Risky Business - Risky Business #774 -- Cleo file transfer appliances under widespread attack
Episode Date: December 11, 2024

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

Cleo file transfer products have a remote code exec, here we... go again!
Snowflake phases out password-based auth
Chinese Sophos-exploit-dev company gets sanctioned
Romania’s election gets rolled back after TikTok changed the outcome
AMD’s encrypted VM tech bamboozled by RAM with one extra address bit
Some cool OpenWrt research
And much, much more.

This week’s episode is sponsored by Thinkst, who love sneaky canary token traps. Jacob Torrey previews an upcoming Black Hat talk filled with interesting operating system tricks you can use to trigger canaries in your environment. You won’t believe the third trick! Attackers hate him!

This episode is also available on YouTube.

Show notes
Cleo Software Actively Being Exploited in the Wild CVE-2024-50623 | Huntress
Blue Yonder investigating data leak claim following ransomware attack | Cybersecurity Dive
Snowflake to phase out single-factor authentication by late 2025 | Cybersecurity Dive
Treasury Sanctions Cybersecurity Company Involved in Compromise of Firewall Products and Attempted Ransomware Attacks | U.S. Department of the Treasury
Another teenage hacker charged as feds continue Scattered Spider crackdown | The Record from Recorded Future News
Germany arrests suspected admin of country’s largest criminal marketplace | The Record from Recorded Future News
FCC, for first time, proposes cybersecurity rules tied to wiretapping law | CyberScoop
Russian state hackers abuse Cloudflare services to spy on Ukrainian targets | The Record from Recorded Future News
Cloudflare’s pages.dev and workers.dev Domains Increasingly Abused for
Romania annuls presidential election over alleged Russian interference | The Record from Recorded Future News
EU demands TikTok 'freeze and preserve data' over alleged Russian interference in Romanian elections | The Record from Recorded Future News
Research Note: Meta’s Role in Romania’s 2024 Presidential Election - CheckFirst
Key electricity distributor in Romania warns of ‘cyber attack in progress’ | The Record from Recorded Future News
Backdoor slipped into popular code library, drains ~$155k from digital wallets - Ars Technica
AMD’s trusted execution environment blown wide open by new BadRAM attack - Ars Technica
New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader – PT SWARM
Telegram partners with child safety group to scan content for sexual abuse material
Apple hit with $1.2B lawsuit after killing controversial CSAM-detecting tool - Ars Technica
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security Research
How do I turn on the Do Not Track feature? | Firefox Help
Transcript
Hey everyone and welcome to another edition of the Risky Business Podcast. My name's Patrick
Gray. This is our second last show for the year. We will be shutting down from around
December 20 and everybody's taken a month off so that is going to be pretty nice. But
we've got a great show to get through today with my co-host Adam Boileau and we'll be
talking about the news in just a moment.
This week's show is brought to you by Thinkst Canary and we are joined by Jacob Torrey from Thinkst and we're going to be talking about defending off the land. Like we like to talk
about how attackers can live off the land but how can you defend off the land and you know they've
got as usual because it's Thinkst they've got some pretty good ideas and we'll be talking
through that with Jacob a little bit later on.
But let's get into the news now, Adam.
And to kick it off, I mean, here we go again with the file transfer appliances.
Yes, there are some bugs in the wild being exploited in a product by a company called Cleo,
and they have a number of file transfer-like products
that they have sold. They had some kind of security issue with the product, which they
patched, I think, back in October, but it turns out the patch is incomplete, and some people have
found a variant of it that works, and we're seeing it being used in the wild. Huntress have a write-up of the bug itself, which basically
is an unauth file upload that you can then leverage into command exec by uploading a particular kind
of crafted file to a certain place that gets processed, you know, by the, uh, the platform itself,
as, like, I think it's like some kind of health check thing where basically you could run commands.
So yeah, we've seen this being used. Uh, there is some scuttlebutt that perhaps Blue Yonder, uh, the company, the supply chain company
that got themselves ransomwared, you know, a couple of weeks ago now, uh, they may have had an instance
of this out on the internet. We don't know whether that's the cause of it, but, you know, interesting,
uh, interesting nevertheless.
Yes, and SecurityScorecard or whatever didn't pick that up.
Crazy they didn't know about the 0day in the thing, you know. Um, but, um, yeah, we're not really
sure. If so, it looks like Termite. It, you know, I'd mentioned it last week that I'd heard that it was
Termite, uh, the Termite ransomware crew, and it looks like they're a double extortion crew. They
steal data and extort it, and they also drop malware, uh, from what I can gather. So yeah, this all kind of tracks.
So kind of not clear if you're going to use a bug like this as a point of entry to then onwards
deploy malware, but it sounds like they do both. So whatever, a bug is a bug for them. And as we
know from all of the other, you know, Cl0p-style intrusions into file transfer appliances,
like this can be a pretty good business on its own.
It's funny that the three products here are Cleo Harmony,
Cleo VLTrader and Cleo LexiCom,
which are just odd names for file transfer appliances.
Like, Cleo Harmony sounds like something you find
in a pharmacy for women.
Yeah, I had never actually heard of this company before, but I believe they
are, they're an American company that was in the, like, mainframe integration space for quite a long
time, and they built products that did, you know, gluing your mainframe to your other systems kind
of thing. Um, and some of the other file transfer products have come out of similar lineage. Um, so,
you know, they've all, they all seem to have great bugs in them.
So yeah, I don't know what it is
about this particular product category
that just lends itself to old,
fairly brittle ghetto engineering.
So-
Well, but I mean, the mechanics of this bug,
as you said, it's like,
cause there's parsers everywhere and stuff like this, right?
And they're not gonna get the same level of QA
as the actual parsers from the company
that make the software. You know, like, if it's parsing a PDF, it's not going to do, like,
Adobe has a hard enough time doing that in a secure manner, right? So you can't expect, you know,
some library written by these guys to do it. I read all of Accellion's, uh, you know, file rendering and
parsing code, and boy oh boy, that was a trash heap. So yeah, exactly right, exactly. So, um, yeah, so
Termite, uh, off to the races with this. And I think, uh, what, you had a look at Shodan and there's
something like 1500 of these things out there, is that right?
Yeah, kind of 1300-ish was the number
that, uh, you know, a fairly naive Shodan search, uh, turned up. Uh, but, you know, that's, I don't know that
there were that many, you know, GoAnywhere MFTs
on the internet, and that still turned into a pretty big deal. So yeah, I imagine it's a, you
know, target-rich environment enough.
Yeah, so MOVEit, GoAnywhere MFT, there was another one, I think,
and now this one. So yeah, Accellion ones, of course, they were, you know, the granddaddy of
file transfer bugs.
Yeah, there's the IBM product, whatever that was called. Um, yeah, name, name escapes me at
the moment, but also big in financial industries. So yeah, a bunch on.
Yeah, and this sort of signals
that Termite has arrived as the new kid on the block of ransomware and data extortion, and I'm
curious to see, you know, like I've mentioned this earlier, I'm curious to see how that's going to
shake out, because we haven't seen much action from, like, a
big crew since the LockBit takedown, and I wonder if the Five Eyes agencies that are doing stuff
about this are able to respond in a timely manner, let's just put it that way. And I, you know, you hear
through the grapevine that they're having some success actually in their counter-ransomware
operations, so let's see what, what happens to said leak site. You know, I mean, if they're going to move to disrupt, like, now is a
good time, I guess, is what I'm gonna... Best of luck to the Termite peeps, because you're gonna need it.
Yeah, and, uh, happy hunting to all our friends in windowless offices. Um, now look, staying on
something kind of related like we did see a massive amount of data theft out of Snowflake instances.
That was this year, wasn't it, with the Snowflake stuff?
I think so.
It was.
And now it looks like Snowflake is just phasing out
like non-MFA auth into Snowflake tenants.
This is interesting because, you know,
there was so much detail missing
from that whole Snowflake story, right? Because it was an infostealer that grabbed, by the looks of things, cred pairs. Um, but I thought there was also discussion
that it grabbed, like, you know, tokens as well. Um, but I, yeah, I, I, I don't know. Uh, but I'm guessing,
if Snowflake is moving to block non-MFA authentication, that it probably was compromised
usernames and passwords, and people
were actually just going straight in through a browser, which is, yeah, kind of nuts. Although I
think there are command line tools as well that you can use username and pass. Either way, I'll
stop prattling on. Snowflake is crushing, like, non-MFA authentication by late 2025. That's a good
thing.
Yeah, yeah, they're going to move away from password auth. They're going to keep a single
factor where it's robust, so things, things like certificate pairs, you know, public-private key auth,
and also like federated auth.
So if you've got, you know, a SAML or some other kind of SSO integration,
then that will still keep working and assume that you've, you know,
kind of done your own MFA at that point.
But yeah, getting rid of password auth is the plan.
And then they're going to provide, you know,
I guess guidance and more robust mechanisms
for non-human authentication flows
because that's the other hard bit of credential theft
is we still need to have a non-multifactor
for non-human use cases.
So they seem to be settling on mechanisms for that.
Yeah, and that's why it got a bit muddy in my head.
And I'm sure someone pinned it down,
but I was never entirely clear
how these attackers were accessing this data,
whether they were using command line tools,
whether it was username and password
or some token-based auth, but whatever.
They're moving on and that's good.
We've got some treasury sanctions to talk about this week.
Obviously, we have covered a few times the Sophos counter-APT operation
that was pretty awesome.
We had an interview with their CISO about all of that.
So, yeah, I mean, for those who aren't familiar with the story,
basically Sophos moved to drop implants basically on people
who were doing vuln dev or exploit
dev for their products in China, and they obtained an awful lot of very juicy
intelligence and worked with authorities when they were doing that. And as a
result of that, we're seeing indictments and sanctions targeting the Sichuan
Silence Information Technology Company Limited and one of its employees, which is Guan Tianfeng.
So, yeah, that's where we are.
And I think you pointed out, though,
that this company,
Sichuan Silence Information Technology Company,
offers some pretty dystopian products.
Yeah, they provide vulnerability development
and exploit writing services,
but the Treasury press release also says they provide, quote,
public sentiment suppression products and services,
which, that's dystopian, yeah.
Yeah, that's one that makes the hairs on the back of the neck
stand up a little bit, somewhat.
But it's good to see a result there and, you know,
good way to go, Sophos.
Yeah, and I mean, I think that other vendors could well,
you know, they could model good behaviour for other vendors.
I think that would be nice.
Yeah, well, I think when I spoke to Ross, the CISO at Sophos,
he'd already spoken to some of his sort of counterparts
and other vendors and they were definitely curious about it.
And I think, you know, whether or not they pull the trigger,
I don't know, but they were like, oh, you did that, eh?
That's interesting.
And they get big ups from people for doing it.
So, you know, take that on board, other vendors.
Food for thought.
Food for thought.
We've got one here from James Reddick over at The Record,
which is another one of these Com kids has been arrested or, you know,
Scattered Spider or whatever you want to call them.
Remington Ogletree, a 19-, uh, resident of Texas and Florida. Uh, he's the sixth one to get charged here. I've, one thing I found very funny reading this is the FBI apparently went to speak
to him, I think, back in February, and he's like, yeah, no, I've got, you know, I know a lot of those
Scattered Spider people, and sort of talked about them as, like, how, you know, people that he knew, but obviously, you know, avoided implicating himself.
But then immediately went after the FBI visit to launder a bunch of cash.
And the launderer he had chosen was actually, like, the FBI pretending to be a launderer, by the looks of things.
So, you know, we asked them to mail him 75K in cash in exchange for some, uh, cryptocurrency, and, you know, they've got him now. So, uh, looks like
he's in deep doo-doo indeed. And yeah, I mean, he'd been doing it, I think, since he was 12.
Yeah, I saw
that. Yeah, started SIM swapping when he was 12 years old.
Yeah, I mean, that's a, I mean, kids, kids
these days. Like, I, you know, I'm sure I was not into that when I was 12, but you know.
Yeah, I mean, I think when all of the casino hacks
and stuff went down, was that last year?
I expected them to be arrested quickly
and that turned out to be wrong,
but it is all catching up with them.
It is finally, yeah.
It's taken a while for the wheels to turn,
but they're getting there.
Yeah, another one from The Record, this one by Daryna Antoniuk.
And we only included this one because there's a funny detail here, right?
So a guy's been arrested in Germany for running like a, you know,
drug and an online marketplace for stolen data, drugs,
and forged documents.
And like, what did he call it?
Crime Network, which is the most German thing you can,
absolutely, you know. What do you call your underground crime, you know, uh, crime website?
You call it Crime Network, because, well, that's what it is. It's a network for crime.
Yes, that was an amusing detail when we were reading through the news, trying to prepare. But yeah, just very Germanic, very matter of fact.
And yeah, now he's off to jail.
Yeah, this site had been running since 2012,
had 100,000 users and 100 sellers on the platform
and, you know, Bitcoin, Monero, the whole thing.
So we've linked through to a write-up on that.
Now, we've got a response from the FCC to the Salt Typhoon stuff, where the FCC
is proposing tying some cybersecurity rules and regulations to CALEA, which is the wiretapping
requirements. That's the Communications Assistance for Law Enforcement Act. So this is an interesting
idea, is they're saying, as part of your CALEA compliance,
you need to make your networks more secure against foreign adversaries, well, any adversary,
being able to intrude upon your network and surveil your subscribers. I've had a look at the
release from the FCC, and it's all pretty weird generic stuff, where it says that they, you know,
carriers would need to secure their
networks from unlawful access or interception of communications. That actually is accompanied by a
proposal that would require communication service providers to submit an annual certification to the
FCC attesting that they have created, updated and implemented a cybersecurity risk management plan,
which would strengthen communications from future cyber attacks. I mean, they're not doing this already?
Exactly right. Telcos already take access to that stuff pretty seriously, in my experience.
Well, but
this isn't just talking about the CALEA gear. This is talking about the network writ large, right? So,
and that's why I find it interesting, is they're tying broader requirements and regulations just
to the CALEA authority.
Yeah, I mean, you know, I guess it makes
sense, but surely it already says you have to do a reasonable job of not letting unauthorized people
in, like, that's...
Well, I don't know that it does say that, Adam, but my point is, like, you would just
think the people running the telcos would have a cybersecurity risk management plan, you know?
Exactly. So, and like the problems that telcos have, which we've talked about at length
before, you know, one more line saying that they shouldn't be so bad is not going to really help.
I mean, maybe in the, maybe, maybe overall the response to Salt Typhoon will help telcos
up the game a little bit, but it's a, there is a long tail of problems to solve in those environments.
Yeah, so that was my immediate thought,
which is it's well and good to say,
hey, you think you can work a little harder there?
But I don't know that it's...
And this isn't to say that they shouldn't do this.
It's just I would be surprised
if this yielded any sort of quick results.
You know what I mean?
Yeah, yeah, exactly.
And the CSRB obviously is going to do their review
of the Salt Typhoon situation
and come up with a bunch of recommendations.
And I'm sure something like this will be, you know,
will be part of what they're recommending.
But yeah, the problems run pretty deep.
So it needs a bit more than just a couple of sentences
of stern language.
Yeah, I think so too.
And I think it's been, who is it, CISA and the FBI saying, hey, everybody should use
over-the-top services, you know. I think maybe getting telcos to adopt things like RCS, you know,
which is a sort of encrypted messaging standard that would replace SMS, that's going to be a good
thing to do. You know, I discussed this
at great length with Chris Krebs when I was down in Sydney last week to record the last episode of
Wide World of Cyber for the year. I'm not sure when I'm going to publish that. It might actually
be in January. But a big thanks, too, to all of the listeners who came, because that was a lot of
fun. But yeah, you just sort of think
perhaps focusing on moving towards more secure services and away from relying on telcos to be
secure. Like, I don't know, that seems a better path out of this than getting the FCC to demand
that they come up with cybersecurity risk management plans.
Yeah. And I guess, ironically,
in the lawful intercept bit, which will be hampered by the
use of those over-the-top services, you know, that, that sort of, you know, is, you know, making it robust
so that people can't nick the lawful intercept, at the same time as telling people to not use
communications that can be intercepted by those things. Or we may see overhaul of intercepts to
deal with, yeah.
Look, again, I think it's important not to get tied
up in the interception equipment bit, because that wasn't the stuff that enabled the Salt Typhoon
attackers to actually monitor communications. They did not do it through the CALEA stuff, which I think
is an indication that perhaps they were scared they would get caught if they did do that.
Yeah,
surprised. But, uh, yeah, there is, it is still a bit, um, funny directing people to, you know, services that, where interception
cannot happen. So yeah, I agree. Uh, now let's talk about Cloudflare abuse. This next piece is about
something that is not entirely new, but it seems to have become workaday now. For the last several
years I've been saying that I expected malware crews to start using, you know, TLS 1.3
encrypted client hello in their C2 as a way of avoiding detection. What we're seeing instead
is something roughly equivalent, but slightly different, which is everybody's using Cloudflare
tunnels, which is a way to provision remote access to servers that might be inside your
environment. You can create a Cloudflare tunnel and do your remote access that way.
Attackers love to use these for C2, and we're seeing that the Russians are using this currently
in a campaign targeting Ukraine. Yeah, I think this was a crew based out of Crimea that's been
using this. But as you say, anything where you can proxy your connections
through a more trusted or more opaque kind of place
is really helpful.
And Cloudflare, in some respects,
is the biggest bulletproof hosting provider
because you can hide your communications
or hide your services or hide your endpoints
behind their various services.
And there's so much traffic to and from those that it's difficult to spot or to block.
And also the impact of messing with stuff that goes to Cloudflare from an availability
point of view is very high.
So it's a challenging thing for people to respond to.
And I know when Cloudflare started providing their tunnelling services, you know, that
I think we talked about it on the show at the time
because there was already kind of signs of it being used for abuse.
But yeah, it makes sense that people would use it
because, hey, it works.
And domain fronting before it kind of got killed a little bit
and then empowered again with TLS 1.3
and the replacement to ESNI, whatever that's called.
ECH, Encrypted Client Hello.
Client Hello, maybe?
Yeah, yeah, yeah.
So that's the one.
So anyway, I just think that's interesting that it's become such a thing.
And Cloudflare, for its part, are like, well, you know,
when someone reports one of these to us, we crush it.
And I don't know, man, you talk to anyone who works in CTI,
they say Cloudflare is a bit of a pain to deal with
and don't really act that much.
And it's kind of not the point, is it? If you've got them, you know,
waiting on people to report the C2 to you to crush it.
Like, I don't know.
Yeah, it's a bit late then, yes.
It is a little bit late then.
And that's not the only thing going on with Cloudflare
because people are using,
attackers are using workers.dev and,
oh, what's the other one?
Pages.dev.
Yeah, so they're using them to spin up, um, phishing sites, and of course these are sort of
trusted domains, right? So there's an advantage doing that, and that's, that's rife as well. I've
got a post here from Fortra talking about that.
Yeah, and like pages.dev is sort of a general sort
of hosting service where you can write content. workers.dev lets you build out, like, client-side
JavaScript that's distributed by the CDNs.
And in both cases, it's behind Cloudflare,
behind their TLS, behind their, you know,
very best practice, modern TLS 1.3, TLS.
So yeah, it's, you know, complicates things for defenders
and of course, attackers are going to use it.
Yeah, yeah.
So links to all of that in the show notes.
Now let's talk again about TikTok,
where TikTok took a big L in the US courts.
They had challenged the law that was passed
that would demand TikTok be divested from ByteDance.
Interesting thing, interesting detail in all of that
is the divestment has to happen before January 19.
And Donald Trump's inauguration is what, the 21st, right?
So it's very deliberately a date picked before he can be inaugurated.
That said, I mean, Trump has gone back and forth on this.
Before, previously, he wanted to ban it.
Now he's decided he really doesn't want to.
But that's what he said.
And he might change his mind again. Who knows? And even then, like, what can he do? Because this is
actually a law. I think, you know, there would probably be a way for him as president to find a
way that that law is not enforced or whatever, like, like who knows? I think, you know, his
opinion on this is, is gonna really be quite pivotal here. But TikTok has now filed an emergency motion asking an appeals
court to block the law as well. So the legal fight is, you know, going into hyperdrive at the
moment. But there's been another event which is quite relevant here, which is the Romanian
elections, right? So they had a multi, they have a multi-round election for president.
The first round, in the first round,
which was held a couple of weeks ago,
a very little known far-right, Russia-friendly candidate
named Călin Georgescu came out of nowhere to,
I think he came into the second spot, right?
The odd thing about that is this guy was all over
TikTok and no one could quite figure out why. So I've heard, you know, interviews with Romanians
on BBC, like students just saying every second video on their For You page of TikTok was this
guy, right? Talking to our colleague, Catalin Cimpanu, who is Romanian, he's just like, man,
there was something deeply suspect about the extent to which this guy was just all over TikTok.
It's like you could not open TikTok without seeing this guy.
Well, it turns out that there was some money exchanged as part of this whole, you know, online advertising stuff that violated Romania's election laws.
The Romanian Constitutional Court has actually annulled the results of the first round of the presidential election.
They're going to rerun the campaign.
Now, depending on who you talk to, you know, this is a terrible violation of the democratic process or entirely appropriate, right?
And it really depends, you know, who you talk to about that. You know, the Constitutional Court has some ties, you know,
there's former members of the ruling party, I think,
are involved there and whatever.
But either way, like, this is a very, very big deal.
The EU has demanded that TikTok freeze and preserve data involving this
because there is going to be an investigation.
And meanwhile, we've got some work here, US courts trying to, trying to fight
this law, at the same time where a European country, a NATO member, has literally annulled
its first round of election, uh, you know, its first round of its presidential election,
largely because there was a lot of manipulation on TikTok. And, and, you know, some of this was
involving botnets and, you know, accounts that
had been dormant for a long time, like lots and lots of accounts that were coming along and boosting
this content. So yeah, intrigue, craziness. You know, anyone who's suspicious might think TikTok
dragged their heels on sorting this out. And, you know, does Russia have a hand in this because
it's more allied with China? I don't know. But the fact that we're even asking these questions gives you an indication that control over TikTok is actually a big deal.
Yeah, I agree with you.
This is a really interesting, I was going to say microcosm.
And obviously it's not a microcosm for, like it's not a small thing for Romania.
But for the rest of the world, like looking on at this.
Because I know plenty of people who are on TikTok and for them, you know,
they find the platform innocuous and fun and entertaining and kind of light
by comparison to, you know,
like Facebook is filled with old people and some of the other social networks.
Facebook is just filled with content farming slop, right?
Like it's just stacked with slop.
TikTok is authentic.
It's fun.
I love TikTok.
I am a huge TikTok fan.
But if my For You feed were to instantly transform
into something where every second video was some fringe right-wing lunatic
who I'd never heard of being pumped for the Australian election,
don't know how I'd feel about it then.
Yeah.
Yeah, exactly.
And I guess it's just really interesting seeing a concrete example to point to.
And the EU's investigation will be super interesting
to see where that goes.
And the situation in America, I mean, you know,
on TikTok you already see people starting to prepare
for where are we going to go, what's going to happen, what are we going to do on this platform without all the Americans there to make it fun? You know, it is legitimately interesting to see. And one of the things I was thinking about this morning, which is slightly tangential, I guess, is in the early days of, you know, really the beginnings of really heavy censorship of the Chinese internet, one of the things that was interesting was all of the alternate language that cropped up
to avoid censorship.
Yeah, we've talked about this before
and now it's crept into the West, right?
And it's not just TikTok though.
It's not just TikTok
because people will use the term unalived
instead of murdered or killed,
because that like downranks you
when they do the voice to text and process it in their, in their giant algorithms. They're like, oh, that's sad, we want
people to have a good time on this platform, you know.
Yeah, yeah, exactly that. It's really interesting
when I was thinking back to the, you know, the grass mud horse, yes, of early Chinese internet fame. Um,
but yeah, it's interesting seeing that stuff spilling over into the West, and now seeing it spill over into annulling an election
in a major European country.
It's just really interesting.
And I don't know what's going to happen, like whether TikTok will survive,
whether it will become Oracle Talk, whether it will, you know,
threads or whatever else, whatever the –
what's the meta short video thing called?
I forget now.
There's Reels, but that's YouTube.
No, no, it's
Reels. YouTube is Shorts.
Oh yeah. I don't know, I don't know where people are gonna go, but they
all suck. That's the thing. Like, TikTok is awesome. It's so funny. Like, I love to share, share, like, my
TikTok faves are, like, my friends covet my TikTok faves, because, you know, you can bust them out, send
them over, um, because I've got my algo tuned so well for me.
It's very, very funny.
But yeah, like the whole, I mean, this just goes to show,
like this stuff is important, you know,
and it doesn't even matter if there were shenanigans.
The fact that there could have been shenanigans that, you know,
the fact that it's entirely plausible that CCP officials lent on TikTok to allow this to happen as a favour to Vladimir Putin.
Now, do I think that's what happened?
Probably not.
Is that a plausible theory?
Absolutely.
And that underscores the need for this ban.
Yes.
I agree completely.
It's probably just kind of regular manipulation as opposed to governmented, but as you say, it absolutely could be.
Yeah, that's the usual suspicion
that this is somehow connected
to a broader sort of influence
or influence campaign,
or this is the Russians getting one back
because they've annulled that election.
But there's no evidence there at all.
This is a ransomware one, isn't it?
Yeah, I think it says ransomware, yeah.
So it could absolutely be
just regular common garden ransomware.
It could be state directed.
It could be patriots.
It could be anything. The world is, the world is mad.
Yes, it's a mad, mad, mad, mad, mad, mad world. Um, now look, we, we
sort of went back and forth on whether or not to talk about this one in this week's show. It's a
report from Dan Goodin about a backdoor in a code library that resulted in a crypto theft. Pretty
small, small beer, to be honest, of $155,000, although I would not complain if someone dropped 155K on me,
uh, right now. Um, but the reason I, I wanted to talk about this one is it's just such a great
illustration of what supply chain attacks against code libraries look like in this year of our Lord 2024.
Yeah, so this was an attack on some, like, JavaScript plumbing used by the Solana blockchain.
So if you wanted to build smart contracts, this was one of the libraries that you would use to do this.
And somebody got access to an account that had code commit rights to their repo,
shipped a backdoor in it
that basically just made a web request
out with the private key material that you were using.
And this was live for like five hours
before it was snapped.
And because that ecosystem is so,
like rebuilding everything from source the whole time,
very dynamic, very modern, very hip, very DevOps,
means that you can get supply chain attacks like this into use very, very quickly.
And the fact that, like, I looked at the headline, $150K,
kind of not exciting by comparison to most crypto attacks.
But as you say, $150K, five hours, yeah, is pretty good return on investment. So, you know, there's so many things wrong with cryptocurrency as a thing, but the fact that you can do this and still make such good money so quickly, I mean, it's pretty amazing.
Yeah, but I mean this is just one class of attacker that rolls with this sort of, you know, these sort of TTPs, right?
At the moment we see it mostly targeting crypto theft.
It ain't gonna stay that way, you know?
And I feel like this is a bit of a canary
in the coal mine situation.
Yeah, I mean, the fact that crypto moves so quickly,
I think means that you can go from access
to code exec pretty quick, right?
Whereas, you know, more traditional software dev environments are a bit slower. You might end up with code exec in a dev environment somewhere, you might get it inside a, you know, developer's laptop, but it will take a while for it to get to a place where you could steal the good keys. But in the crypto world everything moves so quick, and the rest of it is also moving in that direction. So, as you say, it's a bit of a warning for our over-reliance on distributed code infrastructure.
Yeah, yeah.
We got another one here from Dan Goodin at Ars, which is looking at a way to subvert AMD's trusted execution environment.
Talk us through exactly what the researchers did here.
Yeah, so this is some research that,
I think it's out of European academics.
It's been given the name BadRAM,
which, you know, of course we have to have names these days.
But this is ultimately a really quite cunning attack
that's probably not super practical.
It's in AMD's, they call it the secure encrypted virtualization, secure nested paging.
And this is the security controls that AMD put in the CPUs to allow encrypted virtual machines to run on hardware that you might not necessarily trust.
This is to protect cloud users from cloud operators, which in this case,
the point of the control is exactly this, right?
The people who have physical access to the equipment
shouldn't necessarily be able to immediately by design
compromise the virtual machines running on their equipment.
And that's what this attack allows.
So some of the takes we've seen on social media
have been like, well, it requires physical access,
this is dumb, but the whole point of this control was to protect you against the people who do have physical access, right?
That's right, by encrypting the memory of your virtual machine so that they can't read it from the hypervisor, and then to have hardware support to prevent the hypervisor from being able to get access to that memory unencrypted, or write to it, or whatever else. And this was a bug in the kind of attestation process that you would use to detect it. And the actual mechanism by which they do it is super clever.
It is. It's very, it's sneaky and cool and simple, and I like it.
Yeah, so essentially what you do is you modify the RAM chips to over-report their size, so they report that they are double the size of what they actually are, that there is an extra address line for the amount of memory on these chips. And then what that means is you've now got two separate addresses that, as far as the memory itself is concerned, are the same thing, because it ignores the extra bit in the actual memory chips because they're not connected. So there is a way to have two addresses that refer to the same bit of memory, and then you can remap these so that the host CPU, the hypervisor, which is untrusted, can use the second copy of the address, which is different, to read and write memory of the guest, thus circumventing the control. And they actually implemented this in the hardware, and they argue that in some cases the memory controllers are kind of software patchable, you know, firmware patchable, so that you could do this even without hardware modification. But it's just a really quite clever attack, and it doesn't work on Intel's equivalent, but I think in the past might have, and then no one's quite sure about Arm yet. So it's actually legitimately interesting research, even if probably not super practical, but it's nowhere near as dumb as people have been making out on infosec socials.
Yeah. Now let's talk about some research out of Positive Technologies, of course the famous Russian security research firm. They've done some research that's a bit like some old research you did. Of course, for those who don't know, Adam developed Winlockpwn, which was a DMA-based attack against Windows, right? So you could plug something into some, you know, a peripheral in to get direct memory access through like a FireWire port. People actually later discovered that you could just plug in like a PCIe card that was a FireWire card and Windows would auto-install the drivers and you could do it that way as well. And the idea was you could manipulate memory through direct memory access, overwrite where a password was in memory and just, you know, hit enter and, um, you know, get into a computer system. Obviously there's a lot more controls against people doing that sort of thing these days, but Positive has done some research in this area and it's quite interesting.
Yeah, I mean, I guess, you know, the overall thing is if you will put a bus that can do DMA on the outside of your computer, you're going to have a bad time, and it's up to individuals to implement that bad time. So I did it with FireWire, Snare did it with Thunderbolt, other people have done it with CardBus and PCMCIA. In this case Positive have done it with SD cards, and I did not know this, but it turns out that the most recent SD card, like memory card interface, actually has support for bus mastering, so it extends a PCIe bus out the side of the machine.
The traditional SD cards used an interface called like SDIO,
which was a way to move data in and out,
but ultimately it was pretty slow.
Yeah, I was going to say, like this has to be speed, right?
For the next generation of like super fast SD cards.
Yeah, I mean, this is so that you can record,
you know, like 4K video, 8K video,
whatever else onto these cards and your cameras, transfer it onto your computers, those kinds of things.
And so yeah, the very latest standard has support for PCIe bus mastering.
And yeah, Positive did the hard work of building the hardware to actually do this.
And they made a really cute little board that looks like a train going into the side of your SD card slot.
And then you can talk to it and do bus mastering memory reads and writes, which is pretty cool. Some modern systems, and like mostly Apple stuff, does remap this kind of, these devices into a separate address space with the memory controller, which makes it so you're not getting to system RAM. That's not necessarily the case on non-Apple hardware. But yeah, I mean, this is entirely predictable. Put the bus on the outside and find out.
Yeah, that's pretty much what's going on. Which, I mean, good job Positive. It's real, you know, this is hard work to turn this into a working thing.
So yeah, no one doubts their skills.
Handing it to them. No one doubts their skills, that's for sure. We just doubt who they serve.
Telegram, I mean, it's a new platform
since Pavel Durov was arrested in France.
They have a real commitment to improving the safety of their platform
and they've just launched an initiative to tidy up
or do their best to tidy up CSAM on the Telegram platform,
which is rife. And it looks like, yeah, they're working with some sort of foundation to try to
deal with that now, which is a good thing. I mean, it's incredible how Pavel Durov gets arrested.
And then all of a sudden, some of these, you know, militant neo-Nazis, people start getting arrested, and there's all these great new initiatives. And, you know, I think he's terrified of prison and that's what this is about, but hey, I'll take it.
Yeah, I mean, in the end, like, if it works, then great. And it appears, like, at least on this one particular topic, you know, scanning for known child sex abuse material and so on and cooperating with the entities that kind of coordinate that, where traditionally Telegram just completely ignored this stuff. So the fact that they're now starting to cooperate, providing access, that's great. And, you know, if it turned out that all it took was arresting a few CEOs and threatening them, then, you know, let's arrest them all.
Let's arrest them all. And look, you know, this isn't government, this next one that we're going to talk about, and that's why I find it actually very interesting. But Apple is being sued for $1.2 billion after it killed its proposal to do client-side scanning for CSAM that was going to then go into, like,
encrypted iCloud, right? So the idea was to make encrypted iCloud safe is they push out the CSAM
scanning to the edge onto people's devices and people lost their minds. So Apple wound up pulling
the feature. Now a group of victims, so thousands of victims of CSAM, are now launching a lawsuit against Apple
over its abandonment of this feature, which is very interesting because it's a case where it's
not regulators, it's not the government, it is happening in civil court. And I'm going to be
watching this one real closely, because you get the impression this isn't people trying to get a payday, this is people trying to get a result. So I doubt this one will be settled quickly. It's probably going to go to court.
Yeah, it is interesting and unique for that aspect of it. And yeah, I don't know how this is going to go down, because they're not the sort of people that are likely to just, you know, settle for some money. Obviously, you know, Apple's got a heap of money, they can settle these things if they want to, but that is probably not what the people behind this class action are after. And it is interesting that, you know, a private company implementing controls on its devices, you know, and in this case not, like, having a lawsuit about not doing a thing. Like, it's not like they did a bad thing, they didn't do a good thing. It's, yeah, it's really interesting, so I don't know how this is going to turn out for them.
Well, I think the interesting thing here is that they had a proposal, they had a feature that they then abandoned, right? So it's not like they didn't do a thing. It's that they changed course on a thing, which I don't know if that makes it legally more sticky for Apple, but I'm sure we're going to find out. I mean, you never know the way these things go, because obviously we're not lawyers. It might make it a couple of days and then get tossed, or it might turn into a multi-year thing. We just don't know. But it is interesting. It is definitely interesting.
All right, so there's a bit of research here you wanted to talk about from Flatt Security, which is on OpenWrt. So yeah, I'm not fully across this one. Take it away, Adam.
So OpenWrt is a set of open firmware for lots of varieties of wireless access points and other kind of small embedded network devices that people use for routers and switches and so on. And this is a piece of research that ultimately resulted in the ability to kind of trojan other people's firmware images. And it's useless in the sense that no one is ever going to get hacked by this, and they fixed it in a matter of, you know, like hours after it was reported,
and they went through the logs.
And despite there not being a lot of logs,
they have no evidence that anyone's ever used it.
But it was just really interesting research.
So this person, I think a Japanese security researcher that goes by RyotaK, was looking into,
there's a cloud-based mechanism
for building OpenWrt firmware images, because making a build environment for compiling a firmware is kind of a pain. And so OpenWrt provides a mechanism for people to run, and they also themselves run a cloud service for building stuff. And you submit your build request to it, it builds you a firmware, it signs it, and, you know, with some key material from OpenWrt,
if you're using their official one,
and then you can install it on your device.
And this researcher figured out a way
to kind of control that build process,
because you can provide what list of packages you want
compiled in your firmware and other settings.
So they turned that into code exec, which is not that surprising, but it runs in a container.
And then in the process of trying to escape from that container, they figured out a bug where you could basically cause a hash collision with the result of your build process, which essentially means you could have your firmware that you control the contents of return to other people as a result of their build, thus providing custom firmware for them,
which might include your backdoors, et cetera, et cetera.
And this involved having to brute force
like part of a SHA hash that was used in the file name,
but it got truncated down to a lesser number of bits
and the researcher built some, you know,
hashcat config to brute force it
and then do a command injection.
It was just, you know, a great research story and well written up, and I think anyone who's into, you know, hacking embedded devices, it's just a fun read. So yeah, have a look.
So it's Flatt Security with two Ts, and I love at the end they put in a shameless plug: to celebrate the update of our brand new English web pages, you can currently receive a month-long investigation by our elite engineers for just $40,000. So they're branching out into the English-speaking market, Flatt Security. Welcome to the suck.
So last thing we're going to talk about today is that Firefox has abandoned the
Do Not Track feature. And look, it was always kind of silly, right, to introduce an optional do not track feature that nobody had to agree to.
But I think there would have been maybe an expectation when they launched this feature God knows how many years ago now that perhaps, you know, it was a bit of an indication to policymakers that, hey, there are these options here where browsers can set these flags. And if
you happen to, you know, come up with a regulation that says people have to respect them, maybe that
would be good. And of course, that's just not how things worked out. So without legislative or
regulatory support for a feature like this, it was never going to do anything. And this blog post
announcing the abandonment of the feature points out that Do Not Track actually in some instances makes it easier to track you, right? So they have now killed it off.
Yeah, I mean, I think you're right in your assessment. It was a nice idea, and as a user, you know, like turning on Do Not Track, it felt like at least you had a very small amount of agency. You were saying to the world, I actually don't want to participate in this, you know, tracking-based ecosystem that sells everything I do and sells me advertising and blah, blah, blah, blah.
You know, the reality is that is the world that we live in, suck it up.
Yeah.
And turning it on and off.
No one really cared.
Everyone ignored it.
And it was a nice idea, you know, kind of back in the day when Mozilla had ideals as
opposed to turning into an AI, you know, crypto junk company or whatever the hell they are now.
I haven't been following that, so that's all news to me.
I don't know.
The Mozilla Foundation has its ups and downs
and it feels like it's on a down at the moment.
Well, Chrome won the browser wars.
I mean, come on.
Even Edge is Chrome.
Yeah, I mean, it did.
Chromium and Chrome won.
And, you know, it was really important that we have another browser stack,
but Firefox's code base is so old
and Mozilla is not doing a great job of stewarding it into the future.
Well, how can they, right?
That's, I think, the question.
I've got a bit of sympathy there for someone
making a critical piece of technology
that's quite complicated and expensive to maintain and no obvious sort of business model there.
Yeah, other than being funded by Google, which, you know, a bit awks.
Here, have some irony.
Yes, exactly, exactly.
So RIP, do not track.
Yeah.
Well, we're going to wrap it up there.
And, yeah, second last show for the year, and, you know, what an end to the year we've had. You know, Bashar al-Assad has fallen in Syria, which is, you know, terrific news. I mean, who knows what's going to happen there, but for now let's just celebrate that. And, you know, we've had CEOs getting gunned down in New York by gym bros with weird politics, and, like, it just feels like, yeah, you know, it feels like 2024 is going out with a bang. Just one parting thought on the Syria thing, which is, I wonder what's going to happen to the Syrian Electronic Army people.
That's a good question. You do wonder. You do wonder if some HTS-affiliated nerd with a bone to pick is going to say, no, no, no, here's a list. We've got to get these guys.
Yeah, might be time to go somewhere else for a little bit.
Yeah, that's right.
Go hang out in Moscow with Bashar.
All right.
Well, that is it for this week's show.
Great as always, Adam.
Wonderful to chat to you, and we'll do it all again next week.
Yeah, we certainly will, Pat.
I will talk to you then.
That was Adam Boileau with this week's news segment.
Big thanks to him for that.
And yeah, just a reminder, as of after next week's show,
we're going to shut the whole thing down for about a month.
Everybody's taking a break.
It's going to be wonderful,
but there will be no Risky Business for about a month. It is time for this week's sponsor interview now with Jacob Torrey from Thinkst Canary. And, you know, Thinkst make honeypots and run alerting infrastructure for Canary tokens and do all sorts of really cool stuff. And they did some interesting work on a sensitive command token a while back, where you could set Windows machines to alert if an attacker tried to run, like, whoami, for example.
Really cool thinking.
And they've since expanded this a little bit
away from just a single feature or a single token.
And they're really talking about this concept
they're calling defending off the land.
We've all heard of living off the land, but now they're talking about defending off the land.
And I've got to say, it's really compelling stuff.
So here's Jacob Torrey to fill us in on exactly what Thinkst mean when they talk about defending off the land.
Enjoy.
So a lot of this came about from our sensitive command token that we released, I don't know, a year and a half ago, two years ago, where we kind of were able to kind of harden the Windows environment by making it where certain commands that attackers typically run, but kind of good guys don't as much.
And being able to kind of put this down as a configuration change now starts alerting on that behavior change.
And so as that evolved, we saw that that was kind of one instantiation on this spectrum of potential capabilities. And so we spent a lot of time over the last year or so looking at what are the primitives available on Windows that allow you to do hardening, improve visibility, or defending. And now we're kind of releasing almost a dozen different capabilities in various stages of: this is a product, a new Canary token.
These are some cool ideas, and here are some kind of basic scripts to start playing with it,
or here are some primitives that we think you might be able to tailor into your environment,
but it's not a kind of off-the-shelf capability like some of our other ones.
And so we're putting all those together and kind of showcasing how much there is out there for defenders built into our modern operating systems.
Why don't we just quickly recap the sensitive command token just for people who might not remember what that is?
Sure, sure. So basically, it sets up a hook to whenever a certain process is run, whatever the sensitive command is. So if you read DFIR reports, you see that they run things like whoami, or klist to get the Kerberos tickets from the domain, or nltest, which does some kind of networking authentication checks. And those are
run very rarely kind of by the blue team. And very often, you know, early on when someone lands on a
network, trying to figure out where they are and orient themselves. And so by essentially setting this up to run a debug process
when that process begins, we can then create an alert on that.
And so this is essentially a canary token that allows you to,
you know, put these traps down for attackers who land on a legitimate box
and are then trying to, you know, orient themselves
and move throughout an environment.
And that was using all existing built-in Windows debugging capabilities.
So we ship you a registry file, you install it,
and then if someone runs that application or that command, you know.
Yeah, 100%.
So that was really popular.
I remember when you guys first started talking about that,
everyone was like, hey, that's a great idea.
So it makes sense to extend that.
So you've said, you know, I've read the synopsis for your Black Hat talk and you're going to present on nine of these techniques.
I don't think we're going to have time for all nine.
And in fact, you've told me before we started recording that you've got a lot more than nine.
It's just you had to whittle them down for the talk.
But why don't you walk us through your favorite few
of these defending off the land techniques? Sure. So one of the ones I really like is
using a primitive that you can then kind of repeat across different capabilities set where
if you create a certificate that is configured as the server. So if your endpoint is hosting RDP, it can be an RDP server or a WinRM
server, you can create that certificate with certain properties. So we found that the AIA
property, which is kind of a pointer to a URL for kind of the parent certificate, so when it's going
and verifying the certificate, if you do that, the client will gladly go out and go to that URL, even if that's a Canary
Tokens URL.
And so you can configure your system to essentially serve this certificate that anytime someone
connects and does a handshake and tries to RDP into your system or WinRM into your system,
they've now made a request from the attacker side server to our Canary tokens system. We've got their client IP
address, and then we can tweak some of the permissions to actually deny actual logins or
sessions being granted over those services. So if you're not using those services, you kind of
enable it, but then deny all access, and then you serve this kind of tokened certificate. And now
anyone using that, you know, kind of gives you some visibility
when people are trying to WinRM or WMI
or PS remoting into your system.
So this is for what RDP systems,
RDP services that people aren't using?
I mean, how do you, you know,
disambiguate between people
who are legitimately using that RDP server, for example?
Yeah, so for RDP, you know, if you're not using RDP, like on your work laptop,
you could enable this or your personal laptop, you could enable this. You know, we find that,
you know, obviously with this whole defending off the land, we're not trying to replace
EDR kind of a professional, you know, agent solution. It's more about there are those
systems that are third party or they're not allowed to
be touched.
You can't install something on there.
You can't really mess with them.
These are ways where you can start to just make small configuration changes where maybe
you don't RDP into that system, but you SSH, you can enable that with the RDP.
So this isn't, it's not the case where it's like, oh, you know, this is the RDP that everyone
uses, you know, because then you're going to just be, you know, drowned in alerts.
I'm more clear now on what you mean.
Yeah, so one cute trick is, is you can essentially set up, you know, privileged access workstation where if you install the certificate into the client, the one that it would be looking up, it sees that it knows that fingerprint and it won't go to the Canary token server. So you could, if you said, okay, I'm only going to RDP in from these five workstations.
Sure. Or you could put some network logic around that as well, obviously. So, you know, anyone from
out of the country trying to do that, you can get an alert, but we've seen that backfire before.
What else have you got? Like give us some other techniques here
because I love these sort of tricks.
Yeah, so another one is projected file system.
So essentially it's a built-in FUSE type
user land file system in Windows.
And so you can create file systems out of thin air.
So we have a PowerShell script
that essentially creates a fake file system.
And then if someone is accessing it,
either it's on a server somewhere and they go in there and you can get an alert when someone's
accessing it. You can do things like tar pit where you're actually sitting in that filter driver
level, but you're running as an unprivileged user space application. So you can do fun things like
say, oh, I'm only going to give
you one byte of this file at a time, or I'm only going to numerate one of the million files that I
say is in this directory at a time, come back to me later. And you can take these red team tools
that are going and trying to, you know, grab as much stuff is there or ransomware, and you can
really bog them down and get, you know, early alerting in that perspective.
You could also create a share from these and that's a nice way to, you know, see if someone is sniffing around, you know, for a share that doesn't actually exist. And that's a fun one.
The world's most frustrating.
Happy to see.
The world's most frustrating Windows share drive, basically.
Yes.
All right, cool. Give us a couple more and then I got some different questions.
Sure, sure. So another one that's a little bit taking it differently, I guess,
is with the push for Azure and kind of this hybrid Entra ID world,
looking at things where can you start building OAuth applications or IDP applications that, you know, you know that you're
not running Salesforce in your Entry ID or your M365 dashboard, but there's an app there that
says Salesforce or GitHub. And if you click on that, so say you steal a session and you're
trying to look around and see what you get in that native M365 or Okta environment, these are
what appear to be real SSO SAML applications, but they're actually token applications, um, that you can get and see, okay, Steve just got his credentials compromised, and because Steve is trying to access the, uh, privilege manipulator, um, app.
Right, exactly.
Privilege controller. We use it for controlling privilege. Like everybody's
going to try to do something with that, right? Yeah. It's kind of a similar vein of make
something juicy that shows up in an app list. We had our Android app or the web, kind of the very
progressive web app that we released over the summer that was very popular where you could put
Chase Banking on your phone. And you know that that's not really Chase Banking,
but if someone gets on your phone
and they try to go and see your bank information,
it alerts when that opens.
It's something kind of similar,
but moving that more into the kind of M365,
Okta, IDP realm.
All right, so here's the other line of questioning now, right?
Is when I think about what you've done with Canary tokens,
similar sort of idea, right?
Which is these really simple ideas
that people never really did much of
because who wants to spin up
all of the alerting infrastructure,
make that reliable?
Like it's actually a lot of work, right?
So for those who don't know,
Thinkst operates canarytokens.org, it's all free.
So you can go and spin up Canary tokens and do all of that. And, you know, so many people use it and it's great. But, you know, without that, configuring these sort of trap doors for people, these sort of tripwires, if you will.
So like, how would you begin to sort of approach this sort of thing at scale?
Are you planning on releasing some tools that might help people introduce some of these things into, say, Windows networks where they are centrally instrumented, right?
So I'd imagine you could produce some tooling here.
Or is this more just, for the moment, an academic exercise,
I guess is the question.
It's across the spectrum.
So this is us doing research in area,
and some of these turn into products,
so some of them will be live on canarytokens.org. And these are
things where kind of like the sensitive command token, it's a registry file that when that gets
pushed out and you can push that out en masse, it includes the computer name that was being used
and the username of who was running that command. So we can encode all of that kind of dynamically.
And so all you do is you get one registry file, you push it out through GPO or SCCM or whatever tools you use. And so some of making that a very seamless, easy to scale, easy to deploy. So for example, the RDP one,
we've already brought up that it really depends. Are you trying to use RDP? Do you know which
clients are supposed to access it? And so that's one that I think is, we've built a really simple
script, which you can deploy and say, okay, for these servers, hit this Canary token with all the information.
And then you start to get that information. You can use the Canary tokens infrastructure as an
alerting mechanism, but it's going to be a little bit more kind of, all right, do I want to disable
logins for this server or not? And then which one? So it's definitely not to the level of making,
you know, to the product level. And I think that's with labs, our research
group, is we do find that we have a lot of things that we spend a bunch of time in, and maybe the
mindset of making it super quick to deploy and forget about isn't the mindset you want to be
doing when you have these more nuanced or environment-specific decisions. And so for
those ones, we're going to be releasing it
kind of as a bunch of open source scripts and tools and capabilities for people to play with.
Maybe you end up using them. Maybe you end up tweaking them. But I think that's kind of
what we're trying to show is the primitives that you can build off of. And then some of them,
of course, will become actual Canary tokens and products you can use.
Yeah. I mean, I, I, I get it. I just would have thought some of these are really useful,
but they require a little bit of sort of tracking, if that makes sense. So you've got all of the
alerting side with canarytokens.org, but at some point, you know, if you want to really go to town
with this stuff, you might need something to manage all of this. Uh, any plans there? Cause
you know, someone sets up a
whole bunch of canary look it's one thing to put canary tokens into like documents and whatever
but like if you're doing this sort of stuff really getting advanced with it and the person who set
them all up like resigns moves on you know like it all starts to get a little bit um lost in you
know lost in the cracks so i just wonder if you're ever going to introduce something that formalizes managing
and tracking the rollout
of these sort of detections.
Because I think people would love it.
Yeah, I mean, it's definitely something
we're thinking about.
Some of our tokens are kind of simple
in the sense that for our Entra ID...
But some of these aren't, right?
Which is why I'm asking about it. Yeah. Some of them kind of is one
set and forget for your organization. Others, yeah, there's going to be management. And we
launched the beta credit card token a year and a half ago, and that was our first token that
naturally expired, right? Credit cards don't last forever. We pulled that back down and we're re-releasing it again.
Now kind of the production mode. But there are kind of questions of, yeah, I mean, people are
spending time and they're maybe doing this and there's a lot of kind of human knowledge that
how do we help people do that in a much easier way? Yeah. And you want them everywhere, right?
Like a taco truck on every corner, a canary on every box, multiple canaries on every box.
Jacob Torrey, thank you so much for walking us through all of that.
A pleasure to see you again and chat to you again.
Cheers.
Thanks for having me.
That was Jacob Torrey from Thinkst Canary there.
You can find them at canary.tools.
And yeah, I love the concept.
I think we're going to see some cool products and tools out of Thinkst to do all of this,
and I think they're going to be really popular.
So that is it for this week's show.
I do hope you enjoyed it.
We'll be back next week with more security news and analysis.
But until then, I've been Patrick Gray.
Thanks for listening.