Risky Business - Risky Business #773 -- Cybercriminals are dropping like flies in Russia
Episode Date: December 4, 2024
On this week's show, Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including:
The FTC decides it's time to take another look at Microsoft ...
Exxon's opponents targeted by hackers
Russian hackers keep getting sentenced and it confuses us
The Feds recommend Signal, because throwing hackers out of telcos ain't gonna happen
A South Korean set-top-box manufacturer shipped a DDoS client for corpo-combat
And much, much more.
This week's sponsor interview is with Vijit Nair from Corelight. We talk to him about doing detection in cloud environments, and how the varied nature of cloud systems makes the old ways - network monitoring - useful in new and interesting ways.
If you're in Sydney, Pat is recording a live episode of the Wide World of Cyber with Chris Krebs on 5 December. There might still be tickets left!
This episode is also available on YouTube.
Show notes
SentinelOne: Risky Business LIVE
FTC opens Microsoft antitrust investigation | AP News
Exclusive: Exxon lobbyist investigated over hack-and-leak of environmentalist emails, sources say | Reuters
Costa Rica state energy company calls in US experts to help with ransomware attack | The Record from Recorded Future News
Blue Yonder Security Rating, Vendor Risk Report, and Data Breaches
ENGlobal IT systems impacted by ransomware attack | Cybersecurity Dive
Ransomware suspect Wazawaka reportedly arrested by Russia | The Record from Recorded Future News
Russia delivers historic life sentence to suspected founder of darknet marketplace | The Record from Recorded Future News
Vodka maker Stoli says August ransomware attack contributed to bankruptcy filing | The Record from Recorded Future News
Hacker in Snowflake Extortions May Be a U.S. Soldier – Krebs on Security
Uganda confirms cyberattack on central bank but minimizes extent of breach | The Record from Recorded Future News
U.S. officials urge Americans to use encrypted apps amid cyberattack
With Threats to Encryption Looming, Signal's Meredith Whittaker Says 'We're Not Changing' | WIRED
Japanese crypto service shuts down after theft of bitcoin worth $308 million | The Record from Recorded Future News
He Got Banned From X. Now He Wants to Help You Escape, Too | WIRED
cyberundergroundfeed on X: "🚨 Pro-Russian Group Allegedly Hacks #Australia #Melbourne Sewage System 🚨 Hackers claim to have compromised the Riversdale sewage pumping station in #Melbourne, #Australia, switching it to manual control and placing it in emergency mode."
Pump station fears rebuffed - New Zealand News - NZ Herald
NZ Navy ship runs aground off Samoa, catches fire and sinks
Transcript
Hey everyone and welcome to Risky Business. My name is Patrick thing. There's always going to be elements of like app monitoring,
something for your Kubernetes, something for your endpoints,
something to keep an eye on API calls, and of course, network data.
It's an interesting high-level chat, and that one's coming up after the news,
which starts now.
Although, I guess news for me is as soon as we're done recording today, I'm actually jumping on a plane and heading down to Sydney to record a podcast in the flesh at the Lecture Theatre of the Museum of Contemporary Art in Sydney with Mr. Chris Krebs.
And the reason I mention it is because there's still like eight to ten tickets left.
So if anyone in Sydney is listening to this and wants to come along, that's happening tomorrow at about 9 a.m.
So I will link through to the Rego link in this week's show notes, and I look forward to seeing you all there.
But Adam, the first thing I want to talk about today is the FTC opening an investigation into Microsoft, which is a huge deal,
which doesn't seem to be the subject of much discussion
in InfoSec circles, and I find that really surprising.
Why do you think that is?
It's a great question.
I mean, Microsoft is such an important part
of everybody's ecosystem and work life,
and especially InfoSec, right?
And we have all seen, you know, I
guess especially as they've moved into the cloud, the very kind of tight integration between
their security products and their business, like their business software and stuff. And, you know,
the FTC's previous, like the previous antitrust work against Microsoft really had a very long-lasting impact,
and this is back in the, like, browser wars era of, you know, Internet Explorer versus, at the time,
Firefox, I suppose. Um, and that really, you know, has shaped so much of my, how Microsoft has behaved. So
it's, it is kind of a big deal. But I guess the political uncertainty in the US at the moment about what the next administration would do with
an investigation like this is, I mean, there's so much uncertainty, I guess it's hard to
get too excited until you know the shape of that.
Yeah, I mean, we've linked through to an
Associated Press article here that's, you know, points out in the headline, FTC opens Microsoft
antitrust investigation that Trump administration must carry on or drop,
which seems, now that I think about it, a strange way to put it. But, you know, the FTC chair,
Lina Khan, you know, J.D. Vance, who's the incoming vice president, has said positive
things about her as well. So really, we don't know whether or not it will continue under the
incoming administration. But I want to talk about why it's interesting from a security person's perspective,
which is that Microsoft bundles so much stuff under E5.
Now, of course, it does have some good security products,
like Microsoft Defender is a great EDR, right?
But they also bundle an awful lot of crap.
And you've got to ask yourself,
if it weren't for their ability to bundle like this,
would anyone buy it, right?
So the thought exercise that I came up with
in terms of evaluating whether or not
Microsoft is kind of abusing its market power
is to just think, okay, say flash forward,
it's three years from now,
the FTC has mandated that Microsoft needs
to take its cybersecurity solutions business
and spin it out
into a different company. Would you buy shares in it? Right? Would you buy shares in it? Or would
you be worried that the only thing keeping a lot of its security business spinning is E5 bundling?
And I think that's the question at the core of this, right? I think it was actually Chris Krebs,
who, you know, as I pointed out, I'm interviewing him tomorrow. Once we were at a conference, actually having a drink and what did
he say? He had a line. I don't even know if it's his line, but he said, Microsoft should be in the
business of making secure products, not security products. Now, sure, he works for a company that
competes with Microsoft in the EDR space, but I think that's a sentiment, you know, I agree with,
frankly.
Yeah, I mean, certainly it would be nice if you didn't need all of those security products
and Microsoft doing a good job.
You know, there's a reason they've been refocusing
a whole bunch lately because they've been beaten
with so many sticks about their security practice.
And it's not unreasonable to say that they have moved
so quickly in the last five years into the cloud world that, you know, their good practice hasn't really caught up.
I mean, and, you know, they've got a lot of work to do.
So, yeah, I can absolutely see that argument.
Although I suppose, like, you compare to, maybe it's not reasonable to compare to Google's Alphabet Chronicle, you know, kind of that's a separate thing.
It's part of it.
It's, you know, maybe that mess is not comparable.
I don't know.
But either way, you know, Microsoft absolutely has to do better,
and I would prefer that they focused on making good products
than they did on making security products.
Well, I mean, that's the issue that we care about, right,
which is the incentives piece of this,
where they're making so much money out of selling.
You know, there was a saying I came up with,
which is Microsoft, you know, sells you a foot gun
and then sells you the bulletproof shoe, right?
And so the incentives are sort of all out of whack,
but there's not much I think the FTC can do
about that particular problem.
But what they can do is see whether
Microsoft's business practices in bundling all of this security software under its licensing schemes
is anti-competitive. And I don't think it's, I think it's a real heavy lift to show that that's
not anti-competitive, just in my view. Yeah, but I guess the other, the thing that comes to my mind
is in the cloud world where the vendor runs the software and the servers and the systems, the role of third party security products is greatly diminished.
Right. In the case of Amazon, for example.
But it's not in this case. That's the whole point.
They're selling the products. Right.
So, and they're selling it to the, the, you know, via bundling to the detriment of
their competition. That's the whole point.
I mean, yeah, I agree with you, but, like, I'm just trying
to imagine, like, say they had to spin out a bunch of their security products. Like, there are things
that you could imagine being standalone purchasable, like their EDR, like Defender for Endpoint or
whatever. But all of the things that you would be buying in your E5, that you get in your E5 bundle even if
you don't mean to buy them, a whole bunch of them are kind of things that Microsoft would have to do
anyway, that wouldn't be a standalone product that you would buy. That's just an expectation you have
of Microsoft running the service, things like providing audit logging or whatever, right?
Consuming the logging, you could buy another tool to process it and give you the data you want from
the log, the intelligence you want for logging. But there's a bunch of this stuff that's just, like, in a cloud
world, is the thing the service provider needs to and should be doing. And, you know, I think there's
an argument that Microsoft shouldn't be upselling those security features when it's as a service,
but that's kind of a different kettle of fish again. So yeah, I don't disagree.
Yeah, well, let's watch it.
I mean, you know, I think I was talking to someone who's quite informed about all of this
and I said, you know, is it a possible remedy
that they could force Microsoft
to divest their cybersecurity products division?
And they said, of course, but it's the US government
so they're going to choose something completely insane.
Instead, like, I think what is it,
the DOJ has been looking into, um, Google's behavior and wants them
to spin off Chrome, which is, like, just an insane idea on so many levels, right? Kind of dumb, yes.
Yeah, so they'll find something insane to do about it, and then we'll, we'll get on this show and talk
about how, how nuts it is. Uh, moving on to some law and order news. And Wazawaka has apparently been arrested by Russian authorities.
Of course, this is a very high profile ransomware affiliate who I believe might have developed some tools as well.
But, you know, we've seen a spate of lengthy sentences doled out to Russian cyber criminals.
We saw some rival people sentenced a while ago.
And, you know, the arrests and the sentencing, sentencings continue.
Yeah, it's kind of strange because, I mean, looking from the outside, it's, you want to have a simple
picture that explains to you why Russia be like Russia be. And, you know, most people who are, especially
ex-Russians, they have emigrated out into the West, say, look, Russia is just, it's its own thing and, you know, it doesn't
always make sense. I mean, whether this guy ends up in, you know, a special penal colony or whether he
manages to bribe his way out or whatever else, we don't really know. But it's just, it seems confusing,
um, to the outsider, and I don't know that I have more better analysis than that. I am confused by Russia.
Well, I mean, we did see
prior to the outbreak, well, prior to Russia's invasion of Ukraine, we did see that things were
kind of moving in this direction and it feels like that all stalled out, but it's sort of picking up
again. And I can't explain it either. But as you say, like everyone's addicted, everyone wants a
simple narrative here and there just isn't one, you know, life is complicated.
Russia is complicated.
So I think that explains it.
And meanwhile, they've handed down a life sentence
to the kingpin of the Hydra drug marketplace.
I mean, not technically a cybersecurity story there,
but, you know, it is an online crime.
And, you know, Russia has not done this before.
So it does seem like there is a
crackdown of sorts occurring, uh, or, you know, like a renewed focus on tackling, you know, cyber crime
and cyber-enabled crime in Russia.
Yeah, but a life sentence is certainly pretty significant, and I
don't think we've seen that before in Russia. The financial penalties that, uh, the Hydra market and
his various associates got were very small, like in the tens of thousands of dollars kind of realm,
whereas previously we've seen big fines and seizures of property and stuff,
but in this case, very small monetary amount, but life sentence.
So again, I don't understand Russia.
Yeah, yeah.
So those last stories were from Daryna Antoniuk over at The Record.
And yeah, this guy got sentenced to what I think we can call the full
Ross, full Ross. Um, but, uh, you know, we're gonna see if he actually winds up getting, uh, getting freed,
uh, next year, so that'll be interesting. Um, so let's talk about Stoli vodka filing for Chapter 11
bankruptcy protection in the United States and explaining that a big
part of the reason why they've had to do that is because of a ransomware attack that began in
August that they're not expecting to fully recover from until March next year. So, just a wild story.
Jonathan Greig has done a terrific job, as he usually does, uh, of writing this one up and sort of explaining, you know, a bit of the history
around Stoli and its battles with the Russian government,
which wanted to, like, re-nationalise Stoli
after it was spun out in the 90s or whatever.
Just a wild ride, this story, all around.
Yeah, exactly, because that was my first question
when I saw the headline.
I was like, I wonder, like, is Stoli a Russian company still,
or how does this work? And in this case, its US subsidiaries, uh, have filed for
bankruptcy after ransomware, and the original founder of, of Stoli is a Russian who fled the
country and is kind of pro-Ukraine, and at some point, uh, the Russian government nationalized or
took over some of their facilities in Russia.
They took like $100 million worth of vodka production facilities.
That was recent.
That was in March 2022.
Yeah.
They took over the last distilleries that they were still operating in Russia.
But this goes back to like 2000, this legal fight, right?
It's a tortured story. And, you know, there's no, like, evidence to say that the fact that the US, you know, entities got ransomware pretty bad, you know, whether that was kind of, you know, politically motivated as opposed to just regular common garden things getting ransomware and it's bad kind of thing.
Um, but it's certainly, this ties
back to what we were saying, right? Which is Russia is complicated and there's no simple narrative.
This could just be garden variety criminal ransomware, or it could be, you know, they're
getting their, getting their instructions from the Kremlin. You just don't know, you just don't know. Or
even just, you know, patriots, you know, if someone gets, got mad about, you know, about it and decided to do it themselves. Like, it's, yeah.
Either way, they're having a bad time
and they're going to attempt to kind of restructure
the way out of it.
So yeah, I guess good luck, good luck to them.
Now we've seen two arrests
over the Snowflake data extortions,
but there's a third suspect who's still in the wind.
And Brian Krebs wrote up a report last week looking at who this person could be.
And it looks like this person may actually be a US Army soldier who is or was recently
stationed in Korea.
So this is a bit of beautiful Krebsing here.
Yeah, yeah, definitely solid Krebsing. This
guy goes mostly by the name Kiberphant0m, and Krebs has been kind of tracking his various
previous identities and his activity across forums, has a couple of other names that he
goes by and kind of ties them all together with some social media posts or other, you know,
hack forum posts where the guy says that, you know,
at some point someone had doxed him.
They had some argument and he said,
lol, you just doxed a US military base.
So good on you, buddy.
And also there's some pictures of, you know,
like camouflage and military equipment and stuff in his post.
So it's kind of a, it's an interesting,
like, my, I guess I'm curious as to, like, if you were a serving US military person, like, if you
have enough spare time to run a cyber crime operation as well, or to be a, I mean, I guess, I
guess you must. There's a lot of hurry up and wait in the military. But it's an interesting kind of,
um, interesting yarn from Krebs, and I would not want to be the
guy. Uh, he, Krebs reached out to him, and the guy was just like, oh, lol, this was just, you know, opsec,
epic opsec troll, he's there, which is what they always say when Krebs, uh, has totally nailed
the truth about this stuff. So, aha, you took my bait to believe that my identity is not what it in fact is.
Exactly. Exactly.
Yeah.
Oh man.
But no,
I guess,
you know,
everyone's got hobbies,
right?
Like even if you're stationed on a base,
you're not working 24 seven.
No.
And how much time does it take to take,
you know,
info stealer creds and plug them into a few snowflakes.
That's true.
That's true.
Yeah.
That's a pretty fast process.
It is.
It is.
I mean,
calling these people hackers is kind of like, I don't know,
a bit of an insult to hackers.
Another one from Daryna over at The Record.
There has been a breach at the central bank in Uganda
with attackers making off with around $17 million.
I believe half of that has been frozen already by banks
where the funds were transferred to, But some of it was withdrawn.
I mean, we haven't seen one of these in a while.
The North Koreans were targeting, you know, swift terminals at central banks in places like Bangladesh years ago.
But, yeah, I mean, you don't see this every day, which I thought is a reason to mention it.
Yeah, like a whole central bank, that's a pretty juicy target. And, you know, they're not necessarily hard targets, but, you know, at the same time, you would hope that a central bank has
good quality audit and monitoring, like, so at least they would spot these things happening.
And it sounds like in this case they did spot it and they managed to claw some back.
Um, but I mean, it's just, I don't know, it's kind of, it's kind of funny in a way, like,
you know a whole central bank heist,
like you make movies about that and yet here we are with, you know,
kids or North Korean, you know, army doing it
and we don't know which, of course.
Well, I think they said it was a, was it Southeast Asians?
Yeah.
Yeah, Southeast Asian hacker group in this case has got the attribution.
But yeah, I mean, who knows?
Like someone in an internet cafe in the Philippines going,
lol, you know, here's 17 million.
But, you know, you'd think probably they're going to get busted.
Probably, yes.
Yeah.
Now let's have a look at this expose over at Reuters,
which has been written by Raphael Satter and Christopher Bing.
And by the looks of things, they've been working on this story for a very, very long time. And what they've
done is tied a lobbying group called DCI Group that did a lot of work for Exxon, the energy firm
or oil firm. They've looked at how Exxon was using DCI Group to hack activists and leak their data to the press to discredit
them when these activists were trying to prove that Exxon knew that climate change was being
caused by fossil fuels, but was being very misleading about it.
So they were trying to put together a legal case akin to the one that targeted tobacco
companies, saying that they knew that their products were causing health impacts, but were lying about it.
And, you know, this is just such an amazing look at the sort of dirty tricks that should only exist in the movies.
But, you know, it's all laid out here.
And this involves that Israeli private investigator who, I believe, was, uh, contracting some of these hacking
services to Indian firms. Like, Reuters has done a lot of coverage on that, but this whole thing ties
it together beautifully, and it's just, I gotta be honest, it's a really depressing read.
Yeah, it, it
really is. I mean, the idea of a big corporate like Exxon, you know, and in this case, you know, an environment-destroying, you know, planet-heating multinational
hiring a, you know, big money law firm
which then subcontracts out to some, you know,
like intermediate who subcontracts, who subcontracts,
and then everybody's washing their hands all the way down
until someone's email gets stolen
and then leaked and then used against them.
And then everybody along the line goes,
well, we just thought we were paying lawyers.
We didn't know we were hiring hackers-for-hire services. Um, and yeah, we had a little bit of money
set aside for opposition research, but we didn't know that we're going to do this. I mean, that's
the, you know, and that's why, like, previously when looking at some of this hacker-for-hire stuff,
um, I can't even remember who I had that conversation with, but apparently hedge funds love these,
these cutouts
that they can use to get market intelligence and whatever, right?
So, but it's just grotty.
Yeah, yeah, it really is.
And I think one of the guys who is central to the story,
in a previous case that he worked,
he said, oh, look, I just found these guys' email on the internet.
I don't know where it came from.
And I think in that case, he was tied to BellTroX,
one of the Indian hacker for hire firms.
And, you know, pretty clear where it came from.
So it's just kind of gross.
And also, you know, I really feel for, you know, environmental activists
who, you know, feel like they're being targeted by a multinational and, you know,
and having their stuff broken into.
Like it's just, you know, being hacked is kind of distressing.
You know, when you know someone's been in your email,
in your postal files, in whatever, and stole them and leaked them.
And to feel like that's happening because of a, you know,
a giant company with infinite resources and et cetera, et cetera.
Like, it just feels gross. And this was individuals in some cases, but also organizations like Greenpeace.
Yeah, so yeah, it's pretty, pretty serious business. And yeah, great reporting, um, from the team over
at Reuters too.
Yeah, I mean, you'd meet an environmentalist who might say, yeah, man, Exxon's
hacking my email, and you just say, sure, buddy. Yeah, exactly. You've been done at the pub.
On a Friday night, you'd be like, yeah, yeah, okay.
Sure, sure, sure.
You're really important.
Exxon's scared of you.
They're hacking your mail.
They're leaking it to the press to discredit you.
Sure, mate.
But it's true.
But it's true, yeah.
All right, let's move on to this next one here.
And this one is wild, man.
It's a story from Korea that our colleague,
Catalin Cimpanu, unearthed.
Talk to us about the arrests in Korea involving the chief executive,
like including the chief executive of a company that manufactured
and exported 240,000 satellite broadcast receivers.
Why would he be arrested, Adam? That's strange.
So the story in the charging notes from the Korean law enforcement is that
this set-top box company included distributed denial of service clients in its firmware for its set-top boxes that it
shipped to a quarter of a million people. And apparently it included this feature at the specific
request of its customer, who was themselves being DDoSed by some other competing Korean satellite
TV firm, and they wanted to fight the hack, so they paid to put a DDoS system into the set-top boxes. And of course, this
whole scheme is now, you know, somewhat falling apart. But, like, every time you, you see a story
like this, and especially, I think we've seen a few like this in South Korea, where, you know, the sort
of, you know, corporate-level DoS or corporate-level, like, I'm thinking it was a file sharing system,
like, appeared to be a file sharing system we were talking about a couple of months ago,
where it was a similar kind of thing, where they all got hacked and dropped malicious code on
people who are running this thing as part of that. Yeah, yeah, yeah. I remember that now.
I knew it was ringing some sort of bell. I just wasn't sure on the specifics.
Yeah. So I don't know whether, you know, I don't know what's going on in South Korea. Like
obviously they're having a bit of time, a bit of a time at the moment generally,
but it's a pretty wild story.
And I used to work with satellite TV equipment
back in a previous job at the internet service provider.
And our main vendor was South Korea.
And they sent one of their engineers over to work with me
on some Linux drivers stuff that I was working on.
And so I spent a couple of weeks locked in a room with him
working on driver code.
And we didn't really speak much language, but we both spoke nerd.
And you kind of just get a, like South Korea is kind of different.
Like it's a weird place that I don't have a whole bunch of frame of reference.
And when you've seen stories like this, yeah, it's just, you know,
sometimes things are different than we expect here in the West.
Yeah, sometimes things are a little bit more different
than you can quite wrap your head around.
Yes.
That's the way you do that?
Oh, okay, right.
I'll just have to adjust my worldview.
Yeah, exactly, exactly.
Yeah, it's a crazy one.
And yeah, the political moment in South Korea,
like, you know, woke up here in Australia
and the president's declared martial law or something
for no obvious sort of reason.
And I don't know.
I think it's all pretty much wrapping up.
But, yeah, very, very, very strange political situation and crisis in South Korea today.
Now let's talk about some ransomware stuff.
Costa Rica is having a hell of a time because a state-owned energy provider has been hit with a ransomware attack,
which has caused disruption to, I think, their accounting and whatnot.
I don't think it's disrupted oil flow, sort of much like Colonial Pipeline in that way.
So, yeah, this company, RECOPE, has been attacked.
And apparently they're bringing in some expertise from the United States to help them deal with that. And it's not obvious whether or not that is,
you know, whether they've called the State Department or Cyber Command or whatever,
because previously the US government
had given some assistance to Costa Rica
when it was being absolutely battered
with ransomware a couple of years ago.
But, you know, I would be guessing
that if you're the Costa Rican government,
you're hoping this isn't the beginning
of another ransomware crisis
because that was hectic when that happened a couple of years back.
Yeah, yeah, it certainly was.
And major energy disruptions like this are national security issues.
And, yeah, it sounds like they're back to pen and paper
for managing the records of unloading ships
and distributing fuel and so
on and so forth. So yeah, it seems, seems pretty serious. And, uh, I don't know, like, I don't know
that I want to be the person on the plane heading out to Costa Rica to try and solve this problem.
Like, that's an incident response job. That's, you know, it's pretty serious.
Yeah, now a quick update,
too, on Blue Yonder. Nothing much on their website as usual, but they have apparently restored service to a few customers, and they're continuing to work through it and whatever.
But that one ain't over.
I just wanted to point, this is, I've always
loathed these, like, security scorecard related services. That, for a while it was thought that,
you know, these type of services would help insurance companies, uh, you know, adjust premiums
and whatnot. They are basically meaningless. I, I mean, I'm sure, you know, someone with a really bad
scorecard rating is just like an incident waiting to happen, but
you can have a good rating and still get absolutely wrecked, and that's why I don't
like those ratings.
Yeah, I mean, you know, so much of the rating is going to be, like, does your website
have a certificate that gets an A on the, you know, SSL Labs score list, you know, have you ticked all
those tiny little boxes in the SSL finding pen test report. And as someone who wrote a lot of
pen test reports, we spent so much time making our SSL finding good so that it could deal with
every possible misconfiguration, not because any of them mattered from a security perspective,
but because they were the sole metric by which these kinds of external scorecard things or
people would judge your organization. So they've always seemed a bit bunkum
because you have so little visibility as an outside party
into what the reality of the inside of an organization is.
And yeah, I'm amazed that anyone still relies
on these kinds of things.
Because as you said, if there's an F rating,
like if you're terrible, then probably not great.
But anything other than that, pretty much meaningless.
Yeah, I mean, what is it my most,
the most annoying finding I can think of
out of a volume scanner is when there was one I saw
where you could force like a null cipher or something.
You could force a TLS connection that didn't encrypt.
Like if you demanded it from the client
and I'm just thinking, really?
That's a critical finding? Just wild.
I also got a bit of intel on that. Apparently, uh, as per my source,
the, and I don't know if this is out there elsewhere through the threat intel companies or whatever, but
my source tells me the Termite ransomware crew is behind the Blue Yonder incident. So
there you go. They're a relatively recent crew, uh, by the looks of things.
There's another one targeting ENGlobal,
which, this is an energy sector vendor in, is it Texas?
I think Texas, yeah.
Yeah.
So, I mean, there's been a few of these, right? So Halliburton had some sort of incident, Newpark Resources.
Hard to know how serious this one is.
I mean, they're even saying in their filings
the company has not yet determined whether the cybersecurity incident
is reasonably likely to materially impact
the company's financial condition or results of operations.
So I think with a lot of these that hit the media,
you've got to realise some of them are coming through SEC filings
where there's been an attempted incident,
it's been contained relatively quickly,
and they've moved on, but it still gets written up as like,
oh, ransomware attack, so we don't really know much there.
Yeah, those SEC filings are a great source for journalists
that want to hunt a story up,
but yeah, there's usually very little other detail.
So yeah, could be big, could be tiny,
no one can really say until, you know,
you either see some real impact
or you manage to snoop on, you know,
ransomware negotiations somewhere
and get some juicy details.
Yep.
Now we've got a write-up from Kevin Collier
over at NBC News,
and he's pointing out that, you know,
the United States government is now urging people
to use encrypted services
in order to defeat telco snooping by the Chinese as part of the Salt Typhoon campaign.
Now, I've had someone say to me on social media, oh, there's a bit of irony in us suggesting that the FBI used something like Signal to communicate with sources when the FBI is also having trouble, you know, getting those comms and complaining about it. And the reason, one of the reasons they would need to use something like Signal
is because CALEA was, you know, the lawful intercept equipment at the telcos was compromised.
That argument carries a little bit of weight, I guess, but not all that much,
given that the Salt Typhoon attackers did not actually task any interceptions via the
CALEA equipment, and even non-E2EE in this instance would have protected the communications
and the metadata. But then there's the point, which is, like, if it's non-E2EE there's going to be some
sort of CALEA interception equivalent for that service and the attackers could just go there. So, you know, I think the Salt Typhoon thing has really helped
kick along the encryption debate somewhat. And I think we all need to sit down and have a think
about what sort of access law enforcement needs, which I don't think, I mean, certainly in the
case of Australian authorities
and Australian intelligence agencies,
they're not asking for complete breaks
to stuff like Signal,
but they are asking the tech companies
to maybe meet them halfway.
We had the director general of ASIO
on the show a while ago asking,
I mean, I'm guessing it was Meta,
hey, would you mind being able to drop us
into the neo-Nazi group chats?
Which seems like a reasonable request to me
and not one that would make me feel worried about my privacy, certainly.
But it is an interesting state of affairs, isn't it?
When telco lawful intercept is one of the things being targeted
by state adversaries.
Yeah, but it's ironic, I guess, on one hand.
On the other hand, this seemed, as I've said before, like it's a very much reasonable kind of tasking for an intelligence
agency to go after lawful intercept capability and snoop on other people's stuff. But yeah, it is,
given the history of the FBI and U.S. law enforcement and their, you know, fights against E2EE and also access to end devices to circumvent E2EE.
It is a little bit ironic.
But at the same time, that really underscores the reality of it, right?
Which is these are complicated problems of balancing safety for, you know,
society as a whole with individual privacy and, you know,
the effectiveness of law enforcement and, you know,
the kind of money made by companies that can break into phones
or break into encrypted comms or whatever else.
You know, there's just a lot of equities there.
And, you know, if there was an easy answer, we would be doing it.
Yeah.
But lawful intercept at scale is never going to be 100% secure.
Never.
Exactly.
Kind of by design, it has to be able to get things
that people don't expect.
The thing that I liked about the story,
other than that, sort of the irony of it,
is the admission that telcos are just so wrecked
that they're probably never going to be able
to throw everybody out of there.
And I liked having people kind of have to say that out loud
because obviously I have feelings
about the inside of telco networks.
And accepting that truth into your heart, I think, is a beautiful thing for me to watch.
Yeah.
I mean, I don't know what the solution is going to be here.
But, you know, the status quo seems a little tense and I do expect stuff to change over the next few years.
Wyatt also has an interview with Meredith Whittaker of the Signal Foundation, which is
worth a look. One thing that she's really talking about is, well, you know, it costs 50 million dollars
a year to run Signal, and you know, there's funding challenges there. I, you know, I honestly think
people would pay for certain features for Signal. Like if you just said, if you want to use emojis
it's going to cost you five bucks a year, hey, problem solved. You know
what I mean? Like the Discord model: if you want animated GIFs you've got to pay money. And you know,
there's absolutely worse business models to fund the important work that Signal does. But also,
like, a regular cheap Signal subscription, it's not that expensive, and you know, I don't begrudge them
that money when I pay for it. Now, we spoke earlier this year about a Japanese crypto service, DMM Bitcoin.
They had an incident back in May where $308 million of cryptocurrency was stolen.
And I thought, I can't remember if I said it on the show, but I did think they're promising to make their customers whole.
And I don't know how they're going to do
that when 300 million dollars has been stolen. Turns out, yeah, that's not going to happen.
No, it looks like they are shutting down. They've handed off what remains of their assets
to some other party to manage. But yes, that 300 billion dollars, you ain't getting it back
if you were storing it in that particular exchange. The irony is it's probably worth $430
million now. So good job. I think North Koreans seems to be the theory. ZachXBT
tracked some of the money leaving it across the blockchain and said it kind of looked like
how North Koreans launder. It got split up into a bunch of $30 million chunks and then moved onwards from there. So yeah, some of it's gone through that platform in Cambodia
that we talked about as well.
So the Huione one, I think it was.
So it's been laundered through there
and presumably onwards to North Korea.
So yeah, good job, Norks.
Via a casino in Macau or however they're doing it these days.
As is traditional.
Yeah. I wonder if this will turn into another Mt. Gox situation, because I've spoken previously that someone I know, they had a little bit of, they had like, you know, a tiny amount of Bitcoin at Mt. Gox when it got hacked.
And then, of course, you know, the whole thing shut down and it wound up with the courts for years and years, which eventually determined that they needed to get their Bitcoin back instead of, you know, a percentage of the Bitcoin back rather than money, which meant everyone sort of was forced to hodl for years.
And now their twenty dollars is worth, you know, two hundred thousand dollars or whatever. So
maybe these people, you know, they're just locked into hodling, and you know, their ten percent of
their Bitcoin that they'll get to keep is going to be worth, you know, a gajillion dollars when Bitcoin hits. The whole crypto ecosystem is just so dumb.
So dumb.
Now, I want to talk a little bit about a project by Micah Lee, who has created various tools
over the years.
He has created a product that lets you do things like delete tweets with certain attributes
from your account
or wholesale delete everything.
And it's just interesting that there's,
and he's not the only one,
there's this little cottage industry of apps
that'll let you do stuff like delete your tweets,
which is, I mean, what an amazing job Musk has done
to actually create this industry, right?
Of third-party apps.
A blossoming third-party ecosystem
of people who can delete
you from his platforms. Yeah, yeah, yes, exactly. So the reason I want to mention Micah's one is
because one of the reasons I haven't used any of these apps to, like, manipulate my Twitter data or,
you know, nuke all of my DMs (I've nuked a lot of them, but did that manually) is because I haven't
trusted any of these app makers, right? Because I just don't know them. Whereas Micah Lee, he's a known quantity in this space.
And I just sort of think, well, now I'm going to feel comfortable
to go and use that product to do things to my Twitter data.
Yeah, and it's really interesting, like the actual product itself,
because originally he had written some tools to do this via the API.
And then when X shut down API access or otherwise made it kind of impractical,
he rebuilt this thing so essentially it drives a client-side browser on your machine and you
can kind of watch it clicking around. And it sits there and just points and clicks through
Twitter's interface and, you know, deals with rate limiting and all the other dumb stuff that's
happened, so that it can automate what would otherwise be a very, very long and very tedious manual process. And that's a fiddly job to do,
right? Writing something that can programmatically drive a human interface, and especially something
as bonkers as modern, you know, Twitter. It's, yeah, he's definitely done the Lord's work in
building a tool that can actually do that reliably. So yeah, I mean,
I think I'm in the same boat as you, right? Where I also have a, you know, a Twitter account that's
just sitting there fallow, but filled with content. And yeah, I also did not trust any
of the tools to do it. So this is probably what we've been looking for. Yeah. And meanwhile,
Bluesky just continues to go to the moon. You know, I think I've got like six and a half thousand followers there now. Uh, cause I think there's all these
starter packs and whatever. I mean, I got like 32,000 on Twitter, but I don't care. Like a lot
of the people who would have followed me on Twitter, you know, maybe I broke a story years
ago, like, uh, what went wrong in the Australian census and, you know, collected a bunch of
followers who just haven't paid attention really to me ever since. And, you know, that's not the point. Like a follower point is not the,
a follower count is not the point of social media, but once you get to a certain level, it's fun.
Right. And certainly, you know, I'm, I'm just stoked to have that, you know, that sort of
following on a platform like Bluesky, because when I put something out there, it results in
discussion and engagement and, you know, fun ideas, right? So definitely
that's where I am now. I don't think I've posted to Twitter in weeks now, and I'm enjoying
that. But we are going to actually link through to a tweet for this item. A friend of mine
pointed this out to me, which is one of these Russian hacktivist groups is making a lot of
noise about how they have gone after targets in Australia, right?
So one was like a stormwater pump station, apparently in Melbourne.
And they're like, we've locked it and put it into manual mode.
And the Australians are supporting the Ukro-Nazis and blah, blah, blah, blah, blah.
The thing is, they name it as the Riversdale Pump Station.
There is a Riversdale Road in like around Camberwell in Melbourne
because they say it's in Melbourne,
but I can't find any mention of a Riversdale Pump Station on the internet,
whereas there is one in New Zealand.
And I sort of wonder, did these guys land on a box in New Zealand
and think that it's Australia?
Because that'd be kind of funny.
And they also claim to have taken out some
of the industrial control systems controlling, like, a fruit and vegetable warehouse in Sydney.
But again, you know, if you do something to manipulate the temperature in an environment
like that, I'm guessing someone gets an alert and then they just go sort it out. So I just think this
is a great example of this type,
this type of hacktivism. There's been DDoSes as well. They managed to take ING down for, like, five
minutes or something, and you just sort of think, this is it? Yeah, that's the best you can do?
I mean, I know over on Between Two Nerds, our other show, where Tom and the Grugq talk, they're always
very big on how cyber doesn't actually work because it doesn't really do anything important. And this is such a great example of that. So the Riversdale in New Zealand
actually isn't far from where I live. I've been there. I've been to Riversdale Beach, which is a
very small community. And the pumping stations there, you know, like tiny by the side of the
road, like literally it's sort of a little box on the side of the road.
And there was some controversy here at one point
when those boxes were a little too tall
and people were pushing prams along, might run into them.
So they put up a fence around it.
But that doesn't seem like...
Were they visually impaired?
It doesn't seem like the world's most...
Did the boxes move?
Did you have to dodge them?
I mean, there's not even a pavement in Riversdale.
Like literally it's a grass berm with a box on it.
They've now put a fence around so you don't accidentally drive
into the cover of these pumping stations.
But I did manage to find coverage of this controversy
from the New Zealand Herald.
Headline is Pump Station Fears Rebuffed.
If you want to get an idea of what serious news is in New Zealand.
Well, maybe Riversdale is overflowing with sewage
at this very point in time.
So thanks to Russian hackers.
Now, look, just before we wrap it up,
I need to tease you about an incident
that happened in New Zealand as well,
seeing as we're talking about all things New Zealand.
Why don't you tell us?
Because, you know, we can learn about disasters
that are non-cyber, you know,
non-cyber disasters can teach us about
cyber disasters, Adam. One of your Navy ships actually ran aground, caught fire and sank.
The incident report is out now. What happened, Adam?
Yes. So the illustrious New Zealand Navy, well, obviously we're a maritime nation right in the
heart of the Pacific. And we have a long and proud history of sailing and navigation and so on.
Yeah, so our boat was near a reef in Samoa,
and it rammed the reef and sank.
And the reason it rammed the reef, it was like surveying the reef.
It was its job was to look at the reef.
And the reason it ran aground was because the thrusters on the ship were thrusting,
as you would imagine, and they wouldn't turn.
And the reason it wouldn't turn and hence drove onto the reef was they left the autopilot
on.
And whilst trying to diagnose the thruster failure that was preventing the ship from
turning, the autopilot correctly drove the ship onto the reef, which.
Yeah.
Big shout out to the Kiwi Navy on that one.
And that's like a statistically significant amount of the tonnage of our
Navy as well.
Yeah.
And actually a few months ago,
one of our ferries that connects the two main islands of New Zealand,
very creatively named North Island and the South Island,
one of the ferries that connects them together did the same thing.
Someone accidentally turned the autopilot on and drove it into the side of the channel that it was sailing down.
Boats.
New Zealand has some boat-like challenges, although I cannot tease you about boring place names,
given that I live in a country with a desert named
the Great Sandy Desert, which, you know,
creativity on that one is nil.
Mate, we are going to wrap it up there.
Great to chat to you as always.
And, yeah, we'll do it all again next week.
Thanks again.
We certainly will, Pat.
I will see you then.
That was Adam Boileau there with a check of the week's security news
and also a bit of a discussion
about the New Zealand Navy's woes.
It is time for this week's sponsor interview now
with Vijit Nair,
who is a VP of product over at Corelight, which makes the industry standard network security data sensor.
You just drop it anywhere. It's open source based and it will crunch your network data and provide you with an event stream that's actually very, very useful.
And a lot of people are now putting Corelight into their cloud environments because it is useful there.
And that's kind of the basis for this conversation, which is to really look at the state of cloud detection and response, which has not converged on to being one thing, right?
So this conversation is really about how in your cloud environments, you're going to need a little bit of everything.
You're going to need some application specific monitoring. You're going to maybe need something for your Kubernetes.
You're going to need to do some network monitoring as well, something for your endpoints. It's just
not going to be one thing. So here is Vijit Nair with that conversation. I hope you enjoy it.
As folks moved into the cloud, you know, the usual cliche security was an afterthought and all of that.
But where folks sort of went first was, can I lift and shift all security I have in my on-prem
into the cloud, right? And that naturally became, I have a firewall in here, give me a virtual
firewall that I can deploy in cloud. I have an EDR in here, give me an EDR in the cloud.
And quickly, I think what people ended up realizing was that deploying these things in the cloud, especially how cloud environments were built up
to be, which is, you know, fast moving, elastic, ephemeral, and so on. These things, if anything,
became, you know, impedance mismatch in the cloud, right? And essentially, you were forcing
engineering teams like DevOps teams to do,
you know, a lot of the nitty gritty work needed to deploy, you know, the lift and shift products
in the cloud. And that's where the model kind of ended up causing a lot of friction. And
in come, you know, folks like the Wiz and Orca of the world that, you know, landed on a fascinating
technology, agentless technology of what they call side
scanning, but essentially they can kind of copy, replicate, clone your environment, and
then go find a bunch of configuration issues, vulnerability issues, and so on in your environment
without having your DevOps teams to do a bunch of stuff, right? So that landed really well in the market as these teams were sort of migrating into the
cloud.
These tools became kind of an easy way, a SaaS-based approach, easy to use for the existing
DevOps teams to do kind of CSPM security posture management.
So that's kind of where it began.
And that's where you see kind of that burgeoning set of startups in that space. Wiz is doing great, Orca, Prisma
Cloud, and so on, have kind of really succeeded in that space. So, I mean, that's true. There's
been a lot of success in the sort of CSPM space, but we haven't seen uniform sort of detection
stacks pop up for Cloud, right? So CSPM definitely
established and vulnerability scanning configuration management and whatnot. But yeah, we don't have
much in the way of a uniform approach to doing, you know, attack detection, right? In cloud
environments. And you could roll a Corelight sensor, for example, into your cloud environment
and do your network based stuff. But nothing much sort of generic beyond that, right?
Right.
Yeah, and that's exactly the kind of mismatch between kind of where CSPM vendors are.
Like if you look at posture management, it's mostly protection-based.
It's mostly kind of doing kind of the pre-boom stuff, so to speak, right? Whereas in the detection response space,
there hasn't been sort of as much of an evolution. And I give it sort of two or three main
reasons, right? One is a lot of the organizations are still relatively early in their journey in
terms of cloud maturity. Some of the most sophisticated organizations that kind of really
invest in detection response and
really need that for their team in terms of threat hunting and detection engineering and so on
are still kind of partway through their journey, right? They're not there in terms of moving some
of their most sophisticated workloads into the cloud, but they're beginning to get there. So they
are starting to demand more and more of that from either cloud native services or from
vendors.
So now you're beginning to see almost every CSPM vendor has integrated some form of workload
protection, some form of agent-based protection that you can deploy in your Kubernetes stack,
in your VMs and stuff like that.
And then you're starting to see a whole slew of startups
that focus on CDR, ADR, like application detection response, cloud detection response, a whole slew
of startups come up in that space. And you can see Wiz sort of acquired, you know, a company sort of
very much in that space as well, right? So you're starting to see that evolution happen sort of,
you know, very quickly here as customers are starting to demand these kinds of things.
I mean, there's heaps that focus on the Kubernetes stuff, right?
So RAD is one that sponsors us, right?
They do Kubernetes stuff.
There's some good options with Linux now.
I think Sandfly Security,
they've got Rob Joyce as an advisor.
They're actually based out of New Zealand,
but they've got a very interesting Linux security product.
And, you know, as I mentioned earlier,
you can throw, like, a Corelight sensor
if you want to get that network metadata
and crunch it for security purposes,
you can do it that way.
What I find interesting though,
is that there's all that stuff
that slips through the cracks
when it comes to that native functionality
of the actual cloud platforms.
You know what I mean?
When we saw even with that hack years ago,
the Capital One hack,
which didn't really target the applications themselves.
It was like using vulnerabilities
in like Amazon's metadata service and whatnot.
And, you know, where's your detection stack for that?
Right?
So that's the part that I find really interesting
is sure we can move over those existing primitives.
Like even some of this application,
you know, event streaming stuff,
that sort of, you know, that doesn't matter whether that's on-prem or cloud.
If you instrument an application, you can run detections against it.
But, you know, there's nothing really unifying, is there, that holds it all together?
There isn't.
And part of this, you know, you could challenge the cloud security providers themselves have not sort of done a great job at establishing kind of a standard set of primitives for what it means from a security standpoint, right?
Yeah, yeah, yeah. But I mean, they'll give you access to all of the APIs with varying levels
of documentation. And then they say, you figure it out. We just do the plumbing, you know,
you can put the taps on, right?
Shared responsibility, right?
Which means it's not our problem.
We take the money part of the share and you take the responsibility part of the share.
That's exactly right.
Yeah.
But that's exactly it.
I think they've, you know, I mean, we see this kind of when our customers deploy us for network monitoring in different cloud providers, right?
The kind of access that network monitoring and network, we can get into kind of where network monitoring fits in CDR in
general. But when we go into these customers or in these cloud providers, every cloud provider
has a different sort of perspective when it comes to what does it mean to monitor network traffic
for security purposes, right? So you think, you know, AWS does VPC flow in one way, Google does
it very differently and Azure does it very differently.
And what they monitor or what they capture in terms of flow are different from one to the other.
When it comes to getting down to traffic monitoring and getting actual access to packets,
they're all very different, you know, different levels of services, different levels of cost,
how they interpret it and so on are extremely different. And that's just one example. I think
that same example exists.
Well, I mean, it is the case that just the way Azure is built made them introducing virtual network taps very difficult.
I believe they've got it mostly sorted out now,
but it's just inherent in the platform that that's hard for them.
Right.
So I hear that they have it mostly sorted out now,
but I'm not holding my breath.
Yeah.
But that has also generated a slew of
sort of other providers that are now providing solutions, you know, on top of these cloud
environments to, you know, where they can deploy in a VPC and they can meter, they can proxy all
their traffic through them so that now you can mirror off of kind of a central choke point.
So there are a bunch of other solutions that have sprung up in the ecosystem to kind of solve that problem that the cloud providers have not sort of organically solved.
But your earlier point, yeah, I mean, there isn't a clean template from a security perspective, be it network monitoring, application monitoring,
or otherwise, that has been instantiated, which is why you see, you know, a fragmented set of
startups that are trying to sort of all go at it on their own, and come up with sort of, you know,
their own interpretation of what it means to apply in the cloud security space.
I mean, I mean, I think where this is going, right, is that there's not going to be one
unified kind of approach to this sort of thing, because you do need all of those primitives,
right? Like you are going to need some sort of host-based inspection. You're going to need
some sort of application instrumentation. You're going to need some sort of network traffic
inspection. You're going to need something for your Kubernetes. And the piece that's kind of missing, I think, at the moment is
you're going to need something to do proper inspection on like API triggered events in
cloud environments, which at the moment is just a giant black hole for most organizations.
So I think we can kind of get to the point now where when it comes to cloud detection and response,
it's not going to be one thing.
Right. It's not going to be one thing, but at least if the access to the infrastructure can be slightly standardized, that sort of unlocks a whole bunch of opportunities. So one example I'll
offer is, you know, eBPF is now starting to gain a lot of traction. It's embedded in almost every
Linux player out there for every
one of these cloud providers. And interestingly enough, when you think about workload instrumentation
or network instrumentation, eBPF is a safe, easy way to instrument your workloads, be it VMs or be
it containers, and get you access to system processes, to memory, to much deeper observability than you're used to.
And guess what? It's now standardized across all cloud providers and Kubernetes running in your
data center as well. So does that provide one standard primitive that you can use for all
kinds of workload monitoring and network monitoring? That could be one approach, right?
Yeah.
You don't have something similar for application monitoring because that's still the realm
of the cloud provider.
It's bespoke, right?
It's bespoke, exactly.
And it's not just per cloud provider.
I mean, these are custom applications.
It's per service.
But I mean, even within different services within a single cloud provider, you see kind
of dramatic variances in how every service defines, you know, addition of a user, like CRUD of a user,
right? Like changes in their services. Every service is almost like designed by a different company,
even though they're all part of the same cloud service provider, right? But this is the
stuff that makes me nervous, right, is all of that, you know, cloud back-end plumbing stuff that's not
very well understood.
It's often not documented very well.
And it doesn't seem that there's a huge number of products
that can sift through that information
and give you reliable detections.
But at least we do have the network stuff,
as you're saying,
like that as a primitive has been mostly ironed out
at this point.
We do have some options for, you know,
Kubernetes, for Linux, for, you know, all sorts of sort of, you know, cloud-based hosts. But yeah,
that other stuff, as I say, it makes me a bit nervous.
Right, right, right. And honestly, the standardization across the cloud providers
is one of the biggest themes we are hearing from our customers, right? Because when
they're coming to us, their biggest challenge is almost nobody is deployed in only Azure or only
AWS or only somewhere else. So they're looking for, and their SOC teams can't learn three or four
different tools for three or four different cloud providers. So when they come to us they're usually
looking for, can you give us kind of that de facto language standard that we can now apply
across all these cloud providers so that when our SOC team is looking at data
from on-prem, from cloud, they're looking at the same thing, right?
And they're also seeing attackers kind of laterally move from on-prem
environment through their cloud exchanges into the cloud, kind of, you know,
leverage permissions or kind
of arts that they can steal, credentials that they can steal in an on-prem environment and
then laterally move into their cloud.
And being able to stitch that attacker action together with that same set of data, same
set of primitives becomes extremely important.
Well, you're preaching to the converted when it comes to the idea that maybe you should
have some traffic monitoring in your cloud environments and that you should do that in a sort of standard way
that you can stitch together with your, you know, on-prem telemetry. But
that was a fascinating conversation about all things cloud. Thank you so much for joining
us on the show to walk through all that. Let's see what the future brings. Indeed, thanks for
having me on, Patrick.
That was Vijit Nair from Corelight there. Big thanks to him for that.
And big thanks to Corelight for being this week's sponsor. We really, yeah,
I really dig Corelight and I always enjoy the interviews I do with them.
So if you need some basic network monitoring or some advanced network monitoring, they've got you covered. But that is it for this week's show.
I do hope you enjoyed it. I'll be back next week with more Risky Business for you all. But until
then, I've been Patrick Gray. Thanks for listening.