it. Well, I feel like maybe they got access to the portals where people submit the paperwork, the warrants, right? Like, that's what this feels like based on the reporting, but ultimately we don't know. I should also point out, too, that it's not just American telcos. No other countries have come forward to sort of acknowledge that their telcos had these problems, but they have said it's not just America. But they're the ones talking about it right now, which is a positive. You know, this does raise questions about sort of lawful intercept against other technologies. Say WhatsApp were to provide some sort of, you know,
Starting point is 00:05:45 CALEA-like, you know, intercept capability to intelligence and law enforcement, you know, we could see attacks against that sort of infrastructure. But again, is the argument that we shouldn't do any level of targeted surveillance because this might happen? I don't think that's necessarily an argument that stacks up, if I'm honest. But perhaps we do need to consider what sort of scale these interceptions should run at,
Starting point is 00:06:11 because the larger the scale, the more potential for this sort of thing happening and being very bad is. Yeah, the bigger the collection, the more kind of collateral damage there can be. And I think you're right to say, you know, this is not just telcos anymore. Like this particular case might be, we don't know.
Starting point is 00:06:29 But, you know, there are so many other communications mechanisms and there's so many problems in how we provision that access. And all of the things we have, the challenges we have in regular computers like identity and authorization, all those sort of things matter. And a while ago, you had like a sponsor interview or a snake oilers or something with a guy
Starting point is 00:06:49 that was running like authentication for lawful intercept requests as a service business. That was just for like all sorts of requests, not just interception, right? So that was like for dealing with, yeah, for dealing with law enforcement. So if you're a company that has to manage law enforcement requests,
Starting point is 00:07:06 it's sort of like bug bounties, but for that. So they deal with them for you and can tell you, well, yeah, this person is legit or this person, we've never seen them before. And then they can go out and verify. Can't remember the name of the company. Sorry, sorry. That was very interesting.
Starting point is 00:07:21 Yeah, yeah, exactly. And that's the sort of, you know, those sort of problems exist in this infrastructure. And that's kind of a regardless of how we, you know, position law we're talking about national intelligence agencies here, the Chinese going after Americans or whoever else, the idea that not having this infrastructure would make them decide not to then go and use it. Like if you can break into the gear underneath, it doesn't matter if there's lawful intercept or not. You just do your own intercept. Do your own intercept. Just a few more hops, right?
Starting point is 00:08:05 I just looked it up, by the way, and the company's name is Codex. But at this point, Adam, we're going to have to move on from this quickly. But I did want to ask you to share with the class, because one of my favorite war stories from your days as a penetration tester was when you actually did some testing on an interception system which was very well set up, and you still got it in the end. And I want you to tell the class how you got it, because this is a story that back then, when it was more recent, you know, had to be told quietly, usually after we had you at a conference and filled enough beer into you, right? Like, I could poke you and get you to tell the story, because it's a great one.
Starting point is 00:08:45 But if you would share with the class, I sure would appreciate it because it's been long enough now. It has been, it's been a long time. So I was tasked with Lawful Intercept. Well, actually, to be fair, I was tasked with breaking into important bits of some telco infrastructure.
Starting point is 00:08:59 And Lawful Intercept seemed like the right thing to go for. So I went for Lawful Intercept, got there without too much drama, wrote it up in the report, shipped it off. Turned out that I had got the test Lawful Intercept system, which I thought was production. And I was embarrassed and they all were like, you know, you didn't get what you said you did, son, you know, blah, blah, blah, you know, talk down to me a little bit. And so I had a, you know, a bee in my bonnet about getting to production Lawful Intercept
Starting point is 00:09:24 the next time against that same target. And this involved me breaking into the camera systems for all their data centers so I could see inside the physical data centers, try and find the racks, try and find the actual equipment that I wanted to get to. Because this stuff was behind biometric auth in dedicated rooms with, like, really robust controls. And eventually, after I had compromised all the desktops of the people that loaded up the warrants, etc., etc., I learned, like, I found all their process documents. I figured out how they did it, and it involved, like, getting a laptop out of a safe and signing out the crypto keys and two-man rule and all sorts of, like, in a secured room. You know, they had really done that well. And so I was, you know, I was frustrated. Eventually I got there by finding
Starting point is 00:10:12 like the data center's design documentation, and I found the documentation for how they did the physical install of the gear in the racks, and it included top-of-rack management with serial consoles. And it turned out that as a standard rule, they plugged in the serial consoles to these top-of-rack management units. And I went and looked at the cameras and I could see the cables. So you basically wound up jumping an air gap over serial? I jumped the air gap via a serial connection using creds that I had stolen from the desktops of the people that used the gear but didn't have access without going through all these hoops. And I got there in the end, on the console, root access to production Lawful Intercept.
Starting point is 00:10:51 And at that point, it took me a long time. Yeah, but it was a matter of like you having a bee in your bonnet and something to prove. Well, exactly. You know, it may be a character flaw that, you know, that proving someone that I can do it was the thing that motivated me for like whatever it was, nine, ten weeks of fairly robust hacking, to be honest. I got there in the end. Probably went a little bit overboard on that one. But, yeah, just such a good story that I'm happy you can now share
Starting point is 00:11:22 with class. So that's good. All right, we should move on to other stories because we've got a lot to get through this week. The Internet Archive had a data breach impacting some 30 million plus users. And then they're getting DDoSed. It looks like it's a group of Russians who are claiming to be motivated by the Palestinian cause. And my first question, cause I did drop into Slack briefly when this was going on
Starting point is 00:11:50 and I'm like, what are you gonna do with this data? I can't imagine that it's that sensitive. And you pointed out, well, it's just a really good corpus of passwords, but aren't they, like, bcrypted? Yeah, yeah, they're pretty well hashed. So probably isn't the world's most useful password corpus, but 31 million, you're still going to get enough that fall out even at bcrypt speeds to be useful for something. But what are bcrypt speeds these days? Because it used to be just
Starting point is 00:12:13 non-viable, like, not that long ago. Like, dictionary is viable, but, like, not huge dictionary, but, like, so, like, in the thousands a second, I think. But, you know, there's a bunch of settings depending on how you configure your bcrypt. But, like, it's viable for dictionary words, but not much beyond that. And this has been loaded up into Have I Been Pwned. So a bunch of people have got notifications. But overall, I just, I feel like, internet going after the Internet Archive
Starting point is 00:12:40 is just puppy kicking. It's rude. Yeah, I mean, it is, like, what, like, what, you know, but they're like, it's American and the Americans support the Israelis, so down with the Internet Archive. It's like, okay, right, you know, this seems like one of those reverse-engineered justifications after they found shell, right? Yeah, it does, it does. And just, you know, because the Internet Archive does so much really good work, and I feel bad for them having to deal with this kind of BS. But hey, it's the internet that we live in. That's just how it be, right? And also, just a funny note, the BBC, in just one paragraph in, like, a news brief, accidentally reported that the hackers were
Starting point is 00:13:15 called Have I Been Pwned, and we're published. Like, it was just so funny. So Troy's like, bad man, do I know anyone at BBC who can take care of this? I'm sure it's sorted out by now or very much on the way to being sorted out. The other thing that I wanted to talk, another thing I wanted to talk about today is Microsoft's latest big threat report. You know, huge document, 100 plus pages, some interesting stuff in it. There's always interesting stuff in these big Microsoft reports. One of the most interesting things, and that's what Catalin really zeroed in on for his coverage with us, was the fact that China and Russia are increasingly relying on criminal tools and criminals themselves to get stuff done. So I do think that's a very interesting trend because, I mean, that wasn't always clear, and it didn't really look like it was happening, I
Starting point is 00:14:07 don't know necessarily all that much but it's becoming clearer and clearer that this is becoming uh strategy which is interesting because you know we're used to it going the other way right which is early sort of cyber capabilities are cobbled together from from odds and ends including criminals and whatever china did this famously with their nationalist hackers 20 years ago. But now it looks like they're sort of moving back in that direction. So that's interesting. The other thing though, now this is really weird because they've done a terrible job on their ransomware section. Terrible. So what they've done is they've argued that successful encryption in ransomware attacks is down, but ransomware encounters are up by like, you know, 2.75x. But, you know, the ones that actually successfully deploy encryption, very, very low. Now, the problem I've got is they've said that
Starting point is 00:15:01 there's been a threefold decrease in ransom attacks reaching encryption stage How do you decrease something by threefold? Does that mean it starts at a hundred and then winds up at minus 200 a ransomware act is going around and unran some people How does this work right and then they've got a chart crime in here where one axis you know one y axis is the absolute number of organizations having these ransomware account encounters and the right hand y-axis is the percentage of organizations ransomed the highest record it goes from zero to a hundred but the highest level looks like it's about three percent so you can't really tell anything from that chart like it's a
Starting point is 00:15:43 mess and you know aj vicens by the way congratulations to him because he's moving on tell anything from that chart. Like, it's a mess. And, you know, AJ Vicens, by the way, congratulations to him because he's moving on from CyberScoop and he's got a job at Reuters. And I know AJ and he's a great journo and that's fantastic news, mate. Well done. But, you know, he had to write in his deck for CyberScoop's coverage on this that they're down by 300%. Like, what does that mean?
Starting point is 00:16:08 Tell me. That's a very good question. And, like, I started reading the doc because, you know, you posted that graph in Slack and I was curious as well. And, like, it's a great doc, but it's so, so dense, right? There's so many things to read in there, and trying to figure out exactly what they mean by, because they've got a callout for a threefold decrease, but trying to get to the bottom of what that actually means, what they're trying to say, is that in absolute numbers, is that in percentages, and what does threefold mean? Yes, does it mean it's reduced by two-thirds or by minus 300, which is what, I'm just so confused at it. You'd expect a bit better, wouldn't you? I mean, you would, you would, but I mean, overall, like, they've done really great work. There's lots of great stuff in here and good
Starting point is 00:16:52 insights and good data and so on. But yeah, that was definitely, but the thing that I'm left with here is, has the successful number of encryptions, has the absolute number gone down by a significant margin, or just the rate? Because we know that there's been an increase in encounters. So I don't know, I'm just frustrated by this because I'm left not really understanding what they're trying to say, you know. Yeah, no, I share your frustration there. And, you know, I know we have a long history in this industry of bad stats and bad numbers and bad decision making. And, you know, you can just make up anything and put it on the slide and it'll be fine.
Starting point is 00:17:30 Well, I'm sure it's rooted in something. They just haven't expressed it well. Among our customers, Microsoft observed a 2.75x increase year over year in human-operated ransomware encounters, defined as having at least one device targeted for a ransomware attack in a network. Meanwhile, the percentage of attacks reaching actual encryption phase has decreased over the past two years by threefold. So that's the percentage decrease. Threefold? What? Anyway, but they do say automatic attack disruption contributed to this positive trend, and they also pointed out that unmanaged devices are the ones that get ransomwared.
Starting point is 00:18:01 So I'm going to chalk that up to being a win for EDR, basically. Yeah, I think so. Overall, the trends in this are actually pretty reassuring in a way, like the fact that it is, you know, weird outlier unmanaged stuff and human-driven, like that the, like, all the automated stuff really hasn't survived the last few years' improvements. So, I mean, we are making progress slowly, but, you know, is it enough? Probably not. Now, we got some reporting from Daryna Antoniuk over at The Record and also from our very own colleague Catalin Cimpanu looking at an attack by Ukrainians
Starting point is 00:18:37 against Russia's court system that actually looks pretty devastating. Yes. Yes, it looked like the BO team, which is some kind of, you know, hacktivist crew that seems to cooperate with Ukrainian intelligence services, hacked the computers of the justice system over there that runs the courts and so on, deleted all their servers and appeared to have deleted all their backups,
Starting point is 00:19:00 according to some reporting from Catalin. And yeah, they are dead in the water for a little bit. They're saying they're going to build out a new system to run their courts, and, you know, that may happen at some point later this month. But, yeah, I mean, Ukraine's definitely been whacking Russia pretty hard with some of this, you know, kind of activist sort of stuff. Yeah, couldn't have happened to a nicer bunch of people, right? You know, basically, so, you know, that one looks like it will really gum up the works and just make things tough. Obviously, none of this stuff really moves the needle in a war like this, but it is a level of
Starting point is 00:19:36 harassment that people are going to feel. Staying in Ukraine as well, Illia Vitiuk, who has been on this show, he ran cyber for SBU. There were some corruption allegations made against him earlier this year. He wound up being sent to the front, and then I think he was fired from his post by the president. The anti-corruption organization in Ukraine has essentially cleared him of having more wealth than he should. They found no discrepancies between the value of the property owned by Vitiuk and his family and the legitimate income that could indicate an unjustified acquisition of assets.
Starting point is 00:20:14 So it looks like, I mean, I'm guessing he's going to be cycled back into a senior intelligence position. Yeah, I would imagine so. And, you know, it seems like he's been pretty effective in the roles that he's done so far. And, you know, I, front, there's been no update on that, but, you know, I think it certainly looks like, you know, he's in the clear by the looks of things. So we'll just have to see what, you know, where he pops up again. So, yeah, good one to circle back on. Let's see, the Trump campaign. This is interesting, actually. Donald Trump's election campaign is using some specialized secure phones from a company based in California called Green Hills Software.
Starting point is 00:21:13 And they've been around a while. And it looks like really what they're using is an ultra slimmed down sort of Android devices, which seems to be the approach when you want this sort of specialised hardware. I just thought this was interesting that, you know, election campaigns have kind of learned the lesson, especially with all of the heat Trump in particular is facing from the Iranians. It makes sense that they do this. Yeah, it does. And, you know, the sort of bigger questions for, you know, like, is this a thing that governments should provide for political parties more generally like should is this kind of should this be table stakes for being
Starting point is 00:21:49 a major political party like that you get some kind of technical support or you have to go fund it yourself and and buy this off the shelf and is that appropriate but the um the green hill software make a bunch of like embedded real-time operating systems for you know military aircraft and ships and equipment like that so they they are pretty mature in you know that kind of very robust computing space whether they're android you know it's kind of it's kind of up to that level like you know it's it's hard to build a mobile phone that lets you truth social at the same time as being robust right um but they have some things where like groups of users that use these phones can only communicate with each other so presumably there's some kind of network level controls to try and make it not
Starting point is 00:22:33 more generally reachable from the internet so i'm sure there are a bunch of really smart things you can do but on the other hand political campaigns do got to get out there and communicate with people and you know there are humans in the loop too so you know hopefully it makes things better for them but yeah yeah i mean we don't need a problem to solve nobody needs like even non-americans we don't need interference in the u.s election you know what i mean the united states is an important country so uh i think it's good if this helps uh the the trump campaign lock stuff down that's good for everybody even people who don't support him. Yeah, I agree.
Starting point is 00:23:07 Now, on to one of my favorite stories this week. I've got two favorites. This is definitely one of them. And surprised it didn't get more attention, to be honest. But the FBI ran a sting in the crypto space that is just so funny. They actually set up their own crypto token. And it's called, what is it? Next Fund AI, right? Right, so this was a sting
Starting point is 00:23:27 operation. So they set up this token and posed as people who'd created this token and went out to all of these sort of consultants and crypto companies and said, what can you do to help our token succeed? And the answer among all of these companies, universally, was crimes. We can do crimes for you. Let's do some crimes. Pay us here, and here are the crimes we're going to commit for you. And, yeah, they committed the crimes, and, like, did a bunch of wash trading, market manipulation on these FBI crypto tokens, and now they've all been indicted. It's just, it's so funny. It's a beautiful thing. It is. And the United States, like, DOJ put out the details of the indictment or whatever.
Starting point is 00:24:09 And there's like meme pictures of Pepe pumping it up in there from their internal chat from some of the companies that were doing these pump and dumps. So, you know, it's very hard to look at a thing like this and not feel like the entire crypto ecosystem is just one big crime scam. Like if you know, you are struggling at this point to find a legitimate use for cryptocurrency anywhere, I think. And the fact that anyone who provides any services around it in the end is just going to be doing crimes. You know, I'm, I'm happy for some people to get their comeuppance
Starting point is 00:24:45 it is hard to find good job it is hard to find legitimate uses like it really is ones that matter you know yeah i mean even for international remittance like that's so easy these days i mean you know we're an australia-based company that has us-based customers with employees in australia new zealand and romania and it's not a problem, right? It would cost me more to send this money via crypto than it does through, you know, normal fiat services. So, yeah, anyway, that's just how it is. Okay, now we're into the enterprise crapware part of the discussion.
Starting point is 00:25:21 Talk to me about the criticals in fortinet products that are everywhere the criticals in palo alto the comedy bugs in a palo alto product called expedition and also what's going on with avanti let's just combine this into one globule of horror and horrific fail yes um so there are i think four bugs in fortinet products that are on the sysr kev list now as of you know the most recent update to that uh that some of the bugs are funny of course one of them is like a straight up format string in the management service which is a beautiful a beautiful just you know like what year is it that there are exploitable format string bugs? So that's a good time. There's a write-up we've linked through to from Watchtowers, Watchtower Labs, which is a like very sassy write-up of them
Starting point is 00:26:15 reverse engineering one of these bugs so that they can implement detection for it in their products. And they talk through all of the just deep comedy involved in looking in the gubbins of Fortinet products. The Palo Alto one, though, like I had missed this one, and you linked it to me after you got back. You were meant to be on holiday and not looking at computers. But anyway, you linked this one to me.
Starting point is 00:26:32 I can't believe you missed this one, man, because it was so funny. It was just like, what was it? It was, yeah, like you can whack a cron job into a get request and just fire. And it doesn't. So this is, well, actually was a set of bugs in a product called palo alto expedition which no one has ever heard of um which is their tool for migrating other vendors firewalls to palo alto so like you it's a like web app that you install on some you know like linux vm or whatever uh and then you log into it give it creds for all of
Starting point is 00:27:03 your old devices and your new palos and it migrates conflicts across for you and then you log into it give it creds for all of your old devices and your new Palos and it migrates configs across for you and if you were silly enough to put this on the internet which some people are then it just it was comedy bugs all the way down there was a thing where you could like unauth reset the password to Palo Alto and then from there bootstrap your way up with a cron job for command exec and some sql injection and steel creds and clear text passwords for the devices that you are going to migrate so if you have this thing on the internet and you've used it people can just compromise all of your other devices and according to showdown at least 23 people have put this thing on the internet so bad news bears for them yeah i mean you say on the internet sure but i mean even internally oh yeah
Starting point is 00:27:46 I mean, you want some persistence, I mean, you want some lawful intercept access... Yeah, I mean, yeah, like, any... if someone can see one of these things, then yes, you're definitely going to have a bad time. And it's just like, come on, Palo, really? And this thing is all written in PHP, which is one of the reasons that, like, some of these bugs are just terrible, because there's bad, you know, SQL query construction and, you know, making cron jobs with no auth, and it's just, yeah, dumb. Yeah, so bad, bad Palo, no biscuit. Yeah, and more Ivanti drama as well. And yet more Ivanti dramas. So yeah, a bit... if... actually, I think maybe Ivanti was one that had four entries on CISA KEV rather than Fortinet. But either way, bad times if you have that on the outside network. But by this point, like, if you have an Ivanti Cloud Service, whatever it's called, Cloud
Starting point is 00:28:35 Service Manager, like, you must be used to either patching it or doing incident response by now, and either way you must be pretty polished at both. So go do that again. I mean, think about what Ivanti is doing for the state of the art in incident response. You know? Think about that. Plus the state of the wallets of all of the incident responders. So yeah, good job. Thanks, Ivanti.
Starting point is 00:28:56 All my incident response pals chuckling it up all the way to the bank. Now, I mentioned that I had two favourite stories this week. This is my other favourite where this person's written it up. He claims to be a guy called Daniel who's 15 years old. Obviously, I haven't reached out to confirm this, but we'll just take it on faith that this is a 15-year-old bug hunter. You know, does a bit of bug hunting in his spare time. And he found this bug in Zendesk, which would allow you to sort of extract tickets, right? And because they weren't doing validation, the correct amount of email validation, whatnot, right? So he reports it to
Starting point is 00:29:34 them and they're like, yeah, go away. This is out of scope. We don't care. So then he figures out how to turn this bug into, like, access to a company's Slack and then starts reporting it to those end users of Zendesk. And he makes, like, 50 grand in bounties. And at this point, that's when Zendesk, through HackerOne, circle back and they're like, well, hey, maybe you just want to stop talking about this and stop doing these things. And eventually they patched it. They didn't give him a bounty because he took it... like, he violated HackerOne's confidentiality, even though they weren't going to patch it in the first place. Anyway, the whole thing, just as a story, is hilarious.
Starting point is 00:30:16 End result, though, is this kid gets 50k. Zendesk look like idiots because they kind of blew him off when they shouldn't have. And, you know, if I'm those customers who had to pay up bounties on this for a bug that was already reported to them by the same person, I'm thinking I'm gonna ask Zendesk for, you know, my money back, basically, at this point. Like, what did you think of all of this? I mean, I always love a great disclosure drama. That's, you know, a bug reporting drama, that's always fun. And this, you know, my experience of reporting bugs kind of mirrors this. You end up with, you know, a bug being triaged, you know, to the letter of the law of the bug bounty program. In this case, like, the bug basically involves spoofing email, and Zendesk's
Starting point is 00:30:59 bug bounty program with HackerOne excluded, like, DKIM and SPF and other email issues. And that's because there are so many people who spam every bug bounty program in the world with bogus SPF and DKIM reports that are pointless and add no value, so they just put that on the, like, out of scope. But in this case, you know, you should have looked at this bug and triaged it a little more sensibly, in my opinion. So, you know, in that respect... Well, my favorite part is where the HackerOne people came back and they're like, but you didn't tell us you could use it to do, you know, for, like, Slack takeover. It's like, well, you know, use your imaginations. Yeah, and I mean, that's kind of what you're paying HackerOne for, is to be able to make sensible triage choices. And I have a lot of sympathy with people who do
Starting point is 00:31:42 bug bounty triage for HackerOne and other places like that. What's hard... it's hard to do at scale, right, which is why that whole industry exists in the first place. So I mean, you know, I'm not going to sit here and say, oh, that person doing triage was terrible and whatever, you know, because it happens, like, as you point out. But still, like, this... we can still chalk this one up as a miss. Yes. Yeah, exactly. And, you know, I think maybe they could have given the kid a little bit more money rather than just saying $0.
Starting point is 00:32:11 Yeah, they took their bat and ball and went home in a huff, basically. Which, yeah, not exactly classy. But, you know, if you're one of the Zendesk customers who paid a bounty to this kid, I'd be asking for some free licensing in the equivalent value to what you paid out on this because that's, you know, come on. Yeah, agreed. Now, I don't know if this is disclosure drama, just some stuff that got mixed up, lost in translation or whatever.
Starting point is 00:32:37 There was a bunch of reporting that a recently patched Firefox 0day was being exploited in the wild against Tor Browser users. And that's how the reporting went. The Grugq even had a good joke about it, which is like, well, if you've got 0day in Firefox, who else are you going to use it against, right? So that was good. And I think this came from the Tor Project itself saying that this bug could be used in that way. I don't know where the miscommunication started,
Starting point is 00:33:05 but that's what all the reporting was. And in the end, Tor's come out and said, oh, we've got actually no evidence that it was reported in the wild. And Mozilla's come out and said no. So it looks like that was all a big nothing burger. Yeah, like Mozilla said they had seen it being exploited in the wild, but not specifically against Tor browser.
Starting point is 00:33:22 And then at some point wires got crossed, and that got, you know, kind of claimed that it was against Tor Browser after all, I think maybe by the Tails people, which are part of Tor Project these days. So, yeah, in the end, I think the Grugq really has the point here, which is that it may not be confirmed that it was being used against Tor Browser, but, I mean, what else are you going to use it for? So either way, you know, if you rely on Tor Browser, you should definitely patch your Firefox frequently. Yeah, indeed. Now, we got a report
Starting point is 00:33:52 here from Dan Goodin at Ars about some malware that looks like it's designed to hop air gaps. It's being attributed to Russia. Yeah, this was from some research from ESET, following up on a piece of malware that was, I think, originally written by Kaspersky. And this was, you know, an intelligence crew that was doing air gap jumping, collecting data and exfilling it back out through USB keys. And this particular actor has been doing this with, I think, a whole, you know, kind of basically two separate toolchains over a number of years. And ESET wrote it up having found it in a South Asian embassy in Belarus. And, you know, the malware itself, you know, the actual air gap jumping part of it, like the USB infection, is, you know, it's one of those, it's not dumb if it works, but it's kind of dumb. But
Starting point is 00:34:45 the rest of the tooling all is, you know, pretty polished for doing what it needs to do. And it's, you know, always interesting to see a good write-up of these. But, you know, I don't know, you know, we haven't really seen it in widespread... like, it's not a thing that most people need to worry about, because most people aren't worried about USB air gap jumping malware. But still, legit interesting to read the details. Yeah, yeah. And one more we got here from Krebs on Security. Brian Krebs has... this is an interesting report, actually, because it, you know, you and I've been talking about this before we got recording, and it's just proof that people will always find a way to monetize vulnerable systems, right? And he's got this report here where attackers are essentially reselling access to large language models. So they're taking over, like, you know, commercial
Starting point is 00:35:32 LLMs and then reselling that access to people so they can have, like, AI girlfriends that are, like, children, and, like... But, you know, the interesting part for the purposes of our discussion here are that, yeah, I mean, if they can breach it, they'll monetize it, right? It reminds me of, like, back in the day when people would get illicit access to telcos and then they'd plug that access into, like, a calling card system and they'd sell calling cards.
Starting point is 00:36:03 So, you know, you'd sell someone, you know, 100 minutes for 20 bucks or whatever, and they would use it until you got evicted. And then what are they going to do, get their money back? But this is how you would get, you know, discounted calling back in the day. So this is interesting, isn't it, that people are stealing access to LLMs. You know, we see people steal compute for things like crypto mining, and now they're selling access to, you know, compromised LLMs, and they're taking some of the safeguards off them to allow them to be used for this purpose. And, you know, that's a whole new criminal cottage industry.
Starting point is 00:36:32 Yeah, yeah, it is. It's the, you know, so much of what we report on follows the ability to monetize. And, you know, that's where ransomware was, you know, so innovative, was it was a way to monetize access to computer systems where previously CPU crypto mining or, you know, end user kind of consumer ransomwaring, which didn't make particularly much money. So anywhere where we see innovation in extracting value from hacking is going to push, you know, the trends in the crime world. And I just thought this was really interesting because, exactly that, stealing access to LLMs or anything else where, you know, a bunch of AI resource, be it at runtime or building model time, can be stolen and monetized, then, you know, we'll see new crime types. So, you know, in this case it was, like, Amazon... people who used Amazon's things were having their compute stolen. I
Starting point is 00:37:22 think researchers from Permiso leaked on purpose... leaked their tokens on GitHub or wherever to wait and see what would happen. And then they watched, and that's how they kind of tracked down who was stealing their, you know, was losing their Amazon account and where it was ending up being used to run, you know, sex chatbots or whatever else. But, you know, probably higher value than CPU crypto mining. So yeah, innovative, good job. Well, you can't crypto mine with an LLM, really, like, they can't even do basic multiplication, as it turns out. It's funny, actually, Permiso were just in our last round of Snake Oilers, the last batch. And yeah, they're ex-FireEye people. They're pretty
Starting point is 00:38:02 smart folks. You got that impression? Yeah, yeah, yeah. So I mean, it's all, yeah, it's just bizarre. It's just, what a world. Before we go, though, there's a long read that you wanted to talk about. It's a report from the Washington Post called The Cyber Sleuth, and looks at an IRS investigator who does blockchain stuff. And you say this one's a really good long read. Yeah, it's a very long read. And it's actually written by a fiction author. It's a nonfiction story, but written by a fictional author.
Starting point is 00:38:32 It's quite a nice piece of prose. And if you have friends or acquaintances or whatever, and they're trying to explain what it is you do if you're a blockchain investigator or crypto criminals or whatever else, worth sharing to them. But it's the story of this guy that's an IRS investigator. Also ties in a bunch of other people, like that guy that's currently being held in Zimbabwe, or wherever it was, Nigeria. The guy was being held in Nigeria that used to be an IRS investigator, and then, you know, he's being held
Starting point is 00:39:01 political prisoner there that you know there's just a bunch of interesting bits that touch on things we've talked about. So if you want a lunchtime read, I would definitely recommend giving it a go. All right. Well, I'll whack a link in this week's show notes. But Adam Boileau, that is it for this week's news. We've managed to keep it pretty tight considering we've been on break for a while. But we were very brutal in organizing this week's run sheet. And it's paid dividends because the show is not an hour and a half.
Starting point is 00:39:24 So that's great, mate. But, yeah, we'll wrap it up there, and I'll look forward to speaking to you again next week. Yeah, thanks very much, Pat. I will talk to you then. That was Adam Boileau there with a check of the week's security news. It is time for this week's sponsor interview now with Casey Hill, who is a product manager at Panther. And Panther makes one of these sort of more newfangled, you know, detection-as-code based SIEMs.
Starting point is 00:39:55 More cutting edge than the stuff we're seeing out of the likes of Google and Microsoft, who are kind of doing cloud Splunk, if you want to, you know, describe it really. Panther is much more about doing high volume logs and whatnot. And this conversation with Casey is an interesting one. It's really about how, you know, there are new models coming out for SIEM, basically. Over the last few years, we've seen people, you know, various companies encourage people to set up data lakes and just put all your logs in a data lake. And then what do you do from there? What, query it with SQL? Like, that hasn't worked
Starting point is 00:40:29 out so well. So Panther sort of sits somewhere in the middle of those approaches, where they can help you set up those data lakes and then really help you to query them and build detections and things like that. But Casey joined me for this conversation really about those SIEM trends and what the SIEM of the future is going to look like. I hope you enjoy this interview. Two years ago, we were pretty early in this space. So there were a lot of homegrown solutions where people were starting to look at how they could play with some of the new data storage mechanisms like data lakes and push all their data there and then leverage things like SQL to search through it. But what we've seen is more and more folks are starting to transition in this way. And it's not just homegrown solutions anymore. So we've seen other competitors start to
Starting point is 00:41:18 really emulate a lot of things that we're doing around some of the infrastructure, as well as leveraging things like Python so that you can run real-time streaming detections. I mean, I found, I remember the whole data lake thing, right? And everyone was like, it reminds me of that old joke, right? Like step one, stick everything in a data lake. Step two, question marks. Step three, stop attackers, right?
Starting point is 00:41:41 Like, it always seemed like that whole thing was more being driven by your sort of Elastics and Snowflakes of the world, as a way to sell their product, right? Which is just throw all of your logs in here and figure out what to do with them later. I mean, is that approach, just throw everything into a data lake and, like, think of something later, is that dead and buried yet? I would say that is not fully dead and buried, but it is on its way. I think one of the things that we've actually seen is some competitors even look at things as,
Starting point is 00:42:14 oh, either we can throw it in the data lake for you or if it's already in your data lake, that's fine. We'll just sit on top of it. But that's actually a huge challenge is if you don't actually have the data structured in a way that makes sense and is actually useful for you to then analyze, then you're just spending time elsewhere in terms of cleaning that data up and making sure that you have good data hygiene. But Casey, the pamphlet told me that I didn't
Starting point is 00:42:39 need to structure the data. That's the whole point of having a data lake. Exactly right. It's just supposed to magically work itself into the shape that you need it, and patterns across it for you. Yeah, yeah, exactly. So, okay, you mentioned that, you know, you were early to this party. Others, are they taking a similar sort of approach now, which is, it's about, yeah, getting things into some sort of sensible form when they're stored so that you can, like, run some standard queries? Last few years, it's kind of looked like, you know, Backstory from Google and Sentinel from Microsoft. But I guess at least with those, you know, those major platforms, they've got the option to move in this direction as well in the future. But yeah, I'm just really trying to get a sense for where the innovation's going here. Yeah. So we've seen, obviously, platform play has become extremely important across both just security vendors, but then obviously the cloud providers, as it's an easy tack-on. We're
Starting point is 00:43:53 looking at security leaders are often looking for how do I consolidate different things, especially if I have a number of different point solutions. But one of the things that we consistently see where customers are coming to us or prospects are coming to us and they're having frustrations with some of those is usually it's a little bit clunky. So one is just the ability to actually set up the ability to ultimately get that data in the structure that you need it. And then the ability to ingest data that's not within that particular cloud environment is another piece. And so ultimately, ownership has become a really important thing for a number of our customers is they want to have more flexibility about not just what data they're ingesting, but ultimately, how it gets stored and, you know, where they can actually take that data with them. After, you know, either they've decided they need it only for compliance purposes, after the fact, or they might want to be able to have some sort of flexibility with ultimately the data store. So do you actually have customers who are
Starting point is 00:44:51 using you to take like application logs and whatever, you know, whip them into something sensible and then pump that onwards into those platforms that I mentioned? Is that a use case? So we see some customers will do, they'll basically bifurcate certain data. So they'll say, okay, I want to keep all my security data continuing to go into Snowflake, for example, with Panther. And then I also want to duplicate data into say like S3 so that I can keep it there for compliance purposes. So for example, I might say, okay, this is for PCI compliance. I need to go ahead and store this, but I'm not regularly accessing this. And so I just want to dump this into- You need to check the box. So when the auditor comes around and says, where is this data? You say, there it is in that bucket over there.
Starting point is 00:45:36 And they say, yes. And they tick the form. Yep, exactly. You know how that goes. Yeah, I do. I guess what I was asking, though, is more whether or not people are using, you know, stuff like Panther as a sort of hop point, right, between the application and SIEM, some of these newer cloud SIEMs from the likes of Google and Microsoft. So we'll see, not as much in terms of, like, if you're saying downstream consumption into, like, a Google Chronicle or a Microsoft. We don't see that as much. We actually see more, like, questions around, especially with some GCP customers recently, of, okay, how can I either run Panther within GCP so that I can actually use up some of the credits that I've already purchased there?
Starting point is 00:46:19 Or how can I use it as a sort of side by side, so that things that I need either high volume or I need really quick response, those will be different workloads that they'll actually transfer over sometimes from, like, a Chronicle into Panther so that they have more of the real-time analysis and they can also do so in a more cost-effective manner. Yeah, I mean, that's why I asked, right? Because as I said, like, it looked for a while like, oh, you know, we'd worked out what the future of SIEM was going to be. And it was basically going to be like cloud Splunk, right? Which was, you know, a bit of a disappointment, really, when you look at the, you know, the next iteration of a SIEM is like, well, it's like the same thing,
Starting point is 00:46:56 but it's in the cloud now. So yeah, that's why I was wondering, you know, just where that fits among the type of customers who are, you know, using your stuff. And really, you know, a company like yours, increasingly you're ticking off what are going to be the requirements of, you know, the enterprise of the future, right? Which is more high volume logs, more custom applications, you know, yeah, more custom logging, right? So, like you pointed out, like, very early on, before we even got recording, it's not a case of storing and looking at firewall and router logs anymore, you know, enriched with a bit of Corelight data. That's not what SIEM is about in the future. Yeah, you're absolutely right there. One of the things we've
Starting point is 00:47:42 seen too is we've seen a gradual shift towards more security engineering and more technical chops in some of the personas. But it's not a full-on migration. Everyone immediately picking up Python or SQL. And so that's something that we've observed. And why that's important is when you think about the makeup of certain security teams, the sort of security team of the future or some of the enterprises of the future that you mentioned, that's something that we're starting to see evolve. So we'll see a lot of our customers that jump in and they really start to do well are oftentimes those that are cloud native. They're
Starting point is 00:48:22 doing a bunch of terabytes of data per month, sometimes even per day. And they have a sort of more, I would say, even-keeled approach in terms of security analysts and security engineers. It's more of a balanced team than you might see in a little bit older companies. And so that ultimately makes it so that they're looking for, okay, how can I have a SIEM that allows me to do things that are a little bit more high leverage with my security engineers? So think about, like, how can I deploy things like infrastructure-as-code type workflows for when I'm setting up different log sources? How can I make sure that I also have resilience that can ultimately be built into more of, like, a CI/CD pipeline? It's interesting that you're talking about basically terraforming a network to handle your logs. I mean, you're talking about a lot of logs
Starting point is 00:49:10 here, right? Once you start needing to terraform something, terraform stuff to make that work. Absolutely. We're talking about a significant number of logs, and we're talking about a lot of different custom logs as well, as something that we've started to see a lot of different customers have, which is one of the things that actually, it sounds very maybe nuanced or niche, but it's actually really important when you're thinking about how do I get up and running and I'm not just sitting there doing mapping exercises to make sure that I have everything formatted the way that I need. And so that's an area that we actually do a pretty good job of getting folks up and running, using things like inferring the schemas from the data, that sort of thing.
Starting point is 00:49:52 Yeah. But I mean, that's the thing, isn't it? I mean, it really is that data lake approach, but instead of just saying, throw it all in a data lake and then, I don't know, write some queries, that's up to you. You know, the idea is this is more of a tool set, isn't it? That can help people through that process of, yeah, storing things sensibly. And then, I mean, in terms of detections, you know, when you've got people using custom logs from custom applications, I imagine it's a little bit difficult for you as a SIEM vendor to have, like, pre-canned detections that they can run against those, you know, data stores. So how does that work? Do you have, like, detection builders, or are there pre-canned ones that once you've stuffed their
Starting point is 00:50:32 stuff into the, you know, inferred the schema, there are still some pre-canned detections that work? Like, you know, give us an indication of where the effort is there. Yeah. So we see a lot of folks who use our out-of-the-box detection content for sort of a jumping off point. So they'll look at that as almost like, okay, here's a boilerplate of what it might look like to view a failed login or look at when possibly there's data exfiltration
Starting point is 00:51:00 in terms of just how would I actually look at and do a quick comparison. And so oftentimes they'll use our out-of-the-box content to then jump into things that they want to do on their custom log sources. One of the nice things is we've started to simplify just how you can actually get your hands on and look at that data within the console so that you can start to look through examples really easily. And then one of the things that we've actually started to roll out
Starting point is 00:51:23 is a new Python library that ultimately supports the way that we do detections. And that's really, really helpful when you think about, okay, I want to actually take something that Panther produced, and then I want to inherit from that certain conditional logic, but then I'm going to adapt it. And so I can work in certain instances, like, for example, if you're extending maybe different AWS rules that maybe we already produced, like an AWS ALB rule, for example. Now I'd imagine too, and we're going to wrap it up shortly because we are running out of time, but I'd imagine that among your customer base would certainly be some of the Silicon Valley
Starting point is 00:51:59 type of companies, right? Because everything that you're describing just makes me think of like the intro montage to the Silicon Valley TV show with all of those logos, right? Because they're the orgs that are going to use that. Is that about right for now? Or are you seeing a lot of traditional enterprise as well? That is right in terms of a lot of the folks that onboard with us early are still with us. And a lot of what we've seen in terms of growth is with that type of cohort. They're much more familiar with just kind of the actual infrastructure. And oftentimes, they've actually gone down the route of we tried a homegrown solution. And we realized it's a lot harder than maybe we thought in order to sit there and maintain that level of data ingestion,
Starting point is 00:52:41 let alone build out a bunch of different connectors. And then that's not even taken into account off the downstream, which then you're looking at a lot of, okay, I need to both write my detections. But then I also want to make sure that we actually have the time and capacity to think about how do we quicken the pace of being able to resolve alerts once they happen. And so that's where we have seen a lot of success with those type of kind of more forward thinking high tech companies. Yeah, all right. Well, Casey Hill, thanks a lot for joining us to walk us through a bunch of that.
Starting point is 00:53:09 It's really interesting stuff. Yeah. I do find Panther really interesting. I think it's like one of those, yeah, one of those tools where the people who need it, they really do need it, which is always a good thing. But yeah, thanks a lot for joining us to walk us through all of that. Appreciate it. Thanks, Patrick. Appreciate the time. That was Casey Hill there from Panther. Big thanks to him for that. Big thanks to Panther
Starting point is 00:53:34 for being this week's Risky Business Sponsor. And you can find them at panther.io. And that is it for this week's show. I do hope you enjoyed it. I'll be back on deck next week with Adam to do more risky business. But until then, I've been Patrick Gray. Thanks for listening.