Risky Business - Risky Business #789 -- Apple's AirPlay vulns are surprisingly awful
Episode Date: April 30, 2025

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:
- British retail stalwart Marks & Spencer gets cybered
- South Korean ...telco sets out to replace all its subscriber SIMs after (we assume) it lost the keymat
- It's a good exploit week! Bugs in Apple AirPlay, SAP webservers, Erlang SSH and CommVault backups
- Juice jacking! No, really! Some researchers actually did it (so still not in the wild, then)
- Anti-DOGE whistleblower sure sounds like he has a point

This week's episode is sponsored by Knocknoc, who let you glue your firewalls to your single sign on. Knocknoc's CEO Adam Pointon talks about the joy that having end-to-end IPv6 would bring for zero-trust access control. He also touches on people using Knocknoc inside their network to isolate critical systems.

Editor's Note: Pat also gives Adam (Boileau) stick in the sponsor interview about the Risky Biz webserver not having IPv6 enabled, which fact-checking during the edit says is FAKE NEWS. Just uh, don't look at how fresh that AAAA record in the DNS is, friends 😉

This episode is also available on YouTube.

Show notes
- British retailer M&S confirms being hit by 'cyber incident' amid store delays | The Record from Recorded Future News
- M&S cyber-attack linked to hacking group Scattered Spider | Marks & Spencer | The Guardian
- Bina Puri shares, Warrant B close sharply lower day after hacking
- Bina Puri, Pos Malaysia tumble following hacking incident | FMT
- Japan warns of hundreds of millions of dollars in unauthorized trades from hacked accounts | The Record from Recorded Future News
- US conducts cyberattacks against major Chinese commercial encryption provider: report - Global Times
- Iran says major cyberattack on infrastructure repelled | Iran International
- Spain rules out cyber attack - but what could have caused power cut?
- South Korea's SK Telecom begins SIM card replacement after data breach
- AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security
- iOS and Android juice jacking defenses have been trivial to bypass for years - Ars Technica
- How Android 16's new security mode will stop USB-based attacks - Android Authority
- Researchers warn of critical flaw found in Erlang OTP SSH | Cybersecurity Dive
- Critical vulnerability in SAP NetWeaver under threat of active exploitation | Cybersecurity Dive
- CVE-2025-31324: Critical SAP Flaw Explained | Strobes
- Fire In The Hole, We're Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028)
- Risky Bulletin: NFC card malware keeps evolving in Russia, a bad omen for the future - Risky Business Media
- Hegseth had unsecured internet line in Pentagon for Signal, sources say | AP News
- Whistleblower: DOGE Siphoned NLRB Case Data – Krebs on Security
- 2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf
- CISA gets a deputy director as it braces for major layoffs | Cybersecurity Dive
- Two top cyber officials resign from CISA | The Record from Recorded Future News
- Ex-CISA chief Chris Krebs leaving SentinelOne following Trump pressure | Reuters
- Former cyber official targeted by Trump speaks out after cuts to digital defense
- Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries | SentinelOne
- ZachXBT on X: "Nine hours ago a suspicious transfer was made from a potential victim for 3520 BTC ($330.7M)"
Transcript
Hey everyone and welcome back to Risky Business. My name is Patrick Gray. This week's show
is brought to you by Knock Knock. Knock Knock is a company that I'm actually on the board
of and they make a really cool technology that allows you to orchestrate network controls
via your single sign-on, right? So basically you can have a dynamic allow list,
you can have a network resource
that nobody can connect to until they SSO
and say, yes, let me have access to that resource.
Knock Knock's CEO, Adam Pointon,
will join us in this week's sponsor interview
to talk about a couple of things.
First of all, it's actually turned out
to be surprisingly popular for internal use.
Places like OT networks, supercomputing environments and whatnot.
So that's, that's an interesting thing.
And we're also going to riff a bit on IPv6 and just like the staggering security
benefit that v6 can deliver.
It really is the thing that unlocks the zero trust model.
And you know, once you're playing around with technology like this,
you start seeing that really, really clearly. So that's a fun chat and it's coming up
after the news with Adam Boileau, which starts now. And Adam, we're gonna kick off with the news that a ransomware incident at the British retailer
Marks and Spencer, this has sort of been unfolding over the last week.
It started with reports of, as these often do,
started with reports of a minor cyber incident, you know, nothing to worry about, everything's fine.
Then you flash forward a week, they've lost half a billion pounds in market cap from their share price tanking,
they're standing down hundreds of staff, online sales disabled, just a complete mess.
Yeah, there's, you know, pictures of empty shelves and that's just not a good look for a retailer,
that's for sure.
We have seen reports that this may involve Scattered Spider, which is a group that was
behind the attacks on the casinos in Las Vegas sometime last year.
They may have deployed ransomware into Marks and Spencer. And that's kind of interesting because they've been pretty quiet lately,
you know, after a bit of law enforcement attention, you know,
after the casino attacks and other things.
Yeah, that was actually in 2023. I just checked that while you were chatting.
Yeah, I know. That's why it's like time, time just flies,
but it is interesting seeing a group. Well, I mean a group in air quotes,
like Scattered Spider, which is, yeah, it's like you've got the Com and then you've got
these sort of adjacent clusters, I guess, like Scattered Spider, Lapsus and whatnot.
But they tend to be young people in English speaking countries doing this stuff. And I'm
guessing something like this, you would have to think they're going to get caught, right? Like a lot of the people behind the MGM stuff did.
Yeah, you would kind of expect so.
And, you know, Marks & Spencer is such sort of British institution that I can see it being a
sensible target for, you know, the kind of British kids that are going to be part of that, you know,
the Com, Scattered Spider, octopus, Lapsus, you know, kind of crowd, you know, just because of the
publicity it's going to get, but it is going to get law enforcement attention.
And that crew is not really known for their opsec.
So yeah, probably going to end badly.
I was predicting very quick arrests after the last time we saw this particular cluster
of people, you know, doing the casino hacks and stuff,
I expected handcuffs on them the next week and it did take a while.
It did. Yeah, and I guess there's, you know, there's a lot of people involved,
there's a lot to unwrap them and, you know, it's not much fun for law enforcement having to dig
through these kinds of communities to make the connections, but yeah, OpSec is not their watchword.
So I'm sure in time we will see people in cuffs.
Yeah, they'll get, they'll catch up with them eventually,
I think seems to be the thing now.
In other sort of criminal activity on the internets,
we're seeing reports out of both Malaysia and Japan
of attackers obtaining access to brokerage accounts,
like owning people's, you know, people's stockbroking accounts.
And what they do once they've obtained access
to those accounts is they sell all of that customer,
all of the shares in that account,
and then they use the funds in the account again
to buy penny stocks that they already own, right?
So they'll buy some penny stocks
in some Chinese company or whatever,
or in this case, one of these cases, a Malaysian company, and then they just buy, buy, buy, buy, buy, which pushes the
price up as well.
And, you know, just gets all of the money out of that account and into their pockets.
I mean, one of the things that's kept a lid on these types of scams in the past is financial
regulators, right, are able to, you know, in some cases, roll back trades and, you know,
very easily track who was behind this trading activity. But I guess the thing that makes it
different in this case is, you know, it's a much more, you know, interconnected world these days.
And if you can do this with like Chinese penny stocks, I mean, good luck catching the people who
did it. Yeah, yeah, exactly. Like as we get more and more interconnected in terms of financial markets and things,
it just unraveling the stuff becomes more and more difficult.
And I think in both of these cases,
we're seeing sort of a password reuse.
So account takeover because they've got
either infostealers or reusing credentials
from other cred dumps or whatever else.
So pretty normal from a cyber technique point of view, but we've often talked about how
innovation and turning cyber skills into money is where we see crime really boom.
When you come up with a new way to cash out, then off you go and repeat that around the
world.
Yeah.
I mean, this is not a new thing.
We've been seeing this sort of thing done many, many times over the years.
I think one thing that's interesting here though is the scale.
So I think in Japan the regulators there are reporting that something like, yeah, 350 million
dollars worth of shares were cashed out, and they used those funds to purchase...
$315 million of that was used then to bid up penny stocks, which is just crazy.
Yeah, yeah, yeah.
We've seen some quite large price changes in markets in Malaysia as a result.
So yeah, the scale of this I think is what made us want to stick it in the list to talk
about this week because two in the same week and both of
them pretty reasonable size. Yeah, it's interesting.
Yeah. I mean, I think the reporting here from Japan is sort of describing more of an ongoing
activity and the one in Malaysia was just one event. But yeah, we've dropped links into
this week's show notes. Everybody can go have a look at that.
Speaking of markets and price movements, this one's just too funny not to include. But someone stole
3520 Bitcoin, I'm guessing from it. It just says from a potential victim, we're going
off a Zach XBT tweet here. So about $330 million worth of Bitcoin. And to launder it, they
just decided, hey, I'm going to just throw it all into Monero. And the hilarious thing was it caused the price of Monero to spike 50%
because there were so many bids on it.
Right.
It's kind of funny when you see that, you know, the scale of cryptocurrency
things that you can do, like when you're stealing that kind of amount of money,
trying to launder it all at once. You know, it kind of makes me wonder whether,
you know, can you make more money than you stole through this kind of, like,
manipulating the pricing in the money laundering markets?
Because I don't know, it's all pretty wild.
I mean, I did see some other reporting.
I think Catalin had some reporting in today's newsletter that we were proofreading earlier
that said it was like an individual private investor lost the 300 and whatever million, so it sucks to be
them. But yeah, like, it's just, it's so funny watching a speedrun of all of this,
you know, financial crime learning all at once. Yeah, now we've got a report from
the Global Times, the Chinese Global Times, and so reliable, so reliable, so
reliable. Um, so this is very, very, uh, for reasons that will become obvious very
soon.
Let me just read from it.
China's Cyberspace Security Association revealed in a report on Monday that the
country's national computer network emergency response technical team, CNCERT,
had detected and handled a cyber attack
launched by US intelligence agencies against a major Chinese commercial
encryption provider. So you hear that Adam? They detected it and it's handled.
It's handled. And then you read the report and it talks about how
throughout 2024 suspected US intelligence agencies owned their CRM and
also owned their repos and stole something like 950 megabytes and then something like
6.2 gigabytes.
So by handled, I don't know exactly what they mean by handled.
You know, they handled it, they repelled it after all of their source was stolen and all
of their CRM data was stolen.
But look, you alluded to this as well, like who knows what actually happened here.
Well, yeah, exactly.
I know when we were talking about this beforehand, the thing that came to my mind was, well,
when the Chinese hacked RSA and stole all of their key material for all of their hardware
RSA tokens, the SecurID tokens.
I guess RSA handled that too.
Yeah.
Having to reissue all of the tokens
to their entire customer base after it
had been used to break into military industrial complex
companies and onwards.
Yeah, totally handled.
But yeah, it's always funny when we
see China do the same kind of name and shamey sort
of attribution that we have been doing to them for so long,
but just kind of less well.
Yeah, I mean, there is that.
I mean, I think also the story talks
about how there is a concern that the source
code for this stuff was tampered with.
So again, well handled.
It's been totally handled when all of your source code is gone and you wonder about the integrity of it.
I just say, yeah, I just find that very, very Chinese media, right?
Yeah, I mean, it's a good thing that the US doesn't have a background in, you know, manipulating other people's crypto systems for long term access and profit.
Yeah.
Dear, oh dear. Sucks to be you, China.
Now also, Iran has also repelled a major cyber attack on its infrastructure, it says.
Now this comes hot on the heels of a giant fire which ripped through a port, which who
knows what was behind that.
But when things start going bang in Iran, when Donald Trump is president, you do kind of wonder if a lot of the bad things are happening as a result of the US government
or perhaps the Israeli government.
But yeah, apparently Iran said it has foiled a major cyber attack.
I mean, yeah, they haven't provided details except that it was very complicated and very
big and very taken care of and don't worry about a thing.
And presumably unrelated
to the fact that their containers full of rocket fuel blew up in the port.
Yes, complete coincidence. Yes, again they handled it. They foiled it by turning it into
atmospheric pollution. That's right, they foiled an attack after it happened. But no, look, I have no doubt
that they probably, you know, found some other stuff and whatnot.
Now look, in news out of Europe, a lot of people would have seen that there was a major blackout, like a power systems failure,
in Spain and Portugal earlier this week, and the usual people were sort of jumping up and down and saying, oh, what if this is cyber war? Could be Russia?
Indeed, I think one Spanish government body actually said, oh, we think this might be a cyber attack. But then they quickly walked it back. Portugal says no to cyber as well. And now it looks like Spain has ruled it out.
So probably a squirrel.
Probably, yeah. I did see some conversation about the amount
of renewable energy resources in Spain,
and we have seen plenty of speculation
about the ability to attack those
and cause downstream problems in the rest of the power grid.
But yeah, there is just no suggestion
that it's anything other than Spanish squirrels.
Yeah, and it's interesting that you mentioned that though,
because the research that we spoke about recently
was really about how you could
manipulate some of these like solar controllers and stuff to desynchronize them from the grid,
which is actually what happened in this case.
There was a desync.
The, you know, the frequency of the power actually dropped below 50 Hertz, which caused
a cascading failure and whatnot, but you know, probably some damage to a line or something like that.
And you know, again, not even probably due to renewables per se.
But moving on, and this one is interesting. Something really bad happened to a South Korean telecom called SK Telecom
because they are replacing the SIM cards of all of their customers.
They have 20 million-ish customers, I think, and they only
have a million SIM cards on hand, so they're having to order a bunch more and this is going
to be a bit of a long-term project. But you and I were talking about this and the only thing that
we can come up with is that the key material, the private key material for those SIM cards,
must have been stored somewhere in the telco and someone got their hands on it.
Well, yeah, that's the conclusion you end up arriving at because I've been in plenty of
telco security meetings and the level of badness that it would take for them to roll, like
physically replace the SIM cards of the entire subscriber base, like no one wants to say
yes to that.
No one wants to do that.
So it has to be like nose rubbing in bad for them to suck it up and do it.
So presumably someone was in a position to get to the HLR, the place where the keys are stored for those SIM cards.
The way SIM keying works, there is basically a symmetric key that's stored in the SIM and at the telco.
And if you nick it, now you can clone SIM cards, you can become anybody, et cetera, et cetera.
You just answered the question I was gonna have,
which is why are they storing private keys?
Yeah, so it is actually symmetric
because this stuff goes back to the GSM era
when doing asymmetric crypto in a tiny SIM card
probably wasn't super feasible.
So anyway, that's what I imagine happened. Early reports. So,
Catalin had some coverage of SK Telecom having an issue, I want to say, a couple of weeks ago.
And that said, it made it sound like there had been some data theft. Like, they had a
machine compromised and they had access to some customer data and they were, you know,
sort of warning customers. But it sounds like, you know, I guess it had access to maybe backups of the HLR,
maybe the HLR itself,
or they pulled the thread and realized
that it wasn't just a single machine,
it was actually domain admin and everything,
and oh God, you know, and here we are, you know,
trying to, like, there's apparently queues
outside mobile phone stores in South Korea
where customers have been told they have to show up
and get a new SIM card, and then the store's like we only had a hundred, now what are we going to do?
So it's all very big mess.
It's funny what you mentioned about reports of a data breach in a telco.
It's usually like, a subscriber names, addresses, emails, right?
You just sort of read that and think, whatever.
And then it's like, oh no, they stole the keys for everybody.
And whoever did it, good job, good job. Yeah. Now let's talk about some awesome research here from a company called
Oligo Security, which is having a look in the AirPlay protocol, Apple's AirPlay,
excuse me, AirPlay protocol and the implementation thereof.
They've found a bunch of really cool bugs in Airplay.
So if you could get on the WiFi network,
the same WiFi network as an AirPlay device, you can own it.
And this is not just, this doesn't just affect Apple devices,
this affects third-party devices as well,
which I think is probably the more insidious bit to this
because Apple's patched this stuff, right?
Like you probably installed the patch for this months ago.
Whereas,
you know, if you've got some
Sony TV or whatever that supports AirPlay, these bugs are going to be in stuff like that forever.
Yeah, so a lot of other companies that implement AirPlay use Apple's SDKs to do so. Some of these bugs are in
code that's part of those SDKs. There's also bits
of AirPlay shared in things like CarPlay. So these bugs are applicable to plugging an Apple
device into your car and doing the screen sharing, audio sharing thing. There's a range
of bugs. At least one of them is, like, kind of zero user interaction required, affected macOS and the other Apple
systems as well.
The guts of it comes down to that in the network protocol, they use Apple's plist format,
which is a sort of a, I guess, kind of like, imagine like the Windows registry format.
Plists are kind of used in similar sorts of ways for storing key and value pairs and then
either on disk or passing them around. Anyway, the parsing code for the plists used
to parse information for the AirPlay wire protocol
has been a bit fast and loose.
And there's some, like, use-after-frees
and some other bits and pieces like that.
You know, you don't really expect from Apple these days,
but there's probably quite a long tail on this code base.
But yeah, this company has pulled that thread,
identified a number of bugs,
and demonstrated exploitability,
some with zero interaction,
some with some degree of user interaction required
across Apple devices, third party things like
AirPlay speakers and TVs,
and car head-end units via CarPlay.
So pretty comprehensive research.
Uh, and yes, the long tail of non-Apple devices is the real problem here.
Yeah.
It's interesting what you say about this stuff, probably dating quite, you know,
a ways back because you read about these bugs and they feel old school, right?
Like it doesn't feel like the sort of stuff that you should find
in a modern Apple device.
No, no.
I find that's, you know, you know, they've been writing code for a long time and, you know,
this is, you know, I guess a sort of an obscure-ish corner of their code base compared to like,
you know, WebKit or iCloud or, you know, things like that that get a whole bunch of attention
like iOS bootloaders and things like that.
So yeah, interesting niche and I, you know, I was reminded of like Mark Dowd bugs in like the AirDrop sharing protocols as well.
And that also was like super weird old school, like UNIX CPIO archive path traversal or something.
So, you know, there are some corpses in Apple's cupboard, Apple's closet, wherever you put corpses in the metaphor.
I don't know.
I actually I was in Sydney last week on my break, had a wonderful time down there, went
with the whole family and I actually had a chance to have dinner with Mark Dowd last
week.
Oh nice.
So that was a lot of fun as well.
So I joked on Blue Sky, I went to Sydney and saw the sights, like the Sydney Harbour Bridge,
the Opera House and of course, Mark Dowd.
Yes.
I tell you, he's still very much enjoying hacking the internets, which is good to see.
It's good when your, when your friends have a passion.
It's great.
Or sickness.
Exactly.
And he sure does have it.
He's one or the other.
You're quite right.
Now let's have a chat about juice jacking, right?
Because this is one of those things where, you know, the advice for so many years is
like don't use public wifi and never plug your phone into the, you know, this is sort
of out of date advice that doesn't really, you know, help anyone.
But we're actually, we've actually got some research here into a potential juice jacking
attack that would have worked quite well.
Thank you very much. This is a bit of research. It's called ChoiceJacking. We've got Dan Goodin's
write-up on this one from Ars Technica. Yeah, when I was going through preparing
the run sheet for the show and I saw the juice jacking in the headline and I just
immediately went, paste down next, didn't even read it. And then I'm like, it is a
Dan article. Like he probably, I guess I'll go back around. I'm really glad I did,
because it is actually what you want in a juice jacking bug.
I think there's some researchers from,
were they an Austrian university maybe?
Yes, a university in Austria.
And they came up with the actual juice jacking bug
that you want.
Plug in a modern, fully patched Apple device or Android
into what you think is a power-only connector
and receive disk access to the device
and steal data off it, right?
That's, you know, with no user interaction required.
And that's, like, I was super curious,
like, how did they actually do it?
How did it work?
And it's super interesting.
So if you'll indulge me, I'll walk you through the bug.
Well, that was gonna be my next question.
How does it work?
I'm afraid to tell Adam.
I'm gonna tell you, even if you hadn't asked,
I'm gonna tell you.
So this is super cool.
So you plug in the USB device,
it initially pretends to be a keyboard.
It injects keystrokes into the device
to get to the Bluetooth pairing settings menu,
triggers Bluetooth discovery,
and then at that point,
the device that's attacking you
stands up a Bluetooth keyboard,
and then you accept the Bluetooth pairing
with this fake Bluetooth keyboard.
So now there is two keyboard paths,
one via the USB connection and one via Bluetooth.
Then you reconnect the USB via the USB power delivery
mechanism where you can change the role
of USB devices between host and client. So then you change it so that the attacker is now
a host device, sorry, is now a client device and then the phone spins up its share media with a
printer, you know, whatever thing. And then you use the Bluetooth keyboard that you've got connected
to accept the prompts to say, yes, please do it.
And that's the kind of the whole process end to end.
So by changing client server role and then using Bluetooth as a side channel,
because you can't do keyboard at the same time as being a USB
client device.
That's how they circumvent on the application.
In the Android case, there are some other tricks
of using out-of-state messages in the USB stack
to do the same kind of thing.
But honestly, super cool research.
And I just loved that, let's just make a second keyboard
via Bluetooth.
So yeah, just cool work.
I mean, it is.
And it doesn't involve any sort of 0-day
memory corruption.
It is just like old school logic hackery.
It's fun.
Using the brain.
It's funny actually, because when I had dinner with Mark,
and he's a very, very well-known iOS security expert,
and we were just chatting about what a hard time it must be for
companies like Cellebrite and like Grayshift and, and, or GrayKey or whatever
they're called, because, you know, to do this sort of stuff, because the attack
surface for this is just so tiny.
Um, you know, so literally having that conversation last week, and then we
see this research and it's like, wow, you know, when there's a will, there's a way.
Hey, yeah, yeah, yeah. I mean. We just got to love it. You know,
it's as good. This was just such good work. Now, if your computer will allow you to move
over to the tab containing the article, the next article we're going to talk about, because
it's on a website called Android Authority that I think the ads were chewing, what, a whole
core on your computer. All of my cores, all of the cores of my CPU are pegged at 100% on this website because of the amount of advertising.
So turn off the JavaScript and then look at it if you're clicking on the link, dear listeners.
Yeah, so apparently there is actually some new stuff coming in Android 16 that is designed
to prevent USB-based attacks.
And this is part of Android's whole, they're building some, you know, advanced
security mode that is similar to the, what's the upper one called? Lockdown. Lockdown mode.
Yeah, yeah. So they're building a mode that's similar to that. And they're, you know, introducing
some changes to the way Android handles USB connections. Walk us through them.
Yeah. I mean, the basic gist of this is that you'll be able to tell it that when the device
is locked, physically disable the USB port, or at least, like, make it so that it doesn't work, so that exactly
this kind of juice jacking thing isn't viable unless your device is unlocked. Then, like, that's
basically the guts, but there's a bunch of other changes they have been making as they design this advanced protection mode. But certainly, if you were GrayKey or Cellebrite,
this kind of thing is probably a death
now for a lot of your business.
So yeah, bad times to be them and good times
for Android users.
Yeah, yeah.
If they're using that mode, I guess,
would be the caveat there.
Now let's talk about a critical bug in Erlang OTP SSH.
Now, whenever I hear the word Erlang as someone who did a, you know,
communications and electronics degree a million years ago, I get triggered.
Uh, cause an Erlang is actually a unit that measures traffic on a, on a telco
network.
Um, so of course, anytime I hear the word Erlang, you know, I just immediately
associate that with telcos.
I'm guessing Erlang OTP SSH is found in telco environments, Adam.
Yes.
So Erlang, in this context, is a language slash runtime
environment from Ericsson and very heavily used
in the telco environment.
And systems built in Erlang tend to be
used in big communication systems that need to have very high availability
because you can kind of hot patch it and keep the system running whilst you work on it.
Anyway, there is a SSH implementation in OTP which is basically the de facto standard library for Erlang applications
and this SSH server has a bug that is CVSS 10 out of 10 no-auth remote
command exec and that's bad.
I mean you don't often hear the words CVSS 10 and SSH in the same sentence right?
Well, well yes.
Because people are like oh why are they talking about some bug in SSH?
I mean CVSS 10, SSH.
CVSS 10 and obviously this is just Erlang's implementation of it.
But the thing that really touched my heart reading the story is the guts of the bug is that
you can basically send out of state messages down the SSH protocol channel pre-authentication saying,
hey, please open up a command prompt and run a command. And
when I was doing my work on weird out-of-protocol SSH, out-of-state, like weird
protocol stuff in SSH, for SSHJack back in 2005-06, I went and looked for this
bug in OpenSSH and a number of other implementations of SSH on Unix. I didn't
look at the Erlang one because I wasn't in a telco.
And this bug didn't exist in any of the ones I looked at,
but it was a bug that I thought about and that I went looking for.
So seeing someone else find it now all these years,
that just warms my heart, like it fills me with joy and love.
So good job, researcher who found this.
Sucks to be everyone running Erlang anything with SSH.
On the plus side, you can probably hot patch it.
So yeah.
So you feel vindicated because you would have spent
a few days on that 20 years ago.
And now you understand that that wasn't a waste of time.
Yes, exactly.
I feel justified.
My instincts were good, man.
They were good.
Now look, I mean, we're going to continue talking
about a few bugs because it's just
a big week for bugs this week.
So we've got two more to talk to.
And one of them is in SAP.
SAP NetWeaver.
This is under active exploitation,
and it's a bad one.
Yeah, this is straight up unauth code exec.
Once again, CVSS 10 out of 10.
This is a bug in the SAP web server component.
There is like a service discovery and registration endpoint.
They use UDDI, which is, like, a Java...
Java people use it for doing service discovery.
Anyway, it just has no auth and the net result is you can connect to it,
kind of reroute services inside it, inside the big applications,
and then leverage that upwards to code execution,
which is wonderful and great.
And there is quite a lot of this on the internet.
And for internal networks and SAP environments,
this bug would be a wonder.
Like you would have such a great time in an enterprise.
So yeah, once again, fills me with joy.
Yeah, I think it's a CVSS 9.9.
So, so close to being perfect. I wonder
how they lost that 0.1 percent, 0.1 point. Probably because you have to think about Java and that's
enough to put off, you know, some percentage of attackers. A large part of them actually. We saw
that with Log4j, you know, like people only ever used ready-made exploits for that one, like wow,
as far as we know anyway. Yeah. And then there's some nasty stuff in Commvault as well.
Yes, the Commvault backup system, there's a bug in it.
watchTowr Labs have their usual very high grade, you know, meme-heavy write-up.
Like, I just can't give enough props to watchTowr because so many advisories that we read have
zero detail and seeing someone
actually work through and work up the exploit and give you all of the details that you actually
want fills me with joy again.
This is just a wonderful week.
I'm having a great time this week in the show.
And this is once again Java bugs processing a zip file with path traversal that leads to unzipping a, you know, a JSP file or malicious code inside the web root of the Commvault
Java web application, and they talk through their auditing approach, which
is once again exactly how I approach auditing Java web apps like this, so
yeah, I felt right at home. It was a good time if you run Commvault. Oh boy, oh boy,
yeah, it's gonna be time to patch,
I'm afraid, cause yeah, this is straight up
code exec on the backup server, and then you restore
the backups of the domain controller,
steal all of the keymat, and Bob's your domain-admin-having
uncle.
Yeah, yeah, and I think this is being exploited
in the wild now, isn't it, since this write-up?
Yeah, I think so, like the write-up is super clear,
and watchTowr has what they call their euphemism
for a POC, a Detection Artifact Generator.
So yes, easy times for everybody who is near a Commvault.
Yeah, there you go.
Now let's look at future trouble, right?
So we've spoken about it on the show before
about how Chinese crooks are really scaling up
a lot of these scams where they get people to,
they obtain one-time passcodes
to enroll people's card information
into like Apple wallets or whatever,
where they're in China.
And then they're doing relay attacks
to POS terminals or ATMs or whatnot in targeted countries.
So that's interesting.
But Catalin Cimpanu, our colleague, and you know, we keep talking about his work this
week.
If you want to read this stuff yourself, go to risky.biz and subscribe to our newsletters
and you'll get this in your inbox.
And you don't have to listen to us talking about it, which I guess we don't want that,
do we?
Anyway, but go subscribe to his newsletter anyway, because it's really good.
But he's done a bit of a deep dive
into what Russian crews are doing with NFC card malware.
So this is different to the enrollment scams
and more about being able to relay sort of NFC-based
information, I guess, that unlocks transactions
off to other locations and whatnot.
I guess the point he's making is that this stuff is on the up, right?
So between what the Chinese are doing with this stuff and what the Russians are doing
with this stuff, it feels like mobile payments fraud is about to become an issue.
Yeah.
I think the ubiquity of NFC payment cards and equipment in the forms of mobile phones has just like,
it's giving opportunities for new ways to do crime.
And the enrolling stuff into Apple Pay, enrolling cards into Apple Pay through social engineering
to get the enrollment one-time code or whatever, that's really smart.
And then this Russian stuff where they get a piece of malware on your phone,
you know, through all the normal mechanisms
and then social engineer you into holding your card near it
and then relaying it.
Like both of those are, what can we do when we have,
you know, card readers in everyone's pocket?
And I'm sure there's going to be a bunch
of other really interesting ways
to attack the payment ecosystem
that we will see over the years.
It's also transferable between markets.
We're seeing it mostly in Russia, mostly in China, but it's going to appear in other
markets because the techniques are the same, the cards are basically all the same, the
phones are all the same.
There's no reason we're not going to see it elsewhere.
Catalin's been pretty good at giving everybody a heads up of what's coming down in other places as well.
So if you're in that payment space,
definitely go read, because it's a good write up.
Yeah, I remember like 10 years ago watching Nick VD
doing like an NFC relay demo at Kiwicon and just thinking,
oh, this could turn into a problem, I guess.
And yeah, here we are.
Took 10 years.
Yeah, took a while, but it was fiddly,
because I worked with him on some of the implementation
of those attacks and getting the timing working and stuff.
It was fiddly, it wasn't complicated, but it was just, there were fiddles that you didn't
really appreciate.
So doing it in the wild is pretty cool work.
Well, we've also seen, and I don't think it's necessarily applicable in this case, but we
often see too when technology companies lay out a foundation for something
that can be done really, really securely and amazingly, they don't use all of the features
that would enable them to do it really, really awesomely and securely.
So you think back to when chip and PIN was kind of new.
And I think Australia and New Zealand were certainly ahead of the United States in terms
of having chip and PIN.
So there were a lot of people doing research on that stuff here.
And, you know, just they, there were so many ways
they could have implemented it that they didn't, you know,
so you could do things like replay attacks and whatever.
And like, yeah, anyway, let's just see how bad it gets.
I get, I'm guessing there's already some work being done
on countermeasures to a lot of this stuff, but, you know,
there's a lot of banks in the world. Yeah. And it's also so applicable to other things like, you know, car,
remote unlocking cars via the key fobs and stuff. Like once, as those radio systems converge and
become more and more in common, you know, and people are using, you know, their phones to
unlock their cars or whatever, like there's just a bunch of building access control. Like there's
so many hotels, like so many places this research is applicable even beyond payment cards. Yeah. Yeah. All right so
now we're gonna talk about US government stuff and you notice that I buried this
towards the back of the news because it's just the US government. Yeah. Yeah. So you
remember when the whole Signal, you know, Houthi Signal group chat came out, I
speculated, well, they're going to be using probably, you know, not just the mobile app, they'll
probably have it on their desktop as well.
And they're probably not running that on government computers because that's against policy.
Turns out Pete Hegseth actually had a personal computer, like a non-government computer, in
his office and was even provisioned, like, commercial, you know,
internet access to that machine so that he could use Signal on that machine. So
that's a report from AP. It just really confirms our vibes on this when it all
first started, I guess, which is why I mentioned it. Yeah, yeah, exactly. I mean,
typing all those things on your little phone keyboard is a pain; using a real
keyboard, a real screen, super, super convenient, and yeah,
you can see why. And then you've got to wonder, like, what else does that machine have access
to? What does its microphone listen to? How difficult is it really to compromise Pete
Hegseth's dirty computer?
Yeah, his unsanctioned computer. And this was always my concern, right, is if you've
got, like, if you spider out the number of people in these sort of group chats, right,
and the number of devices, okay, if they're all
just using the phone app, you know, as I often say on this show, I don't use the
Signal desktop app for this reason.
And you would just think one of those, yeah, one of those devices somewhere
along in these group chats would have been compromised almost certainly.
Uh, but we've also got, uh, so this is a story from April 21.
I'm choosing to include in this week's show notes
Brian Krebs's write up of this because it is superb.
It is really good.
A whistleblower from the National Labor Relations Board
has filed a complaint.
This guy's name is Daniel J. Berulis.
He's 38 years old.
And he's come out and made a series of allegations
about the way that the DOGE people were handling data
and access into this organization's environment.
And you read the complaint, and it's pretty mind-blowing stuff.
Now, we've got to keep in mind that these are just allegations,
but there is some evidence provided, like various photos of consoles and whatnot.
But I mean, walk us through this one, Adam, because it is a wild time. I mean, just before
you do that, I will say that very early on when we started talking about this Doge stuff, we said,
look, there's probably a data governance issue here because it doesn't seem like they're following
many procedures. And, you know, I expected it could be quite bad but this is even worse than I thought it would be.
Yeah, so this is a relatively smallish government agency that, you know, handles relations with
unions and other, you know, kind of labour-related stuff, and interestingly, as an aside, a thing
that Elon Musk and Tesla and SpaceX and so on have had some beef with over the years.
You know, whether that means, I don't know.
I think they're suing this NLRB, right?
So, I mean, it's not just a bit of beef.
This is, this is an organization that is loathed by Elon Musk, but anyway.
Anyway.
So this guy worked in the, like, network and computer governance bits of this
organization, and he was told that DOGE people
were coming in and they needed access to the environments. The DOGE people in question were
provisioned tenant admin level access to their Microsoft 365 environments in contravention of
all of their normal policies and processes. And then they started seeing sort of signs in their logging
and signs in, like, usage accounting and stuff in their
Azure environment that just looked kind of weird.
They started pulling threads.
They found things like user accounts being created,
you know, for DOGE people.
And these accounts are like,
some of them have like fake names
or had generic kind of names.
They also saw records of these accounts being logged into with the correct username and password
from IPs geolocated into Russia within, you know, like 15 minutes of the accounts being created.
Well, I mean they weren't successful logons, right? Okay, so they were they were successful. They were the right creds.
The reason this guy thinks they were the right creds is because the logins
failed on the geo block side of things, right? Um, but not,
they didn't fail at the, at the point of credential entry, which suggests that,
you know, probably these DOGE people, I mean, if this is true,
it would suggest that one of the DOGE people's systems that is involved
in provisioning these accounts is compromised.
Yeah, either compromised or the DOGE kids are using commercial VPN providers with boxes
that happen to be based in Russia for whatever reasons.
Because you think about the ties of some of these guys to cybercrime and stuff in the
past, it wouldn't be super unreasonable for them to be using VPNs or whatever.
So could be that. If it was Russia on DOGE employees' systems, you wouldn't imagine they would log in too much. I feel like the DOGE people using cheap-ass VPNs is probably more likely.
What if it was the Canadians trying to get them to think it was the Russians?
Maybe false flag, that's also entirely crazy possible.
It's the Canadians false flagging.
Yes. But anyway, so this guy's got a whole list of complaints and weird stuff that they've seen.
He raised it with his management and eventually their investigation of it got shut down
and the guy got his access revoked and he's currently on paid leave or something. I think they all got their access revoked. Yes, like the
entire IT team or whatever it was at this organization. So like really kind of
weird looking and the thing that strikes me about it, you know,
having been an auditor, having been a pen test, something that goes into
other people's environments to go look at stuff.
Quite often you do end up saying,
look, just give me root, just give me admin
and we'll sort ourselves out
because understanding the local policies and processes
and all of the weird account types and rules
of any particular organization
takes longer than the job is worth.
And I get the vibe that DOGE kids,
like they're going into hundreds of organizations,
everyone's got different setups and policies, just asking and demanding tenant admin because you can, is pretty easy.
Like it's, it means you can use the same rule book and the same playbook for everything, you know, and that's efficiency.
But...
Sure, but they're going in there and they're flipping off logging, spinning up a bunch of new users, running random containers.
Like, I mean, I get that that is the easy way to get it done,
but I go back to that whole thing which is this is a data governance and process problem, right?
Because they're not adhering to any processes, like they're not logging what they're doing, and a lot of this is sensitive data.
It's just nuts. Yeah, I mean, I think like both of these things are true, right?
this is the easiest way to get the job done.
And I have been on the other side of this where you need to get the job done.
And, you know, you do circumvent all these processes and controls because,
hey, you're there for a week.
You've got an outcome to get.
You ain't got time for their stuff.
You just go get it done and tidy up after yourself and hope you don't make any mistakes.
Right. And that's, it's not great, but you know, sometimes- Rules, rules, they don't apply to us, Adam.
It's what you gotta do.
But, at the other hand, these are government organizations
with very real data, you know, governance requirements
and obligations that exist for a reason.
And just cause it's easy and you're 23
and you've got a boss providing top cover
that says you can go anywhere in government and do whatever the hell you want, yeah, doesn't mean
it's the right thing. Yeah, well, staying with US government news and
CISA is getting a new deputy director. Madhu Gottumukkala, who is the CIO of South
Dakota, is the number two pick. I think the nominee for the director
position, that's still being held up by Ron Wyden, who's waiting for them to
release a report into SS7 from 2022, because reasons. But yes, CISA now has a
deputy inbound, apparently. Staying with CISA news, Bob Lord, who I've interviewed before.
He was the CISO of Twitter a long time ago and then went and did a bunch of work with
the DNC to secure their campaign.
He is leaving CISA.
He was a senior technical advisor there and he was working on Secure by Design, and also
Lauren Zabierek, who worked there on the same stuff.
She is also leaving, so it looks like things are a little uncertain for the Secure by Design
initiative.
And of course the axe is about to fall on a zillion employees there, so yes, the DOGE-ing
continues at CISA.
And now a quick follow-up on the Chris Krebs situation. He was, of course, the first director of CISA and, you know, is being, he's
subject to an investigation now ordered by Donald Trump himself into God knows what.
But yeah, he was put in an untenable position.
He has resigned from SentinelOne, as we predicted, and promptly turned up at RSA
and bucketed the Trump administration for all its cuts to cyber agencies.
So yeah, I think Trump's earned himself a new thorn in his side for the next couple of years while Chris goes on a warpath.
And one more thing we wanted to touch on quickly, just very quickly, is there's a blog post from Chris's former employer called Top Tier Target, what it takes to defend a cybersecurity company from today's
adversaries.
I actually spoke to, like, the head of Threat Intel, Steve Stone, and Alex Stamos yesterday.
We did an event, I just joined by Zoom, an event in around RSA to talk through all of
this, but it was actually really interesting research and I figured you'd want to chime in your two cents
on this as well.
Yeah, well, this is a super interesting write-up
of the sorts of attacks that SentinelOne
have seen against themselves and other peer companies
in the industry that do important security work.
And attacking security vendors,
there's a long and proud tradition of that.
And it's just, you know,
it's very rare that anyone comes out and talks about it. So it's really nice seeing a write-up
of some of the things that they have experienced. One example is North Korean IT workers, you
know, and how they went and kind of worked with their HR team, recruiting team to sort
of spot some of that stuff early on. So that was super interesting.
And then also some of the work on when cybercrime actors are renting access to EDR products
to be able to test stuff and to be able to kind of get into even some people's production
environments like where there's EDR consoles on the internet, some of the attacks around
their products and how the customer's using it.
I thought that was kind of an interesting thing that you don't often see vendors
talking about, you know, compared with like Fortinet, who every time they have a
bug, they just find a bug in somebody else's product and quickly drop a press
release to distract you from the fact that, you know, Forti-everything is getting
owned. So it's just really nice seeing this kind of detail.
Yeah. And it's from a vendor.
It was a great conversation.
I'm still waiting on the video feeds from the other side.
And once we get them, we're going to chop that all up into a podcast.
It'll go out next week. It's our first wide world of cyber without Chris,
which was a bit strange. But anyway, and for anyone wondering,
Chris Krebs will absolutely be back on Risky Business.
It's just a matter of how long he's a little bit busy right now, as you can imagine.
Yeah. So that's actually it for the week's news,
but I'm going to do something now,
which we don't normally do,
which is just chat to you a little bit
about this week's sponsor interview,
because part of it was inspired by conversations
you and I have been having about IPv6
and the adoption of IPv6.
Because, so Knocknoc is this week's sponsor. They make a
technology that orchestrates your firewalls and it's tied to SSO. So
basically you SSO to a web page, which is the Knocknoc page, and
you just press authenticate with SSO and then it opens up network access
to the resources that you want to access. So unless you've done that you just
can't even get a port to these
resources. Now it's funny because a lot of what, and I'm on the board of this company, right? I work really closely with them. And a lot of what we spend our time thinking about is like how to
get around the fact that occasionally someone's going to want to connect from a CGNAT gateway
that's shared access that has possibly some compromised bot machines behind it, right?
You are then opening up to them.
So what do you do?
And there's a few approaches there.
You can have GreyNoise risk scoring,
where you can say, well, you know,
we've seen some bad activity from that IP,
so just don't allow that user to connect from that IP.
That's one way to do it.
Or if they wanna connect to a web application,
you can shunt them into an identity-aware proxy.
Right?
That's another way.
And that also works for stuff like RDP because there's,
you know, various stacks where you can basically
Webify RDP and whatnot.
But then you look at like the experience of one
of their customers who's an IPv6 shop
and just the way they use it,
you don't need to do any of that with IPv6.
And then you quickly realize that IPv6
is going to be the foundation of the zero trust future. And of course I have this conversation
with you and then you say, but v6 is nowhere near ready. And it's like, oh, he's kind of
right, but he's kind of not. But it is true, isn't it, that v6 just solves so many problems.
Yeah. I mean, the ability to be able to individually address computers on the internet is a thing
we have given up on over the years because of V4 exhaustion and the complexity of networks
and things like that, breaking that kind of...
The way that networks were meant to be end-to-end reachable and the return to the end-to-end
internet is a thing that a lot of people are not really ready for, but this kind of use case of doing access control based on source IP address is exactly why end-to-end addressing is so great.
And in the old days, there was this idea that IPv6 was going to have built-in
kind of IPsec-style VPNing and stuff that would have delivered also confidentiality and integrity
on top of it, but then the standards were so complicated no one implemented it, and IPsec's terrible and blah blah
blah, but you know, just being able to identify who you're talking to is super,
super valuable and we've forgotten how valuable because of the sands of
time in v4. We've learned to deal with it, right, and that's the thing, like until
you say, oh well actually things would just be so much better if we just all used v6.
If the entire internet moved to v6, then everything would be super great.
Yeah. Yeah. Well, that's the funny thing in this interview.
As everybody's getting here, there's a moment where it's like, Oh, it's easy.
All we've got to do is get everyone in the world to use V6 and then it's,
you know, problem solved. We can go get a coffee. But yeah,
I'm going to intro the interview now. Adam, thank you so much for,
for joining me for a discussion of this week's news.
It's great to be back.
Yeah, it's really good to be back.
And yes, I will talk to you next week.
That was Adam Boileau there with a check of the week's security news.
And as you just heard, we're going to chat with Adam Pointon, who's the chief executive of Knocknoc.
Now about IPv6 really, and the security benefits it unlocks,
which are many.
And we're also gonna talk about a couple of use cases
that they have, that are turning out to be really popular
for Knocknoc.
And one of them is internal use to segregate
a production network from an OT network.
It's a really clean way to do that.
And other approaches can be a bit more fiddly like VPNs internally.
Yeah, you can do that.
It's a bit more fiddly.
Jump boxes again, a bit more fiddly.
You can micro segment the entire network, but that's like a lot of work, right?
So people are finding that, yeah, you can just drop in Knocknoc, add a few
firewall rules and orchestrate it that way. And it's really working, working well. So
I will drop you in here though, where I first off asked Adam, you know, if he agrees with
the proposition that IPv6 really unlocks massive security wins. And here's what he said.
That's very true. It really does. You get precision.
You get precision attribution.
You get precision direction of the flow of traffic.
And it's just, unlock is the right word.
It's one of those sort of words.
But it is very true.
You get absolute precision attribution
of the client, of the server.
You get orchestration at the firewall level.
You don't have to have all this NAT.
And the whole NATed, walled garden thing, everybody, you know, NAT came around,
everybody had their nice soft and squishy internal networks, but don't worry, NAT prevented anybody
getting in from external. And IPv6, there's a little bit of fear still around that, a bit of confusion,
lack of understanding, but the world is almost there at IPv6. The rate of adoption now and we're above 50%.
It's quietly happening in the background and we love IPv6 because it allows that precision
of attribution and target what server, what service and other benefits of IPv6 that it
brings.
Yeah, that 50% figure is now like 50% of Google visits in the United States are served
over v6, but the problem with v6, right, is you can't be guaranteed that you're going to
get it from your provider. Like if you're out on the road, right, you're connecting
to the hotel Wi-Fi, there is no guarantee that you're going to be able to get v6.
You know, this is just the problem with it. So we are really talking about an
ideal world kind of scenario, but you know, once we imagine a world where you
have to authenticate a completely
unique IP before it can connect into our services, you'd imagine that you would just do this
on every network and, oh my God, the benefits would be just incredible.
Incredible. It's almost comes back to the micro segmentation piece you said before where
you've got individual client, individual host, individual services obviously at a massive scale and the ability to have you know single pinpoint between the two
as opposed to you know allowing broad networks through. It'll take a little
bit of time to get there but it's it's happening it is actually happening.
People probably don't realize. Yeah I mean I think there's a couple things
there though right so you've got the ISPs who've got to support it.
And then a lot of enterprises, they don't have the, I mean, I don't even think we've
got, we're serving our website via v6 at the moment, right?
Like which is terrible and we're going to have to fix that.
But that's my point is like when I talk about this with Adam Boileau, he's like, well v6,
if you want to roll v6, it's a whole other network.
You know, I mean, it's on the same equipment, but you need to be maintaining essentially a dual network
if you wanna run V4 and V6.
So I don't know, like, how long is it gonna be
before we can reliably get V6 everywhere?
We are gonna get there.
It is a whole lot on the network.
It is complicated.
There's a lot more to it.
There's other security elements of it that aren't fantastic,
but there's a lot of pros.
But personally, I love the ability to pinpoint a client and a machine and,
and have that, um, specific control.
And then you get a lot of observability benefits too.
Uh, you know, you're not just seeing a NAT gateway connect to your service.
You're actually seeing more individual, uh, client machines.
So from a security observability standpoint,
there's a lot of untapped benefits there, I think too.
And of course the customer that uses this
on their V6 network, I mean, it's perfect.
Yeah, they're very big network people.
It works flawlessly.
And there's a big push in US federal government
to move to V6 for obviously, you know, all
the benefits.
So we, we will see more adoption.
But I mean, this is the thing, right?
Is like, I've been in this a long time.
So have you.
And it wasn't until we were working on this, when we're like, oh, okay, in order to make
zero trust actually work, there's a very simple answer.
And it's just to, it's just to use v6 and, and apply some authentication to network connections.
Yeah.
Which is not what you want to hear to achieve something that's slightly difficult.
All you need to do is roll v6 across the whole world.
That's right.
Yeah.
But it is baked into everything these days.
Every client, every server, okay, not all the fantastic podcast websites in the world have
it enabled perhaps, but all of the client and server machines do support it. So it's not experimental, but there's a lot of effort
and it's complicated.
I mean for that customer too, you even had to roll out a couple of extra like protocol
support features. One of them was the, what is it? The privacy extension to IPv6? Tell
us about that.
Yeah. So privacy extensions essentially, I mean, the original v6 was like, oh, we'll make
your address based on your MAC address. Uh, which, you know, it was crazy because then
you get individual attribution down to the hardware layer around the world, which you
can.
Well, and sometimes you're going to get collisions there too when lazy manufacturers just, you
know, have 10 MACs that they just use on everything.
Yeah. Lots of problems. So it doesn't do that anymore.
Well, for 10 years or more, hasn't been the standard.
But the privacy extensions essentially allow you
to have a dynamically generated address,
depending on the network that you're sort of connecting
through to.
So anonymizes the client,
and then you get periodic changes and updates
of the address.
So we, yeah, we love our customers that actually
push us forward, and that was one of them, was to support, or the ability to support or not support,
those dynamic changes and still have attribution of the user. Now one thing that's getting really
interesting though is you've been looking at some of the transport security options in v6 and that's
where stuff starts getting absolutely wicked from your point of view, right?
Yeah, well, I still remember when AH and ESP were, you know, AH was a part of it and I
was like, oh, this is going to be fantastic.
Obviously that's not really a thing anymore.
ESP is, but it's just not the most efficient way to do it.
You know, don't encrypt at the transport layer, you know, do it at the application layer and
that's where everybody is today and that's okay.
Keying is hard, distribution of, re-keying etc. is hard, so I understand that, but
you know, it would kind of be cool if you were an IPv6 ESP network everywhere, like,
you know, I'd be a fan of that. So look, while we're here, I guess we should talk
about some of the use cases that are popping up for Knocknoc, because some
of them are kind of, I mean, I guess in retrospect, they're not surprising. But this is turning out to be
really popular with OT providers, OT admins who have to administer, you know, control systems
and whatnot and, you know, water treatment plants, whatever. Why don't you tell us why it is that,
you know, the OT types are getting all excited about this?
Well, the OT use case is always-on access.
Why have always on from your machines, whatever the VLAN is, always talking to that environment.
Why have that if you can have an on-off switch, essentially, which Knocknoc provides?
So there's the external use case where people are connecting in, but then the internal one
is getting a lot of adoption because you can control that per
individual machine, per individual network with an on-off switch when they need access,
they get just in time and every other moment their machine can't access that network full
stop.
Yeah.
And I guess there hasn't really been that many approaches for doing this, I guess, in
the past.
Yeah, not really. I mean, there is the high side low side network you can physically change
things you know go and plug in over here do your thing come back over here but pretty
quickly people don't want to do that so they either bridge the networks or they find another
way or it is a VPN or it's a jump box and a jump box is just more steps and other elements
in the way to get through to what they need to get done for their job. Yeah right so the way it would work is user wants to
access OT environment they just make sure they are SSO'd, they hit their Knocknoc page and bang
that opens up the firewall into that network where the OT stuff lives. Yeah and what people like about
it is it's on for an hour. So their machine has no network level access.
If the machine's owned, somebody sitting on their machine trying to look at that network, they can't see it, they can't attack it.
Only after they log in can that network actually be accessible.
So yeah, as you say, they're logged in, they click a button, it opens up that network, they do their job.
You know, it's like they've plugged the cable into that switch over there, they do their thing,
and then either log out or it times out and they're back on their normal
network, but they've obviously got access to both.
Well, I think the point is more that if someone lands on a box where someone isn't admitting
the OT from that box, like that box will just never be able to access that network, right?
That's right. Yeah. You can't access it. It's fully controlled out.
Yeah. So as I said at the intro, like this has kind of been a semi-surprising
use case because initially like it was just we thought well it's for reducing attack surface
at the outside of a network and indeed people do use it to do that. But I guess this internal use
case is really fascinating because you know there's some really great micro segmentation
products out there at the moment you think things like zero networks, but I can see the appeal of this because under that paradigm,
you're putting, you know, you're sort of micro segmenting every machine and it's like a network
wide sort of project. Whereas with this, it's just a few subtle changes and you're done.
Yeah. There's a lot of benefits to that approach having all the individual one-to-one,
but Knocknoc, just you get the whole network, you get the easier implementation.
It's on or it's off as opposed to machine to machine and that level of detail.
There's one more use case we should talk about because it is another one that's like surprisingly
niche and you have got two supercomputer labs actually evaluating it at the moment and for
interesting reasons actually. tell us about that.
Yeah well that's just the mountain of data.
So there is a lot of data in those environments and having direct access and you know high
speed and then having to turn that off and take a different approach to get the data
there whatever direction is a problem and you also don't want those machines, those environments, large clusters, lots of nodes.
You don't want them being exposed to, you know,
hostile external or even hostile internal.
So Knocknoc, dropping straight in,
controlling the edge to those or individual nodes
is still experimenting on the best way to get it solved
is a simple one because of that direct access, lots
of volume of data moving back and forth. I just think it's wild that there's been
like two, you know what I mean? Because it's like there's not that many
supercomputing environments in the world and when two of them reach out it's like
yeah it turns out, turns out supercomputing environments like that
and one of the things that we're complaining about is some yeah
magic cloud like zscaler style stuff which is just too slow.
Yeah, well the other thing is they understand Linux.
The people running those worlds deeply understand Linux, the networking stack and obviously
Knocknoc fits right in there.
So they see the simplicity of that.
It's not another kernel level thing that they have to add on and don't really understand
what's happening. It's more of an orchestration thing.
So it's cleaner and simpler in their world.
That's why they're evaluating it.
Yeah, yeah.
All right.
Well, we're going to wrap it up there, Adam.
Thank you so much for joining me for this conversation about Knocknoc.
Yeah, its internal use case being really popular, how it's just crazy good with IPv6.
And we wish in a perfect world everyone was using IPv6
because then everyone would need this immediately.
Great to chat to you as always, my friend,
and we'll catch you again soon.
Thanks, Patrick.
Great to chat.
That was Adam Pointon there,
chief executive of Knocknoc with a chat about IPv6
and the internal use case for Knocknoc,
which yeah, it's funny,
but it's very popular for doing that. But that is it for this week's show. I do
hope you enjoyed it. I'll be back soon with more security news and analysis, but
until then I've been Patrick Gray. Thanks for listening.