Risky Business - Risky Business #788 -- Trump targets Chris Krebs, SentinelOne
Episode Date: April 16, 2025
On this week's show Patrick Gray talks to former NSA Cybersecurity Director Rob Joyce about Donald Trump's unprecedented, unwarranted and completely bonkers political persecution of Chris Krebs and his employer SentinelOne. They also talk through the week's cybersecurity news, covering:
Mitre's stewardship of the CVE database gets its funding DOGE'd
The US signs on to the Pall Mall anti-spyware agreement
China tries to play the nation-state cyber-attribution game, but comedically badly
Hackers run their malware inside the Windows sandbox, for security against EDR
This week's episode is sponsored by open source identity provider Authentik. CEO Fletcher Heisler joins to talk through the increasing sprawl of the identity ecosystem. This episode is also available on YouTube.
Show notes
Cybersecurity industry falls silent as Trump turns ire on SentinelOne | Reuters
U.S. cyber defenders shaken by Trump's attack on their former boss
Trump Revenge Tour Targets Cyber Leaders, Elections – Krebs on Security
Wyden to block Trump's CISA nominee until agency releases report on telecoms' 'negligent cybersecurity' | The Record from Recorded Future News
Gabbard sets up DOGE-style team to cut costs, uncover intel 'weaponization'
MITRE Warns CVE Program Faces Disruption Amid US Funding Uncertainty
US to sign Pall Mall pact aimed at countering spyware abuses | The Record from Recorded Future News
Court document reveals locations of WhatsApp victims targeted by NSO spyware | TechCrunch
Spyware Maker NSO Group Is Paving a Path Back Into Trump's America | WIRED
NCSC shares technical details of spyware targeting Uyghur, Tibetan and Taiwanese groups | The Record from Recorded Future News
Risky Bulletin: Chinese APT abuses Windows Sandbox to go invisible on infected hosts
China escalates cyber fight with U.S., names alleged NSA hackers
Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs - Ars Technica
China-based SMS Phishing Triad Pivots to Banks – Krebs on Security
Risky Bulletin: CA/B Forum approves 47-days TLS certs
Ransomware in het mkb: Cybercriminelen verhogen losgeld bij cyberverzekering (Ransomware in SMEs: cybercriminals raise ransom demands when a cyber insurance policy is in place)
4chan Is Down Following What Looks to Be a Major Hack Spurred By Meme War
Transcript
Hey everyone and welcome to Risky Business, my name's Patrick Gray. This week's show is
brought to you by Authentik, which is an open source IDP play, so think kind of Okta or
Ping but open source, and we'll be joined by Authentik's very own Fletcher Heisler in
this week's sponsor interview to have a bit of a chat about how there seem to be frankly too many products in the identity space right now, sort of
fulfilling things that should be features as opposed to
entire products. That one is coming up later but of course we're gonna get into
the news now. Unfortunately Adam Boileau is very ill today so he's had to take
the day off but Mr Rob Joyce, former Cybersecurity
Director of NSA, has agreed to fill in for him today and joins me now.
Rob, thank you so much for filling in for Adam, especially at such short notice.
Always great to talk to you Pat and so sorry to hear about Adam.
Yeah man, he's like sweating at the moment and Adam if you're listening mate, we hope
you get well soon.
Now of course the first thing we're going to talk about this week is what happened last
Wednesday when US President Donald Trump signed a presidential memorandum instructing the
Department of Justice to investigate the inaugural director of CISA, Chris Krebs.
Now regular listeners would know that Chris Krebs is frequently on this program.
In fact, we even do a podcast together
sponsored by his employer, SentinelOne.
That podcast is called The Wide World of Cyber
and it's with him and Alex Stamos
and it's a really great time.
So yeah, we've obviously been paying
very close attention to the news,
but here's how major media outlets reported that story.
President Trump signed executive orders aimed at two federal officials who criticized him.
Revoking the security clearances of his former cyber security head, Chris Krebs.
This guy's a wise guy.
He said, we've been proved this is the most secure election in the history of our country.
Now this was a disaster.
Krebs' apparent crime is telling the truth
about the 2020 election.
All he did was rebuke the president's false claim
that the election wasn't stolen.
He's the broad, he's a disgrace.
So we'll find out whether or not it was a safe election.
And if it wasn't, he's got a big price to pay.
It is someone who wasn't even particularly negative about Trump.
He was just doing his job and did it successfully.
And he's a bad guy.
Here's another one.
I have no idea who he is.
Krebs.
I have no idea who he is.
Okay, so Rob, let's just break down exactly what's happened.
There has been this presidential memorandum, which seems like he's being politically targeted.
Another thing that this memorandum does is target
his employer. So it revokes the security clearances of everyone working for SentinelOne. And of
course, you know, the EDR companies that do government work, they will typically have a
few people with clearances. In this case, SentinelOne says it's something like 10 people.
This seems like what Trump has done to law firms as well to bring them to heel, which is to use canceled classifications
as a way to get them to do certain things.
There's obviously also the implication
that they will lose their government work.
I mean, it is pretty extraordinary
that the White House is actually targeting
Chris's employer in addition to Chris.
I mean, this is a form of, what would you call it?
Like blacklist, they're trying to blacklist him. Yeah, there's no precedent for this, Patrick. SentinelOne's offense really
was employing Krebs, right? And Chris is an awesome person. I was around during those election times.
I was working with Chris across the years. He had nothing but, you know, the best
intentions and organized an amazing response to be able to help secure those
elections. And, you know, to see him singled out years after the fact, as well
as SentinelOne being targeted, you know, just to put pressure around him and kind of dissuade others
from being associated.
That's a scary place to be.
Yeah, it really is.
And I mean, you know, as we just saw in that montage there, President Trump saying, well,
I like how he says he quotes from Chris directly around his comments about the 2020 election
being secure, and then goes on to say he's never heard of him which I think is quite funny but yeah I
mean the whole thing is just extraordinary. I do get the impression
that Chris's position at SentinelOne is just untenable now. I think the only
logical thing that can happen from here is that they write him a check and he
moves on because that company has an obligation
to its shareholders, to its staff.
And frankly, I know Chris a little,
I don't think he would want to cause drama
for the company either.
I mean, I'm guessing that's,
just logically if you game it out,
this is probably what's gonna happen, right?
Yeah, I don't know where it goes,
but this clash really blurs
politics and cybersecurity. So that to me makes all of us less safe.
I mean, I want to be clear too, and I did say this on Bluesky the other day, I don't
feel that SentinelOne is the bad guy here. I mean, they've issued a statement that was
pretty weak, but they're being singled out by the White House. And, you know, obviously there's an implied threat that they will lose
government work, they will lose government sales.
I don't really see how they can fight back against this unless there's some
sort of solidarity within the industry.
If every EDR company got together and said, we're pulling down all of our
people who do any classified work or information sharing, you know, unless
there was some sort of unified pushback,
I don't see that there's anything that they can do here. And that's the whole point, isn't it?
Yeah. I think Reuters asked like 36 different organizations about the SentinelOne issue,
and only one came out and commented. That was the Cyber Threat Alliance. They talked about how they were concerned.
Everybody else, all the big companies, ducked it.
They don't want to get drawn into this.
That's the problem.
It's a chilling action.
For me, I just want to thank Krebs for being an awesome American.
He continues to do the right thing.
He's getting pinched personally for this.
He'll, I imagine, have to pay a lot of lawyers' fees and that's not right for somebody who
is doing service for the country.
Yeah, I mean, you know, he showed a lot of courage last time around in 2020.
You know, I believe he and his family were receiving death threats for a long time.
You know, I don't know how he's going to play this, whether or not he's going to go low profile or whether or not he's going to be everywhere. But yes,
it's certainly not fair. Now, some listeners will be wondering also. So last week, Tuesday,
Australia time, Monday in the US, I actually recorded an episode of Wide World of Cyber
with Chris and Alex. And we did talk about Trump's policies and the firing of the
NSA leadership and, you know, cuts to CISA and things like that. I wound up publishing
that like, you know, like the day after or the day of this executive action with a note
on it saying, well, we recorded this before this action was taken. SentinelOne asked
me to pull down that podcast after it was published and I did.
I don't think that was, I personally don't think that was the right decision,
but I can also understand that for them they need to do the corporate equivalent
of curling up into a little ball at the moment. So having a podcast out there
featuring Chris talking about Trump's policies, I just thought look at the end
of the day I'll just pull it down and we'll sort it out later.
Maybe we republish it in a few weeks or whatever it is.
I just I probably should have asked them, hey, do you still want me to publish this?
But I, you know, it was just such a weird day that I just wound up doing that.
So, you know, even though that was an uncontroversial podcast, they just asked me
to pull it. And I decided to do that because I don't want to, you know, be the cause
of more problems for SentinelOne between them and the White House.
And as for the future of the Wide World of Cyber podcast, I have no idea what that looks
like.
I hope we get to continue it.
I don't know what that's going to look like.
Ask me again in a couple of weeks.
Now, look, another thing that I need to mention is Adam and I, we were due to travel to the United States, you know, week after next,
next week actually, to travel to the RSA conference and we have had to cancel
that trip and look there's several reasons for this. Australians are being
hassled a lot at the border, well everyone's being hassled a lot at the border so we
were already looking at having to bring burners with us. Burners only get you so far because if you do get singled out by
customs and they ask to search your devices and they see that they're burners,
they can use that as well. Why are you taking burners into our country sir? Now I
would have been traveling on a foreign media visa if there's one thing that
this group of people hates more than foreigners, it's journalists. So I'm like
a double threat. And one of the
things I was doing in the United States was recording a live podcast with Chris
and Alex at the RSAC. So ultimately I just decided it wasn't worth
the risk. If they are also, you know, Chris and I were in contact through his time
in government, if they are going to try to come up with some
sort of charge that he was behaving inappropriately with journalists.
The last thing I want is to be held in the United States as a material witness to some
sort of grand jury investigation.
You know, they intimated they wanted to see if he improperly disclosed classified information,
which for the record, absolutely is a ridiculous idea for anyone who knows Chris or dealt with him.
But you know, this is where we are. I am now at the point where I don't feel I can travel to the
United States under this administration and I mean what more is there to say? I mean I even
talked to you about this when I was mulling it over. It's nuts.
And as an American that makes me sad, Pat. It really does.
But I certainly understand.
And hey, I still owe Adam a Waymo ride
when he does get it back over here.
Yeah, exactly.
It's a shame. I was really looking forward to it.
Anyway, we've got a lot of other stuff to get through.
So let's just get into it.
This next one, you have already said
that you're not gonna touch it with a 10-foot pole. But the Director of National Intelligence Tulsi Gabbard in the United States
is constituting a new task force, which is, quote, designed to, you know, restore transparency and
accountability to the intelligence community. It mentions that there was, what is it, weaponization
of government against America and it's rooting
out deep-seated politicization, which is for someone who's spent 20 plus years reporting
on cybersecurity, and I've met a lot of people at these sort of agencies, they are not the
most political people I've come across, to put it mildly.
So this all seems a bit weird.
It's sort of being billed as like DOGE for the intelligence community. As I said you don't want to touch this with
a 10-foot pole so we're just going to move on to the to the next story here
which is that Senator Ron Wyden in the United States is saying he will do his
best to block Trump's nominee for the next director of CISA until DHS
releases a report into telco security.
It's an unclassified report that dates back to 2022. You know, he thinks in light
of Salt Typhoon the public deserves to see this document. It's my feeling that
the DHS won't want to release it because if they do spill the tea here the next
time they want to actually look into an industry no one will talk to them. Is that is that about the impression you
got here as well? Yeah I think it's fair and you know I do understand the worries
on SS7 and Diameter, right? SS7's an international protocol used for
setting up public switched telephone network calls and facilitating services
like SMS,
it's been demonstrated as vulnerable.
And I don't know that Senator Wyden needs
this particular report to continue to show that.
It's already, in fact, it's been on 60 Minutes
talking about insecurities in some of these protocols.
But I do think that, you know, we need a CISA director and hopefully
we can get the nominee in front of the Senate for a hearing and quick confirmation because we do
need these positions filled. That's interesting. I didn't realize it was that report. I thought
they were talking about something else about the security of like telco systems and practices,
but this was actually just a report into weaknesses in SS7.
I kind of remember when this one came out.
SS7 and Diameter.
Diameter is the next generation of protocol
that is used in some of the 4G, 5G networks.
And there was some investigations, I expect,
into how it's implemented,
because there's also a difference
between whether the protocols themselves are vulnerable
and how you implement them.
Overall, when these networks were set up,
everybody assumed it was a closed network,
and everybody who was on them was a telco,
and therefore to be trusted.
And we found that if you know, if you can find
your way into these networks, either hacking or as a company, you can do a lot of mischief
just by being inside the network that doesn't have a lot of trust.
Yeah, I mean, in light of the Salt Typhoon campaign, the advice from the US government
is for its employees to use over-the-top services, whether that's WhatsApp or iMessage or Signal, which seems like good advice and deals with the SS7 threat
as well.
I mean, the report I'd really like to see was the one that the CSRB was preparing into
Salt Typhoon, which of course is dead now because the CSRB has been disbanded.
By the way, when I've joked previously on the show about how the Trump admin will reconstitute
the CSRB and task it with proving fraud into the 2020 election, I'm only half joking.
I think that's actually on the cards.
All right, moving on to another piece here.
There's this Pall Mall pact.
It's a non-binding voluntary agreement that countries are signing, which
guides them to create policies that are designed to prevent spyware proliferation and to try
to sort of regulate that space.
From what I've seen of it, it actually looks like a pretty good idea.
Even though it's voluntary, even though it's non-binding, it gives everybody something
to work towards. Early reports said the United States would not sign the pact, but it looks like
that's actually happening now. I don't know whether that was a reversal of a position or whether or
not they just got around to it. But I think this is a really positive thing. And I was curious for
your thoughts on this because, you know, as someone who worked in the intelligence community for a
long time, I figured you'd have feelings on commercial spyware makers.
Yeah, I do think that this is a big deal, right?
In general, there's bipartisan consensus in the US that, you know, spyware for hire industry
is a problem if it's not done correctly.
And in fact, you know, there was an executive order in the previous administration that
kind of tightened down on some of the spyware and put some accountability on when the government
would use it and how.
We saw the NSO Group be pushed out and essentially driven out of the US market.
And so there is some support and I think it's kind of a hint as to this administration's
policy that that executive order wasn't pulled down and that they're willing to sign on to
this treaty or onto this agreement because I do think we're essentially trying to prevent
a cyber arms race in this space where you want the folks who
have these capabilities to at least put some consideration into how they're used, who they're
sold to, and what are the second order implications of them being a capability in the market that's
sold. Yeah, yeah, I think that's it. I mean, I wouldn't call it an arms race concern,
more of a proliferation concern, right?
Which is, yeah, you just don't want anyone
being able to hang up a shingle
and sell this stuff to whoever they please.
And the fact that that was ever possible is kind of nuts.
We have seen previous sort of international agreements
and arrangements designed to combat this stuff
most notoriously or infamously was the Wassenaar
arrangement which sought to regulate dual use technologies. I mean we talked about that at the
time a decade plus ago and it was just never really suitable for this and you know you and I
were just talking before we got recording and I think at the root of the problems with Wassenaar
were the spyware industry wasn't really clearly defined at that point.
So it was a difficult thing to know
how to get your hands around it,
which is why they were sort of trying to define exploits
as dual use technology and it all, you know,
but what if it's Metasploit?
You know, what if you're using it for pen testing?
Like there was no way for them to really do it
in a way that made sense.
Whereas now that we're further down the road,
it seems like this is something policymakers
will be able to get their hands around.
Yeah, and even in the Pall Mall discussion,
there was a German participant who said something like,
you can't slap the same rules on spyware vendors
and exploit brokers, indicating there needs
to be a need for nuance.
And hopefully they'll drag some of the industry players
into this to make sure that
you know red team tools and other things are considered. That's where some of the Wassenaar
agreements started to fall apart was they didn't have the nuance and the expert input.
Well there was never any enforcement either as best I could tell right so yeah anyway positive
step and look speaking of NSO the Meta lawsuit against NSO just keeps churning out interesting data
points. We've got one here from TechCrunch written up by Lorenzo where
it looks like 1,223 WhatsApp users in 51 countries were targeted in the
campaign that this lawsuit's about back in 2019. And it goes into which countries and everything
this happened in.
So yeah, the lawsuit just keeps delivering.
But also, we've got a story here in Wired
about NSO engaging a bunch of lobbyists in the United States
right now.
Now, previously, it looked like they were using lobbying firms
that were much more aligned with the Democrats, you know, and not surprisingly, now
they've pivoted and are looking to lobby Republican lawmakers. I mean, how do you,
first of all, how do you think they're going to go with this? And second of all,
now that we are in a less permissive environment for these companies, now that
it's clear that
if you step out of line, you're going to suffer.
Do you think it might actually be safe to let a company like NSO back into the fold,
so to speak?
Yeah.
I'm not sure on the NSO name just because of all the damage that is associated with
the Khashoggi killings and other things.
Yeah.
You're still seeing Pegasus used
in some questionable places.
Now some of that may be historical popping up,
but I do think that there's-
They went too far, is what I'm hearing here.
Yeah.
Yeah, that there's just, there's overreach.
And so, you know, the charm offensive
will only take you so far,
but who knows with the right lobbyist and the right ear,
it could happen.
Huawei tried the lobbyist route, it didn't work for them.
ZTE used some lobbyists and they did avoid
the complete death penalty.
So, you know, there's a chance,
but this is a new administration
and you gotta shoot your
shot, Pat.
Yeah, exactly right.
They'll give it a crack.
Now let's look at what it looks like when you want to get spyware onto a mobile device
and you don't have to worry about being particularly targeted.
What happens if you're trying to target an ethnic group, say?
Now we've got a report here from Suzanne Smalley over at The Record, which is a write-up of
some data out of the NCSC in the UK looking at some spyware that targets Uyghur, Tibetan
and Taiwanese groups.
And they've done this in a smart way.
The Chinese, obviously it's the Chinese.
They've done this in a really smart way in that they've just created apps that people
from those groups, from those cohorts, would like
to use.
There's like an audio Quran, there's an app called Tibet One.
I mean, it's just when you're dealing with niche sort of diasporas, creating an app that's
going to be popular among that diaspora isn't actually that hard.
And that seems to be the approach the Chinese have taken here.
So on one end, you've got the NSO stuff targeted, expensive, whatever, and then you've
got stuff like this at the other end of the spectrum which is you can just go wide by creating
sort of, I don't know, like the upper version of a watering hole, right? Yeah, seed them into the
places those target communities trust and you're going to have success. And you know this isn't
new either. China's had this playbook for a long time.
I remember there was a GhostNet operation all the way back in 2009,
where the researchers found they were going after Tibetan exile groups' computers.
And, you know, so what's old is new again, and this is just a tactic that works,
so you're going to keep going to it.
Yeah, absolutely.
Now, staying with the Chinese, my colleague,
Catalin Cimpanu in the Risky Business,
or the Risky Bulletin newsletter,
wrote up a really clever technique being used by APT10.
This is so cool.
So there is a sandbox in Windows where you can run stuff in.
And EDR basically has a hard time seeing it, right?
But the saving grace is if you run something in this sandbox, it pops up on
the screen in front of the user.
So what this crew does is they compromise the box and they set the malware to run
in the sandbox from the task scheduler in a different user account, then reboot
the box and happy days.
Like in terms of like just really simple persistence techniques
that rely on core Windows functionality, like I love to see this because it just has that slight
flavor of old school. Did you get the same sort of nostalgia vibe reading through this one?
So Adam's not here, but chef's kiss, right? That's, I am certain that is his assessment.
So it's just getting down beneath the security tools
and running on that whole system in a place
that they don't monitor or inspect the processes.
That's just really slick.
And I think, you know, PowerShell has been abused
for living off the land a lot.
And I think we're gonna see some creative sandbox
and virtualization tradecraft emerge
now that this innovation is known.
It's just creative, not too high tech,
but a whole way of thinking that others will launch off of.
Yeah, exactly.
I dug it as well.
Fun stuff.
Now, this one I expected,
and we just went through the run list, run sheet just before we got recording. I said, I imagine you won't want to touch
this one with a 10-foot pole but you surprisingly, you're happy to talk about
this one. China has alleged that the NSA hacked the Asian Winter Games or
something and to do something that I don't think they really spell out to
collect data on participants.
They've alleged that a couple of US universities were involved in this campaign.
They've dropped a bunch of names, but the whole thing, like the White House has
called this a fabrication and like a lot of these claims from China, the whole
thing just reads really weird.
Like they talk about like secret encrypted packets or something, which
sounds super spooky and it's just, it's, it's, it's a fever dream.
It's like something that was written by five eyes, but if they were, if they
had the fever that Adam's got right now, it's just deeply, deeply weird.
Like what, what's your take on this as someone who, you know, worked on the
sort of teams that, um, uh, China would allege did these sorts of things.
Yeah.
It doesn't happen in a vacuum, Pat.
It, it follows years of the US publicly attributing attacks,
indicting Chinese military personnel
for their espionage, right?
It can be seen as Beijing as a wannabe.
They want to do the public attribution game,
but they just don't know how to get there.
I really don't think it's a coincidence
that this comes right after
some diplomats screwed up to imply that the Volt Typhoon attacks
were in fact China, right? We knew that, but them owning it a bit
went too far. Just to be clear, this was in a private meeting between a Chinese diplomat and US officials where they said, yeah,
what did you expect? Of course we did Volt Typhoon, you're supporting Taiwan. And yeah, whoops. Yeah. And I think that story getting out embarrassed
them and they have to reply. But once again, it's really weak, you know, and a whole bunch
of stuff, anybody that goes and reads, you know, they talk about there was like 63% of the attacks
came directly from the United States. So which is it? It's a super secret NSA operation that came
straight from a US IP with no obfuscation or you know tons of loud things out of US IPs or it's that
high-end NSA tradecraft right? Yeah and I think the point you made too is they're name-checking
American universities because they don't really understand that in the United States the
universities don't operate as an extension of the state, right? Yeah,
just culturally they don't grok that we don't control the universities. So
they think something coming out of a university IP is government associated
when it's probably either the weak security in that environment or the open environment
that is a university is allowing it.
I mean, I think though that like it's one thing for you and me to sort of have a chuckle
about this, but I do worry sometimes that this sort of stuff can influence policymakers,
right?
Like they read about this in the mainstream press and they don't necessarily understand
what the global intelligence
dynamics are like and they might sort of be swayed by this. So I think from China's perspective it is
a smart strategy if I'm honest, but to us it's just beyond the pale because they're always denying
that they've ever done anything. Of course we don't hack, America is the big hacker and it's just
so I guess what I'm getting at is it's something that is seen one way by people who are sort of at least have some proximity to this
or just like me people who study it in the open but pay close attention so we see it one way
whereas people who are less familiar you know they might actually get they might actually fall for
this sort of stuff or be influenced by it. Yeah, it makes me a little proud though, because they're trying it because it hurts them.
So it's a reflection of the pain we are bringing them by showing their activities
and their screw-ups, right? And where they try to identify and name people, right? Back in the day,
the PLA was using their own social media apps in the middle of operations
so they could be personally identified. And then you see the i-Soon companies get name dropped
because of the leaks and things like that. I can tell you the NSA tradecraft is not going
to identify those individuals. Never has. It's not going to, right? That's why all of
this is so humorous. Yeah, I mean at those sort of, yeah, Five Eyes agencies, you don't, you can't
make mistakes like this because there's procedures around it. And I do also find it funny that they
pinned this one on TAO, which is a unit of NSA that you used to run that also has not existed
for quite some time. It is not called that anymore.
But let's move on and talk about MITRE. MITRE is warning that its funding contract with
the US government has not been renewed. It will expire basically, I think, in a couple
of days. And they're saying things could get a little bit screwy. I think Catalin, my
colleague, spoke to a source kind of close to this who said look the situation is everything will be fine
unless someone trips over a cable at the data center and then things could get
really could get really wild. Now of course MITRE is not the only
organization that issues CVEs. They're not the only company where you can say
I've got this bug I need a number. They're not the only host of this sort of information,
but of course, it is their program.
They developed it, they operate it, they coordinate it.
So funding for this program going away would be pretty bad,
but I wanna hear your thoughts on what that would mean
if MITRE was forced to step back from CVE.
So I literally swore out loud when I heard this.
The program is administered by MITRE, so they are a lot of the infrastructure. It's paid for by CISA,
which is where the problems I expect are originating as they are being cut and squeezed.
And it's run by an independent board of directors, but the content is created by those
individual vendors that are CVE naming authorities.
So as you mentioned, there still are people who can issue CVEs.
So it's a community program, but what this is doing is it's eroding the effectiveness
and the efficiency.
And like I saw in the MITRE letter or in the assessment of the MITRE things that, you know, the
web facing tools
that MITRE hosts may go away
and they're pointing you to a GitHub repository where the information exists,
but it adds the friction of getting to that information. So everything is just not as good. So I really hope industry steps up
and you know picks up the pieces of this artificially induced mess. We're gonna
need to clean out. It's another self-induced crisis that's eroding our
cybersecurity capabilities writ large and you know I expect that we will find
a way through it. You know, people will
fill the vacuum in a voluntary sense and then others hopefully will come in and restore
the programatics. But we need somebody to do it.
Stuff like this gets weird though, right? Because we've seen similar troubles with NIST, right?
Where they fell behind on, you know, data enrichment for the National Vulnerability
Database.
You know, one of the places people were going to get that contextual information was the Chinese version of their NVD, right, to try to get this information, which is nuts. I mean,
NIST is at the point where it's given up on enriching anything like older than 2018, which,
okay, fair enough, you've got to draw the line somewhere if you've got limited resources.
But that has caused problems. Like, that's caused real issues. I kind of feel like this could do
the same and probably be even worse than in this situation. Like what's your vibe as to the actual
potential impact here? Yeah, I think we'll struggle through, there'll be some, you know,
bureaucratic friction. It'll be a lot less effective and timely in the near term.
But I think we'll sort it out.
I'm an optimist, a glass half full kind of guy.
So I think we can pull together a coalition of the willing
and dig our way out.
But again, you know, it's ready fire aim.
We've shot ourselves.
Yeah, right.
Now moving on to some more sort of bread and butter cyber
security news. We've got a great write-up on this from Dan Goodin over at Ars Technica.
A researcher has uncovered a bunch of Chrome extensions that have four million installs but
are not really visible in the store. Now this suggests to me that these browser extensions
are probably being installed either via social engineering
or via malware, but that's a lot of installations.
And I just think, you know, browser extensions to me, like the risks have been so clear for
so long and it wasn't really until about December last year that the cyber security discipline
writ large kind of got that, right?
Because it just, it just wasn't really happening yet, and now it really, really is. I think most security tooling is not
really even prepared to deal with this yet, and in an identity-centric world,
getting into somebody's browser, it just gets you so much. What are your thoughts
on this one? Yeah, you've got to think twice before installing a random Chrome extension, right?
I do think that anything that lives in that browser extension world can look at all of
the data you're entering and pulling off the web.
And nowadays, everything comes through that little portal that is your browser.
So it's pretty powerful.
And I think the researcher here,
he didn't catch it outright stealing passwords,
but the infrastructure and the code were in place
to do a lot of spying on that.
What really caught my attention was these extensions
were either unlisted or really hard to find in the store. They
weren't trying to get them into your browser through the store. So now the
question is how were they getting all of these millions of
installs? Was it adware? Was it in these watering hole types of attacks?
I'm not sure, bundling or third party websites,
but the casual Chrome user wouldn't stumble
into an unlisted extension,
but it shows that they were getting hundreds of thousands
of installs for each extension, and that's pretty scary.
Yeah, bundling, I didn't think of that,
but that would explain it if it's some sort of shady
commercial arrangement to get a presence in the browser and then figure out
what to do with it later.
This research was done by someone called John Tuckner, who is with a browser
extension analysis firm called Secure Annex.
I hadn't heard of them previously, but yeah, it's good work.
So bundling makes sense.
I think the thing that counts against this being malware is we saw in
incident response to some North Korean intrusions,
where they had got malicious extensions into people's browsers, like the number of hoops
they had to jump through to do it. It's not like the old days where you got
write access on the disk and you can just do whatever you want.
Like the hoops they had to jump through to get malicious extensions into a browser were crazy. So I think that I think you probably hit the nail on the head there. Yeah, it's,
it's a case where Chrome extensions have been fruitful for attackers for a number of years.
I think in 2020 Google had to purge something like more than 500 malicious Chrome extensions.
And here we are today where, you know, independent researchers
are finding things that are not just malicious in the store, but taken through the actions.
I think John did some really good work finding shared code across a number of extensions,
extensions that talk to the same servers or ask for the
same permissions.
So he was doing some systemic searching.
And I know that Google does some things like that.
And hopefully these kind of independent research efforts will give them the leads that will
take out much more in the store that is malicious.
Yeah.
And you can go like, yeah, you might want to check the extensions.
Keep an eye on the extensions in your organizations.
But do you, do you agree with what I said earlier that maybe people haven't
really paid enough attention to this issue?
Cause I just feel like you don't hear about it nearly enough.
I agree. Browser extensions are the new malware.
Yep. Yep. Yep. That's it.
All right. So we've got another piece here from Krebs on security. This is stuff we've talked about previously, which is these Chinese operations
that are enrolling stolen cards into like mobile phones for like Apple pay or the Android equivalent
of that. And then they're doing relay attacks to people who are actually in other regions. So
relaying transactions back and forth. So we've talked about that before,
but now these groups are directly targeting
people as the bank, right?
So the pretext has changed.
It's not like, hey, you need to pay an unpaid toll
or pay a customs fee to release a package from DHL.
Now they're actually saying, it is the bank.
We need you to give us this code
and that's how they're doing the enrollment.
What's interesting though about this story
is the approach here and how this scam, this fraud
is now taking on this sort of industrial dimension,
which is very Chinese in character.
It has Chinese characteristics, shall we say,
because it just looks like they are scaling this up
like it's a well-funded startup.
At sort of series B stage,
they're in the growth phase of this.
And yeah, what a world.
Yeah, they're using messaging services.
So not the true SMS text messaging.
And so they can spam internationally at super low cost.
And that jumps over some of the carrier filtering, that
probably makes them a little more effective as well. But you're right, these
techniques get this deployed at scale, and if you have, you know, even a
half a percent hit rate and you're doing it by the thousands, hundreds of
thousands, millions, that's going to be a lot of success in the end.
Yeah, and this is really going back to that whole
identity versus authentication paradigm, right?
Where here we've got essentially an excellent technology
for authenticating transactions, but the enrollment's weak.
And that's what we see with everything,
like even a YubiKey or a passkey or whatever,
like you can have these really secure
authentication techniques, but identity is hard.
Yeah, but this campaign was something like 120 or more countries.
So this wasn't localized.
This was planetary.
This was big and at scale.
It's the Chinese, man.
It's the way they do it.
It's that industriousness.
Let's see, we've got a couple more to go here.
The CA browser forum has passed a ballot to reduce the maximum validity of TLS certificates
from 398 days to just 47 days by 2029.
Look, this just means we're gonna have to all go
to programmatic certificates, you know,
let's encrypt and whatnot.
This has been on the cards for a long time.
No surprises here.
Yes, I will need to now delegate DNS authority. Anyway, I'm
going to have to do some like, well, Adam Boileau is going to have to do some sort of
admin kung fu to get us doing programmatic certs just due to some quirks in the way we
run things. But like, it's time, isn't it? Like you can't say it's not time to do this.
Yeah, this is gonna be eight times a year.
And I think it's only gonna get faster and faster.
It lets us clean up when somebody issues a bad certificate
that it won't live in the environment for a long time.
It's also gonna give us the chance
to pay attention to that automation.
Don't be surprised if some of the exploitation
starts to take advantage of the automation as well.
But overall, I think if we can get the infrastructure
in place to roll these certificates faster,
you get more security.
You can push the bad guys out of the ecosystem faster.
Yeah, I mean, it's a net gain.
And I mean, a change like this is rooted in the fact
that we don't really have effective mechanisms for certificate revocation, right?
So that's what this is about.
Now we've got some data out of the Dutch government.
So it's from some PhD research by a man named Tom Meurs, who's a cybercrime specialist with
the police in the Netherlands.
And it looks at ransomware and payments.
And there's just two really, really interesting data points
that I feel like we need to mention
because there's policymakers who listen to this.
There's been a policy discussion about whether or not
ransomware payments should be banned.
I think this data point, there's a data point here
that really argues that you shouldn't do that,
which is that 95% of organizations that paid ransoms would have gone bankrupt otherwise, right?
So that is a very interesting data point.
And the other interesting data point here
is that organizations with cyber insurance
pay ransoms that are three times the amount,
like per incident, than people who don't have the insurance.
So it just shows that once the attackers
are in an environment, one of the first things they look for are the insurance policies to see if there's coverage,
and that really informs how much they ask for. I don't think we should be surprised by this,
but it is nice seeing some concrete research that shows it, right?
Yeah, it's showing a higher level of sophistication. The fact that they aren't
guessing random ransom amounts, that they know your policy, they know you're covered,
they know they can squeeze you for more.
Those criminals are doing their recon and their homework.
Yeah, exactly.
And finally, just to wrap up this week's show, there's been some sort of intrusion at 4chan,
which looks like there was, it looks like there was some sort of meme war between 4chan
and Soyjak, and it's spilled over into packets fired.
You know, image board people are awful,
but at least the culture's alive. That's my take on this.
I look at it like the internet tire fire that never goes out. It flares back up,
right? But, but is it a tire fire that warms the cockles of your heart in some
weird way? Yeah, I do love me a good meme war, Patrick. I do. All right. Well, that actually is it for us this
week. Rob, again, thank you not only for joining us on
short notice for you to fill in for Adam, who, yes, get better,
mate. I hope you're feeling well. I hope you're feeling better. But yeah,
thank you for not only joining us to fill in for Adam,
but also for sharing your thoughts
on the Chris Krebs situation with us.
I know there is a lot of pressure on people
in the United States to not talk about these sorts of things
at the moment.
So yeah, I think that was great what you did.
And yeah, I'll look forward to chatting to you again soon.
Happy to be here and get well soon, Adam.
That was Rob Joyce there with a look at this week's news, and big thanks again to him for that. It is time for this week's sponsor interview now with Fletcher Heisler, who is with Authentik,
that is Authentic with a K on the end, and Authentik is an open source IDP or identity provider, so you
can think of it as like a single sign-on thing that you might buy,
software as a service, but you can run it yourself, right?
So you can get it and just deploy it and do whatever you want with it.
It's turning out to be really popular in high side networks because they can't use
software as a service over the Internet, but in all sorts of situations as well.
And Authentik makes its money by doing things like selling compliance modules and whatnot.
But the guts of the product, it's free, it is open source.
And yeah, you should definitely check it out and have a play with it.
Full disclaimer here, I am an advisor to Authentik.
Now I spoke to Fletcher Heisler, who is the founder of the Authentik company, one of the
founders, about the identity space, right? Because it seems to him like there's
an awful lot of products crowding out this space that are doing stuff that the identity providers
should kind of be doing themselves. So he joined me to talk through all of that and here's what he
had to say. Yeah, identity is a very crowded space lately, and everything around identity and access,
I think we're just seeing a lot of companies crop up to solve very specific problems that,
in a lot of cases, IDPs have kind of created for themselves.
And so we're trying to be as vendor agnostic as possible, but use those products to the best of our ability,
but also let you
consolidate and not have to have a dozen different things to do something pretty straightforward sometimes.
Yeah, so why don't you walk us through some examples here?
I mean, one we were talking about before we got recording, and one example you gave us is like being able to check device health, right?
As part of an authentication flow, which is something, you know, everybody would ultimately like to do now.
If you're in the commercial ecosystem, obviously there's some great
integrations there already, like if you're a CrowdStrike plus Okta shop, you know, bang, you can get those things to work
well. But the point you were making is
not everybody's gonna want to be a CrowdStrike and Okta shop, and you might want to do your own integrations,
and that's a little bit too difficult.
Definitely, and if you have any other signals from any other products,
good luck integrating those into the rest of that flow.
So we're not looking to be a device management company.
There's obviously a lot of deeper problems to solve there,
but if you're using something else, if you're using Fleet
or you're using Google's BeyondCorp,
like the device trust connector,
you can plug those into Authentik
and use those helpful signals dynamically
as part of login authorization and so forth.
And we want you to be able to,
let's say Google adds in a new signal,
you don't have to wait for us.
You can custom map that,
you can level up security based on that,
you can change your policies very dynamically
based on whatever tool you happen to be using for that.
We're starting to build in some of those pieces ourselves.
So we're starting to build, for instance, a Windows Credential Manager, things like that, that can sit on your desktop as an agent.
And then you have similar signals coming from parts of Authentik, parts of whatever other
device trust you're using and you can match those up and level things up accordingly as well.
Now Authentik has the types of customers that tend to be perhaps a little bit more forward-looking.
I mean some of them they just have a niche requirement right which is why they're going
with Authentik, but quite a lot of them, you know, just tend to be wanting to do new stuff.
So when people are coming to you and showing you
what they're doing around these types of signals,
I mean, is there anything interesting happening there?
Is it like less EDR, more like they're
getting some exotic weird signals?
Like, what are some of the cool things people are doing to,
you know, as part of their authentication flows
to verify device trust?
So maybe I'll use like geo IP as an example.
We can all agree, especially with things like VPNs,
you know, using an IP by itself, not a surefire way
to guarantee security.
But there are a lot of really interesting things
you can do with that.
So we have a standard sort of impossible travel policy.
But you could further customize that.
So you could say, as an example, this particular team
we expect to be connecting on this network
or from these locations and even update that easily
with your various policies.
So that again, you're combining signals,
you're scoping things down to the expected usage
and you can use those results according to
what you very
specifically are expecting as your security team on the other side of the
equation. Now another thing that you've mentioned, you know, is something that you
don't feel should exist, is a lot of this like onboarding and off-boarding users
stuff, right? It is kind of strange when you think about it, when you've got
these companies that call themselves identity providers and yet there's a burgeoning market of other vendors who solely
exist to do the user provisioning.
I've always got the impression that's because the SSO slash IDP providers can't really be
bothered or don't really want to get involved in writing integrations for a million other
products where a lot of user accounts need to be provisioned. You know, I'm guessing
you're going to be wanting to do some of that, but where do you draw the line? Right? Like
how, how do you, as an identity provider go, well, maybe we're going to support, you know,
provisioning credentials from our directory, you know, through this integration into this
set of products, but like you can't play the game of trying to cover everything.
So how do you handle that and where do you draw the line?
Yeah, well, where the legacy players,
maybe Okta, Ping, et cetera, are technically ahead of us
just in years in the game, they have a vast marketplace
of these are applications we have pre-built integrations for. But it's very much an 80-20
where those have to be maintained, things change over time, you can't necessarily get all the
details you want or the customization and flexibility there. Whereas the way that we
built things with Authentik, you can reach in and modify that yourself. You don't even
have to wait for us most of the time to make any changes.
So as an example, workday is probably
a particularly nasty integration to work with most of the time.
We didn't have a pre-built one.
We were able to build that with a customer,
I think, in under a week.
And then we're able to benefit other customers by saying, yes,
here's how we did it.
Here's the policy to stand up.
But they could also reach in and custom map
any attributes they want, make full use of that
in a much more flexible way as things change over time.
We're also going to be introducing
a Blueprints marketplace, so allowing our customers,
our users, our wider community to contribute
their configurations back
so that not just us, but the rest of the community
could say, here's an integration I've built.
We can read that in, modify it, build upon that.
And then it's also kind of a group effort
that we're all stronger by sharing
our information, our configurations,
and our best practices.
So we can kind of leverage our wider community to do that as well.
Yeah, now one thing that you have also looked at recently is actually stuff like Knocknoc,
which is trying to take SSO and glue it to the network layer.
You know, you're doing some interesting stuff as well around tying
authentication to some services like SSH and RDP through like a web proxy, which
makes a lot of sense, but there's no network sort of component to that. Is
that something you're looking at as well? Are we gonna be competing? So that's the
interesting part. Things like Knocknoc, again, shouldn't exist if we'd all done
our jobs right, but I'm really
glad that they do.
And similarly, we have some overlapping functionality there.
You can get RDP and SSH in the browser.
You can SSO into legacy applications with both products.
But they've gone really deep on the networking side.
And so you can integrate Knocknoc and Authentik,
and you can make custom scripts, I think,
in Knocknoc as well.
So you can leverage all of the details,
all of the power behind both
by integrating those very flexibly together.
So that's the nice part about everything being an API,
everything being terraformable as well,
that you can have infrastructure as code as well
and repeat this in an automated way.
Sure, with another team,
they could do the same thing easily as well.
Now, one sort of unlikely integration
that's proving to be quite popular for Authentik
is actually with like, what is it,
Apple Business Manager or something?
It's like popular in schools and whatnot.
Why don't you walk us through that?
Sure, SSF. So, Shared Signals Framework is right now basically synonymous with Apple Business Manager
or School Manager. You know, it's an open protocol that could be implemented, probably will, by
some other major companies and systems eventually. We had a large school looking to roll this out for
again, device health and user enrollment.
We're now using it ourselves as well for our own employees to automatically enroll them
with an authentik account and so forth.
That was an interesting one because it started out early on just on the Okta side as an implementation.
We had to do a little bit of reverse engineering, so I'm pretty sure we're the second in terms
of IDPs to be able to offer that kind of support.
There's always the protocol of how things should be done by the standard and then the
practicalities of how things actually get implemented.
Fletcher Heisler, always a pleasure to chat to you, my friend.
Always good to talk through all of this stuff.
Great to see you.
And I believe you'll be at RSA?
We'll be at the RSA conference.
We'll be sponsoring B-Sides SF as well.
Are you doing a booth?
We are.
Wow.
There you go.
Open source project with a booth.
That's crazy times.
All right, mate.
Great to chat to you.
And I'll see you over there.
Sounds good. thanks so much.
That was Fletcher Heisler from Authentik there, big thanks to him for that, and I guess if
you want to find Authentik, just Google Authentic with a K and like SSO or identity and you
will find them. But that is it for this week's show, I do hope you enjoyed it. I'm actually
on leave next week so I'll be back in two weeks with another weekly edition of the show, but until then, I've been Patrick Gray. Thanks for listening. Thank you.