Risky Business - Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
Episode Date: March 19, 2025On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: Github Actions supply chain attack loots keys and secrets from 23k proje...cts Why a VC fund now owns a minority stake in Risky Business Media (!?!?) China doxes Taiwanese military hackers Microsoft thinks .lnk file whitespace trick isn’t worth patching but APTs sure love it CISA delivers government efficiency by re-hiring fired staff… to put them on paid leave …and Google acquires Wiz for $32bn This week’s show is sponsored by Zero Networks, and they have sent along a happy customer to talk about their experience. Aaron Steinke is Head of Infrastructure at La Trobe Financial, an asset management firm in Australia. Aaron talks through bringing modern zero-trust goodness to the reality of a technology environment that’s been around 40 years. This episode is also available on Youtube. Show notes Risky Bulletin: GitHub supply chain attack prints everyone's secrets in build logs - Risky Business Media China says Taiwan's military is behind PoisonIvy APT China identifies Taiwanese hackers allegedly behind cyberattacks and espionage | The Record from Recorded Future News Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds | The Record from Recorded Future News Lazarus Group deceives developers with 6 new malicious npm packages | CyberScoop Poisoned Windows shortcuts found to be a favorite of Chinese, Russian, N. Korean state hackers | The Record from Recorded Future News 'Mora_001' ransomware gang exploiting Fortinet bug spotlighted by CISA in January | The Record from Recorded Future News Black Basta uses brute-forcing tool to attack edge devices | Cybersecurity Dive Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court | The Record from Recorded Future News CISA works to contact probationary employees for reinstatement after court order - Nextgov/FCW ‘People Are Scared’: Inside CISA as It Reels From Trump’s Purge | WIRED The Wiretap: CISA Staff Are Cautiously Optimistic About Trump’s Pick For Director White House instructs agencies to avoid firing cybersecurity staff, email says | Reuters Signal no longer cooperating with Ukraine on Russian cyberthreats, official says | The Record from Recorded Future News Telegram CEO Pavel Durov allowed to leave France amid investigation Appellate court upholds sentence for former Uber cyber executive Joe Sullivan | The Record from Recorded Future News Google buys cloud security provider Wiz for $32 billion | The Record from Recorded Future News Pat Gray, Founder of Risky Business, Joins Decibel as Founder Advisor - Decibel
Transcript
Discussion (0)
Hey everyone and welcome to Risky Business, my name is Patrick Gray. We've got a great
week of news to get through with Adam Bralow in just a moment and then we'll be hearing
from this week's sponsor. And this week's show is brought to you by Xero Networks who
make a really cool micro-segmentation product. And those words don't normally belong together,
which is a really cool micro-segmentation product. But Xero basically automates a lot of micro-segmenting your network.
And joining us this week, instead of someone from Xero Networks, they actually had me speak
with a customer, Aaron Steinke from Latrobe Financial in Melbourne.
And yeah, he talked through why they rolled out Xero and what that experience was like,
the upshot is Aaron says it actually does what's on the tin which even surprised him.
That was actually a really fun interview so do stick around for that one.
But it is time to get into the news now with Mr Adam Boileau.
And mate we're going to start off with a story that we actually were the first media outlet to break which is this supply chain attack
That targeted a github action and it is starting to pick up now in other media reports
But this looks actually quite bad
Yeah, yeah, this is an interesting hack. We don't know who pulled this off, but what happened is there was a github action
who pulled this off, but what happened is, there was a GitHub action that people were using
called changed files that you would use
when you're kind of assembling a workflow pipeline
for building your software in GitHub.
You can pull in third party bits of tooling,
and this was one that would figure out
which files are changed in your repository.
So like a pretty widely used utility function.
Somebody gained access to some kind of
access token for one of the maintainers of this changed files utility and then they backdoored it
to rummage around in the memory of the server that's running the builds. In this case this
is going to be a server at GitHub, but presumably in a virtual machine,
and rummage through the memory and find credentials.
So secrets, passwords, credentials, tokens, keys,
whatever in memory, and then write them out to
the build log of this build process in GitHub.
So this is running in your GitHub account,
but those build logs are yours as well.
But in the case of public projects,
those logs are also public.
So the net result of all of this is that anyone who was using
this utility had the memory of their build system scraped for credentials,
and then those credentials logged in a place that
probably the attacker or indeed other people can get to, which is bad.
We're talking like 23,000 repositories used this.
And, you know, triaging what this means for each individual project is pretty difficult.
But suffice to say, if you've been using this thing, then yeah, you probably are going to be
rolling all of the credentials ever because this thing was yeah used an existing
Tool for scraping creds that appeared to be pretty good at it. So yeah smooth really. I mean it is smooth, but it's kind of a
Bit of an interesting approach right which is to just crap out like private
Material into a build log because people are gonna notice that right so? So I, you know, I'm not quite sure
I understand the thinking here.
I mean, getting, you know, getting it to connect back
to an attacker and dump stuff, I mean, well, you know,
could you even do, I don't know, I just, I've got,
I don't know what my feelings are about this one.
I don't know if it's really smart or really stupid,
basically.
Yeah, I mean, if you were connecting,
like if they had it kind of connecting back out to you
or putting in these things in a format that only the attacker could get them. It was like, for example, you were connecting, like if they had it kind of connecting back out to you or putting in these things in a format
that only the attacker could get them.
It was like, for example, you could publicly crypto them
before you dump them in the logs.
So that only you can get them.
Yeah, that was one thing I thought about.
But also like the reason they're probably not doing
a connect back is because you couldn't do that
with a GitHub action.
Yeah, I'm not sure what constraints are on that environment.
Like it may not, it may be limited
in what kind of outbound connections it can make.
But yeah, you could have done this in a way that meant that only you got the creds.
But on the other hand, there is some kind of safety in numbers where if everybody's
got access to the creds, then no one's going to know that it was you that then used them.
And if you knew this was going to happen and there was a couple of specific things you
were targeting, like if you were a North Korean, for example, and you were going after a very
specific thing, this might be a good way to sort of, you know, hide in the North.
It's not that North Koreans care.
So that's a bad example, but you know, like there might be some smart as a fox
thinking here, or it might just be dumb.
And we can't tell anymore.
Yeah, that's right.
Like can't tell if smart or stupid.
But I mean, what we can say is it's high impact and there's going to be a lot of can't tell anymore. Yeah, that's right. Like, can't tell if smart or stupid. Yeah, exactly.
I mean, what we can say is it's high impact and there's going to be a lot of people out
there who are affected by this and who don't know because they might have run a build with
this script and there's a whole bunch of their creds sitting around in a public build log
and they don't know.
And that's the bit that's bad here.
And I mean, I imagine that the team at GitHub, who have proven themselves to be really smart
over the years, you've got to wonder what they're doing here, whether or not they're
like, trying to figure out how to scale Truffle Hog to like, go through every build log that
was done over a certain period of time.
But it's a mess.
Yes.
Yeah.
And I think they are communicating with repository owners and things.
Because obviously, if you aren't a public project, then the exposure is kind of different.
Like if you're a project where there are less trusted contributors, they can see the logs kind of
thing, then maybe there's some impact there.
So yeah, a lot of repository owners are going to have to go read the advice from GitHub
and then try and figure out what it means for them.
So yeah, messy.
Yeah, definitely messy and not the sort of thing that you enjoy as a public project
maintainer.
Something like this happening.
Let's move on now and some interesting developments in China.
The Chinese government, its Ministry of State Security has done some public attribution
looking at some Taiwanese military fellows here who apparently are behind this APT group
that targets various systems in China.
I mean, we've seen the United States do this to China and a bunch of other countries previously.
You get the impression China would love to do this to NSA but can't really because NSA
is pretty good at OPSEC. If they could, they would. So there's
that angle to it. But I think the thing that makes this most interesting, and it was our colleague,
Tom Uren, who's our Policy and Intelligence editor here, his thinking around this is that
it's quite threatening because there is always the possibility that in the medium term future, Taiwan will
be invaded and annexed by China and that would make these guys' positions pretty precarious.
So there is that threat side to this, which I don't think we've seen before.
Yeah, there's also a deterrent aspect in terms of recruiting new people.
You might think twice about going to work for the Taiwanese security services
if you were worried about a mainland China invasion future,
which I'm sure they are worried about.
So yeah, it's an interesting kinda,
I mean, the actual kinda attribution part of it,
like China is kinda clumsy with it,
and the press release from the Chinese Ministry of Defense
is kinda comedic in
that Iraqi information minister kind of way where they're all on about abandoning the
fantasy of Taiwanese independence and so on and so forth.
So that's kind of worth a read just for the comedy aspect.
But yeah, it's an interesting, you know, I would be a little concerned if I was in Taiwan
for lots of reasons.
And yeah, if I was working in the cybers, that would definitely a little concerned if I was in Taiwan for lots of reasons and yeah
If I was working in the cybers that would definitely one of them too
Yeah, communists always do the best press releases though on stuff like that because it's always so although I gotta say
You know the Trump admins are getting there
They do some pretty florid writing but I remember during Trump term one some of the
Releases out of North Korea
when the whole Rocketman thing was happening,
they were just so funny.
What else have we got here?
We got a crypto exchange named OKX
shutting down a decentralized exchange that they operate
because some of the Bybit funds
were being rinsed through it apparently.
And this exchange in particular
appears to be really on the ropes because everybody's
yelling at them for, you know, kind of, you know, allegedly allowing this sort of thing
to happen previously.
And meanwhile, they're denying it and saying, we do have everything that's required of us
by law to, you know, stop these sorts of things from happening.
But you know, to me, this is just one more example of the crypto ecosystem kind of speed
running like regulations and you know compliance.
Excellent write-up from John Greig by the way over at The Record. Well done John and we've linked
through to that in the show notes but what was your take here? I suppose the interesting aspect
here to the extent that anything cryptocurrency is interesting is that this company is a front
end to other exchange platforms.
So instead of being an exchange themselves, they are a distributed exchange front end.
So they aggregate other exchanges trade offers and they provide a unified API for you to
use it or split your transfers across multiple exchanges.
So like it's kind of a money launderers delight.
And the fact that if their platform that makes money laundering
Or using other people's platforms to make exchange, you know to exchange currencies and stuff
Like the fact that then get that then gets used for money laundering seems to surprise absolutely no one
I mean, it's a bit it's a bit dr. Strange Lovian right like this is the war room. You can't fight in here
How dare you use our money
laundering machine to launder money? Yeah, exactly. Anyway, so they've said that everything the EU is
asking us to do, we're doing, and they've shut down their distributed exchange platform for a
little bit whilst they think about what they've done. But this is just the nature of the crypto
ecosystem being what it be. Yeah, yeah. And staying with North Korean crypto hacks, apparently a bunch of malicious
NPM packages have popped up as well, you know, attributed to Lazarus Group.
One of them, though, pretty funny. Talk us through it.
Yes. So this was this was based on a report from Socket Security.
I think we've had on the show as a snake order, maybe at some point.
You know, they've been a sponsor. Yeah, they've been a real sponsor.
Yeah. For us, a book of DJ. maybe at some point. They've been a sponsor. They've been a real sponsor.
Yeah, Farros a book of DJ.
Yeah.
Yes, Farros has been on Farros.
Anyway, so they wrote up this particular campaign, but it's a little personal because one of
the NPM packages that the North Koreans are typo-squatting here was one that Farros wrote
himself back before Socket started, but kind of a bit personal for him.
So yeah, I don't know whether that's a case of you know, the North Koreans
Doing it specifically because socket keeps a track of North Korean supply chain attacks or whether it's just coincidence that for us wrote a popular
Package, but either way that was a funny nuance in it. I thought yeah
So what this is just plain old typo squatting is it plain? It's just plain old typo squatting. Yes
Yeah, yeah. Oh, and just to follow up on last week, like we were talking about how
the Bybit developer downloaded and ran a Trojan Docker container, and I was wondering if that
was like supply chain. Since then, I've heard from, you know, and been pointed to a bunch of
information about the likely threat actor in this case, and they always do social edge.
So it's very unlikely to have been a supply chain thing.
What they normally do is they put out some made up job
where people can apply and there's like a coding challenge
and they'll pay you to do the coding challenge
even if you're not gonna take the job, right?
So they'll give you 500 bucks to do this coding challenge.
Just download this Docker container and off you go.
And it looks like that's probably more like what happened here, which again,
I mean, nice.
Yeah.
I mean, and exactly really.
And I mean, clearly you would hope that an employee at a company like Safe
Wallet wouldn't be running their future job
application Docker images you know the thing they're gonna like some work that
they're looking for on their corporate machine but hey everyone's working from
home everything's you know everyone's just you know winging it on their
developer Macs and you know North Koreans know how to work that game so
yeah sure do they should do and look I know they're not a VM, right? But like VMs, much
like VMs, trying to put security controls around things like Docker containers, that's
hard.
Well, I mean, and if the normal out of the box Docker experience, there really isn't
any actual isolation, right? You have to go out of your way to make it even slightly isolated
from your host OS and a lot of people don't really join those dots. They think of it like a
traditional VM when it's kind of not unless you
you know push the right buttons and have the right config and so on so
But I guess my point is more that visibility is a problem with both not so much that there's separation
You know like there's no you're right. there's no separation like there is with a VM, but there's, like it's a bit of a black hole
in terms of like security tools being able to see inside what's happening in
them. Oh yeah, yeah, yeah, absolutely, yes, yes. If you have like EDR or something on
the desktop, right, yeah, you're pretty blind as to what's going on inside a
container image. Yeah. Now moving on to another story, and this is another one
from John Grieg over at The Record here and he's
written this story about state-based actors abusing LNK files to do various things, which
you know, your first thought is like, what year is this? But then you look at the actual
nature of the quote unquote bug that's being used here, which Microsoft kind of reasonably
argues isn't actually a bug. It's not really a vulnerability. And you know, the piece sort of goes on from
there. But walk us through exactly what the what the feature abuse is, or the UI abuse
is here, Adam, because it's kind of it's it's actually kind of funny.
Yeah, so Windows LNK files are let you you kind of, shortcut files I guess is what they also get called,
they let you kind of wrap up a file or a command line
in one kind of convenient blob.
And if you see a shortcut file,
I have a little arrow kind of over there,
I'm gonna right click on them,
you can see the command they're actually gonna run
or the file they're associated with.
And the trick here is that you make an LNK file
with an innocuous looking name
and an innocuous looking icon that links to,
you know, command.com or PowerShell or EXE,
and then hides what it's doing
by putting a whole bunch of white space
in the command field.
So when you right click and inspect it,
you probably will see either nothing in the command or something kind of that,
you know, is designed to confuse you because they've used a bunch of white space
characters, you know, line feeds or tab characters or whatever else to push it
off the side of the text box.
And Microsoft kind of rightly says that that's not really a
security issue, but-
Well, it's not a vulnerability but it is a security issue because it's an absence of
security like thought, right?
Where maybe you should have some sort of format checking on these things to make sure it doesn't
happen but that's not an easy thing to do because we're talking about this before we
got recording.
It's like, well, you know, you could just prevent multiple spaces from being in there.
And it's like, oh, well, then you got tabs and then you got this and the Unicode.
And, you know, so you would actually need to introduce some sort of,
you know, format checking and parsing and like it would be it would actually be kind of hard to fix.
Yeah, I mean, it's fiddlier than it first appears,
although clearly within Microsoft's ability to do something about.
There is actually a CWE,
the common weakness enumeration designation for this kind of floor.
It's called like a misrepresentation of critical information,
user interface misrepresentation of critical information,
which is what this is.
Clearly, the fact that a bunch of APT groups,
I think the record piece says
like 11 different APT groups have been seen using this so clearly it works for them.
Well now herein lies the argument for Microsoft to do something about it right, which is that
like you can say oh it's not a problem but if you know every APT group under the sun
from here to Timbuktu is using it, well you know maybe you want to get on that and put a few people on it, you know?
Yeah, I mean, in the end there are plenty of other places in like a decent set of layered controls
that would stop this being a problem, but the fact that they are using it says that yeah, it's useful for something.
Yeah, exactly. Now, let's look at
ransomware stuff. Yet one more from John Greig today,
and there's this Mora underscore zero zero one ransomware gang, which looks like it might
have spun out of the remains of LockBit. They are exploiting the Fortinet bugs that Cissa
was warning about in January and just going off and, you know, ransom wearing because
of that. Like, I mean, it's just God rinse and repeat same headline over and over right?
Well exactly you know and clearly the fact that your security appliance gets
you compromised by ransomware like it's just deeply ironic and funny in the kind
of tragic way but yeah like how many times have we seen this headline and how
many times are Fortinet customers
going to get rinsed as a result of their fine security products?
Yeah, yeah.
And in the next piece we've got today, which is from Cybersecurity Dive, Rob Wright has
written about some work out of, I think it was Eclectic IQ, who took a look at the Black
Buster chat logs and discovered that they have their own in-house brooding, like BruteForce
tool, which they've been using to go after the same sort of devices at the edge, like VPN devices
and whatever, just brute forcing their way in and dropping ransomware. And you just, you know,
it's depressing. These last two stories are depressing. Yeah, it is kind of depressing.
And the BruteForce tool that was written in PHP, which is like, that's kind of hard mode, like respect to the BlackBastar developer that did that because like...
Coded in PHP for efficiency.
It would be so much easier to write it in literally any other language because PHP is such a pain to write stuff in.
The thing I thought was actually amusing about this was the BlackBastar leaks where this, you know, revelation came out of this, you know, the details about this tool the Black Basta leaks where this revelation came out of, the details about
this tool were in. There was also some analysis which suggested that these logs were the result
of infighting because this particular brute forcing tool had been used against a Russian
bank.
Well, we saw that at the time. We did have a bit of an idea that the infighting was because someone had used the
tools to hit targets in Russia. And that's dangerous if you're a Russian threat actor
to have your tools associated with targets. And then my fun little bit of speculation
about that was, well, if I'm Cyber Command or ASD, I'm grabbing their tools and throwing
it against Russian targets to get them in trouble like that.
You know, because you're not really, look, brute forcing a shell at a Russian bank makes
a lot of noise.
You're not going to have to do any damage to cause them trouble.
You know what I mean?
So I'd imagine if there's something that's going to actually pass the legal checks that
would be required to do an operation like that.
I reckon with the right lawyers on your side, you could probably build a case that that one's okay.
So.
That is how I feel as well.
So like if it was some friendly five-way spooks
or their associates, then good job.
And hats off to you and your lawyers.
Now staying with ransomware and an alleged developer
of the LockB bit ransomware has been
extradited to the United States from Israel.
He's a Russian Israeli national, 51 year old Rostislav Panev.
He was arrested back in August 2024 and off he goes.
He's in a world of hurt.
Like you do not want to be extradited to the United States for doing lock bit stuff.
He's going to do time.
Yeah. Like it's not going to be extradited to the United States for doing lock bit stuff. He's going to do time. Yeah, like it's not going to go super well for him. And he was one of the developers
of a bunch of the kind of tooling and plumbing. And he was getting, so they've got like chat
logs of him communicating with lock bits up. And he was making, you know, a couple of hundred
thousand dollars a year writing tooling for them. So yeah, like he's, I don't think going to have a good time with the
US legal system. No, I mean, if you're him, you have to flip as quickly and as violently as possible,
right? And just because really too underground a year, like, oh my God, what are you thinking?
All right, so now let's have a bit of a chat about what's going on in the American government and we've got a few pieces to
get through here because we've seen a bunch of people fired, a bunch of probationary staff
fired from CISA and that might be people who've just been put in new roles or whatever. I'm not
even clear on what probationary means in the context of United States government HR systems
but you know who else is not clear?
Is Doge, right, who's been instrumenting these firings.
It looks like a court has ordered that CISA rehire
the probationary people who were fired,
but they come back and they go on administrative leave,
which I guess means they're all getting a free holiday,
which just screams government efficiency. So well done, Doge.
It's so farcical. Oh, God.
And then we've got also the White House telling US federal government agencies not to fire
cybersecurity staff because it falls under the umbrella of national security work. So
stop firing cybersecurity people. You sort of wonder how many have been fired already.
A little bit difficult to get insight there.
And then we've got a story from Wired written by Eric Geller,
which talks about the vibes inside CISA at the moment,
which are really extremely not great.
And then to bookend it all, we've got another story from Tom
Brewster over at Forbes, which says that people inside SISA are broadly happy
about Sean Planky being nominated as the new head of SISA.
So a bit of a mixed bag here.
And I think really, the reason we don't try to cover this too much is because I don't
think anyone really has a complete picture of what's going on because it is very chaotic
at the moment.
Yeah. I think that definitely is the overriding feeling you get here is there's just a whole
bunch of chaos happening and I'm sure there are a great many people, you know, still at
CISA and perhaps, you know, on administrative leave right now who really just want to do
their jobs, do good work, you know, look after securing America's stuff and then, you know,
all of this is happening around them.
And it must be a very trying time to be someone that cares about their work and their country,
trying to work through this madness.
And I kind of hope they get it over and done with sooner rather than later, but we've got
the whole West of the Trump administration to go, so who knows?
But I think it's fair to say we feel for all the people that work at CESA because there aren't many listeners
there and yeah. Well in FedGov generally right like it is not a great time to be
working for the for the federal government in the United States and
obviously there's a lot of people downstream from all of that who are
affected I've spoken to founders just in the last couple of weeks and you know
government projects are just stalling out. I mean,
there should be no surprise there, but it's just like dead for a lot of stuff. It's just, you know,
stuff is no longer moving forward. You do wonder about the, you know, the knock-on effects to
economic growth in the United States too, as all of this stuff happens. But we're also seeing a
bit of pushback finally against,back finally against Musk just randomly flipping switches
and firing people inside the government.
And you sort of wonder if things are going to start to settle down because you definitely
get the impression that it can't continue like this.
But yeah, woof, not a great time.
We had some actually reporting in today's Risky Billet in about a call amongst European tech leadership to
start working on a European cloud stack and a European technology stack because
they can't rely on the Americans and the American tech stack anymore because of
all of the uncertainty and you know there's so much of America's economic
success is because of being a world leader in this stuff and developing
all these things and encouraging people
to come from other parts of the world to work there.
And you gotta look at it and think like,
what's this gonna do to that pipeline, you know?
And all of that leadership.
I mean, I think if you wanna have, play crystal ball
with how that's gonna unfold,
I think that's gonna be a heavy lift, if I'm honest.
I think it's gonna be very difficult for Europe to have
like its own Amazon or something
like that. But if you want to see what that looks like when it really picks up steam, I mean, just
look at what's happening with defence tech and spending in Europe. We've already seen Portugal
back out of the idea of buying F-35s. Canada obviously not so interested in the F-35 program
anymore. We're going to see massive investment in things like air defense, R&D
and manufacturing. In Europe, we're seeing former Volkswagen factories being considered
as new sites to build defense material, huge amounts of capital being committed. So I do
think that there's about to be a big shift in defense spending. When it comes to broader enterprise tech though,
like the R&D lift that would be required there
is just mind boggling.
So I'm not too, you know,
I think they'll use local where they can,
but try, you know, what are you gonna wind up with like,
you know, EU Linux, like a Red Star Linux equivalent?
Like, I just don't think that's realistic.
Do you sort of see where I'm coming from with that?
Yeah, obviously Linux kind of came out of Finland
in the first place, but yeah, it's obviously global open source.
Well, I'm saying that's the one that I'm saying they can have,
but they can't have, you know, Windows.
Like in a viewer or, you know, or an Amazon.
Yeah, like there's a long way to go there.
So, but you know, it's just the, it's so mad, right?
I mean, you just, you know,
you want to throw your hands in the air.
Well, and there's going to be a lot of work,
I think from the major technology providers,
they're going to have to spend a bit of time working out
how to soothe the Europeans, right?
Whether that's through restructuring their businesses,
somehow licensing deals, you know,
different processes for distributing updates.
I don't know how that's all going to work out, but yeah, it's an uncertain time, that's
for sure.
Now, we've got a really intriguing story here from Dorina Antoniuk over at The Record,
which is about the Ukrainians saying, hey, Signal is no longer cooperating with us.
They're no longer cooperating with Ukrainian law enforcement
regarding Russian cyber threats.
And what makes this intriguing is a statement
from Meredith Whitaker, who is the, I think,
what is she, the president of the Signal Foundation
or whatnot.
You know, she came out and said,
oh, well, we don't have formal, you know,
cooperation agreements with anyone
or official cooperation agreements.
And it just seemed like a pretty
carefully worded statement, which didn't
exclude the possibility that Signal was assisting Ukraine in the first place.
So it's a little bit hard to know exactly what happened here.
But
yeah, we've done a bit of speculating around the office.
You know, why don't you tell people where we landed?
Yeah, and I guess the I guess data point of what is you wouldn't expect the Ukrainians
to be feeling like they had lost something and saying it out loud if they hadn't in fact
lost something, you know, they hadn't lost some benefit.
Now, whether it's a, you know, some individuals inside Signal, you know, who have sympathy
for Ukraine's plight and are happy to help them out, you know, have been sharing information, answering their queries or whatever else, you know, because
signal doesn't have a whole bunch of information to share, but presumably whatever they do
have, you know, they may have been sharing in some capacity. But yeah, it was a little,
yeah, it was just kind of a strange one because, you know, that wording of we don't have any
official cooperation.
Well, I'll read the quote, which is we don't officially work with any government,
Ukraine or otherwise, and we never stopped. We're not sure where this came from or why.
So why isn't it we don't work with any government? Why did you need the qualifier
that it's official? You know, like that's the bit where I'm a little bit like, well, what's,
what's, you know, what's going on here? That's a bit strange.
Yeah. And you've got to think, what could they possibly
be providing?
Things like IP addresses that are accessing
a particular account, because we've
seen reports of devices being seized in the battlefield
and then used for QR code, account linking, phishing,
and stuff into signal groups.
So there may be some cases where IOCs.
Well, that would be very useful information. IP address information would be extremely useful.
Yeah. But I mean, this is coming from the Ukrainian. Yeah, this is coming from the
Ukrainian police, I think Ukrainian law enforcement. So I mean, they're not even
talking about it in terms of like military intelligence, which is where you expect this
to come from. I don't know. My point is that this whole story is just a bit strange.
Yeah, yeah, it is a little bit strange. And bit strange and you know, it's hard to know without having
better sourcing but I guess we just wanted to flag it for everybody because it's kind
of interesting, you know?
Yeah, yeah. On a similar topic, Pavel Durov, the founder of Telegram, founder and CEO of
Telegram, he has been allowed to travel home to Dubai from France. He was arrested there last year, you know, because of all of the bad stuff that happens
on Telegram and his absolute failure to do anything about it.
You know, obviously since then, Telegram has taken some, you know, small but significant
steps toward actually improving moderation on its platform.
It's committed to doing something about the CSAM all over its platform, which is, in my
view, a positive thing.
And now he's managed to negotiate going home and has put out a statement talking about
how Telegram's great at doing moderation, cooperation, and fighting crime for years
and years and years.
So he's put out a statement just saying, yeah, yeah, law enforcement.
I'm very happy.
And he's, and he's gone back to Dubai.
I mean, I guess anything that moves the needle is good.
And, you know, it's hard not to look at this as a model for like, regardless of how successful
it is, specifically in the telegram base, they did manage to get some leverage through this approach.
And you have to think like if you were the owner
of another social media network
and you were traveling around the place
and you didn't want to be, you know, and you.
You want to be able to go to Paris for it
when you cannot go to Paris.
You want to be able to go to Paris or wherever else,
then maybe that would be a thing to consider that,
you know, this might be a model they could apply to other people.
Yeah, yeah, exactly.
And we'll see if that cooperation ceases the second he sets foot in, you know, off the
plane in Dubai.
Another one from the record, another one from John Grieg, which is a report about Joe Sullivan,
who was the former Uber Chief Security Officer.
And of course, he was convicted of like a bunch of stuff,
including like misprison of a felony for failing to report
to the FTC that there had been a data breach,
which you know, the FTC's contention is that he covered it
up because he tracked down the people who actually did this
breach, got them to sign a bunch of documents and agreed
to delete data, which, you know, Sullivan kind of argued,
well, that meant that it wasn't illegal and we didn't have to report it and everything's cool now. And I remember years ago when all of
this happened, I had some sources inside Uber and I got a pretty good idea of what had happened.
And even then I said what they had done with these guys in terms of tracking them down,
paying them a bounty and getting them to sign documents was fine. Where they messed up was
failing to report it. And ultimately the courts found that to be the case. He was convicted of a
bunch of crimes. He didn't have to do any prison time. He copped a fine and whatnot.
And he's appealed it and his appeal has been overturned. Now through the whole Joe Sullivan
thing, regular listeners would know that
I thought it was a bit off base that people, CISOs, other CISOs were really worried about
like DOJ going after CISOs for doing normal CISO stuff because when you looked into the
details of this case, he was not doing normal CISO stuff.
I mean, I saw him as recently as like RSA last year. He turned
up to a thing I was at and did a talk about it. And you know, it's still his line that
this is terrible precedent and whatever. It's like, bro, you know, two courts now have found
that you broke the law. Like time to just accept it and move on. And I think it's time
for people to stop worrying about this. Like until you've read the details of the case and what he's alleged to have done, stop
worrying that the FBI are about to come and arrest you. Like it ain't happening.
Yeah, I mean in the end it's the cover-up that gets you, you know, in this
particular case. They could have been more forthright with what they were doing.
Yes, kind of retroactively claiming something was a bug bounty is a little
bit weasely, but in terms of the data that went out and then preventing it from going further and causing more
harm you know. But they were in the middle of an FTC investigation like there were
requirements there for him to report exactly this sort of thing happening and
you know anyway look he argues and it's fair enough that the DOJ were using
charges against him to try to get him to flip on Travis Kalanick, the CEO of Uber.
And look, that might be the case, but that's what happens when you commit crimes around
other people that the DOJ are looking into.
They're going to use that leverage and the decision is yours whether or not you want
to wear the charges or flip.
And he chose to wear the charges.
I just wish he'd stopped complaining about it.
I mean, I've got a bunch of friends in common with Joe Sullivan.
I can't say I've met him before, but only briefly.
I can't say I know him.
He seems like a decent guy, but he's just got to let this go.
Yeah.
Yeah.
That's dragged on for long enough and yeah, time to time to get on with life.
Yeah.
Um, now in some business news, my God, um, wh Wiz, which was founded in 2020, has just been sold or
just been acquired by Google for $32 billion.
Now, that's not a bad payday for five years.
That's incredible.
That's wild, you know?
What, 32 Instagrams?
Is that the metric? What, 32 Instagrams?
Is that the metric?
Yeah, apparently.
Which, you know, that's pretty funny.
And of course, they rebuffed the Google
offer, was it last year for something
like, was it 23?
I think it was like 23, you know?
And like how they've managed to add,
like what, $9 billion in enterprise
value in that amount of time.
Like how?
How did they, like what are they,
did they hypnotize?
Like I don't know.
I guess clouds, you know, the cloud is a big deal
these days and securing your clouds also a big deal.
But like, this is the, I think it's the biggest
security acquisition ever, right?
Like not just Google's.
We're trying to think of a bigger one
and Splunk was like 28 billion.
Yeah, like Cisco and Splunk seemed pretty big, but...
I just think the thing that spins me out about it is like how quickly they built a $32 billion
company.
And to be honest though, like everyone you ask about Wiz, they're like, oh yeah, Wiz
is great.
Like, you know, talk about satisfied customers.
Everybody sort of loves it for its core, you know, for its core stuff.
It just kind of works and does a bunch of good stuff. And I think the only thing we ever
had to do with Wiz is we had, we had them into a snake oiler slot once just to promo
one of their new product lines or whatever. And you know, it's a company that does kind
of ooze competence, right? So it is nice to see, you know, just such a success story for
founders like, Oh my God.
Yeah. I mean, it's certainly, you know, congratulations to, to Wiz. And then,
you know, I guess we will see what Google does with it. Cause I mean, you know, we've seen sort
of Google acquisitions. Cause they're so good at enterprise sales, right?
Well, yeah. Right. And you know, you've also got to wonder if you're a customer that's relying on
Wiz for services on other platforms than Google. Like if you're using it in your Amazon environment,
using it in your Azure environment.
You know, part of Google's competences.
I'm less worried about that.
I mean, you know, Google have got their sort of
cloud scene product and that's not just tied to,
you know, the Google platform and whatever.
I think, you know, they're trying to build
a product portfolio that's not just relevant to GCP
because that would be really dumb, you know?
And they're not, they might not be great than enterprise sales, but they're not that dumb.
So I'm, I'm, I'm less concerned about that. Um, now just before we wrap it up,
we've actually got a little bit of sort of risky business related news, uh,
to talk about, which is that I have a new gig.
Hmm. A new gig you say, Jessica?
Yeah. So I am, I've taken a role with Decibel Partners, which is a US-based venture capital firm,
as a founder advisor.
And I'll just sort of explain a bit of the backstory of how we got here, right?
So for many years, I've been working with companies that have been founded by this fund,
right?
Like not through any sort of arrangement, they just tend to invest in the sort of startups that by this fund, right? Like not through any sort of arrangement,
they just tend to invest in the sort of startups
that I find interesting, right?
So like RunZero is a great example of that, right?
And HD more over there.
And they're a cool fund, they do like early stage stuff.
And I got to know John Ciccota,
who's the head honcho over there,
over the last couple of years.
And at the same time, I started thinking about the future of this company, right?
Because we are a small media company in a niche.
What's the future for a company like that that I've been running almost for 20 years?
And around the same time, there was some discussions with major vendors about
potentially acquiring risky business, which why don't we get you in here to explain why you found that deeply traumatizing?
I guess there's a couple of aspects. One is I've also recently been through the process
of selling off 15 years worth of work in a big acquisition and that has upsides and downsides.
And really for me, I've been doing risky biz
for almost as long as you, right?
I've been here, what, 16 out of those 20 years?
Something like that, 16, 17, whatever it is.
And so I'm pretty invested in risky biz being a thing.
And I am concerned about anything that kind that really changes what it is we're trying
to do here.
Ultimately, I like learning about interesting new stuff happening in InfoSec and talking
about it.
Anything that changes that is concerning to me.
Being bought by a vendor may come with constraints.
Well, yeah.
Ultimately, you're going to wind up, after I mean, ultimately you're going to wind up at, you know, after a few years, you're
going to wind up working for a CMO who's interested in pushing their underperforming
product line and they're like, get on your microphone monkey dance.
Right.
And that was going to be the issue.
And so Risky Business has always had a very different model, right?
You would notice, like, I'm guessing a lot of the people listening to this, they
listen to other podcasts and they are, their fingers are sore from hitting the 30 seconds
forward button every time someone, you know, breaks from their programming to read a script for like
BetterHelp or NordVPN, right? So we've never really wanted to have that model for as long as
we've been around, we've kind of worked with sponsors and people are like, well, but does that
give you conflict? And not really, you know, it's like not really
the way that it's turned out because we put a lot of effort
into picking who we put on this platform to begin with.
And now we're just kind of moving that
a little bit earlier, right?
Where I'm gonna be working to try to start startups
with founders, you know, practitioners who might have ideas,
you know, by all means, get into my
inbox and tell me what your ideas are.
We'll see if it's something that we can develop.
And that's going to be exciting.
And then, of course, once they're ready for that, we might start floating their ideas
in the show.
They can sponsor the show.
And I can work with them on refining their message and all that good stuff.
And this was John's idea, right?
John Cicciotta, who runs Decibel, he really came to me with an alternative
to selling risky business to some vendor
and then making, destroying what I think
has sort of become a bit of an institution, right?
So this is a new business arrangement we can come to
that keeps risky business doing what risky business does.
That's certainly my, the thing that made this appealing to me was
their incentives are very much aligned with ours, right? We want to do what we do and
not really change what we do. And, you know, their interest is...
For us to keep doing what we're doing, right?
For us to keep doing. Clearly, we have right? For us to keep doing. Clearly we have similar taste in tech firms because the such a lot overlap between our
sponsors and their stable.
Yeah, that's right.
And I've already helped one company raise money through Decibel, that's Knock Knock,
which everybody would know I'm a huge fan of.
I'm on the board of Knock Knock now, so they got a little seed round through Decibel, which
was just announced today.
And I'm working in an advisory capacity
with about five or six of their companies.
Push Security is one, RunZero, Authentic,
Prowler, which is super cool,
speaking of Wiz selling for 32 billion.
Prowler's got an open source platform
that does some of the stuff that Wiz does,
but it's very good for cloud security checks and stuff,
and even remediations.
But you see what's happening here is I'm already, uh, you know, just,
just motor mouthing about it because I'm actually into this stuff.
And you know, so what, what it means is that I've been appointed to this new gig.
Uh, decibel has invested in risky business, which means that we can grow,
hire some more staff, but we're not going to mess with it.
And that's the thing that I really want people to understand is any changes we
make here, we're going to think about them carefully because we respect our audience.
As you can probably tell from this conversation, we think being transparent is really important.
But that's basically it.
Like this deal, this change, you know, more than anything just sort of seals, you know,
the future of risky business being risky business.
And that's why we did it.
And you know, I think that's about it, isn't it?
Yeah, yeah.
I mean, having a way to fund us continuing
to do what we've been doing for so long without it
being your personal sacrifice for 20 years
and turning it into a thing that has a path forward that,
as you say, doesn't involve shilling nor VPN.
Yeah, no better help scripted reads and no working for a single product vendor who's just gonna get us to push stuff like it's just you know,
obviously at some point something has to happen with the business after 20 years and I'm just really glad it's this and I am
the interesting thing for me is like it took a long time to get this thing over the line and the thing that
has maybe happiest about it is like, now I get to start
doing the work with the founders.
I'm actually very excited about that.
I am not just saying that I enjoy that sort of work and I'm looking forward
to trying to develop some new companies and new ideas and whatnot.
So as I say, if you've got an idea for a startup, you know, let me know.
I'm, I'm all ears at this point.
That is my job.
Uh, in addition to hosting this podcast, but mate, we me know. I'm all ears at this point. That is my job in addition to
hosting this podcast. But mate, we're going to wrap it up there. That is it for this week's
news segment. Thanks a bunch for joining me. We'll do it all again next week.
Yeah. Thanks, Pat. I will look forward to it and I'll see you then.
That was Adam Bailo there with a check of the week's security news and big thanks to Adam for everything that he's done for this podcast over the last at least a decade and
a half. It's time for this week's sponsor segment now and this week's show is brought
to you by Xero Networks who make a really, really cool micro segmentation product which
orchestrates existing gear within your network to deliver micro segmentation product, which orchestrates existing gear within your network
to deliver micro segmentation.
And the way it deploys is actually pretty cool
because you throw it out there and it learns
which machines talk to which machines,
and then you can sort of put it in an enforcement mode
and bang, you have micro segmentation.
Now a lot of products have promised to do this sort of thing
over the years, and they don't really, like the experience doesn't live up to the marketing claims.
So this week instead of having someone from Zero Networks actually on the show to talk
about their product, instead they suggested I speak with one of their users.
Aaron Steinke works for Latrobe Financial which is a financial services firm based in
Melbourne Australia and yeah he rolled out Zero Networks and is a very happy customer.
Obviously, a vendor is not going to give you one of their unhappy customers.
But I will say I spoke with Aaron, I don't know, for a good half an hour
after we recorded this interview.
You know, this is a guy who knows his stuff.
Absolutely, 100% knows his stuff.
And, you know, I find I found this interview
interesting because he really does mount a compelling case that what Xero claims
it can do is actually what it can do which is more than you can say about a
bunch of vendors. Anyway here's Aaron Steinkie from Latrobe Financial in
Melbourne talking about his experience in installing and spinning up Xero
Networks network micro segmentsegmentation product.
Enjoy. We're a financial institution. We are very paranoid. That's the nature of working in finance
and getting those controls over lateral movement in our network is really essential and it's a
hard thing to do and we knew it was a hard thing to do before we committed to it. But like all the most effective controls, there's a fair bit of work to get it done.
We have actually found that with Xero's product, there's actually a lot less hard work than
there is in some of the alternatives that we have played with in the past.
This is in our first rodeo.
And there's been a few failed attempts in the past to get to a proper segmented and
micro segmented network with varying degrees of success.
Yeah. So that's the interesting part, right? And I think that's one of the reasons it's
not, you know, a commonly done thing as yet, right? Is it is hard to do. It's been hard
traditionally to do it. Well, like what were the sticking points with other attempts that you'd had at this with different tooling?
With some of the other tools, you've got a huge complex rule base that you end up having
to maintain manually. There's a lot of work and a lot of feeding and watering. And even
when it goes to new product rollout where the documentation is never what it should
be, you're putting in a system
created by someone else and you know there's some weird little port that only gets used once a month
that pops up. The tooling with Xero has really made that whole automated learning process work
really well which is another one of those features that everyone promises and it...
I was actually about to say so like what you're saying is that this
time it's not all lies, right?
Because everybody's like, you just drop it and it automatically does everything.
And you know, yep.
And that's the way the weather rubber hits the road.
It really has done what that, what it said on the sticker.
Yeah.
Well, that's good.
I mean, so look, I mean, it can't have all been a hundred percent smooth sailing,
right?
I'm guessing there's still a few corners to round off.
Like, you know, if someone's thinking about doing this,
like what should they prepare themselves for?
There's a little bit of trial and error in it,
as you would expect.
We also, so here at BluTrope,
we have a network that has been chugging away
and evolving for, since the 80s.
There's some weird little hollows of legacy horror shows in there, like
there are in most places.
A few of the headaches we had were things where people had in the past tried some odd
little tricks with group policies.
And I think this is where Zero really shines is that a lot of those problematic bits and pieces that we have tried in the
past that were really complex became a lot simpler.
We have the things that require like agents is where we've had a long struggle in the
past and I've got to admit too that I was a little bit cynical when we first started talking to Peter about how the whole product runs on WinRM,
which has also been a bit of a horror show for those of us who have been around for a while.
I was cynical that it could actually perform and do its job in a timely manner. And they've
clearly done a fair bit of work in the background and got that working,
and got that working quite reliably, and it's scaling pretty well.
We haven't had any issues with latency at least not yet.
And it's funny what you were talking about, the nature of your network is like what came
across was like, yeah, there were a few sticky parts, but that was our fault, not theirs
kind of thing.
And it is.
And that's actually a problem that I've seen in the our fault, not theirs kind of thing. And it is.
And that's actually a problem that I've seen in the past too with other Microseq products.
They work great if you're in a cloud native environment, if everything is modern and shiny
and new.
And we down here in the real world where you and Adam like to rubbish us a bit, we have
to deal with some pretty horrible old school protocols that don't play nice, that aren't
predictable.
And it means things like the zero trust approach to a lot of our software has been really difficult.
With zero networks and the way that it is identity aware at the point where you're
making a network connection has let us retrofit a lot of those smarts to products that really haven't let themselves to it that
would have needed an inordinate amount of development time in their authentication mechanisms
to get us to that sort of continuous identity.
Yeah, so we're talking like essentially bolting on at least some sort of identity aware access
control onto like on-prem legacy crap, horror show, awful stuff that you can't do it any other
way.
Yep.
And I'm well, I mean, you can always do it another way, but it's not necessarily cost
effective.
And bear in mind too, that some of these products are things we have already, we already have
a ax hanging over their head, but it's a multi-year process and hundreds of thousands, if not
millions of dollars to get rid of them.
We have to do something to get us over that gap.
And it's been a real godsend.
Well, yeah, and I'd imagine too.
So I work with a company that does something similar, but for external resources, not so much internal resources.
And one thing that's really interesting that we keep hearing from people around that one, and I imagine it's the same for the internal use case, is the
that one and I imagine it's the same for the internal use case is the the user attribution you get on who's doing what on the network like actually tied down
to a user who actually exists in a directory somewhere who you can who you
can identify imagine that's that's something you're probably doing
something with that yep our security guys love it the feed that's going into
Splunk is making their eyes water in a good way.
Yes.
They are tearing up misty tears of joy.
We've even had a bit of a tinker with those high risk protocols, the SSH
into boxes, IDPs into things.
It's also letting us put in an MFA step before the firewall even gets opened,
which is really nice.
That's historically been incredibly hard.
We've had a few shots of that
with other products that don't necessarily work in that sort of segmentation model, but where they
intercept the authentication mechanism, they tend to add latency, cause bugs, cause errors,
cause headaches, because this is happening before it triggers, where you're finding it's a lot more
successful and less intrusive. Yeah. So, you know, like have you racked up any, you know, any tangible wins since you've started
doing this?
Like, is there something you can point to and say, well, that saved our bacon?
One of our biggest wins is a common audit question every time the auditors come through,
which is every five and a half minutes in a financial institution, we're getting asked
why we're not doing MSA on certain products
and protocols. And it's given us a way of implementing that. That's probably the biggest
the use case we didn't really expect to be solving that it's really got us a nice little
green tick for.
Yeah, it's funny, actually, Benny, who's the you know, the founder of Zero when I've had
him on the show previously and asked him like, what's driving growth, because I know they're growing. And he's like, man, the amount of compliance stuff that people
are just like, oh my God, I can just get this in and it solves that problem. Like they,
the security benefits like a nice benefit to the compliance side, which is like not
the way it should be, but hey, I don't know, maybe it's a good news story about compliance.
I think it is. And the other thing it has solved for us is, you know, we don't have a huge team here.
We're not, you know, we're not a noble con bank. Um,
we need something that's reasonably easy and straightforward to manage so that we can get the best out of our,
out of our people and that
it really is quite
straightforward to add exceptions where we need them to respond to do all those things.
I like to think of it as doing a bit for our network segmentation, what the likes of
Airlock do on... Yeah, yeah, yeah, yeah, for files, right? It's similar thinking,
it's similar thinking, right? Which is default deny and open up only where you need to. So, yeah.
Now we were chatting before we got recording and I actually asked, like, did
you hear of Xero Networks from the podcast?
Because you are apparently a long-term listener who's listened when I used to
put music at the end of the shows and whatnot.
And you said, yeah, you remember us talking about their remote access product, right?
So this is for people who aren't familiar, they've got their micro segmentation
thing, but Xero developed a remote access solution for people who are wanting to throw away their
horrible VPNs and get something in place that was less risky.
What they've done is they've got a VPN where all ports are closed until you MFA, until
you go through your IDP, it opens up the port and then you can go through and it's sort
of IP restricted and just a lot safer. This is good thinking is good thinking, but you that's where you actually started with them, right?
And what's funny is I know from talking to people at Xero that like that product has
been like way more successful than I think they've realized it would be, which in retrospect,
I guess kind of makes sense.
But you wanted to talk about that too, because you're a big proponent of it.
I'm a big proponent, not just because the whole ecosystem of VPN solutions sucks but also
because when we look at more modern approaches to VPNs, the Zero Trust Network Access, the
SASE solutions, the enterprise browsers, they're pretty useless to us.
We have a whole lot of legacy protocols and legacy applications and things where we have
users who directly interact with SSH,
FIT clients that use RPC all over the place, those sorts of things which the more modern approaches
don't really work that well with. We've tried enough of them to have zero confidence in them
actually being a fit for the solution. So we've sort of stuck with a more traditional VPN type
of approach. And what we had been going down the road of was sort of stuck with a more traditional VPN type of approach.
And what we had been going down the road of was sort
of segmenting our users as they VPN in so that we
could get some sort of classification and firewalling
there.
And it, again, went back to a really deep.
Well, yeah, that gets complicated real quick.
And even trying to get the sort of same class of service
when you are on prem versus remote
has been a real nightmare.
Whereas once you put the two together, the Connect and the Segment product, you end up
with that.
The user gets the same user experience, whether they are remote or in the office, and we get
that same level of security.
Whereas historically, we found that you often end up in a scenario where people have more
network access when they're on the VPN because you can't categorize them and classify them well enough.
So that's really, I think, hugely improved with a typical workforce that we have where people are
regularly working remotely these days, which they weren't pre-COVID. It's given us a much more
robust solution to how we treat those remote workers without having to completely throw out our entire stack, which as I said earlier is not a cost-effective solution at least not to happen in three months' time.
All right, well Aaron Stanky, thank you so much for joining us on Risky Business to sing the praises of one of our sponsors, which is Zero Networks, which is certainly a company we think makes cool stuff. Great to meet you and fantastic to chat to you.
Cheers.
Thank you.
That was Aaron Steinke there talking about his experience of being a Zero Networks user.
And again, Zero Networks doing one of those companies that's taken an old concept and
actually made it workable, much like Airlock Digital.
I did find it funny actually in that interview when Aaron made an Airlock reference because
that implies that he's an Airlock user.
And I can just imagine being a very sad pen tester if you landed on a network that is
running Xero Networks and Airlock Digital at the same time.
That's a bad day at the office.
But yeah, that is it for this week's show.
I do hope you enjoyed it.
I'll be back tomorrow in seriously risky business,
but until then, I've been Patrick Gray.
Thanks for listening.