Risky Business - Risky Business #771 -- Palo Alto's firewall 0days are very, very stupid
Episode Date: November 20, 2024

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including:
- Microsoft introduces some sensible sounding post-CrowdStrike ...changes
- Palo Alto patches hella-stupid bugs in its firewall management webapp
- CISA head Jen Easterly to depart as Trump arrives
- AI grandma tarpits phone scammers in family-tech-support hell
- Academic research supports your gut-reaction; phishing training doesn't work
- And much, much more.

This week's episode is sponsored by GreyNoise. The always excitable Andrew Morris joins to remind us that the edge-device vulnerabilities Pat and Adam complain about on the show are in fact actually even worse than we make them out to be. Andrew also tells us about a zero-day GreyNoise's AI system truffle-pigged out of their data set.

This episode is also available on YouTube.

Show notes:
- Windows security and resiliency: Protecting your business | Windows Experience Blog
- Microsoft revamps how it will disclose vulnerabilities | Cybersecurity Dive
- NIST says exploited vulnerability backlog cleared but end-of-year goal for full list unlikely
- Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
- Palo Alto Networks customers grapple with another actively exploited zero-day | Cybersecurity Dive
- Unpatched zero-days in Fortinet and Palo Alto Networks software
- Palo Alto Networks' customer migration tool hit by trio of CVE exploits | Cybersecurity Dive
- Readout of President Joe Biden's Meeting with President Xi Jinping of the People's Republic of China | The White House
- Easterly to step down from CISA director role on Inauguration Day | Cybersecurity Dive
- Top White House cyber official urges Trump to focus on ransomware, China
- Ransomware gang Akira leaks unprecedented number of victims' data in one day
- Hacker Is Said to Have Gained Access to File With Damaging Testimony About Gaetz
- 1,400 Pegasus spyware infections detailed in WhatsApp's lawsuit filings
- NSO Group admits cutting off 10 customers because they abused its Pegasus spyware, say unsealed court documents | TechCrunch
- Ohio man behind Helix cryptocurrency mixer gets 3-year sentence
- O2 unveils Daisy, the AI granny wasting scammers' time - Virgin Media O2
- Understanding the Efficacy of Phishing Training in Practice
- Bunnings facial recognition cameras breach Privacy Act, retailer to challenge ruling | news.com.au
- Nudity, punches in newly released Bunnings CCTV as company found to breach Privacy Act | news.com.au
- Bitfinex Hack Launderer Heather 'Razzlekhan' Morgan Sentenced to 18 Months in Prison
Transcript
Hey everyone and welcome to another edition of Risky Business. My name is Patrick Gray.
We'll be chatting with Adam Boileau about all of the week's security news in just a minute and then
we'll be hearing from this week's sponsor, which is GreyNoise, and we're chatting with GreyNoise
founder Andrew Morris about something that's quite topical which is the amount of attacks
against edge devices these
days on the internet. And as bad as it seems, and indeed, we're talking about a few of these
sorts of attacks in this week's news segment, as bad as it seems, Andrew is here to reassure us
that it is in fact, much, much worse than people fully realize. We're also going to talk to him
about how GreyNoise's LLM-driven analysis engine actually caught a zero-day
command injection vulnerability being used in the wild against a bunch of IP cameras.
It's a really good interview. We always love having Andrew on the show. So do stick around
for that one. But Adam, it's time to get into the news now. And we're going to start off
with this blog post from Microsoft where they've outlined a few things that look to be in response
to the CrowdStrike incident back in July. One feature they've announced is a sort of remote
recovery feature. So if your kernel all of a sudden becomes non-functional, you can actually
roll back some changes. And the other thing they've announced is that they're going to introduce
features into the OS that will allow security companies to build things like EDR without having to use a kernel module. Let's start
with the recovery stuff. Like, do we actually have any details on how this thing's going to work?
No, we haven't seen details yet. Microsoft's having their Ignite conference at the moment.
They've been announcing a whole grab bag of stuff, but I guess we're going to have to wait
and see the specifics.
Essentially, the problem they are trying to solve,
as you said, is the kind of CrowdStrike scenario
where your machines are rendered unbootable.
And clearly there's going to be some kind of like
network aware safe mode that they can boot up into
and then apply security updates or Windows updates
or patches or something that administrators
can use rather than having to physically go to individual machines, boot them up and so on.
And there's a bunch of moving parts here that we do need to see specific stuff like how does
this interact with BitLocker? How does this interact with TPM-backed BitLocker, et cetera,
et cetera. But clearly they're trying to solve the problem that we all want solved, which is having to roll truck in the event of an outage
and physically put hands on keyboards,
you know, is a thing that isn't so useful anymore
when we have a billion Windows machines in the world
or whatever it is.
Yeah, I mean, we saw what that looks like back in July
and it meant a lot of people stranded at airports.
And so on, right?
So not so surprised to see Microsoft trying to get on top of that.
But the other thing they've announced as part of this,
I mean, there's a whole bunch of stuff in this blog post.
We've linked through to it in this week's show notes,
so people who want to read the whole thing can go and do so.
But another thing that caught my eye is that they are, you know,
introducing these features which allow people to, you know, run security software outside of kernel mode. We're going to really have to see what that looks like, because there are
good reasons for security software to be in the kernel. And you talk to anyone who develops
endpoint security software for Mac via its API and they'll tell you all about the limitations.
They will not stop talking about the limitations; your ears will fall off from how much they talk about the limitations involved in, you know, using that API.
Yeah, yeah, there's absolutely a, you know, a set of trade offs that you have to make here,
you know, for having standardized interfaces. And, you know, the impact that has on the ability to
kind of innovate or to provide security solutions that are differentiated from competitors and so on.
And I think the comparison with the Apple ecosystem is pretty apt
because Apple provides these APIs that people can use.
And if you don't want to do it Apple's way, then tough.
But on the other hand, they also provide an ecosystem
that is much more locked down and controlled than the traditional PC world.
And we have ended up with these, you know, kind of
Windows antivirus and EDR and whatever else solutions because that platform is so much more
flexible. The security software needs to kind of be more flexible too. And so, you know, the idea
that you could do it kind of Apple style or even more like iOS style on Windows, you know, the
platform itself would need to be pretty
different. And we only have to look at, like, the success of the Microsoft Store and what a mess
that's turned into to kind of see that it's a whole ecosystem. But anyway, I'm super interested.
Microsoft is going in the right direction here, but, you know, it's not as simple as just now we've
got some APIs for building EDR in user mode.
Well, and I don't think they're going to cut off kernel access. Well, let's put it this way. I
would be surprised if they cut off kernel access because there's going to be legal challenges there,
right? Because if they're still allowing Defender access via the kernel, they kind of have to offer
that to everybody else. Otherwise, they're going to face a whole bunch of legal challenges. So the
precise phrasing they've used here is: to help our customers and partners increase resilience,
we are developing new Windows capabilities that will allow security product developers to build
their products outside of kernel mode. Now, this phrasing doesn't suggest
that they're going to force people to do that, just that it's an option. And maybe Microsoft's
hope is that customers will start demanding that security providers do that. I'd be pretty skeptical there, because if I'm
CrowdStrike or SentinelOne or whoever, you know, in a customer meeting, I've got, well, we got our
kernel mode one which can do this, and then we've got the user, you know, the API-based one which can
do a whole bunch less. You know, which would you prefer? You know, when they've got the remote recovery feature
as well as a bit of a seatbelt,
I think it'll be hard to convince people to pick, like, these versions.
Let's put it that way.
Yeah, I mean, I guess, you know, what we will actually see likely
is that some of the functionality will be able to be moved out.
I mean, everything you can move out of kernel space
into a user space process is an improvement.
And maybe, you know, handling updates
or maybe there's some rules around, you know,
much like Apple has about like how much compute time
you can spend, you know, in kernel or whatever else.
Yeah, but that's, that gets a bit dicey, right?
Because what Apple will do is just shut down a security tool
that it thinks is using a few too many cycles.
It's just like, bye-bye, boom, and it goes away.
Yeah, yeah.
So there are a bunch of trade-offs,
but ultimately the goal is to just do less stuff
in a privileged context.
And if Microsoft can provide support
that means you can move 60% of your EDR product
out of kernel,
that's still 60% less that you can have bugs in.
100%, 100%.
Move in the right direction, devil in the details,
but so far so good.
Staying with Microsoft and they've announced
that they're going to start publishing
machine readable vulnerability information,
which is a great idea.
And frankly, like I'm surprised this hasn't happened already.
Yeah, so they're using a standard mechanism
for publishing them, and, you know,
essentially it's JSON files with a schema that's specified by a standards body. And I had a look
through and it all looks pretty sensible. And given how many people have had to write things that
scrape the vuln information off Microsoft's web pages and then try to munch it into that JSON... Yeah.
Yes, yeah, try and build this. And I mean, you know, clearly Microsoft is sharing,
like the data source is shared behind the scenes
because you can kind of see artifacts of the web part of it,
you know, in some of the JSON documents they provide.
But hey, this is a move in the right direction
and anything that makes our lives easier
in terms of consuming this data is great.
It doesn't necessarily solve the problem
that garbage in, garbage out, right?
You still have to have good quality information.
And I feel overall the incentives
for providing good quality public vulnerability information
have been going down over time.
But Microsoft's stuff is at least better than average.
So good point.
Yeah, but I mean, you said it.
It's the motivation.
It's not required to the same degree, right?
People don't have time these days to sit down
and look at detailed information on each bug.
They want to know the CVSS score and then what to do, right?
That's sort of where we are now.
Yeah, and I guess for people like me that worked,
where you want to know the details of the bug
because you want to reproduce it and then use it,
which is a slightly different use case
than the problem they're trying to solve.
It's become frustrating more and more over the years
to consume vulnerability information
for anything other than that.
Just tell me the CVSS and patch it.
So your objection here is it might make pen testers sad?
Yes.
Okay, right.
And pen testers are already sad, so it's, you know, marginal difference.
But why? We can't have sad pen testers. Let's immediately protest this development. Now,
look, staying with vulnerability information, and everybody knows that NIST, you know, its efforts to
manage the National Vulnerability Database kind of just fell over this year.
They have now come back and said, good news, everyone, we've cleared the backlog
of publicly exploitable vulnerabilities, right? So they've now gone and enriched
the data for, like, stuff on the CISA KEV list. And they're like, yay, that's great. But their goal of end of year, like getting everything back to speed, they're like, yeah, that's not
going to happen. I mean, it's amazing that they just fell... This is an important
data source and it just fell over, and it's, it's kind of, I mean, it has got headlines, but this is
just a pretty epic failure when you think about it.
Yeah, yeah, it really is. And I am surprised that they let it get this bad.
The articles about this, though, and, like, some of the headlines we've seen about this,
you know, because, for example, The Record runs a piece that starts:
The federal body in charge of processing prominent vulnerabilities said a backlog of unanalyzed exploited bugs has been cleared, which you and I know means the hundred bugs on the KEV list for this year, not the hundred and whatever thousand or 18,000 or whatever it is that they
haven't dealt with this year,
like tens of thousands.
So like,
it's a very,
very small percent.
Okay.
It's an important,
very small percent,
but yeah,
it is weird that,
you know,
such an important standards body has just screwed up this badly.
They dropped the ball.
But, I mean, I'm guessing there's a backstory there, right?
Like, I'm guessing there were people in there who were warning about it
and, I don't know, the right people didn't take it seriously.
Like, there's, you know, a story like this isn't just,
oh, they're a bunch of useless idiots, you know?
Like, there's obviously some stuff went down is what I'm getting at, right?
Like, some stuff went down.
I don't want to criticize that reporting, by the way.
This one's from John Greig at The Record because, you know,
he does present all of that context.
And it is what NIST said.
So, like, he's not, you know, he's reporting what they said.
Well, I mean, it's right there in the headline that the end-of-year goal
for the full list is unlikely, right?
So it's not like that did not feature in that story.
But, look, staying on vulns, I mean, you're going to have to unpick all of this for me, because I've
got so many CVE numbers in front of me that it's making me a little bit dizzy and I can't keep
track of them all. But Palo Alto Networks is having a bad time. So we've had zero-day, exploited in the wild, like proper zero-day pre-patch.
There's bugs in multiple pan products.
It's chaos out there, man.
Like walk us through,
walk us through what's going on here.
Because there's two sets of bugs,
some affecting like what one of their management products
and the other one,
the management interface to their products.
So what can you tell us about this?
Yeah, so you're right. There's essentially two sets of Palo Alto
bugs that are in the news. One is extremely funny and quite important, and one is really not that
significant. So the not significant one is their customer migration tool that I think we talked
about a while ago, and it had some bugs in it. People have been looking at it and have found more bugs, but very few people run this particular product. The one that is great
is there was a bug that was being sold on some hacking forums somewhere that was advertised as,
like, pre-auth remote code exec in Palo Alto's firewalls. And we saw Palo Alto warn about this
before they even understood what the details of the bugs were.
They said, hey, someone is selling this bug, I guess maybe firewall, the management interface for your
firewalls. And then now we've seen the details of that particular bug, which turned out to be two
different bugs, come out. watchTowr Labs have a write-up of it, and it is such a clanger of a bug.
So there are two.
The first bug is essentially an auth bypass,
and the auth bypass is you send an HTTP request header
to the web server of the management interface,
which basically just says,
hey, don't worry about authing me.
It's fine.
Yeah.
And that works.
And then once you've got that, once you're past that auth step,
you can go forward and look for the next bug,
which turns out to be a straight up shell metacharacter command injection
in like the username field.
So you put shell metacharacters in it,
and it runs commands as root on the underlying firewall's OS,
which again, oh my God, it's the year 2024.
What are you doing, Palo Alto?
Yeah.
So, I mean, I guess if you have the firewall management interface
on the internet, you were going to have a bad time.
You've always been going to have a bad time.
But, I mean, this is a firewall.
It's a security product from a major vendor with, you know,
a no-auth-please header, and I would like to run this shell command in my username, please.
Yeah.
It's really funny.
I've been spending a lot of time with my head in access control, right?
So I think for a long time people made the mistake
of thinking that authentication was access control.
And it is, but not when you're dealing with vulnerable
technologies that you can pop shell on pre-auth, right? And that's one of the issues. And you look
at what people have built in terms of trying to deal with these sorts of problems. And when it
comes to, like, enterprise web applications, you've got some reasonable options there. So you've got your sort of Cloudflare, excuse me, Cloudflare stuff. You've got
Zscaler. You know, there are options for doing web application delivery. When it comes to
controlling access into production environments, whether that's database access, SSH, whatever, you've also got some options there.
Tools like StrongDM are really good.
But I feel like a lot of this has kind of missed the point,
which is the stuff that really needs to be access controlled
is not often the stuff
that is already getting the most attention, right?
You're not going to serve up the login interface
to your Palo Alto box via Cloudflare.
No. That's just not something you're going to do. So the reason I've had my head in all
of this is, I, you know, don't mind saying it now at this point, is I've joined the board of Knocknoc.
And this is the problem that they're trying to solve, right? Which is how do you
actually put access control beyond just sort of
authentication-based stuff? How do you put access control on crap, right? Not just your most vital,
known-about infrastructure. How do you put access control on the web interface for an IP camera,
right? And so, you know, the way they're doing it obviously is with IP restrictions and whatever. There's a new feature coming, which is very, very cool, which is sort of akin to an
identity aware proxy, which gives you an extra level of protection for web-based stuff. But when
you actually really go out and survey this stuff, you know, it's like access control is just
so neglected, which is very strange when you think about what a fundamental building block of security it is.
Yeah, it's very hard to implement complicated controls,
and access control, unfortunately, is kind of complicated
in the enterprise context because you've got to have
Federated Auth and SAML and all sorts of complicated
auth things, and in an IP camera,
no one expects enterprise-grade auth in an IP camera,
but you still need enterprise-grade auth.
And no one expects good quality implementations
of complicated protocols in, sadly, a Palo Alto firewall.
And so you have to have something that is simple enough
that you can just layer on,
but does not rely on the vendors of these products
to either implement complicated features
or to implement them safely. And network-based controls is the old-fashioned way of doing that.
Yeah, but a good way. Well, but even with web-based stuff, and even web-based stuff to IoT,
right, you can use a reverse proxy for this stuff. Yeah. And there are tricks you can use so that it's
not just IP restriction, because, you know, Knocknoc had an issue, and I've got to spell
it out because people can't find them, because it's K-N-O-C-K-N-O-C, so there's no second K on knock.
So there you go. But, you know, they spoke to one customer who's like, excuse me, they
spoke to one customer who's like, you know, IP restriction isn't enough
for this particular set of applications,
but they were web-based, right?
So you could actually work something out there
where what they're developing for that customer
and it's gonna be a killer feature
is sort of like an identity-aware proxy, but really dumb,
but it works and you can put it
in front of basically anything.
So instead of having to like, you know,
GCP has, like, a way to do IAP, like identity-aware
proxying, but you install these connectors and whatever. And, you know, Cloudflare can even
tunnel out SSH, but you need to mess with your SSH configuration and trust Cloudflare's CI and
whatever. Like, all of this stuff is just sort of needlessly complicated when it comes to trying
to lock down low-value vulnerable stuff. And I feel like finally, just in light of all of these issues
we're having with enterprise VPNs and with all manner of devices that are just sitting around
stinking like corpses on the edge of a network, like it's about time we did something about this.
And just, yeah, going through the market research phase, I'm just surprised there's not an awful lot there, you know.
Yeah, yeah. I mean, I think, you know, just not
putting these things on the internet is how we used to do it. But you can't do that anymore. But
now, of course, we put everything on the internet because the internet is everywhere. And, you know,
if we lived in the IPv6 world where there was no NAT to save us, we would have already been putting
everything on the internet for a long time and had to cross this bridge earlier.
But NAT bought us an extra 15 years.
But it's just crazy that this just hasn't been addressed.
But I guess we're there now.
Anyway, let's move on.
And we've got a readout here from the White House
of a call between Joe Biden and Xi Jinping.
And what's really interesting is, you know,
the Volt Typhoon stuff came up.
And it's just really wild to see that in this sort of readout.
So it reads,
the president raised deep concerns about ongoing PRC cyber attacks
targeting civilian critical infrastructure
and threatening the safety and security of Americans.
Sign of the times, I guess.
Yeah, I mean, it's become an issue that is discussed in this
context, and kind of fair enough, because, I mean, you know, China's in there pre-positioning for
things that are very relevant to this level of leadership. So, yeah.
Yeah. And staying with US government stuff, Jen Easterly is going to step down from CISA on Inauguration Day. I don't think
we should be particularly surprised that a bunch of
officials, particularly from DHS, are going to leave. The incoming administration is very hostile
towards the work CISA has done around disinformation. So I think it's probably good
that Easterly just gets out of the way here instead of trying to, you know, dig in and defend and wind up sort
of escalating, you know, the attacks against it from the White House. But, you know, it's still
very unclear what's going to happen to CISA under the incoming admin, because
there is talk of making CISA go away. I don't know how credible that is, but I think the disinformation
stuff, that's gone.
Yeah, yeah.
I mean, it's a pity that, you know,
because CISA has done so much good work,
it would be a pity to see them kind of curtailed
or wound down or made, you know, less effective.
But, I mean, on the scale of US politics,
cybersecurity is a relatively not so partisan issue
compared to other things.
The problem is, though, CISA is so closely tied to this
disinformation stuff. Yeah. You know, and it could, you know, the wider org could be punished. But even
some of the people who are, like, looking to damage it are even saying, well, I don't think we can get
rid of it entirely. But, you know, just think, like, Chris Krebs was, you know, he's on the CSRB
at the moment. I don't think he's going to stay because, you know,
like he did not have a good time under Trump once.
So, yeah, I don't know about that.
And even more news, we've got a report, another report here from John Greig at The Record looking at Anne Neuberger,
who is the US Deputy National Security Advisor for Cyber
and Emerging Technologies.
And she did a talk and asked about,
you know, what the incoming administration should focus on from a cyber perspective over the next
100 days. And I guess not surprisingly, she said China, but she also singled out ransomware. And I
think, you know, Neuberger did do a lot of work on ransomware over the last four years. So and it
would be a shame to see that work
let up now. So let's hope whoever comes in is going to listen to it.
Yeah, yeah, I hope so. I mean, ransomware once again is a thing that shouldn't be particularly partisan. But then again, we've seen,
you know, things like adding regulatory stuff to the water industry, for example, you know, be made
complicated, even though basic IT standards for critical
infrastructure hopefully shouldn't be. But hey, what do I know?
Well, I mean, that was more of an issue of government overreach. I think in that case I kind of agreed with the Republicans on that one.
So I don't think that was necessarily about politics. I think that was about sort of, like,
what the government was allowed to really do. But I do feel like the US government's efforts on ransomware
over the last few years have helped, you know,
and it's probably a good time to look back and think about that.
But, you know, we haven't seen a United Healthcare style
or whatever their subsidiary change.
You know, we haven't seen something like that in a little while.
And it just felt like for a while that was happening just so regularly.
And, you know, the volume and intensity seems to have dialed back a bit.
Yeah, no, I agree with you. Yeah, it does seem to have cooled a little bit. I mean, our shows are
not a hundred percent jam-packed full of hospitals getting ransomware like they were a year ago, but
that's also a degree of you and I getting bored of talking about ransomware.
Yeah.
I mean,
I think there's,
there's,
I mean,
there's still a lot of ransomware out there.
Don't get me wrong,
but you know,
the idea that you had a mega cartel like lock bit that was just being so
successful.
I don't think we have a replacement for that yet.
Yeah,
no,
I think you're right.
And actually the,
the next story,
which is about a ransomware group,
you know,
the reason it stood out to me is actually
because it's such a low-rent kind of ransomware group.
This was the Akira crew.
And, like, they are kind of by design a pretty low-rent sort of new group.
So, yeah, I think the landscape of ransomware has changed a bit.
And so, yeah, I mean, you're probably not wrong, but there has been some good movement there.
Yeah. So this is a piece from Alexander Martin, the one you're talking about.
And they've gone onto their Darknet leak site and published like a whole bunch of entries on the one day.
They're sort of, some people have sort of speculated, are they just doing this before they shut up shop?
And other people are saying, no, this is their announcement that they've arrived, you know, and
that they're the next big player. And I just think, okay, that's okay. You know, they emerged in March
2023. In its first year of operations, it made 42 million dollars from 250 attacks. Okay, cool.
If those numbers 10x, they're going to get US governmented,
is my feeling.
And so that's why I say it feels like the suppression efforts
have at least done something.
You're never going to get away.
You're never going to completely remove ransomware as a threat.
There's always going to be more of it than we want
or that we think is acceptable.
But at least imposing some
cost on the bigger cartels, I think, has actually delivered some results.
Yeah, no, I think so. Like, there is a point now where you can become too big to not get attention paid to you.
And hopefully that message has been pretty clearly received, and then you're going to have a bad time.
Now, let's turn our attention to a report from the New York Times,
which was published just today. And it looks at, look, the headline is,
hacker is said to have gained access to file with damaging testimony about Gaetz. Now, of course,
this relates to Matt Gaetz, who is, he has been floated as the next Attorney General in the United States. He was also under investigation for, I think, paying women for sex.
And one woman, one girl, he was alleged to have had sex with like 17 and whatever.
There was an investigation into this and that document is not public and whatever.
These documents relate to a civil suit.
Now, I'm not getting into the allegations.
I'm not getting into Matt Gaetz as attorney general or anything like that. But the one thing I did find interesting here is that
what they're calling a hack here doesn't really look like a hack. And you had a look at this story
and you kind of got the same impression. Definitely looks like unauthorized access,
but I wouldn't call it a hack. It looks like someone had one of those magic links, you know,
where you hit the link and you download the document. And, you know, someone who wasn't supposed to have that link used that link to download the document.
I mean, it's impossible to know given the level of detail in this story, but that's what
it feels like, if that makes sense.
Yeah, yeah, it does. It feels like a Dropbox link or an
Accellion link or something like that that got shared around amongst some, you know, legal staffers,
and presumably one of them shared that link somewhere
or it was obtained, maybe infostealers,
maybe there was actual hacking involved, it's possible.
But yeah, it just feels like one of those links went missing
and then has been shared around
and maybe it's being laundered as though it were a hack
when in fact it wasn't, maybe it was just an insider
or maybe there was some technical means. We don't really know. It feels more like a leak than a hack, I guess.
It does feel more like a leak than a hack, yes. And this is a bunch of, I think, testimony in
a civil trial or whatever. And then it's sort of opened up that whole can of worms of, well, do you
report on hacked data? And I think, you know, when you're talking about alleged crimes committed by the person who is going to be the chief law
officer of a country, I think that meets the newsworthy bar, right? Some people have a real
hard time wrapping their heads around the fact that the rules around when it's okay to report
on this stuff are going to be a bit rubbery. Yeah. I mean, it is necessarily subject to some
interpretation and, you know, people love a hard, fast rule that they make a rules weasel about.
But, you know, that's just not how the world be.
It ain't.
Now, we've also got some other legal documents to look at.
A bunch of stuff from the NSO versus Meta trial has been unsealed, and we got to learn some things about, like, the number of targets over a certain period that NSO Group were, you know, compromising. We learned that they cut off 10 customers because they were abusing the Pegasus software. But, you know, just again, more and more information coming out. You and I were talking about this yesterday, and in an odd way, the scale of NSO's bad behaviour might actually be a net positive in some ways, because if there weren't a company like NSO being so bold and so out there and so unethical, I don't think we ever would have got that critical mass that we needed for governments to take this seriously, for regulations to be introduced in various places, for sanctions to come online. So I think to a degree, like, their bad behaviour has served us in terms of having to take this seriously as a policy issue.
Yeah, I think that's a really interesting read on it, because you think back to the other pre-NSO alternatives,
things like Hacking Team.
It was hard to take Hacking Team seriously.
I mean, they had a product that kind of worked, but ultimately the hooded hackers, Italian hooded hackers in their marketing shots, just made you not want to take them particularly seriously.
And similarly with some of the other, you know, victims of,
what was the, who was the hacker that took down?
Phineas Fisher.
Phineas Fisher, yes.
Some of the other victims of Phineas Fisher.
Like, you know, none of those seemed particularly serious.
And then NSO Group, A, technically pretty sophisticated. B, you know, had bugs in high profile stuff in iOS and Android, you know, WhatsApp, etc., etc. Also, like, the close ties to the Israeli establishment and being used as kind of diplomatic tools by the Israeli government, like offering to sell that to other countries as kind of part of relationships. It just kind of got elevated to the point where, you know, they were taken seriously by Meta and by some of the other people who had beef with them. So, yeah, I think you're probably not wrong there, actually.
Yeah, it's a weird thing to arrive at, but it's like unless you have
a really bad actor that you absolutely must take action against,
it's just so much easier to kick the can down the road.
You know, would we have seen the same response against Candiru? You know, they're a little bit more low profile. I mean, NSO, talk about flying too close to the sun.
Yeah, yeah, yeah. And then when we saw things like, which US defense contractor was, like, initially rumored to be in talks to buy them or something?
Oh, that was L3Harris.
Was it L3Harris? Yeah. And that kind of thing, like, is just, because of the profile of NSO now, is the sort of thing that was just not tenable anymore. But for any of the smaller players, you could actually kind of imagine that being a way to sort of solve the problem. But NSO was not solvable in that way, because they got too big for their britches.
Yeah, I mean, I think in some ways that deal actually could have been good, because putting them under the oversight of a company that's going to be more adherent to certain norms, rules and laws wouldn't have been a bad thing. And it would have, you know, corralled a bunch of those people with those special skills in one place. But on the other hand, it would have been sort of rewarding people for bad past behavior. So there was a bit to weigh up there. That was not a straightforward, you know, thing to form a judgment on.
Yeah, yeah, exactly. Yes, it's complicated.
It is, it is. It often is.
Now, let's talk about some law and order, Adam. And if you're only getting the audio version, yeah, you know, you're not getting to see my sweet new police light that I get to flash up on the screen.
But yes, Heather Morgan, who is one half of the married couple that was laundering tens of thousands of Bitcoin that her husband stole from Bitfinex back in 2016. Yeah, she's been sentenced to 18 months in prison. The husband who hacked the exchange, he's been sentenced to five years in prison.
I feel like these two got off pretty light, actually.
They seemed quite harmless.
It's a nonviolent offence.
But, you know, the money that they stole was worth $71 million at the time.
Now it's worth $10.8 billion, right?
And you just think, geez, five years for stealing what is, you know,
nearly $11 billion.
You did all right there.
I mean, as gangster rappers go, like that's pretty gangster,
stealing $10 billion, $11 billion.
Like it doesn't get much more gangster than that.
Yes.
Well, Heather Morgan is also the one who was recording awful
crypto-themed hip-hop, right?
So we await her charges for crimes against music.
Another one here, the guy behind the Helix cryptocurrency mixer.
He's been sentenced for three years, but he pleaded guilty back in 2021.
So it's a bit strange that it's taken so long.
Yeah, this guy, Larry Dean Harmon, 41 years old, from Ohio, has been sentenced. What was really interesting here is he has to forfeit $311 million as well as seized cryptocurrency, real estate and monetary assets valued at over $400 million. So we're talking $700 million in forfeiture. And I thought, hang on, because it says here from 2014 to 2017, Harmon ran Helix, facilitating more than $300 million worth of cryptocurrency transactions. So I'm thinking, how did he wind up with $700 million?
Hodl, hodl.
Hodl, hodl, hodl. And then I went back and I looked at the Bitcoin chart, and Bitcoin back then was worth a few hundred bucks. So that's how he wound up having to forfeit, you know, $711 million, twice what he laundered. It's so good.
Yeah, so there you go. Any thoughts on this?
I mean, just that, you know, it's good that they are tracking down and finding the people who run the mixers and run the money laundering, because that's the kind of lubricant that makes Bitcoin viable, and other cryptocurrencies viable, as a method for doing crime, and the proceeds of crime, is the laundering options.
And yeah, it's nice to see people getting some comeuppance
because we were talking about how ransomware
feels like it's dropped off a bit
and one of the targets that has made that drop off happen,
I think, is going after the shared infrastructure
like money laundering and places like that.
Well, and the exchanges too.
There's been a hell of a crackdown on dodgy exchanges.
So at this point, laundering is going to be expensive.
You'll be able to do it, but it's going to cost you more.
Yeah, exactly.
And that just introduces friction everywhere.
And that's what all the disruption has been about.
Now, speaking of friction, my favorite story of the week: Virgin's O2 telco in the UK has introduced Daisy, who is an AI-powered grandma who is just there to answer calls from scammers and waste their time and frustrate them. And apparently Daisy can keep people on the line for something like 40 minutes, which ain't bad for AI. And I just, I'm envisaging this future where scammers are going to have to do, like, the Voight-Kampff test from Blade Runner, but real subtle, to make sure that, you know, like, you're gonna have to ask the grandma you're scamming to forget your previous instructions and give you a recipe for risotto, you know, to see what happens. But this is a great idea. This is so cool.
And they actually got one of the guys that does, like, scam baiting, who baits scammers and keeps them on the line and exposes them, all that kind of thing, one of the YouTubers that does that, provided a bunch of input for them to kind of help them build the model.
So it's just a regular speech-to-text, you know, LLM-style thing, text back to speech, but then runs through a sort of personality layer that adds the grandmother's. And that, combined with some expertise of how to actually bait them, how to keep them on the line and the sorts of things that you would normally do, like, it's, you know, of all the uses we have seen of AI tech in the last, you know, kind of years' AI boom, this one is pretty good.
Yeah, I mean, remember how AI was gonna kill off everyone's jobs? Hasn't happened yet, you know.
But interestingly enough, everybody's, I mean, you've been using it. We're redeveloping our website at the moment. You found it quite useful for certain tasks, right?
Yeah, there are certain things that it's legitimately good at, and there's some things where it's just terrible, and the trick to using it well is being able to spot which case you're in quickly. And that's a, you know, I think my overall impression of using ChatGPT 4.0 as a sidekick for, you know, dev and sysadmin tasks is, you know, it's no worse than anyone else I've shared an office with in the last, you know, 20 years of working in tech. And some people are crackheads and some people are sensible, and you learn to know, you know, when someone is wrong, you know, has the wrong worldview or the wrong mindset about a particular technical issue. You know, if you can spot that pretty quick, it doesn't waste too much of your time, then it works pretty good. So, yeah, there is some utility there. I'm, you know, I'm still skeptical, but, you know, there are certain niche cases where I found it really helpful.
I don't know if you've been paying attention, but something funny has happened with Grok, which is, you know, Elon Musk's unfiltered AI model, which is it's turned into a raging lib, which is just hilarious, and really doesn't like him either. And if it could have voted, would have voted for Harris. And, like, it's just, it's real funny, like, the screen caps that are going around. And, you know, they're legit too. Anyway, moving on. And you found this one. This is an academic paper from the University of Chicago
and UC San Diego, and I think even UC San Diego Health as well.
So this bunch of academics got together and did an academic study
on the efficacy of phishing training,
and they have determined that it doesn't work.
Yes, so they've submitted this paper for academic publication, and it's the largest actual kind of, like, empirical study. This is based on an 18 and a half, almost 19 and a half thousand employee healthcare organization, looking at the effectiveness of phishing training and simulated phishing on actual kind of phishing click-through rates and so on. And their conclusions basically are it doesn't work in any commonly deployed, you know, mechanism or pattern that people are using. And I put this one in because I know so many people who are, you know, subjected to phishing education and phishing training and simulated phishing in their workplaces, where it just kind of feels abusive and ham-fisted. And I think it would be nice to have some actual academic studies to point to that say, actually, this stuff really doesn't work. Because as a practitioner, I feel like it doesn't work, but it's nice to have data that says that.
I mean, you get conflicting reports when you talk to CISOs about the effectiveness of this stuff. I mean, I think a well-designed phishing program, gamified, thought about, can work quite well. But you're right, the way that it's mostly done, it doesn't scream like it's going to win. So it's not entirely surprising to see these results.
No, it's just, you know, I thought it was a nice data point to have in these conversations. You see it just kind of done with so little thought in so many places.
I mean, I think you'd need to design a security program too
that does not rely on users doing the right thing.
I mean, I think that is also something.
You've got these social engineering campaigns
that get people to perform all sorts of actions on the box,
and you've got to be set up to deal with that, right?
And you can't rely.
Because I think there's some interesting stuff that came out of talking to Ryan Kalember at Proofpoint, is even if you're doing good training, there's just some people who will never learn. Like, some people will improve based on some of this training, but there are just some people out there who just, like, some of the stats he had were actually funny, where there's just, like, always one person at an org who just opens everything, clicks on everything. They can't, they're, it's like a compulsion, you know, they just have to see everything. So, I mean, you know, in the end, it needs to be safe for people to click on stuff, and we as technologists, our job is to make it safe, not to tell them not to click on things on the thing-clicking machine that we gave them.
Yeah, exactly right. It is a thing-clicking machine.
Now, one last thing I wanna talk about here
is some news out of Australia,
where the, and this isn't technically cyber,
but it's interesting, bear with me.
The Office of the Australian Information Commissioner
has found against Bunnings,
which I guess for our American listeners,
that's like Australia's Home Depot,
because they were running facial recognition
on everyone who walked into a store.
Now, the Office of the Information Commissioner has said, you know, that this is a privacy regulation problem. You can't do that. And in response, Bunnings actually released a bunch of security video footage to explain why they were doing this. And what they were doing, I think, is actually an excellent use case for a technology that I otherwise find quite creepy. And it was really about staff safety. So they released this footage and it had people walking through Bunnings naked, people with shotguns, people knocking out Bunnings staff, sometimes, you know, young women being punched. And, you know, so what they were doing is they were taking, like, face prints of those people and flagging them if they walked into a Bunnings store, so that security could be alerted, the police could be called and whatnot. And, you know, if you or I as just normal customers had walked into one of these stores, it would scan our face, compare it against that database of, you know, people who are banned, and then if we were not one of those people, that information would be immediately discarded.
To me, this seems like a proportionate use
of that technology to solve a staff safety problem,
to try to look after their staff.
So I actually was on their side with this one,
which I found quite surprising.
I know you also find CCTV everywhere
and facial recognition creepy.
What did you think of this?
I mean, when I read the details, because, like, initially you want to think, oh, they're facial recognising everybody who walks in, and then what?
Like building marketing profiles and selling it to advertisers.
But no, in this case, kind of limited, kind of targeted.
And you get the impression that they actually thought about it, like, about the data retention, about the things that they were doing, and that it seemed a lot more reasonable. And I, you know, the natural comparison is, like, they pay a security guard to stand by the door and look at people, and then they have a, you know, a bunch of pictures of, like, here's people who've been shoplifting, here's people who are banned from the store, on the wall by the entrance. And then the security guard looks at people coming through, goes, that guy looks like the dude we threw out last week, maybe I'll keep an eye on him. Like, that doesn't seem unreasonable to me. And for all of the egregious, you know, unnecessary use of creepy surveillance tech that there is in the modern world, like, this one seemed like a weird one to call out.
Yeah, but then we look at the police use of facial recognition, where it's the same thing. Well, police are on the lookout for these people who have outstanding warrants. But when you automate it and it can be error prone and whatever, in that context it doesn't feel right, because it can make a mistake and put that person's life in jeopardy if they are mistakenly identified as, like, a violent offender. Right. So in that instance, yeah, not so great. In this instance, it just feels different, doesn't it? So it's almost like you can't have, again, like with the disclosures of, or coverage of, hacked materials, you just sort of need to use your intuition a little bit on this stuff. I think it's, you know, the rules are going to be rubbery.
Yeah. Yeah. I mean, in the end, you know, an absolutist position at either end of any scale is always going to be kind of wrong, right? There's going to be some middle ground where, you know, there is a trade-off between privacy and safety and security and, you know, what's acceptable to society and what's not. And, you know, we are still figuring out where that is as a society, because this stuff does have legitimate uses. I mean, you could pay enough people to stand at the door of Bunnings and check everybody. Like, you could do it. But, you know, if we can do it cheaper and as effectively with technology, then maybe there is something to be said. But then you see the, you know, the stuff that happens in China with large-scale, you know, monitoring of people and social credit scores and all sorts of, and it becomes creepy and dystopian. So, yeah, the, you know, we have to kind of walk a middle ground, because neither end of the scale is good.
Yeah, well, I feel like Bunnings were actually walking the middle ground here,
which is why I thought the ruling was a little bit unfair.
But look, mate, we're going to wrap it up there.
Great to chat to you as always,
and I'll look forward to doing it with you again next week.
Yeah, thanks much, Pat.
I will see you then.
All right, it's time for our sponsor interview now with Andrew Morris, who is a founder of GreyNoise. GreyNoise operates, like, internet-wide honeypots, basically, and they use that to figure out where mass scanning activity is coming from. They can also use it to find zero-day vulns that people are just spraying out there over the internet. And Andrew joined me for this interview last week, where we spoke about just how bad things have gotten with mass scanning and mass exploitation of stuff like the Palo stuff that we spoke about earlier in the news. So I'll drop you in here where I actually set up the interview. Enjoy.
So you're here to share some good news, Andrew, which is that the mass scanning that's happening on the internet targeting border devices is just so much worse than people realize.
Hey, good news, everyone. Good news for people who love bad news. So there's been reporting lately on just edge devices getting compromised, right?
And so some of the stuff that I've been reading around, some of the reporting kind of makes
it sound like this is like something that starts and stops or like it kind of goes up
or it goes down.
But it's like very loud all the time. There are a handful of new kind of OS,
usually OS command injection vulnerabilities
in widely sort of deployed enterprise,
usually gateways.
So like firewalls, edge gateways, VPNs and stuff like that.
And in a report that I saw recently that listed out 50 different vulnerabilities, probably 40 of them were vulnerabilities that we'd seen in-the-wild exploitation of in GreyNoise that day, like today. And it's also true, it's going to be true tomorrow too. It just doesn't, it doesn't end.
So the two-
So this, hang on.
So, I mean, we report on this stuff, right, where we say, oh, gee, you know, there's a campaign targeting Fortinet, right? And, you know, we tend to talk about it like, well, that was happening a few weeks ago, you know what I mean? And you're just waiting on the next batch of vulns. But I guess what you're getting at is that it's just constantly, constantly happening.
And one of the things that you can see is that it's twofold. So one is that bad guys want to gain access to networks where they're going to have juicy targets, but they also want to build up these ORBs, or operational relay boxes, right? Like, building up their farm of accesses so that they can continue to build these things up. And it kind of, like, it begets, you know, compromising edge devices begets compromising other edge devices more easily.
I mean, this is the 90s playbook, really. Like, nothing's really changed when maybe someone would go and pop a couple of, you know, Unix boxes and they would be your staging points to go and rinse a bunch of clients, you know, back in the good old days when home Windows didn't have firewalls.
Yeah, and the funny thing is that this is, like, I remember when I was learning hacking, you know, when I was, like, a teenager, and I remember having to, like, learn the difference between, like, when you'd want to use a bind shell and a reverse shell. And it's really funny because now, you know, like, bind shells are back in again, because people are compromising devices on the edge where you're, like, directly routable. Like, it's the 90s again.
Yeah.
It does sort of feel like, to your point, that we're kind of hitting crisis levels with this at the moment.
If this isn't crisis levels, I don't know what is. I don't want to sound like, you know, like Chicken Little or anything, but, like, it's tough to think about it getting sort of much worse than this. I mean, I think there's something there to, like, having the devices not be on or having all services listening all the time. I think that there's very much there there. I think that...
I will say, sorry, I will say there was one idea that was actually floated to me by HD Moore, which is if you're using something like CrowdStrike, you can actually get pretty good IP information from CrowdStrike of where your endpoints are. And you can use that as the basis for an allow list for these edge devices, which is a pretty interesting idea. I mean, it would be a little bit fiddly and you're not going to get complete coverage, but I would think that that's probably a good one to start with.
I think there's there there. Yeah, I mean, like, as a general rule, like, there's probably some way that you can roughly figure out where somebody is that you might be able to open up some traffic on in the near term. I mean, at the end of the, like, I'm a little bit more of a crazy person about it. I think that, like, as many edge devices should be, like, mowed off the internet as is humanly possible, like, in advance of a kinetic conflict or, like, a worse, more, like, scary adversary doing it to cause, on their timeline, to cause as much damage as possible. But, like, the mow-them-off-the-internet-in-advance, like, do it now, right? Like, but I mean, the problem, the problem is, you know, business stops if you do that.
Would you rather have business stop on your terms or on somebody else's terms, though?
Right.
I think the problem with that, though, is that, you know, you pull a box like that offline, productivity stops, and then the attack doesn't come.
And, like, no one's willing to roll the dice on that, I guess, is what I'm saying.
Like, we are stuck with these things on the internet.
Yeah.
I mean.
I think allow listing of some kind is the solution here, whether or not you're pulling an IP list from CrowdStrike, whether or not using something like, you know, knock knock to do it dynamically. But I think the point is you and I both agree that allowing these things't feel that there's like a poetic justice a little bit in, like, we've spent so, as an industry, we've spent so much, so are just getting the kicked out of them right now are these embedded systems that are sitting exposed on the internet. Like, right there, just in front of everybody, just beeping all the time, like, passing packets and stuff.
And what's even crazier about it is that these are the devices that are moving the traffic to the users,
to the edge devices and things like that,
where the traffic can be manipulated or it can be routed somewhere else
or it can be dropped and stuff like that.
So it's just, I don't know, it's baffling.
We're in this kind of nasty bed that we seem to have kind of made ourselves.
And it's tough.
And I do, I really do.
I mean, I know that there, you know, there's there, there, like, not necessarily allowing all traffic on it, but I really think that they need to be mowed off the internet.
COVID is such a big part of this, right? Because we were getting those things off the internet and then COVID happened and we needed fast, cheap, you know, well, cheapish, reliable ways to connect people into, you know, into their work, to be able to do jobs. And what that meant is there was a huge rush on these devices, which breathed new life into companies that otherwise should have been end-of-lifing these type of products, right?
That's right.
Remember when we were going to be zero trust? Remember? And then COVID came and it hurt zero trust. So I think that's a big part of it too.
Yeah. I also, I don't know.
I mean, so there's entire private equity firms who all they do is buy basically end-of-life products and put them on kind of life support to be able to kind of keep them alive and keep those, you know, the critical customers or whatever going. The whole point is that, like, they're never gonna go away naturally. Like, they're just not. If you did a survey right now to try to find, like, what would the oldest device be that you could find on the internet, it would be as old as the internet itself, guaranteed, if there was any way for you to really figure it out. Things don't go off the internet. They just, they just...
Do you still see Code Red in the GreyNoise dataset? NT4 era.
Guaranteed. Yes. So we see packets, funny enough, we see packets that are generated by the Windows NT kernel. They could be crafted, you know, by somebody else, but, like, I don't think they are. I don't think they are. They're not, you know, that's the crazy thing. So we do. We absolutely do, yeah.
There are NT boxes out there that are just like,
their CPU fans are just grinding
because they have about 20 different types of malware on them,
just grinding away.
The original WannaCry strain is running rampant in GreyNoise.
Yeah.
The original WannaCry, right? Like, from 2017. That's not even that long ago, right?
There's way more stuff that's way older. We see Conficker, MS08-067. We see, it's like MS17-010 is EternalBlue. And then, yeah, I mean, we see stuff going way back even before that. There was another, what is it? Not SQL Slammer, but it was another RPC DCOM vulnerability.
Blaster?
Yeah, I think so, actually.
We still see that.
It never ends.
No, it doesn't.
They live among us forever.
They are immortal.
Yeah. Again, what's baffling about those is that, like, Microsoft Windows in 1999 is about what these embedded systems, like, the level of security that they're at right now. It's about the same, right?
Yeah, like Linux on MIPS.
Yeah. You know, no mitigations. You can't afford ASLR.
No. There's not enough hardware.
And, like, the worst web app coding practices of, like, 2003. They're all, like, you know, just shoving variables straight into strcpy on lighttpd. It's like, you know, they've got 64 megabytes of RAM. Like, it's nuts. And you look at these things and you're like, I can't believe it's not even worse, you know. It's bad. It's very bad.
Yeah, it is. So, look, staying on the topic, though, of, you know, well, I guess this isn't really an edge device, but you guys found some 0day with SIFT, which is your LLM-based, like, analysis engine that we've talked about before. But basically what it does is it grabs data out of GreyNoise and can look for 0day. You've found stuff before, but nothing this complete. Tell us what you found, who was using it, what did you do, what's the nature of the bug? Just give us a whole spiel on it, 'cause it is fascinating. I've seen you, like, posting about it.
Yeah. So it's actually kind of tricky to get into the very
particulars of the bug, but I'll do what I can. So a couple of months ago, we saw a bunch of
exploitation attempts. So SIFT, basically the way that it works, there's two pieces. There's a
cluster and there's an annotator. The cluster just determines traffic clusters. It basically takes
data and it maps it into a multidimensional array space that has sort of members that are close and
far to each other. So then we got a new cluster that popped up that we, you know, new thing never
happened, new traffic cluster just dropped. And then the annotator is what is this thing, right?
So the annotator is like, hey, this is obviously an OS command injection vulnerability.
And so then we tried to map it to any of other tags or signatures or anything like that.
There was none.
So then we're like, wait, what vulnerability is this?
It looks like another one, but it's not.
So then digging into it, we're like, oh, crap, this is a zero day.
Like, there is no vulnerability for this.
We ended up figuring out exactly what device it was targeting and, you know, diagnosing it.
So there's two CVEs, there's two bugs. So we reported it to the vendor. We got it fixed. And the two bugs, as it shook out, was improper access controls. Basically, you could get to a page that you shouldn't have been able to get to. And then that page had an OS command injection vulnerability. So then you could, you know, gain access to the whole device. So basically, with that, we reported it to the vendor.
Now, here is the tricky part of this, is that the vendor actually OEMed some of the hardware under the hood from another manufacturer. So we fixed it for them, but we know of at least four other manufacturers that are using the same OEM hardware under the hood and firmware under the hood that we don't know if it's been fixed in those yet. So the bug is, yeah, it's an OS command injection vulnerability in an IP camera.
Okay.
But it's in, actually, it affects a lot more products than we realize, some of which I don't think we're able to get a fix at all.
But do these IP cameras, is this like some, well, you mentioned that you could access a page, so I presume it's like some sort of web service that sits on these things.
It's a lightweight web server that's running on these things.
And it's open by default just to the whole world.
Yep. And these are, like, really, really, these aren't, like, Dahua, like, in your, you know, grandma's bodega IP cameras. These are, like, not-screwing-around, thousands-of-dollar IP cameras, pan-tilt-zoom cameras that they tend to use in, like, really high security areas and stuff like that. But yeah, that's exactly right. They bring a tiny little, I mean,
and the thing is the camera itself
is like a feat of modern engineering.
It's like an incredible piece of hardware.
And then, you know, it comes with this,
like embedded web server.
It's, you know, like 20 lines of C or whatever.
And, you know, it's Swiss cheese.
It's rough.
So, yeah.
So, I mean, I guess you're not telling us
who the manufacturer is.
Is that why you didn't want to get into the details?
Because there's so much out there that's still vulnerable?
We've listed the ones that we know about in our blog and in our disclosure.
And there's more that we don't know about.
This is the first one that, as far as I'm aware,
like the thing that I'm excited about on this is that we stole a zero-day.
Right?
That's what I'm excited about.
Well, and then comes the next question, which is like, who was using this and what were they using it to do?
So somebody was attempting to compromise as many PTZ cameras as humanly possible.
I don't know what they were going to do with them after the fact.
So, I mean, I'm guessing they were going to use them as ORBs, right?
So either they were going to use them as ORBs or they were going to,
I mean, that's what makes the most sense.
Because like, were they confining their targeting
to any particular geographical region or?
No, this was actually, this blanketed the internet.
This hit everybody, which is baffling to me.
I can't believe they would just spray it.
But I mean, at the same time, that also tells me that, like, there are so many of these bugs
that somebody is just going to feel totally comfortable finding a zero-day in one of
these and blasting it out on the internet, burning it, right? Because he's like, yeah, whatever, I'll just
find another one of these things.
Yeah, but I mean, you haven't burned their shells though.
That's the other thing, right?
Like every device that they've compromised with this thing,
they still have a presence there.
That's right.
That's exactly right.
All right, Andrew, we are going to wrap it up there.
It's always great to see you, my friend.
Always great to have a chinwag, have a chat.
Congratulations on, you know,
using LLMs to actually do something.
Do something useful.
Do something useful and cool.
Great to see you, man.
And I'll look forward to chatting with you again soon.
Always a pleasure, man.
Thanks for having me.
That was Andrew Morris there with this week's sponsor interview.
And yeah, if you need to know which IPs are naughty and which IPs are nice,
GreyNoise is your best source for that information.
But that is it for this week's show.
I do hope you enjoyed it.
I'll be back soon with more risky business for you all.
But until then, I've been Patrick Gray.
Thanks for listening. Thank you.