Risky Business - Risky Business #775 -- Cl0p is back, SEC hack disclosures disappoint
Episode Date: December 18, 2024

On this week's show, Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including:
The SEC's cyber incident reporting isn't very exciting after all
China Telecom on the way to being thrown out of the US
The NSA/Cybercom might get two separate hats
The Cl0p ransomware crew are back and taking responsibility for the Cleo hacks
(Yet another) File upload bug in Struts makes Java admins weep
And much, much more.

This episode is sponsored by SpecterOps, who run a pretty top notch offsec/pentest team when they're not busy making the Bloodhound Enterprise identity attack path enumeration software. SpecterOps' Robby Winchester joins to talk about how pentest has changed, and how their customers get value from their testing. This episode is also available on YouTube.

Show notes
SEC cyber incident reporting rule generates 71 filings in 11 months | Cybersecurity Dive
US senators, green groups call for accountability over hacking of Exxon critics | Reuters
Biden Administration Takes First Step to Retaliate Against China Over Hack - The New York Times
Unfinished business for Trump: Ending the Cyber Command and NSA 'dual hat' | The Record from Recorded Future News
EU opens investigation into TikTok and the Romanian election – POLITICO
Clop ransomware claims responsibility for Cleo data theft attacks
CISA warns of ransomware gangs exploiting Cleo, CyberPanel bugs | The Record from Recorded Future News
CVE-2024-55956 | AttackerKB
Apache issues patches for critical Struts 2 RCE bug • The Register
Japanese game and anime publisher reportedly pays $3 million ransom to Russia-linked hackers | The Record from Recorded Future News
Israeli spyware firm Paragon acquired by US investment group, report says | Reuters
How Cryptocurrency Turns to Cash in Russian Banks – Krebs on Security
Arizona man arrested for alleged involvement in violent online terror networks | CyberScoop
Russia bans Viber, claiming app facilitates terrorism and drug trafficking | The Record from Recorded Future News
Transcript
Hi, everyone, and welcome to Risky Business. My name is Patrick
Gray, and this is the last Risky Business Weekly episode for
2024. What a year it has been and we're going out with a bang
because we actually launched our new website last week. Head on
over to risky.biz and instead of just seeing a horrible,
horrible kind of joke website that looks kind of like it's just an RSS feed, you're actually
going to be able to find all of the work from the Risky Business team there, including written work,
podcasts, videos, all in the one place. We're pretty proud of it. So yeah, head on over to
risky.biz. I should say thank you as well to Dave Snellgrove,
who is the designer.
Also to Dylan O'Donnell,
who did a lot of the front-end web dev work.
And gee, some jerk who did all of the back-end work
by the name of Adam Boileau,
who's been slaving away,
recoding our content management system
over the last few months and did a wonderful job.
But it's nice to have that done, isn't it, Adam?
It is.
It was very nice because I was the one
who mostly interacted with it these days
because you had PTSD from our old content management system.
And yeah, I very quickly understood why.
So there was a little bit of rip and replace to go on.
After 18 years of being the person
who posted all of the content into the
Risky Business content management system, that was the first thing when you came on full-time, I said,
"I don't want to do this ever again," basically. So thank you for that. This week's show is brought
to you by SpecterOps, which of course are both a services and a product company. They make
Bloodhound Enterprise, based on their open source Bloodhound software project,
which is a really great way to do identity attack path mapping
through organizations.
And it started off just for Active Directory,
but now it does a whole bunch of stuff.
But today we're talking more about the services side of SpecterOps.
Robby Winchester works on the services side over there and he's
going to be joining us to talk about how pen testing has changed, and it really, really has.
These days it's less about trying to, you know, send someone a malicious executable and pop
a shell that way. It's getting increasingly identity centric and there's a lot of interesting
stuff in that interview, so I do hope you will all stick around for that one.
But, mate, let's get into the news now.
And we're going to start off with a brief write-up
on Cybersecurity Dive from Matt Kapko
looking at the SEC cyber incident reporting rule, right,
which everybody said was either going to result
in people covering breaches up
or, you know, just a deluge of meaningless reports. And basically,
no, it hasn't really worked out like that at all. There's been 71 filings over the last 11 months.
And most of them are just people saying, well, we had an incident. I don't know if it's material.
So it hasn't quite turned into the disaster that people said it was going to be where,
you know,
Oh my God,
it's going to eat all of our time.
And we're all going to go to prison for not appropriately disclosing
incidents.
And it's just,
it's just turned into,
you know,
hardly anything's happened with this so far.
Yeah.
And the kind of the quality of the information it's collecting,
there's some kind of questions about the utility of it.
There's quite a lot of pretty generic words,
you know, in these...
Boilerplate language in an SEC filing? No, no, that would never happen.
I mean, it's not a fire hose of disasters
like we, you know, kind of half expected. And at the same time, I mean, you know, we do love a good
disaster fire hose around here. But it's also like, is it helpful for investors
to make meaningful choices about how they invest?
I don't know that it meets that bar either.
So, you know, it's...
Well, we did see, you remember earlier this year,
we saw the SEC sort of come out and say,
issue a bit of guidance saying, well, you know, if it's not,
if you haven't determined it's material,
you don't kind of need to do the filing. So, you know,
I feel like this has, you know, there was so much hype about this,
like it was going to be the worst thing ever and onerous and whatever.
And it just hasn't turned out that way. But I mean, let's see, I mean,
maybe next year the SEC starts going nuts and, like, you know,
cracking down or something. I don't see it happening, actually.
I think this is a fairly basic requirement that's, you know,
that's just working out about how probably the SEC expected it to.
Yeah, you know, we do see people keeping an eye on those filings.
We've certainly covered a few reports, you know,
in the news of people that have been breached that we found out through their,
was it the 8K filings that they have to do.
So, you know, it has some utility for people like us.
Yeah, but for investors, I don't know.
Yeah, yeah, that's right. We've got some U.S. politicians looking at,
they're looking to investigate and, you know, they're calling for accountability
over the ExxonMobil sort of hacking allegations that we talked about last week. This is where Exxon, you know, apparently
used their lobbyists to gather information on protesters and whatnot, and they then in turn
outsourced it to some private investigator who then bought a bunch of, you know, allegedly
bought a bunch of hacking-for-hire services out of India to, like, pop these people's mailboxes and,
you know, leak damaging information, whatever. Real dirty, dirty stuff that you expect to see in movies,
not in real life.
But, you know, it looks like a couple of sort of powerful,
you know, senators and whatnot are looking at this
and saying, no, we've got to do something about this,
which is good.
This is a response you want.
Yeah, yeah, it is.
I mean, obviously, of course, the publicity firm
that Exxon used and Exxon themselves said, like, you know, we didn't do it.
It wasn't us.
We had nothing.
You know, we would never commission hacking.
No, but we would commission a private investigator
who might do that, you know, for us.
Exactly.
So, yeah, you know, some accountability seems like it would be natural.
Like, that seems natural justice to have some kind of accountability for this.
Whether that will actually happen, I'm not super confident about.
But, you know, it's nice to see them getting a bit of heat for it
because at the very least it might give other people, you know,
the slightest amount of pause before they do the same sorts of things.
Yeah, so we've got the Senate Budget Chairman Sheldon Whitehouse,
you know, natural born politician with a name like that,
you know, saying in a statement that, you know, we need to take a good long look at Exxon and its
fellow fossil fuel flunkies.
There we go.
And I think Ron Wyden's in there as well.
And a Democrat from California, Ro Khanna, talking about that one.
So, yeah, I mean, hopefully we see some comeuppance for Exxon.
But, you know, the incoming administration is not exactly hostile towards oil companies.
So, you know, I don't expect it to be a top priority.
Probably not.
Yeah, for the White House, at least.
But anyway, now let's take a look at this report from The New York Times, which, sigh, the headline is "Biden Administration Takes First Step to Retaliate Against China Over Hack." And that telecommunications firms moving to ban the few remaining operations of China Telecom in the
United States. That's not what's happening here. This is not a response to Salt Typhoon.
You talk to anyone who works in American SIGINT about China Telecom and they've been trying to
kick them out for, like, I don't know, at least half a decade, probably a decade, because...
Hive of scum and villainy.
Oh my God, the badness that emanates out of China Telecom, like,
I'm amazed they haven't been yeeted until now. But, you know, people are desperate for a hook, desperate,
desperate for an angle, and that, you know, The New York Times being The New York Times,
has just written it up like this, which is just extremely misleading.
Yeah, yeah, it is. I mean,
it's been a long time coming, and, you know, the people we've thrown out of the industry before,
you know, people like Huawei, etc., like, that was a kind of an easier sell because it was more
visible and a bit kind of more egregious, whereas being a back-end kind of telco, it's a bit less visible and people
don't see, like, you don't see Huawei shops and Huawei phones, you know, so you don't see that kind of thing
with China Telecom. So, yeah, it's taken a while to push through. But, you know, they didn't
do a whole bunch. I mean, they had really been whittled down in the U.S. over time. So, you know, there weren't a lot of options.
Well, because using the, you know, the PLA and MSS's telco of choice,
allowing it to peer into American networks is probably not a great idea, right?
No. Oh, dear. So, good riddance, I guess. And I don't know what other Chinese telcos
there are still operating in the US as well,
but probably your time is up too.
Yeah, yeah.
Well, I mean, it depends where all of the villainy goes to, right?
I think that's going to be the determining factor.
I mean, China Telecom is not being kicked out
because it's Chinese.
China Telecom is being kicked out
because that's where all the attacks come from.
You know, I think that's...
Ah, sigh. Anyway.
We got one from Martin Matishak here over at The Record, and, look, congratulations to him,
because this is absolutely a really great write-up and a great summary of what's going on. And it's
looking at how under Trump, you know, he planned to end the Cyber Command and NSA dual hat
role, where the, you know, the head of the NSA is also the head of Cyber Command.
He introduced a plan in December 2020 to end the dual hat thing.
And of course, it didn't really happen because at that point,
he was a lame duck president.
But, you know, it's back on the agenda and it's probably going to happen.
There are arguments for this.
What's funny, though, is, like, probably he's not doing it for the right reasons. But it's, look, it's going to
happen, I would, I would expect, sometime over the next four years. And I think, look, you can't make
a determination on whether or not this is a good or a bad thing until you see how they're planning
to implement it. Is it just going to be, you know, different heads? Or, you know, like, how separate are the organizations going to be?
Because it's very clear that the reason they haven't done this already is because Cyber Command's
not ready to stand on its own. So as long as they execute this right and there's, like, just different
heads and they get the management bit of it right, it could work. But God, who knows, right?
Yeah, well, that's the kind of thing with the whole Trump presidency coming in.
There's quite a lot of, well, who knows?
We're just going to have to wait and see how mad it actually is
once they start implementing things.
I mean, the relationship between the two, I guess,
like from the outside is difficult to, you know,
as an outsider, it's kind of difficult to judge
how much
disintegration there is between the two or how much integration there is, and kind of what,
to what extent this, as you say, like, there are different ways they could
implement this change, and how much effect that would have, as an outsider, is kind of hard to judge.
So we are really just going to have to wait and see how it shapes up. But certainly people inside the IC have all sorts of varied opinions about it.
So, you know, if they don't know, then neither do we.
Well, look, I think the consensus from the people I speak to in the IC is that it's just what I said earlier.
Cyber Command's not quite ready to stand on its own, which is why this hasn't happened.
So, yeah, let's see what happens, right?
Yeah, exactly.
I did a great, I published it too.
I did a great podcast with Chris Krebs.
That was the one that we recorded live in Sydney.
And, yeah, some real interesting stuff there all about China
and some interesting stuff there, some interesting insights
about the approach to US cyber under Trump
and how it was more aggressive, more defend forward, you know,
changes to NSPM-13 that allowed them to do things like target C2 nodes in, you know,
even in friendly countries and whatever.
So I think we could see, and, you know, Chris said that the intelligence community part
of Project 2025, which is the alleged policy roadmap for the Trump White House,
the intelligence part of that is actually pretty good. You know, the DOD stuff is different in tone,
but the IC stuff is good. So, you know, it's going to be a mixed bag. I mean, it's hard to look back on the Trump years and say that the cyber policy side was terrible, you know, really. Like, you
had Rob Joyce writing the executive orders, and you had CISA stand up, and, you know, a lot of good stuff.
And, you know, changes to NSPM-13.
So got to keep an open mind, I guess is what I'm saying.
Well, I hope it goes well for all of us because, you know,
it looks quite a lot of crazy as well mixed up in this.
It makes it fun, right?
I'm just sick of it that way.
Accentuate the positive, Adam.
Interesting times, yeah. Meanwhile, the European Union has opened an investigation into TikTok
over the Romanian election stuff that we talked about on the show, I think, last week.
They'd already issued some sort of data and evidence preservation order to TikTok, but
this is being taken very seriously in the EU,
given that this is the first time we've had an election
annulled over what was found to be unlawful interference
by one of the candidates.
But, I mean, I spoke about this with our colleague Tom Uren
on last week's Seriously Risky Business podcast.
You know, what were they thinking?
Like, why were they not on top of this?
Because it probably
wasn't like a state-directed thing, but it's just such incompetence to allow this to happen at such
a critical time for the company.
Yeah, yeah, exactly. It's a very sensitive time and this is absolutely
not what they need right now. You know, staring down the barrel of a ban in the U.S., you know,
investigations in the EU, like, it's a bad time to have these headlines and a bad
time, as you said, to have a historic annulling
of an election.
That's not good.
No, it's really not. And meanwhile, a detail
of Catalin, of course, one of our
colleagues, Catalin Cimpanu, he lives in Romania.
He is Romanian, and
I think there's now all of this
anti-EU propaganda
spreading on TikTok in Romania, saying that the EU had ordered the election be annulled.
Yeah, to undermine the Romanian democracy.
Yes.
Yeah.
So, I mean, still up to it.
And you would just think if you know what's good for you, you're going to stop this.
And, of course, by the time we come back in 2025, it's going to be around Trump's inauguration. Actually, we come back, like, a couple
days before that. But, like, a day after, I think, we come back on the day that TikTok is supposed
to have been divested. So next time we talk, we're going to know a little bit more. Now, to
some bread and butter infosec, and Clop is back, baby.
Yes, they have claimed responsibility for a bunch of the
attacks against the Cleo file transfer servers that have been being breached over the last couple
of weeks. They, of course, were the group behind Accellion and GoAnywhere MFT and MOVEit, most famously MOVEit,
yeah, you know, a bunch of other file transfer hacks. And they have
a, you know, they have a proven model for monetizing stealing data from file transfer systems, ransoming
it off. And apparently they have stolen so much data that they have cleared out their, like, dark
net leak portal to make room. They ran out of disk space with all of the old leaks, so they've junked
them all, said, "We're only working with new companies," which is a nice way of framing it,
because they've stolen so much data
through the Cleo bugs.
And they said they've been using
both the current Cleo bug and the earlier one.
This was initially going to,
the most recent one was written up as a variant of Twins.
Actually, that's not the case.
It's a whole new bug.
But yeah, clearly Clop have been quite busy.
Yeah. Now, initially, because
there's been some bad reporting around this, because when we spoke about it last week we were like, oh,
they're exploiting a bug that was already patched and it wasn't patched correctly. It turns out that's
not accurate. It is a new bug. Also, Huntress Labs were out there saying, tying this to Termite, which
is the ransomware crew that in turn is responsible for the Blue Yonder
incident, right? So they're saying, you know, we believe it's the same crew. Turns out, not so much.
It is Clop. There are also people saying, well, Blue Yonder ran a Cleo box on their edge, so maybe
that's how they got ransomware, and that was, you know, further meant to substantiate that Termite
was behind this. It looks like that's not right. You know, we've got Clop back now. I've heard from other sources that, you know,
the team have filled me in on this and they've spoken to their sources as well, that there's
really nothing linking Termite to this campaign. But I wonder, you know, I don't know, because I
haven't spoken to Huntress about it. I wonder if they've got a bit of intelligence that maybe ties
some of these Clop people to the Termite people, because, you know, it's all one big sort of soup of bad actors. But
it certainly looks like that original take, that it was an exploitation of a failed patch and
tied to Termite, it looks like that was bad info.
Yeah, and I can kind of see why, with the
technical aspects of the bug, because there were quite a lot of similarities between the two. The first bug that was patched was an arbitrary unauth file upload and also
read, and the way it was exploited was by uploading a shell and then reading a password file off this
to get, to be able to trigger the file that had been uploaded to it and execute. And that triggering
process required auth, so they used the read to get auth and then the write to upload a shell and
then cause it to be run. The second bug is only write, and it's quite closely related, but they
have to use a different exploitation mechanism as well, which involves, like, writing a configuration
file that subsequently led to command execution that was processed automatically.
So it was sort of a folder where you could drop configuration updates into
and they would get processed automatically.
So a little bit of very similar functionality,
but slightly different, and a whole different bug.
I think Rapid7 had a pretty good write-up of the specifics of the bug.
And it's classic Java, you know, enterprise
software, where that's so kind of, so over-architected and componentized that no one really
knows how it works anymore.
Yeah, it looks like when you're writing it.
So, yeah, standard sorts of bugs,
but, yeah, nice to actually have some concrete details now.
Yeah, so I've linked through to
Lawrence Abrams' write-up for BleepingComputer. And, yeah, I've also linked through to a report from Jonathan Greig, which looks at CISA, you
know, issuing warnings about this. I mean, I don't know if this will be as big as MOVEit. But
given the fact that we're shutting down this week and stuff, you know, normally chaos normally reigns
when we're off. Probably will be, right?
Yeah, and it certainly sounds like Clop have been pretty busy
when they were talking to
Lawrence Abrams from BleepingComputer and said, like, you know, "We have completed our project," which,
you know, in the past has meant pillaging all of the ones they could find on the internet and then
starting to drop them. So, yeah, we may be in for the traditional Risky Biz holiday times.
Well, it's funny, actually, because Clop say, well, we delete data from government agencies, from medical
clinics and stuff like that, which
is, you know, their policy, which I think, I mean, if you're going to be a responsible ransomware
actor, I mean, well, it's not right, it's data extortion. It kind of annoys me when those two
things get conflated. But I think if you're going to do this, like, at least having some scruples, like,
is, I don't know, I don't think it's bad, actually. I think that's fine. But, you know, in the Jonathan Greig write-up,
I mean, this is where we are, right,
as an industry and as a discipline,
where you've got CISA instructing
civilian government agencies
that they have to patch this by January 3.
I mean, come on, Adam.
You and I both know how many of these
are going to be left standing by January 3, right?
Yeah, I mean, I think CLOP has probably
already been through them all.
I think probably CISA should be directing people
to roll incident response.
Yeah, 100%.
And, you know, this is something that comes up
time and time again.
And it's great that CISA has the authority
to demand that agencies do this stuff.
But, like, it's too late.
It is.
It is too late.
Which is why, yeah, I mean, again,
I'm on the board of a company that's doing,
you know, zero trustee style stuff
to prevent people from being able to access these things in a pre-auth condition, right?
Because, again, that's that go-to line, which is for so long we've thought of authentication as access control, and it's not.
Because pre-auth bugs exist.
Yeah, exactly.
Especially with nasty Java enterprise.
We're like this.
And, you know, those bugs, bugs, like Rapid7 has a great analysis
and we've linked through to that one.
You dug that one up.
But you know, these bugs,
I know you and I know where your skill set is.
Like you would have found these on a review.
Like what are they doing?
Yeah, I agree.
Like I enjoyed reading the Java.
It's quite a nice throwback
because I have read a lot of enterprise Java in my time
and this is, yeah, exactly the sort of thing you find.
Just threading the needle through the file upload handling,
hitting disk and, you know, Bob is your Java uncle.
I mean, you know, most people listening to this would know,
but Adam is a, you know, pen tester
with over 20 years of experience,
who's an old hand who's, you know,
come up all the way through network and whatever
and has written DMA exploits and, you know, all sorts of stuff, but wound up with a bit
of a specialty in Java, which is quite funny, like, and it's a love-hate relationship.
Oh, yeah, it's, it's
a deep, deeply hate. I mean, I hate, hack, Java, like, it aggravates me so much that I want to
punish it.
But you're good at it. Leads to good bug hunting, yes.
Also, it's easy. I mean, Java bugs tend to be pretty easy
once you can read the Java.
Not very many people have the...
Patience.
Patience or sickness necessary to read the Java.
I've seen him do it, folks.
I've seen him do it.
I've watched him do it, and he's very good.
Now, look, talking about bugs that just get us owned.
And, you know, this is another Emperor Has No Clothes moment, just like the last one where it's like, hey, would you mind patching that by January 3rd, like weeks after they're all owned and, you know, exploits are available?
You know, this is another one where what do you do about this, right? Another critical in Apache struts, which, okay, if you're using struts in some critical application that's well-maintained, you'll just patch it and move on.
But that's not where struts tends to pop up, right?
So this is going to be a perma bug, and it's a real dumb one that, frankly, it's very surprising that this one's, like, still there to be found.
Walk us through it.
I mean, to answer your first question, what does one do?
One gets wrecked,
is what one does. Yes. About this. So Apache Struts, for those who are lucky enough not
to be enterprise Java developers, is a framework used for building Java apps from the Apache
Foundation. And it's very widely used. Like, it was one of the early kind of enterprise-scale robust web application frameworks
for Java, and everybody uses it. And it has a lot of, you know, risky functionality in it. This is a bug
in the file upload handling, and, honest to God, this is a straight-up path traversal write file
through the upload handler thing. That is just, you know, bugs like that really shouldn't exist in this day and age,
but they do. And Struts has had bugs like this in the past, and it probably will continue to
have them in the future, clearly. But the really hard thing about this is, the way that they've
patched this is by deprecating the file upload handler, like a piece of code, the controller
that handles file uploads, and saying, just don't use this. We built a new, better one that's more robust, and hopefully it is.
But the problem is, this is not a patch. This is a replace the file upload handling mechanism in
your application and recompile. And if you don't have access to the source, or you don't maintain
the source, or you're using an appliance that happens to use struts on the inside that's out of support, or you can't get a patch from the vendor,
or the vendor might not patch for months,
you're just screwed, and you can't put the stuff on the internet and survive.
There's already exploit code out there.
Like this is, I mean, it really is,
if you can find the file upload handler,
then you can dot dot slash your way to upright kind of level thing.
So there's code out there to do this, to test it, to discover them.
You're just going to have a bad time.
And we saw struts as the root cause for a heap of bugs in VMware products,
for example.
So if you are one of the customers that no longer has a great relationship
with VMware's owner Broadcom,
and you're not expecting to get patches from that, well, tough.
Yeah.
So, and there's just, like, there is so much
banking and middleware and all sorts of things that use Struts that the source code's long gone,
right? There's no development team anymore. It's abandoned. It's never going to get recompiled and
updated, and there's nothing you can do about it except not put it on the internet.
Yeah, and watch
like a hawk if your internal network has sufficient scale
that that's something you need to worry about, right?
Yeah, I mean, yeah, bad times.
Definitely, bad times all around.
But again, it's an emperor has no clothes moment
because we've got good at some stuff.
I feel like, you know, I'm in a reflective mood, right?
It's the last show of the year.
We've got reasonably good at defending Windows networks,
for example, you know, and I think we can thank... People love to crap on EDR, but properly configured EDR, you know, gets you
a long way running a Windows network, and there's a whole bunch of stuff you don't really have to
worry about anymore. An attacker is only going to get so far before they get snapped and evicted, and,
you know, you've got these all-singing, all-dancing orchestration solutions to re-image boxes and whatever. I feel like, for the first time in a long time, it is possible,
with a reasonable amount of effort, to run a reasonably secure Windows environment. But then
all this sort of stuff's out there, you know, your file transfer bug, you know, file transfer appliance
bug that you just talked about is an. And then you've got this stuff in Apache Struts,
which is a framework for making appliances
and all sorts of other stuff.
And that's an embarrassment.
And there's no, you can't just roll EDR for this.
You know, there's no simple solution here.
No, there isn't.
And I mean, you know, the Struts and Java in general,
pretty cross platform.
So it crops up on Unix boxes,
it crops up on Windows boxes. You know,
it gets into all sorts of places. And there aren't, you know, consistent controls like EDR on non-Windows
platforms, right? There are products, but they're not consistently deployed, they're not
consistently reliable, they don't have the kind of depth. Even incident response on non-Windows
platforms, you know, the tooling is just not as mature, the expertise is not as mature. Like, it's still, you know, I guess I'm reflective too, and then in the other way, like, it's all terrible still.
Yeah, different terrible.
Different terrible, which I'm glad for, because it'd be a boring career if it
was the same terrible, you know, every day for 20 years.
But, well, and I think we're going to see more
attacks targeting stuff like this that aren't just smash and grab, like data extortion, ransomware, whatever. So you look at, like, Salt Typhoon. There's no CSRB report yet, but when that lands, it's going to show
us that the attackers did not come in via the Windows networks. They came in through owning
Linux boxes, owning old telco switches, owning all that, owning a bunch of, you know, pizza box
rack-mountable crap loaded up with stuff like Struts. Like, I know, I can
feel it, I can feel it in my waters, that that's what that report is going to look like. That's how
I owned telcos, right? I didn't like going to, I don't like Windows boxes. I don't want to own Windows
users. Like, that's a terrible place to be in the network. I would much rather own Unix boxes and
have a good time. So after a long time working on sorting out, like, big deal, you know, custom web
applications and stuff and
Windows networks and whatever, like, this is the stuff that's looking juicy again, and I just think
in 2025 we're going to see more of it. Now, a report from Daryna Antoniuk over at The Record. Some
Japanese game and anime publisher has paid three million dollars to a bunch of hackers in Russia.
Now, this on its own, whatever, it's, it's, it's a day of the week sort of story. I think Japan
could be in for a rough time. And I've seen people on social media at various points over this year
sort of float a similar idea, where you've got a country with a $4.2 trillion GDP,
some very large companies, and a surprisingly immature cybersecurity posture. And I have a feeling that once these attackers figure it out,
I think Japan could be heading for some ransomware drama.
And I also think that there are other motivations
to go after companies outside of the Five Eyes alliance
in that, you know, word on the street
is that the counter-ransomware operations by the Five Eyes agencies are ongoing and actually showing some success. So I think, you know, staying away from those countries if you're an attacker would be the prudent thing to do. Japan just looks like a great target is what I'm getting at.
It does, yeah. No, I completely agree with you. And I think, you know, I think back to some of the hacks we've seen of, you know,
like a weird sort of weird for us, like Japanese specific applications
for like, you know, government document sharing and other bits
and pieces where, you know, we've seen like Chinese intelligence
and other people busting into Japanese government,
you know, Japanese corporations through really quite, you know,
bugs that are not technically, you know, crazy,
but like are there in bits of software
that are kind of crazy?
So I think it's a pretty target rich environment.
The language barrier has bought them some things.
Well, not now because of freaking AI, man.
You can do good translations.
The data machine translation and stuff
has gotten good enough that, you know,
that's not as much of an insulating factor
as it once was.
So yeah, I think Japan's a great target. I mean, when everyone was saying that AI was going to turbocharge cybercrime, I don't think they realized it was just because it would allow ransomware actors to negotiate with, like, Japanese victims, right? But it's probably where we are. God, you know, it's been a couple of years now, hasn't it? Since ChatGPT. When did they release that?
Yeah, I guess.
Yeah, I suppose it has been.
It's been a little while now.
We still have jobs, right?
Remember when I was going to replace all journalists and, you know, anyway.
I think anyone who's actually used those things for serious work will discover why it has not replaced journalists.
No, I mean, and it's funny because I always said it's a better Siri, right?
Remember I said that on the show a bunch of times. That's what I thought it was. It was a better Siri, a better interface. And what's really funny is now I'm using Apple Intelligence, which allows you to get Siri to interact with ChatGPT. So it literally is a better Siri.
At Reuters, an American firm, a US investment group,
has acquired an Israeli spyware vendor called Paragon,
which is a competitor to NSO Group.
I think this is good news.
Interestingly enough, though, this company,
it claims that it's very serious about who it does business with.
In job listings, it says that it applies strict moral restrictions on itself, an Azimuth-style approach, which is to be very careful about who they work with.
And as a result, there's an acquisition here for I think it's $500 million and then like another $400 million in incentives.
So a total deal worth about $900 million.
And this is great because we're seeing a reward for a company that's kind of
doing business the right way. And now it's going to be overseen, you know, by a US interest where
the US government will have more oversight, you know, over an American company. And we've got to
find jobs for these, all of these very talented people in Israel, because if they don't get
folded into quote unquote our system,
they're going to work somewhere.
And it might be for the next NSO style company
that's selling all of its stuff to God knows who.
So in my mind, this is a positive story.
Yeah, I think I'm inclined to agree with you.
I know that we have listeners who are of the opinion
that all spyware is bad.
Like the capability itself is too tempting to not be abused. But I think you are right. Like, much like we, you know, gave jobs to Nazi rocket scientists or ex-Russian, you know, weapons developers or stuff at the end of the Cold War, to stop them from going and working for everybody else, because, like, you look at the source...
Hey guys, how about we try to go to the moon instead?
Yes. Yeah, exactly. You guys love that.
Yeah. Um, but, like, you know, you look at the side of, like, say, nuclear proliferation and how few really expert people that can take to bootstrap entire separate proliferation risks. And I'm thinking of, like, uh, A.Q. Khan, I think, was the Pakistani guy. So I think this is a smart move
and keeping the stuff inside the fold is great.
And yeah, you're right,
as a reward for doing this better than NSO Group,
a trillion dollars, a billion dollars or whatever,
it ends up being worth,
like that's a good carrot for other people
who are considering it.
And NSO got the stick.
Yeah, well, I mean, briefly it looked like L3Harris were going to buy NSO Group, and I think that was actually an initiative that might have emanated from within certain agencies of the US government. But then when the White House caught wind of it, they crushed it. And I think it really was at the point where there would have been some positives, in that you would have had all of that talent all of a sudden working in a way that was more closely aligned with US interests, which would have been a positive. But then there's the rewarding bad behavior component, which is why I think they actually killed it. So it was more of an ideological decision than a pragmatic one. And I can go either way.
I can argue either way on that one.
But now we've seen this and this is a good thing.
And hopefully this will, and they're not doing this.
This company that bought them is not doing it as a, you know,
as a way to improve our world.
They're doing it for dollars.
But I just like seeing, when the sanctions and whatever have sort of punished NSO, and now here's a group who did it differently who are getting rewarded. I think it's a sign that government settings around this stuff are actually working.
Yeah. And how often can you say that?
Yes. Yeah, exactly. You may not necessarily agree with this being an, you know, uncomplicated good thing, but I think we can agree that this is a better outcome than what we've seen in the past. Like, it's a step in the right direction, I think, uh, you know, even if it's imperfect.
Yeah. Well, Israeli hackers and exploit devs are going to hack and exploit dev, so I think it's better, um, if they are doing that within a framework that is, um, more conducive to, you know, human rights and those sorts of things.
Funny that. Uh, so let's look at a story from Krebs on Security now, and, uh, he's taken a look at the Canada nexus of crypto money laundering. Like, I don't think there's an easy way to summarize this piece, because you and I were talking before we got recording, and it is dense. It is extremely dense. But the upshot is there's a whole bunch of, like, fairly shady looking crypto services and money remittance, you know, providers that are all based out of a single address in, uh, in Vancouver. And that's just the tip of the iceberg. There's, like, thousands of these places, and they're often sharing addresses, and the registrations are funny and whatever. And, um, it's just a fascinating look into how some of this money moves around, and also the nexus with, um, doing business with sanctioned Russian banks and whatever. It's just, I mean, it's great work. How did you find this?
Yeah, no, it is. It's really interesting because you're like, you know, the mechanics of moving money around are kind of opaque and constantly shifting, and so it's always interesting to see, you know, what does the current state of the art look like? So, for example, some of these organizations were cryptocurrency, you know, kind of brokers or agents or whatever that would spin up new wallets for every transaction, and all sorts of things to try and make it, you know, possible to do the laundering across the blockchain. So that's interesting, that part of it.
And then there's all of the shell companies
and all of the ways that you kind of hide it
from accountability.
And you do have to wonder about what exactly
are the Canadian regulators doing when there's
122 money services businesses in one building
that contains a massage therapy clinic.
Yeah.
You know, probably not exactly legit.
And then Krebs ties this through to a bunch of similarly named companies
or companies with similar directors or agents or whatever else in the UK
and then there's other ones in Europe.
And it just turns into that full, you know, crazy map on the wall
with lots of string connecting important points
sort of thing that you imagine Brian's,
you know, Brian Krebs' office probably looks like.
Yeah, he was profiled recently
by one of the broadsheet newspapers
and he had the journos and their photographer
leave their phones at home when coming to his house.
You know, he'd previously been swatted.
He's moved somewhere, very undisclosed sort of location.
And when he's writing stories like this,
you see why it's not just paranoia, you know.
So we've linked through anyway.
Go have a read.
It's just a really interesting story that sort of peels back the curtain
on something that's normally, you know, quite well hidden.
Yeah.
And you end up in, like, the Western Sahara central reserve, and it's just, yeah, it's a wild ride.
It is. Now we got one from CyberScoop by Greg Otto looking at this guy called Baron Martin, who's 20 years old. He's from Tucson, Arizona, and he was arrested on charges of producing, uh, child sex abuse material and cyberstalking. But his arrest is connected with, um, these, what they're describing as online terror networks, uh, specifically, uh, one called 764 and another called CVLT, and I think they're kind of offshoots of the Com, or in that, part of that whole mix. And you think, ah, cyber terrorism's not real, don't be ridiculous, and then you read this and you're like, oh, cyber terrorism's real.
Yeah, yeah. There's some pretty horrible stuff in here, and also, like, so young, 20 years old, and doing all this kind of real nasty, nasty stuff.
Yeah, I mean, these guys, that's the thing, right? The underground, I mean, back in our day, right, might look at, uh, spam, carding, you know, uh, hacking for exploits or whatever, was more, I don't get it, was that grey hat, whatever.
But it was even the serious stuff was a little bit more tame.
These guys are psychopaths.
Yeah, yeah.
I mean, really, exactly.
Like that juxtaposition, definitely this feels very strong.
And I think, you know, I didn't roll with a particularly bad crowd as a teenager, but, you know, even amongst the people I knew,
there was no one doing worse than carting a pizza maybe.
I mean, I knew a few doing carting for profit
or people who had done that.
And that's about getting paid.
And people who were doing that would sort of see it
as a bit of a victimless crime because it was spread.
The people who were losing the money, uh, could afford it. They were large corporations, right? But this is, you know, and they say that, you know, this network is noted for its use of cyber criminal tactics and manipulation of societal norms to exploit minors, guided by a broader agenda of societal chaos. Uh, so I think that's why they're sort of treating these people as terrorists, because they seem to want to bring it all down.
Yeah.
Well, this guy, Baron Martin, he went by the alias Convict.
Yes.
So rather foreshadowing there, buddy.
Yeah.
So he could face up to 30 years in prison.
But these are the people who are coercing people into doing self-harm on video and whatever.
It's like kids.
Kids as young as 10. So anyway, let's see what the future brings
in terms of categorizing these people as terrorists
and locking them up for a long time
and whether or not that has any impact whatsoever
on unlocking further law enforcement resources
to go after these groups as networks.
And yeah, I don't know.
That's another thing to look out for in 2025
because you get this sense that authorities are onto this now
and they're taking it seriously.
Yeah, exactly. Another one from Daryna at, uh, at The Record, and Russia has blocked and banned Viber, which is a Japanese sort of voice over IP and messaging app, and they're claiming it facilitates terrorism and drug trafficking. Who knows if that's the real reason. Probably not, is my feeling.
Yeah. And Viber apparently is actually quite big, or was quite big in Russia.
It was the third most popular messaging app after, what, like, Telegram?
WhatsApp and Telegram, yeah.
WhatsApp, yeah. So, like, that's pretty big. And, you know, we've seen restrictions against, you know, WhatsApp as well in Russia here and there. Like, they haven't been consistent. But, you know, they're definitely cracking down, and they're cracking down on VPNs for circumventing some of these restrictions. They're also, you know, changing the game a bit in Russia. Like, it's a pretty tough time, you know, to be on the internet there, and, you know, to want to be able to communicate without, you know, being, uh, you know, being surveilled or being seen or, you know, being tracked.
Well, I mean, you've got, you've still got options, right? WhatsApp is a reasonable option. But I wonder how long it's going to be before Russia launches a reskinned version of WeChat that Xi hands over the source, and it's, you know, congratulations, get on RuChat. You know, like, it's coming. You can feel it.
Definitely, yeah. You definitely feel, it feels that way, because, you know, they have to keep kind of cranking the handles on control there, because, you know, Putin's feeling threatened.
So, yeah, well, Putin is threatened. I mean, the economy there is really not doing well at all, and the slide appears to be accelerating. The only thing keeping the ruble, you know, keeping it at all buoyant
is a whole bunch of controls on foreign exchange trading that the Russian central bank introduced.
Like things are looking pretty bad there. Whether or not that leads to a collapse in
Putin's government, I mean, that's something different. I mean, I was having this conversation
with a friend recently, and they pointed out that, you know, the Turkish economy, um, experienced extreme inflation and all sorts of issues as well, and Erdogan survived. So we don't know what's going to happen over there, but certainly, you know, things in Russia are not as good as they were a few years ago, for sure.
Yeah, that certainly seems to be the case. And, you know, Russia is, it's, uh, that conflict is just, it's so harrowing. Keep watching all of the updates when we get so much, you know, kind of insight into what's going on over there, and it's just, yeah, it's pretty horrific.
Yeah. Our current update is North Koreans, uh, you know, shooting at drones instead of running away from them and getting mowed down in open fields. Like, it's just, it's just unbelievable. Unbelievable.
But, mate, that is actually it for this week's news, and that's actually it for us, for you and me, for 2024. Uh, do we do a star rating for the year? Like, is this like Yelp? I'd give it a four star.
You think four star? I mean, there's definitely been a lot of interesting stuff to talk about this year, and there's been a bunch of great hacks. And, God, I think the thing that really stood out for me this year is the sheer scale of the, I suppose we're not supposed to call it pig butchering anymore.
Interpol asked us not to call it pig butchering.
Because it stigmatises the victims.
Fair enough, too.
Don't call the victims pigs, you know, that are getting butchered.
I think that's, you know, we can all be a little bit more sensitive.
We could, absolutely.
But yeah, the scale of that in Southeast Asia,
that's a thing that whenever I explain it to other people who are,
you know, not in the industry, you know, friends and family and stuff, people are like, what? You mean, like, thousands, hundreds of thousands of people are enslaved? I assumed this was all, you know, willing hackers, you know, ripping people off and running romance scams, and not victims of human trafficking and, you know, enslavement. So that for me, I think, has just been a, you know, that's not a thing I would have predicted, you know, five years ago when we were wrapping up the year.
That's your big... I don't even know what my big takeaway from the year is, man. You know, people will say, well, that conversation you had two weeks ago about XYZ was really interesting. I don't even remember it. I'm like, did I talk about that? I knew I was thinking about it, but I couldn't remember.
But, yeah, we'll wrap it up there.
Wonderful year.
Looking forward already to joining you again in 2025, my friend.
Have a great summer.
Have a great break.
Yeah, thanks so much, Pat.
And I wish everybody, you know, Pat, yourself, you know,
a great break and all of our listeners.
And, yeah, feel free to come check out our new website.
That was Adam Boileau there with the final news discussion for 2024. Big thanks to him for that, and big thanks to all he's done, uh, for us this year, including, you know, developing our new, the back end of our new website, and, you know, taking on a lot of the work that I used to have to do as well. It's great to have him on board. It is time for this week's sponsor interview now with Robby Winchester, who works for the services part of SpecterOps, which of course also makes the Bloodhound Enterprise attack path enumeration tool,
which is fantastic.
If you don't know it, just go and Google for Bloodhound Enterprise.
But Robby joined me for this interview, which is all about how pen testing has changed, what buyers are looking for out of pen tests these days, and so on and so forth.
So I'll drop you in here where Robby explains to us, like, you know,
the answer to the question of, well, what's changed?
Here he is.
It's simultaneously a lot of the same because I guarantee that Windows XP still has a
beating CPU somewhere in someone's network and certain things never can really fully die.
But there's a lot of new emerging issues and threats, especially
around or things to be concerned with, especially with the new adoption of services like cloud
services and cloud integration, migration to the kind of identity focus. And it's tough to keep
track of when you're going and building all that out. What risk are you accepting? What are you
provisioning? How is it working? Is it set up the way you think it's set up?
And oftentimes, especially with some of the remote or cloud-type services, as new features
or capabilities are added, is that adding different things from when you configured
it that maybe you're adding additional risk?
And you're not aware of it because when you set it up, there was A, B, and C, and now
there's A, B, C, D, E, and F, and you didn't go back and update for those new additions. Um, so it's kind of an emerging threat of this hybrid, growing, sprawling, difficult to kind of grasp network, uh, at a time where you're not the admin and you don't really control the box, right?
So that's, you know, how, how are you even supposed to get on top of that? I suppose you call in some pen testers and they go and beat you up and show you, hey, they introduced this new feature four months ago and you didn't know about it, right?
Well, and especially if you have, do you, do you have an identity team and a cloud team and a data analytics team and all these different, or parts of the organization? So, like you said, is it, is it hard to find that central belly button for who knows the whole picture?
Yeah. Yeah, well, that, that is tough. But it also sounds, you did say something interesting there, which is, you know, there's always these, like, hype
claims that come out in security where people say X is the new Y. But like identity is the new
perimeter. I'm kind of sympathetic to that one because it really does feel like that's where
the action is these days. Yeah. I think that's the kind of core of our
perspective. Bloodhound Enterprise is big and just Bloodhound in general is big about understanding
the identity and the attack path problem. And we see this a lot in all of our testing services
where it's not just finding, or I shouldn't say it's not finding a vulnerability and taking
advantage of an exploit like potentially 08-067 Windows back in the day, it's keeping track of and what
are the different permissions that are attributed to all these different sprawling identity
providers and identity implementations and not realizing that a person or a computer or a group
can access all these other things that are not necessary. And especially when you go from the complexities of your local computer, and then I have sessions in my browser,
and are each of those sessions protected? Or can I hijack a browser session? And so now everything
you're logged into in the cloud is potentially exposed. So it opens up a very interesting kind
of new frontier of this big identity centric.
It's not a patching problem.
This is how computers work.
Well, and you've got all of these sort of style applications that are essentially, you
know, just offer limitless privilege escalation opportunities in the cloud as well.
So you know, it is possible sometimes to go from a fairly low privileged user through
one of these apps that's got way too much access
to everything and normal users can interact with. I mean, I'm guessing you spent a lot of time there,
right? Yeah. Well, and again, it's part of the challenge is, you know, as you, uh, the easiest
way to enroll and onboard and do anything, just like in, in computers networks back in the day,
the easiest way to make everyone be able to do anything they want on their computer is to make
them a local admin. And so over permission, over permissive entitlements, overly permissive, you know, granting of privileges is kind of an
endemic. It's a human problem of, it just makes it easier when you have more access than you need,
because then you're not butting up against that just enough. And it's hard to figure out what is
that just enough. So this begs the question then, is the market sort of across this, like what type of assessments are the most popular at the moment coming from, you know, I
mean, SpecterOps is known as a good pen test red team shop, right? So I'm guessing, you know, you
would attract customers who are at the more serious end of the type of people who buy those services.
Like what are their purchasing habits telling us about how much they actually understand about,
you know, the risks that they face?
Yeah, it definitely varies.
The perspective is going to change very differently between companies who felt the pain firsthand. So if they've dealt with a compromise, they've dealt with an incident and they have firsthand knowledge and experience of how painful, frustrating, confusing that can be.
That's obviously going to change the perspective in some ways. I'd say in general, the kind of trend that we're seeing is, and this is where
we try and focus and operate, is less on proving that you can get access. So we're not as much
trying, our main focus is not around specifically the phishing or trying to break in through a web
application or crack passwords to get in from the, from the outside. It's less about capturing a flag. It's more about sitting down and looking at how things are set up, right? And, and answering, you know...
Sorry to cut you off there, but I got a friend here in Australia, or, you know, someone I know in Australia, who tried to start a business, like, you know, they're ex-SIGINT and they tried to start a business doing that, like, I don't know, 12, 15 years ago. And just, like, no one was interested.
So they just wound up doing capture the flag style pen tests and red teams.
But I'm guessing, you know, from what you're telling me, because it was a good idea then.
It's still a good idea.
But what you're saying, people are actually buying that now.
Yeah.
And you have to have a certain, it's tough because I don't think that those things are not important.
It's just only part of the problem.
People will click on phishing emails.
There will be vulnerabilities.
There will be zero days.
That's all going to exist.
Credentials are going to get leaked.
So that's kind of that assumed breach mentality, which has become more and more accepted, I would say.
And so it's valuable.
On a similar trajectory is this idea that all vulnerabilities in your organization should be patched. And finally, people are like, okay, we can let go of that as an aspiration because it's completely unrealistic. And I think what you're saying is now there's a bit more of a realistic mindset creeping into enterprise understanding of, you know, how this all works. Yeah. And I think it's also, uh, I think to, uh, to a certain extent, like if, if you're practicing for any sport, uh, football, be it, you know, my American version or the
European version doesn't matter. Um, any type of football, you don't, every time you practice,
you don't just play full games and have to start and do 90 minutes. And then if you want to practice
a corner kick or a penalty kick or whatever, you don't only have to do that in the course of when
it happens in a game. You control practice time.
So you can go and set up different scenarios and set up certain circumstances.
And so I think that's kind of the attitude to a certain extent with the offensive services
of let's not just try and do everything from I have to send an email, the user has to click
it, we have to go through.
But let's figure out what are those specific areas or scenarios or things that we're worried
about.
And then can we demonstrate and provide something that might not happen all the time in a real world scenario or a real world situation, but it's something you're really worried about. Let's practice that in a controlled environment where there isn't actual risk. You get to know: are things working how I think they are? Am I seeing what I think I'm seeing?
You know, oftentimes there's one understanding of how things exist.
And then when the pen tester does that-
Generating some traffic and trying to have a look to see if it falls out the other side
of a detection stack is a good idea.
I mean, I've always thought this sort of approach is better, where you get some specialists to come in, they look at your apps, they look at your services, they look at your network diagrams, and they say, okay, here would be a pretty good place to have a shell. Let's pop a shell there, right? You know, and you don't need to go and do the recon and the exploitation, the phishing, because it's just a bunch of wasted time. But, like, let's give, um, one of our people a, a shell there and, you know, let them go wild for a little bit and see what pops out of the detections and whatever. And it's, it's, it's just, you know, it's better bang for buck, right?
Like I feel like we've spent so much time as an industry, like wasted dollars, wasted hours,
just on that bit of like getting the shell on that box, which isn't really the important bit.
Well, you can, you can test that in so many more effective ways as a standalone circumstance of,
you know, can I, if I want to
test, for example, phishing, if you break that down, we had one of our team members wrote a
blog post a while ago, but basically talking about if you break down what is the phishing
challenge you're trying to answer, you can kind of decompose that into what are users going to
click something. And you don't have to have a payload execute to figure out if users will click
on something they shouldn't,
be it an attachment or a link.
You can design that where there's no risk
and that's an easy thing to test.
You can see, are things getting delivered through my stack
that I don't want to get delivered?
You can test that just going to a sample email box.
You don't have to go and do a full thing.
And then once something does get delivered,
if I'm curious about, will it actually detonate or call out or do something on the endpoint? If we take this
kind of combined problem of, you know, doing phishing, we can break it down into this,
these elements, and then better test each of those individual things. Not that it's not a
valuable circumstance, but why kind of test some of them some of the time instead of deliberately
testing it. So is this the most sort of popular assessment type that you're doing now? I'd say for us, what we're typically doing is
more of a objective focused red team or pen test. And predominantly it's just going to be based on
are we trying to evade detection? Are we trying to kind of go low and slower? Or are we trying to
just identify from that starting point? Not necessarily smash and grab, but we're not conscious of the
noise that we would make. Or if we run into a challenge, we're wanting to kind of document and
move on of, okay, this thing stopped us, but if it didn't, this is the next step.
And so it's taking more of, we kind of try and focus all of our assessments more in that
objective of what are you worried about? Are you worried about a user becoming a domain admin? Are you worried
about sensitive information leaving the system or leaving the environment? Are you worried about,
you know, financial institutions? Like, can I get into or touch ACH Swift, some type of sensitive
system, information companies where they have their crown jewel secrets of this is the proprietary
stuff we don't want anyone to get to and no one should be able to.
Can you get here?
And so we try and start from that perspective and then work towards answering that question
instead of going through kind of the more you call it the CTF, but like the compliance
style of we're scanning things, we're looking for things that are open, we're checking through,
we go, we got to the end of the list, and then we provide a report card and move on. Yeah. Yeah. So I'm guessing most of your staff are pretty au fait with Bloodhound
though, right? And that doing this sort of identities graph-based analysis is something
that you would get with most of your
assessments. Yeah. In general, uh, where, especially when we're operating in, like, a Windows enterprise, I mean, there's a reason, uh, a lot of companies, and not just us, use, especially the Community Edition version of Bloodhound for that "I have access here, I want to get there" mapping. Um, it does get interesting. You know, we have some of our customers who are Bloodhound Enterprise
customers, and then we also do a red team or penetration test. And that does kind of change
the perspective because it's less an easy way to privilege escalate to domain admin or take over
the enterprise. And the focus is a lot more than kind of in that objective of potentially even
elevating as much as we need to.
And just can we move in a way
that is not triggering those detections?
There's also a lot of interesting new,
Windows is both new and old constantly.
So we've done a lot of research.
Some of our team members done a lot of research on SCCM,
both some new features and things that have come out.
And then also we'll go forward into some of the Intune
and just the general whole device management process, where there's, there's similar, it's a similar challenge or a similar perspective, I would say, uh, to that identity, where, um, if you implement everything the right way, you know, as Microsoft designed it, then you're probably going to be mostly okay. But some of the stuff is, is maybe confusing or it's not as, as clear how you should implement it.
And I heard, I heard a story of someone doing IR here in Australia, uh, for a large enterprise, and, uh, it wasn't related to the incident, but they discovered that every single user, every single 365 user, was an Intune admin, right? That was like, whoa, okay, that's not great.
Well, it's, it's not a problem until it's a huge problem.
And so that's kind of part of the problem.
And for some of those features and stuff,
it's, again, and that's the challenge of that
as you go into the cloud, if you don't use Intune
and you might, you could see that and just have no,
you're very familiar with SCCM, let's say,
but you just haven't happened to come across
or mess with Intune and you see that
and you don't think anything of it.
You think it's some media player, I don't know,
and you're just like, okay, this is fine.
So there you go.
If you're after some red teaming slash pen testing slash offsec consulting against your network that isn't just capture-the-flag-based kind of silliness, which, I mean, I know there's a place for that as well, but it's nice to see people offering different services these days, you can get in touch with SpecterOps. One thing we'll quickly mention is you're having a conference next year, March 31st in Arlington, Virginia, a two-day main conference, and then you're going to have some four-day trainings. I'm guessing that's going to focus on, you know, offsec, and with an emphasis on Bloodhound as well.
Yeah, so we had an open CFP, got a lot of really interesting applications,
super looking forward to that.
We should be announcing the exact talk list here pretty soon.
But predominantly, again, that identity and attack path type focus
is really kind of what we're going for there.
And then the training classes we have are red team operations. We have a new identity-driven operations tradecraft, or operational tradecraft, or operator tradecraft, I'm not sure, but it's an identity-driven, identity-centric course. It's kind of an evolution of the red team operations course, acknowledging all of these new identity-centric challenges with the cloud and Entra and Okta and some of the other types of implementations that are there. So, yeah, very, very exciting. Should be a good time, should be a good one.
All right, so that is SO-CON 2025 by SpecterOps, and I'm sure I've given you enough information, dear listeners, that you may Google that one. Robby Winchester, thank you so much for joining me for that conversation. Very interesting stuff.
Thanks a lot, Patrick. Appreciate it.
That was Robby Winchester from SpecterOps there with this week's sponsor interview. Big thanks to him for that. Big thanks to SpecterOps for being a Risky Business sponsor. And that is it for 2024. I do hope you've enjoyed being with us
through the whole year. It's been a fun one. It always is.
And we will be returning for our 19th season in 2025.
And I look forward to talking to you all then.
Have a great break.
Have a great Christmas.
Have a great New Year's.
And I'll catch you all next year.
Cheers.