Risky Business - Risky Business #776 -- Trump will flex American cyber muscles
Episode Date: January 22, 2025

Risky Business returns for its 19th year! Patrick Gray and Adam Boileau discuss the week’s cybersecurity news and there is a whole bunch of it. They discuss:

The incoming Trump administration guts the CSRB
Biden’s last cyber Executive Order has sensible things in it
China’s breach of the US Treasury gets our reluctant admiration
Ross Ulbricht - the Dread Pirate Roberts of Silk Road fame - gets his Trump pardon
New year, same shameful comedy Forti- and Ivanti- bugs
US soldier behind the Snowflake hacks faces charges after a solid Krebs-ing
And much, much (much! after a month off) more.

This week’s episode is sponsored by Sandfly Security, who make a Linux EDR solution. Founder Craig Rowland joins to talk about how the Linux ecosystem struggles with its lack of standardised approaches to detection and response. If you’ve got a telco full of unix, and people are asking how much Salt Typhoon you’ve got in there… Sandfly’s tools are probably what you’re looking for.

If you like your Business like us… - Risky - then we’re hiring! We’re looking for someone to help with audio and video production for our work, manage our socials, and if you’re also into the Cybers… even better. Position is remote, with a preference for timezones amenable to Australia/NZ. Drop us a line: editorial at risky.biz.

This episode is also available on Youtube.
Show notes
POLITICO Pro | Article | Acting DHS chief ousts CSRB experts, other department advisers
Treasury’s sanctions office hacked by Chinese government, officials say
Strengthening America’s Resilience Against the PRC Cyber Threats | CISA
AT&T, Verizon say they evicted Salt Typhoon from their networks
Risky Bulletin: Looking at Biden's last cyber executive order - Risky Business
Internet-connected devices can now have a label that rates their security | Reuters
US sanctions prominent Chinese cyber company for role in Flax Typhoon attacks
FCC ‘rip and replace’ provision for Chinese tech tops cyber provisions in defense bill
CIA nominee tells Senate he, too, wants to go on cyber offense | CyberScoop
Trump tells Justice Department not to enforce TikTok ban for 75 days
Judge rules NSO Group is liable for spyware hacks targeting 1,400 WhatsApp user devices | The Record from Recorded Future News
Unpacking WhatsApp’s Legal Triumph Over NSO Group | Lawfare
Time to check if you ran any of these 33 malicious Chrome extensions
Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf
Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware
Researchers warn of active exploitation of critical Apache Struts 2 flaw
DOJ deletes China-linked PlugX malware off more than 4,200 US computers
Russian internet provider confirms its network was ‘destroyed’ following attack claimed by Ukrainian hackers | The Record from Recorded Future News
Ukraine restores state registers after suspected Russian cyberattack | The Record from Recorded Future News
Hackers claim to breach Russian state agency managing property, land records | The Record from Recorded Future News
U.S. Army Soldier Arrested in AT&T, Verizon Extortions – Krebs on Security
Transcript
Hi, everyone, and welcome back to Risky Business for 2025, our 19th season of this podcast.
My name's Patrick Gray.
We've obviously got a lot to talk about this week because we've had a four-week break.
So yeah, we're going to get into the news in just a moment with Adam Boileau, and then
we'll be hearing from this week's sponsor, Sandfly Security. And Craig Rowland, who is the founder of Sandfly, he's going to be along to talk about a couple of
things. First of all, why people don't tend to pay as much attention to their Linux fleets as they do
their Windows fleets when it comes to monitoring. And also just talk about the general state of
monitoring and Linux security in enterprise environments.
It is a very interesting conversation and it is coming up after this week's news with Adam Boileau,
which starts now. First of all, Adam, how was your break?
It was really nice. I didn't think about computers for several weeks, which, you know,
it's been a long time since I've had that much of a break, and that's really nice.
Although, of course, we're back into it,
and it's just full of crazy, as you would expect.
It's chaos, indeed.
And, yeah, it was good.
It was a longer break than usual.
Your idea, which is like, come on, man.
Let's everybody take a good break.
So, yeah, we're all back.
We're all feeling very refreshed after a month off.
So, yeah, happy days.
One thing before we get going too,
I should mention, we are hiring.
We are looking for someone who can take on audio
and video editing for all of our podcasts.
And we want this person to be able to do
some of the social media management stuff.
So we should have a presence
on some of these short form video platforms
as well as like LinkedIn and whatever.
And we would obviously like it if the applicant
has an interest in or some experience in cybersecurity.
So you can send us a resume or an introduction
to editorial at risky.biz,
if that is a job that you are interested in doing.
But let's get into the news now, Adam.
And I suppose, look,
there's gonna be some Trump stuff in this week's show.
It's kind of unavoidable.
And we're beginning with the news that there's been some sweeping changes at the Department of Homeland Security in which all committee members, you know, external to the government have been sort of fired, essentially,
which means that all of the external advisors to the cyber safety review board
are, at least for now, gone. So that means Rob Joyce, Chris Krebs, Dmitri Alperovitch,
Heather Adkins, yeah, all gone, which I'm guessing would make the review they're in the middle of a
little bit difficult to complete. Yeah, that's, you know, that review is pretty important. That's
the one into Salt Typhoon, right? That's the right typhoon?
That's the right typhoon, yes.
Which is the widespread intrusions into American telcos,
which is undoubtedly important.
And yeah, having the expertise of people like that list
is pretty critical for that report to have the kind of depth
as well as technical credibility outside of government circles, right?
The private sector likes to see its input
in those things to take it seriously.
So, I mean, we're going to see so much Trump crazy
over the next little while,
so I guess we should get used to it.
But this one just, you know, makes me a little bit sad
because we really enjoy their reports
and they're all, you know, good, smart people
doing great work. Well, I mean, I don't think we should, you know, declare CSRB dead
just yet. Also, it's a little bit unclear whether or not the government members have also been
suspended from all committees. It's a little bit unclear exactly what's happened here,
but either way, you know, CSRB is essentially benched at the moment, I would expect.
And I do wonder, you know, given that Trump has surrounded himself with China hawks,
I'd kind of be surprised if it didn't come back in one form or another. I guess my concern is
that it comes back and the White House gets to determine what it looks into, and, you know,
it winds up being used as a political tool.
So they're going to have to go back and look at, you know, cyber attacks and election fraud targeting
the 2020 election, you know, things like that. So that's one concern I have, but, you know, I'm more
than happy to be surprised to the upside here. So I think we have to wait and see.
Yeah, yeah. I mean, it is still very, very early days, and obviously there's just a whole bunch of, you
know, kind of churn in the U.S. government at the moment as they figure out what this all means. And, you know, the cynic in me says that the CSRB was probably just collateral damage here, right? Because the DHS, Homeland Security, has, you know, dozens of other, you know, things like the CSRB and other disciplines,
other fields that are also being gutted with no real clear idea of why or thoughts about what it
means big picture and, you know, where it actually legitimately helps with their interests. So,
you know, I guess I don't buy... you know, incompetence seems more likely than malice
to me, but maybe that's just, you know.
Well, no, I mean, I think it's just, you know,
it very much connects to, you know, Trump's philosophy,
which is they were appointed by the previous people,
so clear the decks, you know, and then start again.
So I don't know.
Let's not prejudge it.
Let's just wait and see what happens.
Meanwhile, Risky Business News,
which has been renamed, by the way,
it's called Risky Bulletin these days.
That's the work done by our colleague, Catalin Cimpanu.
He reported on this BeyondTrust incident last year where their remote, like, admin management, you know, support product, they detected some sort of intrusion targeting a client.
We've since discovered that customer was the U.S. Treasury, and, yeah, it looks like this was a
Chinese operation targeting Treasury to, you know, gather intelligence on things like
sanctions and whatnot. And we've seen a lot of action in sanctions. We've seen CATL, the battery
maker, had some sort of designation put on it recently. So obviously, and they're the biggest EV battery manufacturer in the world, and they're Chinese.
So, you know, obviously, this is an area where Chinese intelligence would be interested in focusing, but looks like a tremendously successful operation here.
And God knows how long they were rattling around inside Treasury, including a presence on the computer of the treasury secretary, Janet Yellen.
And I will admit that this job is somewhat of a disease
because when I read that during my break, I thought, nice.
Well, yeah, it's hard to argue with those results.
And, you know, one assumes they popped enough domain admin
or whatever to show up on those desktops.
So, you know, in which case, like, that's a solid day's work, because they were in, as well, the Office of
Foreign Assets Control. Well, that's Treasury. So yeah, so that's part of the Treasury. Also
CFIUS, the Committee on Foreign Investment in the U.S. So, like, all the sorts of bits of Treasury
that are very relevant to this kind of ongoing economic conflict between China and the US. So, yeah, that's a solid day's work, whoever that was.
Absolutely. In China. I think you were saying that CISA had said so far they're the only
identified victim of this BeyondTrust supply chain thing. I mean, do you... Yes, originally BeyondTrust,
I think BeyondTrust said there was only one victim, and then later they've come out and said there were a few more.
But I think Treasury is the only one we've seen actually confirmed so far.
Yeah.
But I think BeyondTrust said, like, I think it was, like, less than 10.
There wasn't very many other customers, but clearly some.
Meanwhile, Jen Easterly, who was the, I mean, I'm guessing she's gone now.
She was the head of CISA.
She's published a blog post over at CISA.gov that says that Salt Typhoon, which of course, as you mentioned earlier, is the
campaign targeting US telcos, that the same actors were actually rattling around in federal systems
as well for a little while. CISA had detected it and given them another name and whatnot.
And it looks like when, you know,
the salt typhoon detections and evictions kicked off in earnest,
that turned out to be useful information.
Seems like the blog post is kind of trying to take a little bit of credit
for detection here,
but they're being a little bit slippery with the words that they're using,
which makes me think that probably CISA's detection of this crew in FedGov
isn't what led to the rest of the campaign being unpicked.
But they kind of are trying to imply that a bit.
So God knows how it all came together.
We'll find out one day.
But it is interesting that this group that we've pretty much exclusively associated with attacks against telcos was also targeting federal systems.
Yeah, I mean, it kind of makes sense that they had tasking before this and they will have tasking after this as well.
But yeah, kind of joining those TTPs together
or following the leads around the place.
I mean, that's kind of what the cooperation
between private sector, threat intel
and threat hunters and government,
CISA and et cetera,
is kind of meant to be able to do.
So it's kind of, you know,
I guess for them putting up a, like,
here is a win that we had might be a useful thing at the moment.
I don't know.
Yeah, yeah.
And meanwhile, AT&T and Verizon have said that they have finally managed
to evict, this report is by Matt Kapko over at Cybersecurity Dive,
published Jan 7, says that, you know, AT&T and Verizon have said
they've managed to evict Salt Typhoon, which is great news.
Unsure about the other 100-odd telcos that have been impacted though, right?
Yeah, I wouldn't want to be the person that has to put their name to a statement
that says, actually, yeah, we totally threw these guys out
because they're pretty sneaky.
And we've seen some really cunning long-term persistence mechanisms,
things like building control systems or UPS system firmware or whatever else, you know, plus all of the, you know, early boot malware and
things like that. Throwing people out these days is legitimately hard, especially when they're
well resourced and motivated and properly sneaky. So we would say that they're not cured, they're
perhaps in remission, maybe. And I think Anne Neuberger said, look, basically,
like, that's great and all, but they also need to secure
their network so they don't just come back in another way,
which, yeah, legit.
Yeah, indeed.
Now, Joe Biden signed an executive order pertaining
to cybersecurity on his way out the door.
Some good stuff in it.
I mean, it puts new obligations on government agencies
and departments and also their contractors, right?
Where you've got to use phishing resistant,
you know, authentication controls and blah, blah, blah.
There's a lot of stuff in here.
You wonder if this one,
cause you know, one of the first things that Trump has done
when he took office this week is to rescind
a whole bunch of executive orders that Biden put
in place. You know, you kind of get the feeling, because this is last minute, they didn't have time
to prepare its removal. You sort of wonder if maybe it'll stick, but, you know, hard to know.
It is, and it's a pity, because it's full of pretty sensible stuff, things like let's use our PKI for,
you know, cryptographically signing route advertisements via BGP, and, as you
said, multi-factor auth and mail crypto and all sorts of things like that that, you know, you
wouldn't think were at all contentious. But, you know, just throwing out executive orders because
they've got Biden's signature on them is a thing that could totally happen. One of the things that was on this was, so, the US Cyber Trust Mark,
which is the scheme for like labeling IoT devices
with like, you know, they've got some security at all.
They can get firmware updates, that kind of thing,
was going to be mandated for government purchases
after I think it was 2037 or something like that.
And that's the kind of thing
that really helps along initiatives like that.
And it'd be a pity to see that also gutted early on.
But we'll wait and see, as you say.
We don't know yet what's going to happen.
We just don't know.
And we've linked to a separate – we've linked to our piece by Catalan on the EO.
And we've also linked to a Reuters story about the IoT labeling stuff.
We've also seen the U.S. sanction a Chinese cyber company for its role in another
campaign that Microsoft calls Flax Typhoon. What's Flax Typhoon? Because we've got our salts and our
vaults and now our Flaxes. Yeah, so Typhoon obviously is just like China in general, Flax Group is, I think this was the crew that was building like an orb network
out of owned IoT devices and primitive devices a while back
that the FBI rounded up like late last year, I want to say.
So that one's Flax Typhoon.
I don't know which bit of MSS or Chinese military or whoever it happens to be that's behind it.
But there's a private sector firm
that's been doing a bit of work
that's got themselves some sanctions.
Integrity Technology Group based in Beijing.
That's the one, yes.
Sucks to be them, although I don't know how much...
Also a client of and competitor with iSoon,
I think I mentioned in the leaks.
Yeah, yeah, yeah, yeah, exactly.
Now, we probably should have mentioned this earlier, but the FCC... the annual defense spending bill
was signed by Biden on Monday evening. And, you know, how
they do it, like, they bundle up a bunch of other stuff into the defence authorisation bill to get the spending that they need.
It's an $895 billion spending blueprint.
That's how it's referred to here.
This is a Martin Matishak piece from The Record.
But there's $3 billion in there to help telcos rip and replace
insecure equipment and sort of Chinese equipment from telcos.
You know, this is helpful, I think.
You know, I think federal funds going to help them replace stuff
where their attitude otherwise is going to be,
well, it ain't broken, so why fix it?
You know, I think this is probably a good use of government money
when it comes to, you know, $3 billion in the context of national security.
I mean, it's not all that much.
I do wonder how much it will genuinely help though.
Like just updating equipment
does not give you a great security program, right?
But I don't know.
I think it's probably on balance a positive thing.
What do you think?
Yeah, I agree.
Like all the telcos I've ever worked with,
you know, even when they understand that, for example,
having a Huawei mobile network is not great, you know, now. When they built it or when they installed
it, they probably didn't understand that. Now they do. They're still not going to rip it out until
it's end of life and they've got, you know, the program... Replacing that stuff's going to take
years, and, you know, that's a long-term project that's probably already underway. Someone's showing
up with some money to move it along
will change things. And it's, you know, it's not ideal that the taxpayer subsidizes private
businesses' technology choices, but, you know, the outcome that you want, which is less Huawei in
the middle of your network, you know, if you want to spend some money to get that outcome sooner,
then, yeah, I think it's a good idea. Otherwise, it will just live
forever. Yeah, so it is mostly targeted on Chinese equipment. Initially, this program was created in
2020, and they spent $1.9 billion, with everyone saying it needed another $3 billion to make it,
like, to get it to the finish line, and that's what's been authorized now. Interesting thing
about it being created in 2020 is that was obviously during the last Trump presidency,
right? So I think this one, you know, is kind of a bipartisan thing. So that's good.
Now, look, just a couple of quick notes on the incoming, the return of Donald Trump. I think we
can expect to see much more aggressive operations against China in particular.
So we've got the CIA nominee telling the Senate,
and this is a story from Tim Starks at CyberScoop,
that he wants to get much more aggressive,
develop more tools, blah, blah, blah.
We've also seen some names floated,
some possible names floated
for like White House security you know, security coordinator,
which would be a dual hat role. Also, you know, sitting on the National Security Council.
And, you know, you look at the people who are possibles for that position,
and they're very hawkish and they're big believers in flexing America's cyber muscles, right?
Previously, our colleague Tom Uren has written about Trump's propensity to use state
power and to embrace the use of state power. So what I'm thinking here is the murmurs coming
out of the sort of MAGA camp are, look at what China's doing to us, and we're clearly not deterring
it. It's time for us to do the same thing to them,
which would be a radical departure from norms. But you also, at the same time, think, well, what we have
been doing hasn't been working. China's not adhering to norms. Fight fire with fire. I don't know if this
leads us to a crazy path of escalation and the abandonment of good behavior by states on the internet, but it's going to be interesting to talk about, and that's our job. So, you know, yay. What do you
make of all of this rhetoric coming from the incoming administration and its
possible appointees? I mean, it's hard to argue with the view that relying on a norms-based global
order has not worked particularly well,
especially when it comes to China and deterring their cybering.
Right?
I mean, China to this day just says,
hey, we don't cyber.
What are you talking about?
Yeah.
Right?
That's just the...
And in the face of that,
you can't really have a sensible, grown-up,
norms-based conversation about, you know,
setting expectations and blah, blah, blah, blah.
And, you know, we've advocated for hound release for a long time.
Hounds get released these days.
Clearly there are a lot more things you could do.
And, you know, there's a lot of crazy stuff that comes
out of the MAGA camp.
But is this that?
Because that's the thing.
I mean, this one is, you know, giving China a
bit of a, you know, a bit of a bloody nose in the cyber. What does that look like? That's the thing
that gets me, right? Because you've got sort of international law, which, I know, is, you know,
not everybody... what even is that these... But, you know, targeting civilian infrastructure and whatnot.
I mean, that is problematic.
But at the same time, when that's what your adversary is doing, I just I sort of wonder what the alternative is.
You know, if they're doing large scale preparing the battlefield sort of stuff targeting, you know, US interests, why should the US then not punch back?
I think it was possible to make an argument against that
previously, but with what we've seen, particularly over the last 12 months, you know, it's insane.
It's absolutely insane, and I kind of understand the instinct to hit back. I just wonder, A, if it'll
actually deter anyone, you know, B, will it escalate things, C, what do you even actually really achieve? I don't know. So
I'm, you know... you just can't accuse the MAGA camp of not thinking outside the box, I guess is what
I'm saying, right? I mean, in some ways it's like, I think I've described
Trump in a recent conversation as, like, the stochastic president, right? Because they tend
to just generate an awful lot of random ideas, and they're not all
bad. Yeah, I mean, yeah, yeah, I mean, that's it. And at the very least, as you say, it will be very
interesting for the commentariat to just sit here and watch what goes down. And, you know, I mean,
you know, I've been inside enough, you know, incident response reports and things
that don't end up getting public or whatever
where you just look at what
China does and you think my god
if people knew how bad it is
and what kind of stuff they pull
we would be having different conversations
and you know
I
if they decide, if the US decided
I don't know what flexing your cyber muscles looks like,
but if they decide to do it, I mean, I'm kind of curious.
Yeah, I mean, I think if they go hand to hand with China,
I think they're in there with a shot, right?
So it's not like they don't have a decent capability.
Then again, China's come a long way too.
They have, they have, yeah.
I mean, and we just get to sit here on the edges
of two superpowers going at it and hope it, you know,
stays in the cyber realm.
That's right.
I mean, funny thing, though, is you look at you, you look at me.
We are unlikely hawks when you think about it.
But here we are, right?
And I should also, too, before you send me an email,
I'm not a fan of Donald Trump, right?
So I would hope that no one thinks that I'm endorsing him
by saying that, you know, occasionally, stochastically, they generate good ideas. But it's, you know,
obviously a touchy subject, because he's a very polarizing figure, and, as I said, he's not my cup
of tea. But, you know, he clearly won the election, you know, by a narrow margin, but he won the
popular vote, he won the electoral college. He is the American president as chosen by its people. So, gonna be an interesting four years.
Speaking of, you know, I think I signed off last year's show by pointing out that the whole TikTok
ban and everything and the inauguration was going to be happening the week we got back, and,
you know, that got messy, right? So you had TikTok shut down its servers, or, you know, display a message to users briefly saying TikTok has been shut down due to the laws.
And then it came back even before the inauguration, which was very interesting, because the companies that were still hosting TikTok at that point were breaking the law.
OK, so they could be, in theory, fined or punished by a future administration for doing that.
Not that I think that would be particularly productive,
but it was interesting that they were prepared to skirt the ban.
You know, Apple, Google didn't remove TikTok from app stores, as far as I'm aware.
Oracle continued to host their content, as far as I'm aware.
So that was one interesting facet of this.
And then, of course, Trump is sworn in.
He can't just overturn the ban.
It's law.
But what he can do is sign an EO giving them, you know, 75 days to kind of prepare a sale.
You know, it'll be interesting to see if he can make a deal here.
You know, he's the dealmaker.
Can he get this forced divestment across the line?
I guess we'll find out in 75 days.
Yeah, yeah, I guess so.
And, you know, kind of watching the end of TikTok
in the days leading up to it was kind of interesting in a way.
There was a lot of people posting kind of farewell videos
and talking about what they'd achieved on the platform.
And, you know, a lot of it was really quite heartwarming.
Yeah.
It's a wonderful platform.
Yeah, there's a few kind of, you know, creators who were posting videos saying, hey, actually, look, I never really made those meals that I prepped for the, you know, for the work
week that I've been talking about. It was all just for the clicks. And then now the platform's back
after 14 hours offline, it's a bit awks. So anyway, it was just an interesting period on the internet.
And yeah, we're just going to have to see what 75 days brings.
Yeah, and meanwhile, a bunch of Americans were signing up
to all these other China apps like Red Note and whatever
and like posting really pro-Chinese stuff.
I mean, you know, it's probably worth reiterating
that you can't access American social media in China.
You know, it's not like,
it's just, I don't know why this has been so hard. And I'll also point out that it's an absolute
political disaster for the Democrats, right? Because they announced this thing, which was
initially Donald Trump's idea, mind you, pushed the law through. And then now they just, you know,
100 million Americans plus use TikTok, and now it
looks like Trump is the savior here. So they just, like, they can't help but shoot themselves in
the you-know-what, the Democrats in America. They just, they did such a poor job of explaining,
you know, explaining why. Like, I mean, they can't, I guess they can't come out and say, look,
we are in an existential crisis in which we are competing with China in a new war.
They are the enemy.
You can't use the enemy's app.
Right.
But I guess they can't say that out loud.
But, you know, there are so many people missing the point, like thinking that it's about individual privacy or thinking it's about.
Yeah, about data theft or whatever.
It's just not.
Which it's not.
We've spoken about it a million times on the show, but when you've got 100 million Americans using it for an hour a day, you know, that is your number one media asset
in a country, and there are already quite strong laws about foreign media ownership. So, yes,
you know, China wanted to come in and buy the Washington Post, the New York Times, you know, forget it, right?
They want to buy CNN, forget it. It's not going to happen. So, yeah, crazy stuff. But I did find it funny, people, you
know, rushing over to sign up to apps and to agree to terms of service that said that they would
respect Chinese cultural values and be good socialists.
It's a crazy world. Now, as promised, Ross Ulbricht, the founder of this Silk Road drug and all sorts
of bad stuff marketplace he's been pardoned by Donald Trump.
I mean, he was convicted in 2015 for distributing narcotics,
distributing narcotics by means of the internet,
conspiring to distribute narcotics, engaging in a criminal enterprise.
That one carries a sentence of life and a mandatory 20-year sentence.
One count of conspiring to commit computer hacking,
conspiring to traffic in
false identity documents, and conspiring to commit money laundering. And, yeah, free as a bird.
Meanwhile, other news, and this one just happened, like, the day after we went on break, but NSO
lost its, you know, lost its big lawsuit in the United States, where they were being sued by Meta
over the installation of Pegasus
on their customers' devices via WhatsApp.
Pretty interesting.
I've posted also a link to a legal analysis on lawfare
by a guy called Asaf Lubin.
And yeah, it's really interesting
because what this guy says
is that the judge was able to sidestep the most critical questions so as to avoid creating problematic precedents or whatever.
One of the reasons NSO got into so much trouble here is because they just refused to produce evidence that the court asked for.
So that worked really not in their favour. And it reminded me of,
you know, 20 years ago when I was sitting in the Australian Federal Court, you know, attending the
Kazaa lawsuit, which was the peer-to-peer file sharing app. And the judge did something similar,
which was to really base their judgment less on the technology and more on the actions of the
company. So it doesn't look like this is going to have
huge ramifications for the broader sort of well-behaved spyware industry, particularly
considering the better behaved actors don't tend to do operations themselves. Like, they provide
tools to government agencies who then use the tools, whereas here, you know, NSO actually going
out and doing the shell popping and intelligence extraction, you
know, you can wave goodbye to any sort of sovereign defense on that. But, yeah, what did you make of
this? I mean, I'll admit to being a little bit surprised that the court found in Meta's favor
here. Yeah, I mean, I was surprised, and then when I read through the Lawfare bit about kind of,
like, how it actually ended up being ruled in WhatsApp's favor, it kind of made more sense.
It also means, I think,
that it doesn't really make much of the way of precedent.
And there were some questions about, like,
what kind of punishment are they going to get?
Like, are we going to see, like, big damages?
And if they are big damages,
to what extent are they even kind of,
are they enforceable or are they a thing that you can collect?
NSO is dead. Long livesp yes exactly i was in group or whatever else. Yeah, yeah. So, I mean, it is
interesting. You can kind of see why Apple threw in the towel a while ago, because, you know, kind
of winning, you know, a spiritual but not particularly effective victory, like WhatsApp has done here, maybe is a waste of time.
And then we've still got appeals that could happen.
It could take another however many years, who knows.
And by then, probably NSO Group won't even matter anymore.
It'll be something new entirely.
Well, I mean, they've already quite diminished.
They are somewhat attenuated between the sanctions
and all of the drama. So,
uh, meanwhile now, this is an interesting one. The reports on this were sort of
surfacing late December, early January. There was an interesting attack against the publishers of
Chrome extensions, and it looks like what brought this one undone is they successfully compromised
a cybersecurity company's extension.
And this thing was designed to prevent you
from accidentally disclosing important information
into a web form or whatever,
like a phishing protection or whatever.
They're called Cyberhaven.
And they did actually wind up shipping a bad extension as a result of this campaign, but it looks like they detected it quickly and that's what brought this whole thing down.
So bad on you for getting owned, but good on you for being the ones who brought it to the public's attention.
But if you look at how this phishing attack against the publishers worked,
I mean, you know, it's impossible, I would think,
to prevent this from being successful
in a big enough team, right?
Like someone is gonna click on it.
Walk us through the actual way this worked.
Cause reading this, I was just like, man,
that is solid phishing.
Yeah, so the phish pretext is an initial email
which says, hi, we're from the Google Chrome Web
Store, your extension has violated some obscure Google policy that you didn't know about,
click here to read the stupid policy that you didn't know about. And then that leads you through
to a, like, sign in with Google, an OAuth grant flow to authorize a malicious application called, in this case,
the Privacy Policy Extension to get access to your account. And then once they've done that,
they've got permissions to upload new versions of the extension to the App Store.
And if you've ever used any of the kind of modern cloud world with lots of OAuth flows and whatever.
I was playing with Google Cloud stuff just yesterday, right?
And I ended up having to click through
all sorts of crazy OAuth grants
that I didn't really understand
because I'm using a new technology thing.
I don't really know what all the words are.
It's hard to tell which is Google internal
because in some cases,
like the Google API Explorer, for example,
is a Google app, but you have to authorize it to access your stuff as well. And it's all, you know, I can
totally see why you would fall for this. And it's just, yeah, I mean, it's a hard one to fix. And
especially, you know, OAuth is complicated, modern cloud apps are complicated. You know, in the old
days, when we had Windows apps on Windows boxes, you know, you kind of understood the framework in which you
were working in, whereas now everything's crazy web SaaS, who even knows how it's meant to work?
It's not uniform. I mean, we're not actually talking about it this week, but Dan Goodin has a great
piece up talking about the problem with passkeys. And one of the issues is like,
the UI is different everywhere, you know?
It's like, it's not a uniform experience.
And when you look at things like OAuth grants and whatever,
yeah, you don't know what they're doing.
You don't know how they interact really with your account.
You don't know quite who the publisher is,
or maybe you might, depending on the UI.
So...
And what are you even granting?
Yeah.
It says, hey, we're only going to do this.
But like, how do I know that?
Like, where's the thing that says that?
How do I check that?
Well, I mean, quite often in the UI, it will tell you.
Yeah, but like, do I trust that UI?
Like, is that the UI or is it a screenshot?
Is it a fake of the real UI?
Like, how am I supposed to tell when it's all in a browser?
You know, I live in fear of
hitting a fake password prompt because it just looks like the real thing. And in the old days,
you could, like, drag the auth window off the side of your browser and it's like, it's an
operating system window, okay, fine. Yeah, but, you know, when the browser is the operating system,
who even knows anymore? Yeah, yeah. I mean, it's, yeah, it's
interesting, right? So it looked like the malicious code added to these
extensions did things like harvest, like, Facebook session tokens and stuff. So it
doesn't look, you know, it looks more like, you know, fraud at scale, you know,
stealing Facebook accounts, right? Like nothing fancy. But you can do an awful lot with a compromised extension.
You sure can.
You sure can.
And, you know, it's funny, right?
Like the Airlock digital people who do allow listing.
I remember like years ago saying to them, like,
it's not happening now, but it's coming, right?
There's going to be people targeting extensions.
And I really think, you know, and they're like, yeah, we'll get to it. We'll get to it. And like, they did have it on
their roadmap, but I was like, they're just going, put it further up on your roadmap. They actually
shipped it. I think it was last year. And they, they told me in Slack, they're like, this will
make you really happy, Pat. We've shipped the extension allow listing. And it was funny because
that was my pet, my pet request from the Airlock people. But, you know, and even then,
like I'm not sure about their implementation.
I think it would actually handle this okay
where you've got updated code
because I don't think they did it through the Google.
I'd have to check with them,
but I don't think they did it through like Google APIs
or whatever.
I think they actually did it like on disk.
So if the code changes, like it will disallow it.
But, you know, even if you're doing it
with some sort of Google UI,
what does that mean in terms of updates?
Does it block them?
Does it allow them?
Like, I don't even know.
I think more and more,
we're going to see security tools
doing cool stuff in the browser.
You know, we've got custom browsers like Island,
which is the big, you know, enterprise browser play.
But then there's others,
like I'm doing a lot of work
with a company called Push Security
based out of England
who do like identity security in the browser
and they do some very interesting stuff there.
So more and more,
I think we're going to see identity-based attacks
targeting things like OAuth grants
and various tokens and whatever.
It's just, yeah, it's the new black, right?
Absolutely, yeah.
Attackers are going to go where the data is, where the creds are, you know, with whatever works. Yeah,
well, and an OAuth grant is the new code execution. That's kind of the way I look at it, right? That's
the new running malware. And, uh, I used to hate it when people would, you know, everyone comes up with
a buzzword when things change, and one that I really didn't like, and I do now, is like,
identity is the new perimeter, because I think that is, you know, we're far enough along
for that to actually seem kind of, yeah, true. Yeah, agreed. When you look at M365 and what that gets
you in terms of, like, other access even into physical environments and whatever. Anyway, sorry,
I'm ranting, I'm ranting. It's good to be back. Uh, it's good to be
back. Now, 2025, same as 2024 in some regards. So we've got all this new identity-is-the-new-perimeter,
but sometimes your old perimeter is still, you know, crappy old stuff like, uh, FortiGate firewalls, uh,
which apparently, Adam, have more comedy bugs in them that are being, uh... Oh my God, this Fortinet bug. All right, so, uh, in the Fortinet web interface
for their firewall, the main firewall product, and also their FortiProxy, uh, you can access
the command line console interface of the device through the web interface. So it's like a, you know,
window that pops up and gives you the command line, and the way that that works behind the scenes is
there's kind of a web socket to some kind of end point,
you know, on the web server of the device
that exposes the command line interface.
Turns out that didn't have effective auth
and you can show up and just send commands to the device to run.
Now, hang on.
You said it didn't have effective auth,
but it didn't have any auth, right?
Well, this is the funny bit. So, uh, part of Fortinet's advice, and also their, um, remembering this as you're saying about the
CVSS score, is that you do have to know the admin username, and if your admin username was a secret,
then the attacker can't get in. And Fortinet are actually full serious in their advisory saying, well, hey, you could
just change the admin username.
Is it a default, though?
I mean, the default is like admin.
Yeah.
But I mean, if you want to change it to, you know, Cheez Whiz.
Yeah.
Then, you know, you are secure. And I'm making scare quotes for the
people watching, the, you know, listening to the audio version. Well, I own some shares in Knocknoc
and I'm on their board and I'm feeling very good about that. So, yeah, yeah, because
let's, uh, yeah, web interface on the internet, Fortinet's having a bad time. Um, people are out
there using this in the wild. Like, it's just, it's everything you expect
if you have a Fortinet on your perimeter, I'm afraid. Yeah, and as I said, 2025, new year, same as
old year. Ivanti stuff is, you know, there's still Ivanti drama. Like, how do these companies, like,
maintain their value, their position, their revenue? Like, it's just, I have no idea. You know, it's one
of those things where you just sort of rage against it in an impotent way. You know, you wish you could be global overlord
for a day and just smite the wicked, starting with Ivanti and Fortinet. That would be a beautiful
thing. This, uh, this is an Ivanti bug too, actually. I have a bee in my bonnet about this one, because this
is a stack buffer overflow in their, like,
the web VPN. So in the web server that provides their TLS VPN, so, like, core functionality of the
product, and it has a stack overflow. And I went and dug up the exploit because I wanted to see,
because, I mean, stack overflows are a bug class that have been dead effectively for, you know, in
a sensible platform, for a very long time. Like, this is real proper
time warp stuff here, right? I mean, look, they've been known about and exploited, you know, I mean,
that was like early 2000s, it was, you know, stack overflows everywhere. But they were pretty easy
to find in a code base and code out, right? So easy to grep for, easy to fuzz for, easy to fix with, you
know, stack cookies and various other,
you know, compile time controls. But the thing that's most beautiful, so I went and dug up the
exploit. I think watchTowr has done a really good write-up of it. The bug is they use strcpy.
They don't use strcpy, they use strncpy, the safe version of strcpy where you specify the
length of the buffer so that it doesn't run over the buffer and corrupt memory. Except that to strncpy you have to pass the length of the destination buffer, and they pass
the length of the source buffer, i.e. the attacker provided buffer. So of course it overwrites the
destination buffer because they use the wrong length, and then there you are, security product, you're smashing the stack. Yeah, listening to the Chili
Peppers, like, well, it's 1999. Yep, yep, that's exactly, yeah, that's... And then Dan Goodin over at Ars has a
write-up of, so this is being actively exploited, but the people who are doing it have a pretty
nice set of post-intrusion tools, including one that when you try and update
your Ivanti, it gives you, like, a fake update screen that makes you think you're being updated. Like, it
has a bunch of, like, sleep statements in it to make it look like it's patching itself. It also has
tools to circumvent Ivanti's integrity checker, because when an attacker has root on the box, the
way you can fix it is by deploying a thing that checks the hashes of files on the device, and that's somehow fine. No, they just switch out the hashes
of the bad components with good ones during the checker, and the checker says everything's fine,
because instead of fixing their goddamn stack overflow, they wrote a whole, like, let's try and
hash the components and make it fine. So thank you for that, Ivanti.
Yeah, I think we need a collective om.
We do, we do, we do.
Just quickly, we'll mention this one.
We spoke about that Apache Struts 2 bug last year.
We got a report here from David Jones,
which kind of oversells the article.
The headline oversells the article.
It says, researchers warn of active exploitation
of critical Apache Struts 2 flaw.
But it turns out like it hit a honeypot somewhere.
Someone was messing around trying to get it to trigger.
I mean, you know, that doesn't seem like a campaign.
That seems like someone who's like maybe a bug bounty person
who is trying to get this exploit to work
and couldn't be bothered spinning up a Struts 2-based application
in a test network, so
they just went and found one on the net. That's what it feels like. We've all done that. So...
Well, I mean, you know, that's a crime, technically, Adam, so I wouldn't say we've all done it.
But, um, you know, you know, that's what it feels like, doesn't it? Like it was a pen tester who
just, yeah, trying to get something to work, can't be bothered spinning up a test environment. Was that your immediate take on this as well? I mean, that is
kind of what it feels like. I had a quick look in GreyNoise and there was, like, two exploit attempts
in the last couple of months against this bug, which seems a bit sus, and I don't understand why,
because, like, there's proof of concept code which looks believable to me, and, you know, the bug doesn't
seem that complicated, doesn't seem to have that
many prerequisites. So I don't know why it's not going nuts, like it seems like it should be, but it
doesn't seem to be. So there must be some other wrinkle or complexity or nuance that we don't
understand. I mean, you think about Log4j. I mean, it was the slow burn. It didn't turn into a disaster,
remember because attackers hate Java.
Yes, because Java is gross
and no one wants to have to deal with it
except a few desperate sickos.
Well, and I think Struts 2 is kind of the same, right?
And we're not going to see incredible volumes of exploitation,
but it'll be a perma-bug that's just going to trickle along.
You know,
people, I mean, I guess where Log4j really turned up was in VMware stuff when people had PoCs for that. And I think it'll be the same for the Struts 2 stuff where there's going to be some
enterprise stuff that uses it and someone will do it. Literally in the case of VMware, there's all
Struts 2 all through VMware stuff as well. So great. But I think everyone's already got all of the
VMware shell, so they probably don't need this bug.
Maybe that's what's going on.
Everything that was on to this is already shelled
by someone so you don't have to bother.
Well, but I mean, you see what I'm saying, right?
Like I can imagine someone finds a bug,
you know, finds out how to use this bug,
targeting some VMware stuff or whatever,
proof of concept hits and then people will just use it.
But you know, it's got limitless potential
if you put in the effort
to target, like, bespoke apps or whatever. Yeah, yeah, agreed completely. And, you know, I like targeting
bespoke Java apps, so, you know, good times. The U.S. Department of Justice managed to vape PlugX, which
is a piece of malware favored by Chinese APT crews. They managed to vape that off 4,200 US computers.
This is a story from John Greig.
Shame they only stuck to the US, you know?
Why not just nuke it everywhere?
But I guess, you know, they've got to scope these things, don't they?
And, you know, interesting story here.
It's always good when you see the DOJ has figured out a way
to safely uninstall bugs.
Yeah.
Sorry, malware, not bugs.
It's nice when you think how much hand-wringing there has been
about this kind of thing over the years.
I mean, now we're at the point where we can just kind of do it.
Yes, you do have to jump through a few hoops,
but we can just go do it, uninstall a couple of thousand PlugX deployments.
And I think this one was in cooperation with,
was it Sekoia, the French firm?
Yeah, and the French government, I think.
And the French government.
I think there's been a bunch of,
the French seem pretty forward thinking
at building the tools to do this
and then sharing them with other people
so that they can go do it their own way.
The Dutch were doing this 20 years ago. And at the time, I think it was
controversial then. And you're right, it's not controversial now, which somewhat connects
to the earlier conversation we had about the incoming, you know, Trump administration in
the United States, where they're going to just ditch some norms. I mean, I think we're
always trying to find the line, right? You've got to move the line and find it. But, you
know, this is one of those instances that you correctly point out.
It used to be massively controversial to do these sorts of things,
which is to execute a command on someone's computer
when it's been impacted by malware.
But now it's just like, well, that's just how it be.
Yeah, and it's kind of pragmatic.
And there's some value to pragmatism.
Yeah.
Now we're going to wrap it up here,
more or less wrap it up here, with a quick discussion on the ongoing conflict
between Russia and Ukraine,
the cyber dimension of this ongoing conflict.
Looks like, according to this story by Daryna Antoniuk,
a Russian ISP got vaped by Ukrainian hackers.
This is the second time we've seen them do something like that. This ISP, I think, is called Nodex, and, yeah, bad times being had by them. But
then we've got, you know, Ukraine restoring its state registries. I think
that happened last year, like in December last year. Some of their state
registries were vaped by the Russians, and then the Ukrainians have, you know,
breached various Russian state registries,
like their land records and property records registry, and vaped that. So, you know, it's fun
to write about, I guess. It's fun to talk about, but I don't think it really changes much, you know.
And I think that's just consistent with the theme over the last few years now, when talking about,
you know, cyber actions in this war
is that they haven't really done all that much.
No, they've certainly made a lot of trouble
for people who work in those fields
or work in those companies or are customers
or users or whatever else.
But compared to having drones fly through your apartment window
and blow up your house
or all of the other terrible things that are happening
in both Russia and Ukraine because of this conflict. Yeah, the
cyber domain has not been particularly effective other than, you know, the very, very early days of
the conflict. Um, and I know, you know, Seriously Risky Business, um, uh, sorry, Between Two Nerds
has talked a bunch around, um, you know, the extent to which cyber just has not been effective,
and it kind of continues to be that way. Yeah, that's right. Although I would probably call you
out on saying horrible things happening both in Russia and Ukraine, because it is so asymmetrical
that, yes, it's true, you know, I don't think I'm, you know, people in Russia are not suffering nearly to
the same extent that... Yeah, I mean, I guess I was thinking, like, the sysadmins at the various companies.
Well, yeah, if you're a sysadmin fighting in the cyber trenches, sure, I get what you mean.
Now, look, we're going to end with an attaboy for Mr. Brian Krebs,
who last year did some krebsing of this guy who was involved in the campaign targeting Snowflake instances.
You know, a couple of guys had been arrested.
He's like, well, there's another one,
and I'm pretty sure he works at this military base.
And, you know, he did his unpicking and doxing.
And, yeah, this guy got arrested at that military base.
So bad times ahead for him.
Yes, Cameron John Wagenius. I think it was Kiberphant0m. Uh, so, yeah, he's, uh, going to face
some criminal charges, and, yeah, it's, you know, Krebs does solid work. I think, um, Brian was saying as
well, like, 15 years of Krebs on Security, the blog. So, yeah, solid work, uh, Brian, and, uh, you know, grats
on... I don't know how he does it. Every morning, like, gets up,
you know, walks into his Pepe Silvia office and, you know, sits down and starts putting those little
red pieces of string on the wall. I mean, good on you, buddy. Good on you. That's right. That's right.
All right, man, that's actually it for the first episode back for 2025. Great to see you, great to
talk to you. It's good to be back.
It is. It's nice.
We'll do it all again next week. We certainly
will. I think next
week we'll do it in person,
aren't we? That's right. That is
absolutely right. You're going to be here at Risky Biz
HQ, so we'll do it in the flesh. That'll be fun.
I don't know how we're going to video that, but we'll figure that out.
We'll figure it out.
We'll do it live.
We'll do it live.
That was Adam Boileau there with a check of the news that we missed while we were on break.
Big thanks to him for that.
It is time for this week's sponsor interview now with Craig Rowland, who is the founder of Sandfly Security, a really interesting company that makes a Linux security product where, instead of it being an agent, it essentially goes
in, logs into all of your Linux stuff, deploys, like, tiny little binaries, you know, written in Go,
that go and collect, you know, bits of information and can detect things like configuration drift,
incidents, intrusions, whatever. It's a really novel approach to Linux security. Rob Joyce, former NSA, he's an advisor to Sandfly. And yeah,
they're really cool. So I wanted to talk to Craig, though, about how there doesn't really seem to be
a uniform approach to looking after the security and monitoring of Linux systems. A lot of companies
seem to develop their own tools, or they might use EDR,
but it's not uniform across their Linux fleet.
And I wanted to talk to him about why that is.
And I guess we started this conversation
by talking about how Linux incidents aren't as splashy
as things like ransomware.
And there's a good reason for that,
chiefly being that it's difficult to create
malware that works across a lot of Linux variants. So you tend to see a lower volume of more sort of
handcrafted attacks hitting Linux systems. So here's Craig Rowland to kick off that interview.
What you see with the Linux malware is generally it's a lot harder to get it to run across multiple
Linux systems. They tend to be incompatible with each other,
or they tend to have different configurations.
So what we find is that the Linux side just doesn't get a lot of attention
because it's not had this highly targeted, splashy, like I said,
in particular ransomware in particular.
But we definitely do know about it being targeted by more advanced groups
that are looking to do some serious damage, financial
damage, looking to steal information, looking to get inside the critical infrastructure. So it is
there. I just don't think it's received the press of, again, having a massive encryption happening
across all your Windows shares, for instance, shutting down a company. We haven't seen that
on Linux, but that does not mean people aren't operating there. They are operating on those boxes.
We just haven't seen the ransomware groups
really go after them directly as much.
No, you make a really interesting point,
which is malicious activity against Windows
is easier to scale.
It's easier to turn that into an industry,
into an illicit industry,
because it's a target-rich environment
and there's a lot of compatibility
across the different Windows.
And that's just where the knowledge base kind of is.
And if you want to go after Linux, as an attacker, you kind of need to know Linux, right? And it's going to be
every single environment is going to be different. It's almost like you're doing bespoke attacks
in every different environment you're trying to enter. Yeah, that's exactly right. I mean,
if you think about it, even from your own experience running the Linux box, I mean,
each system is going to be slightly different. So we might run into customers who are running standardized images, but it's standardized to
them, right? It doesn't necessarily mean it's what everyone else is going to see. So, and they'll
have different configuration and different hardening or sometimes no, often no hardening at
all. So at that point, you know, the attackers do need to approach each system a little bit
differently, custom exploits and things like that. Again, it's like, it's like people bash on Windows, but the one thing Windows is really good at
is backwards compatibility. You could take an EXE from 20 some years ago, it'll still run.
Linux just doesn't have it. And in a way, it's a bit of a saving grace in a way, but it also means
advanced attackers could hide. And that different configuration also means it's hard for security
teams to find them because again, they need to know about all these different ways people can get on a box
and remain there. And it gets quite difficult and complicated very quickly.
Yeah. I mean, I think another issue you've got there is that the security tooling,
like writing security tooling like EDR for Linux is fraught. I mean, we were just talking before
we got recording and you were saying that, you know, you speak to customers where they're like,
we can't do a kernel update because we think it's
going to break our EDR. And as a result, I mean, that's not good, right? Like right there, that's
not good. And as a result of that, you know, you might even have people who are just don't want
complete EDR coverage because they're worried about how brittle it makes their deployments.
It does. We run into that. There's actually an interesting case:
certain industries are required by regulation to update if there's a certain kernel level attack
over a certain CVE severity, right? So they're faced with a situation where they have to update the
kernel, but they've not had the ability to get the EDR agent updated, or they haven't been able to
test it. So what they do is they just have to shut the EDR off because they're required by these regulations to do the kernel update.
So basically the systems are, yeah, they're patched, but now there's no monitoring going
on and there won't be monitoring going on until that EDR agent is able to go through
the configuration testing necessary to make sure it's not going to crash the system.
So it does create a weird situation. It's interesting too, because you mentioned
that some organizations have a standard sort of Linux build that they use, but I'm guessing that's only
going to be in pockets of the business, right? So you have this team has this standard build, this
other team has that standard build. Like, I imagine it's extremely rare that you go
into an environment and it's one standard build everywhere. Yeah, it would be pretty rare. I think we've seen
it a couple times. But even then, once we kind of got into it, it wasn't really true, right? You know
what I mean? Well, you're going to get some configuration drift and people who need to change
because they just need to do the thing and the standard build doesn't support it. You're
going to get all sorts of drift. Sure. And these major global companies might have that level of
sophistication. Like you might look at a Google or Facebook or something like that. But for a lot of other organizations, it's just not that easy to keep everything. And a lot of companies grow by acquiring other companies. So you're rolling in this different type of diverse infrastructure, stapling it all together, and it eventually just becomes kind of a big mass of various Linux all over the place. Man, my head, I'm rubbing my temples, right? Like
just even having this conversation. And that's not even to mention, and it's something you and
I spoke about in our snake oiler slot last year, but like Linux based appliances, right? And what's
interesting too, is your product, you can get into some of them. Like if you can get an SSH shell and
reasonable level of privilege, like, it doesn't matter that it's an appliance, you can still do some stuff there. You can pull down artifacts, you can inspect the machine,
um, and that's great. But you can't get on every platform, right? Like, I think you were saying, like,
you'd love to get shell on Ivanti so that you could take a poke around those boxes, but you just
can't. Yeah, that's right about it. We'd love to get on those systems, but, you know, we just can't. There's
no easy shell access.
And yeah, we could do some things to access the shell
through various technical mechanisms
that people post online.
But at that point,
your service contract-
That's an unsupported access.
And they can patch that out too
so that you just lose it.
Yeah, we just don't want the risk.
Look, they clearly don't want us on the boxes
and we're happy to stay off
until they decide to kind of cover their senses.
Do you think they will?
I mean, do you sometimes talk
to some of these pizza box makers
and say, look, you know,
getting some shell access
to be able to do this sort of inspection
would be really useful.
I mean, I imagine they just tell you
to pound sand, right?
Yeah, we've never gotten good response to that. Yeah, we would definitely like to take a look.
Now, there are other companies that are far more open, you know, like Synology, Ubiquiti.
Those systems are fairly easy to get access to. Quite a few IP cameras are the same way;
you could get onto these systems. And there, our product works perfectly fine. We could go
in to sweep those systems as any Linux box. But there are other ones, yeah,
they just don't want you getting access to it.
Cisco's the same way.
Some of the newer Cisco gear
is basically Linux under the covers,
but to get a shell on it,
they'd have to go through different configurations
to enable it.
And we just, they just don't want us on the box.
So just going back to what you said earlier
about how Linux teams, you know,
tend to be quite small, kind of
overworked, and often even lacking some deep expertise there. I imagine that that would have
had some implications for the way that you even develop your software, right? Because you almost
need to make it something that people can use if they don't have deep, deep, deep Linux expertise. And
it is, it is really... knowing Linux is an entire career
in itself, right? Like, it's not like you can just bone up on it and get good at Linux real quick,
you know, and be able to walk into any environment and be dialed in. So, like, how do you
make a security product for Linux that's easy enough for someone who's knowledgeable but not
a specialist
to use, but without dumbing it down to the point that it's useless to the specialists, right? Like,
has that been a bit of a thing for you? I imagine that would have been a thing for you.
It is. So basically the answer is we do both, right? We provide a very high level explanation
of kind of plain English about what's going on with MITRE ATT&CK tags. And then under the covers,
you can always get to
the raw forensic data, which has really extensive raw information. So if you get, usually in the
SOC, you're going to get different tiers of people operating. You're going to get the people who are
stuck in the graveyard shift, right? And then you're going to get the really senior people
that things get kicked up to. So we provide information for both sides. So we want to get
the attention of the junior people to say, yeah, we don't want you to ignore this alert, and we want you to bump it up to someone who needs to
pay attention to it. But we do provide the information with it as well. And in a way,
even the people who are very good at Linux, sometimes we see stuff they hadn't really
considered. So we still need that basic explanation, just to let them know kind of why
this is a problem. And essentially, we just want to automate having a really pedantic 24-7 forensic investigator
just walking around your network constantly.
And that's really what we do.
So essentially, we can alleviate a lot of the headaches
with monitoring these Linux systems.
These teams frequently don't have the expertise themselves.
So we try to do it for them.
Now, just one last thing I want to talk about. Am I right in assuming that the companies that have the more secure Linux environments, it's because they do have that deep expertise and they're kind of rolling their own security tooling through a combination of, like, scripts and orchestration? And like, they're the ones who do well. And, you know, also the mega companies, where that would be their approach, like your Metas and your whatever, like you mentioned before. But everyone else is kind of cooked, because that's kind of what it feels like, because there hasn't really been a mutually agreed-upon sort of tooling approach to doing this. So you've either got to do it yourself or you don't do it. Is that kind of the state of things?
Yeah, we do see custom tooling happening. We've seen that at some companies. Some of them are quite advanced, some of them not as advanced. Sometimes we've seen products, internal tools, that kind of do what we do, but we just end up doing it better, so they end up using us instead.

But you do get this, man. That is a sales path for so many vendors I've spoken to over the years, where like people have been doing it some hacky way, and it's work, right, to maintain it. They've wound up essentially running a software product just for their own use, and then someone comes along who's just like, you know, because they've got multiple customers, like it just works better, and yeah, it is: switch to that, right?

That's what it is. We just do it better and more thoroughly. But even the advanced organizations, they still need, I think sometimes they still want to have an external set of eyes. So there's some that definitely suffer from not-invented-here syndrome, but there are definitely others that are like, yeah, we have our own internal tooling, but we want to have another way to development team. There are certain companies that absolutely do have great internal development teams, but most people can't afford that. That's a very elite level, you know, reverse engineering on staff and all sorts of stuff. Most companies don't have it. They need to go to external vendors in order to get that monitoring done.
Yeah, right. So, I mean, look, I think what we're describing right now is a mess, to be frank, which is just the general state of Linux at scale in the enterprise. And I'm not surprised. I don't think that's hysterical to say. It's just been neglected. I mean, I think, you know, we talked about ransomware earlier. And I think ransomware has done us a lot of favors in that it's forced companies to properly configure and roll out EDR everywhere. And like Windows networks these days are pretty good, largely thanks to ransomware, right? But we haven't had that in Linux yet. So it's just been, it's now at the back of the pack, I guess is what I'm getting at.
Yeah, I've joked about that in the past, that if you get a crypto miner on your system, the first thing you should do is get the address of the person who got it onto your box and send them a little bit of Bitcoin to thank them for the free audit. Because I mean, they've done you a service. So like, it's very obvious they've been there. So you know you've got a problem. Because there's definitely some more serious people that are not going to let themselves be known. And it's just a reality of it.
I mean, at this stage, you know, as we record, we don't quite know what happened with Salt Typhoon,
but I'm guessing there was some Linux hacking involved there, right? That might change the conversation a bit.
It could. Telcos run a lot of Linux. A lot of switching equipment's Linux-based, and there's just a lot of places to hide. I used to do red team. That's where I started off years ago. One of the first places we red-teamed was a hospital. One of the first systems I broke into was a box with an uptime of four years, and that always left an impression on me, because I knew we were not going to be found. And that really left an impression that unmonitored Unix and Linux systems are just very, very bad news. You don't want people, you know, like me on those boxes for any length of time. And unfortunately, today they could exist on these systems for a long time.

Just real quick on the telco switch thing, right. How do you go getting on them? Because quite often they are Linux-based, but then you get companies like Cisco who put like a weird IOS, you know, command line interpreter on top of that, so you can't actually interact with the Linux unless you've got some sort of, you know, priv that drops you into a real Linux shell. Like how do you go about doing that?

Well, it would probably depend on the vendor. And again, you're going to run into the whole service contract thing. So would it count as an unauthorized modification that you're modifying it? Telcos, even outside the switches, run a lot of other Linux outside of just the pure switching equipment, just to keep the networks going. And those we could generally access pretty much straight away, because they're not under a particular vendor's control. So there's just a lot of Linux running the infrastructure. I mean, when you pick up your mobile phone, you should just bow down and thank the gods that it actually works. There's a lot of fragile components involved with keeping it running.
Yeah. Yeah, there sure is. All right. Craig Rowland, thank you so much for joining me for that conversation all about how wonderful the state of Linux security at scale is at the moment. A disturbing conversation, but an interesting one. Cheers.
That was Craig Rowland there with this week's sponsor interview
with Sandfly Security, big thanks to them for making this week's
show possible and you can find them at sandflysecurity.com.
And as I say, I think it's a really cool concept.
I think it's a, you know, it's a cool idea.
But that is it for this week's show.
I do hope you enjoyed it.
I'll be back next week with more security news and analysis.
But until then, I've been Patrick Gray.
Thanks for listening. Thank you.