Risky Business - Risky Business #789 -- Apple's AirPlay vulns are surprisingly awful

Episode Date: April 30, 2025

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:

British retail stalwart Marks & Spencer gets cybered
South Korean ...telco sets out to replace all its subscriber SIMs after (we assume) it lost the keymat
It's a good exploit week! Bugs in Apple AirPlay, SAP webservers, Erlang SSH and CommVault backups
Juice jacking! No, really! Some researchers actually did it (so still not in the wild, then)
Anti-DOGE whistleblower sure sounds like he has a point

This week's episode is sponsored by Knocknoc, who let you glue your firewalls to your single sign on. Knocknoc's CEO Adam Pointon talks about the joy that having end-to-end IPv6 would bring for zero-trust access control. He also touches on people using Knocknoc inside their network to isolate critical systems.

Editor's Note: Pat also gives Adam (Boileau) stick in the sponsor interview about the Risky Biz webserver not having IPv6 enabled, which fact-checking during the edit says is FAKE NEWS. Just uh, don't look at how fresh that AAAA record in the DNS is, friends 😉

This episode is also available on Youtube.

Show notes

British retailer M&S confirms being hit by 'cyber incident' amid store delays | The Record from Recorded Future News
M&S cyber-attack linked to hacking group Scattered Spider | Marks & Spencer | The Guardian
Bina Puri shares, Warrant B close sharply lower day after hacking
Bina Puri, Pos Malaysia tumble following hacking incident | FMT
Japan warns of hundreds of millions of dollars in unauthorized trades from hacked accounts | The Record from Recorded Future News
US conducts cyberattacks against major Chinese commercial encryption provider: report - Global Times
Iran says major cyberattack on infrastructure repelled | Iran International
Spain rules out cyber attack - but what could have caused power cut?
South Korea's SK Telecom begins SIM card replacement after data breach
AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security
iOS and Android juice jacking defenses have been trivial to bypass for years - Ars Technica
How Android 16's new security mode will stop USB-based attacks - Android Authority
Researchers warn of critical flaw found in Erlang OTP SSH | Cybersecurity Dive
Critical vulnerability in SAP NetWeaver under threat of active exploitation | Cybersecurity Dive
CVE-2025-31324: Critical SAP Flaw Explained | Strobes
Fire In The Hole, We're Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028)
Risky Bulletin: NFC card malware keeps evolving in Russia, a bad omen for the future - Risky Business Media
Hegseth had unsecured internet line in Pentagon for Signal, sources say | AP News
Whistleblower: DOGE Siphoned NLRB Case Data – Krebs on Security
2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf
CISA gets a deputy director as it braces for major layoffs | Cybersecurity Dive
Two top cyber officials resign from CISA | The Record from Recorded Future News
Ex-CISA chief Chris Krebs leaving SentinelOne following Trump pressure | Reuters
Former cyber official targeted by Trump speaks out after cuts to digital defense
Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries | SentinelOne
ZachXBT on X: "Nine hours ago a suspicious transfer was made from a potential victim for 3520 BTC ($330.7M)"

Transcript
Starting point is 00:00:00 Hey everyone and welcome back to Risky Business. My name is Patrick Gray. This week's show is brought to you by Knocknoc. Knocknoc is a company that I'm actually on the board of and they make a really cool technology that allows you to orchestrate network controls via your single sign-on, right? So basically you can have a dynamic allow list, you can have a network resource that nobody can connect to until they SSO and say, yes, let me have access to that resource. Knocknoc's CEO, Adam Pointon,
Starting point is 00:00:34 will join us in this week's sponsor interview to talk about a couple of things. First of all, it's actually turned out to be surprisingly popular for internal use. Places like OT networks, super computing environments and whatnot. So that's, that's an interesting thing. And we're also going to riff a bit on IPv6 and just like the staggering security benefit that v6 can deliver.
Starting point is 00:00:58 It really is the thing that unlocks the zero trust model. And you know, once you're playing around with technology like this, you start seeing that really, really clearly. So that's a fun chat and it's coming up after the news with Adam Boileau, which starts now. And Adam, we're gonna kick off with the news that a ransomware incident at the British retailer Marks and Spencer, this has sort of been unfolding over the last week. It started with reports of, as these often do, a minor cyber incident, you know, nothing to worry about, everything's fine. Then you flash forward a week, they've lost half a billion pounds in market cap from their share price tanking,
Starting point is 00:01:36 they're standing down hundreds of staff, online sales disabled, just a complete mess. Yeah, there's, you know, pictures of empty shelves and that's just not a good look for a retailer, that's for sure. We have seen reports that this may involve Scattered Spider, which is a group that was behind the attacks on the casinos in Las Vegas sometime last year. They may have deployed ransomware into Marks and Spencer. And that's kind of interesting because they've been pretty quiet lately, you know, after a bit of law enforcement attention, you know, after the casino attacks and other things.
Starting point is 00:02:13 Yeah, that was actually in 2023. I just checked that while you were chatting. Yeah, I know. That's why it's like time, time just flies, but it is interesting seeing a group. Well, I mean a group in air quotes, like Scattered Spider, which is, yeah, it's like you've got the Com and then you've got these sort of adjacent clusters, I guess, like Scattered Spider, Lapsus$ and whatnot. But they tend to be young people in English speaking countries doing this stuff. And I'm guessing something like this, you would have to think they're going to get caught, right? Like a lot of the people behind the MGM stuff did. Yeah, you would kind of expect so.
Starting point is 00:02:49 And, you know, Marks & Spencer is such a sort of British institution that I can see it being a sensible target for, you know, the kind of British kids that are going to be part of that, you know, the Com, Scattered Spider, Octopus, Lapsus$, you know, kind of crowd, you know, just because of the publicity it's going to get, but it is going to get law enforcement attention. And that crew is not really known for their opsec. So yeah, probably going to end badly. I was predicting very quick arrests after the last time we saw this particular cluster of people, you know, doing the casino hacks and stuff,
Starting point is 00:03:27 I expected handcuffs on them the next week and it did take a while. It did. Yeah, and I guess there's, you know, there's a lot of people involved, there's a lot to unwrap them and, you know, it's not much fun for law enforcement having to dig through these kinds of communities to make the connections, but yeah, opsec is not their watchword. So I'm sure in time we will see people in cuffs. Yeah, they'll get, they'll catch up with them eventually, I think seems to be the thing now. In other sort of criminal activity on the internets,
Starting point is 00:03:54 we're seeing reports out of both Malaysia and Japan of attackers obtaining access to brokerage accounts, like owning people's stockbroking accounts. And what they do once they've obtained access to those accounts is they sell all of the shares in that account, and then they use the funds in the account again to buy penny stocks that they already own, right?
Starting point is 00:04:19 So they'll buy some penny stocks in some Chinese company or whatever, or in this case, one of these cases, a Malaysian company, and then they just buy, buy, buy, buy, buy, which pushes the price up as well. And, you know, just gets all of the money out of that account and into their pockets. I mean, one of the things that's kept a lid on these types of scams in the past is financial regulators, right, are able to, you know, in some cases, roll back trades and, you know, very easily track who was behind this trading activity. But I guess the thing that makes it
Starting point is 00:04:50 different in this case is, you know, it's a much more, you know, interconnected world these days. And if you can do this with like Chinese penny stocks, I mean, good luck catching the people who did it. Yeah, yeah, exactly. Like as we get more and more interconnected in terms of financial markets and things, it just unraveling the stuff becomes more and more difficult. And I think in both of these cases, we're seeing sort of a password reuse. So account takeover because they've got either infostealers or reusing credentials
Starting point is 00:05:23 from other cred dumps or whatever else. So pretty normal from a cyber technique point of view, but we've often talked about how innovation and turning cyber skills into money is where we see crime really boom. When you come up with a new way to cash out, then off you go and repeat that around the world. Yeah, I mean this is not a new thing. We've been seeing this sort of thing done
Starting point is 00:05:46 many, many times over the years. I think one thing that's interesting here though is the scale. So I think in Japan the regulators there are reporting that something like, yeah, 350 million dollars worth of shares were cashed out and they used those funds to purchase, $315 million of that was used then to bid up penny stocks, which is just crazy. Yeah, yeah, yeah. We've seen some quite large price changes in markets in Malaysia as a result. So yeah, the scale of this I think is what made us want to stick it in the list to talk about this week because two in the same week and both of
Starting point is 00:06:25 them pretty reasonable size. Yeah, it's interesting. Yeah. I mean, I think the reporting here from Japan is sort of describing more of an ongoing activity and the one in Malaysia was just one event. But yeah, we've dropped links into this week's show notes. Everybody can go have a look at that. Speaking of markets and price movements, this one's just too funny not to include. But someone stole 3520 Bitcoin, I'm guessing from it. It just says from a potential victim, we're going off a ZachXBT tweet here. So about $330 million worth of Bitcoin. And to launder it, they just decided, hey, I'm going to just throw it all into Monero. And the hilarious thing was it caused the price of Monero to spike 50%
Starting point is 00:07:09 because there were so many bids on it. Right. It's kind of funny when you see that, you know, the scale of cryptocurrency things that you can do, like when you're stealing that kind of amount of money, trying to launder it all at once. You know, it kind of makes me wonder whether, you know, can you make more money than you stole through this kind of like manipulating the pricing in the money laundering markets? Because I don't know, it's all pretty wild.
Starting point is 00:07:35 I mean, I did see some other reporting. I think Catalin had some reporting in today's newsletter that we were proofreading earlier that said it was like an individual private investor lost the 300 and whatever million, so it sucks to be them, but yeah, like it's just, it's so funny watching a speed run of all of this, you know, financial crime learning all at once. Yeah, now we've got a report from the Global Times, the Chinese Global Times, and so reliable, so reliable, so reliable, um, so this is very, very, uh, for reasons that will become obvious very soon.
Starting point is 00:08:11 Let me just read from it. China's Cyberspace Security Association revealed in a report on Monday that the country's national computer network emergency response technical team, CNCERT, had detected and handled a cyber attack launched by US intelligence agencies against a major Chinese commercial encryption provider. So you hear that Adam? They detected it and it's handled. It's handled. And then you read the report and it talks about how throughout 2024 suspected US intelligence agencies owned their CRM and
Starting point is 00:08:47 also owned their repos and stole something like 950 megabytes and then something like 6.2 gigabytes. So by handled, I don't know exactly what they mean by handled. You know, they handled it, they repelled it after all of their source was stolen and all of their CRM data was stolen. But look, you alluded to this as well, like who knows what actually happened here. Well, yeah, exactly. I know when we were talking about this beforehand, the thing that came to my mind was, well,
Starting point is 00:09:17 when the Chinese hacked RSA and stole all of their key material for all of their hardware RSA tokens, the secure ID tokens. I guess RSA handled that too. Yeah. Having to reissue all of the tokens to their entire customer base after it had been used to break into military industrial complex companies and onwards.
Starting point is 00:09:35 Yeah, totally handled. But yeah, it's always funny when we see China do the same kind of name and shamey sort of attribution that we have been doing to them for so long, but just kind of less well. Yeah, I mean, there is that. I mean, I think also the story talks about how there is a concern that the source
Starting point is 00:09:58 code for this stuff was tampered with. So again, well handled. It's been totally handled when all of your source code is gone and you wonder about the integrity of it. I just say, yeah, I just find that very, very Chinese media, right? Yeah, I mean, it's a good thing that the US doesn't have a background in, you know, manipulating other people's crypto systems for long term access and profit. Yeah. Dear, oh dear.
Starting point is 00:10:22 Sucks to be you, China. Now also, Iran has also repelled a major cyber attack on its infrastructure, it says. Now this comes hot on the heels of a giant fire which ripped through a port, which who knows what was behind that. But when things start going bang in Iran, when Donald Trump is president, you do kind of wonder if a lot of the bad things are happening as a result of the US government or perhaps the Israeli government. But yeah, apparently Iran said it has foiled a major cyber attack. I mean, yeah, they haven't provided details except that it was very complicated and very
Starting point is 00:10:59 big and very taken care of and don't worry about a thing. And presumably unrelated to the fact that their containers full of rocket fuel blew up in the port. Yes, complete coincidence. Yes, again they handled it. They foiled it by turning it into atmospheric pollution. That's right, they foiled an attack after it happened. But no, look, I have no doubt that they probably, you know, found some other stuff and whatnot. Now look, in news out of Europe, a lot of people would have seen that there was a major blackout, like a power systems failure
Starting point is 00:11:34 in Spain and Portugal earlier this week and the usual people were sort of jumping up and down and saying, oh, what if this is cyber war? Could be Russia? Indeed, I think one Spanish government body actually said, oh, we think this might be a cyber attack, but then they quickly walked it back. Portugal says no to cyber as well. And now it looks like Spain has ruled it out. So probably a squirrel. Probably, yeah. I did see some conversation about the amount of renewable energy resources
Starting point is 00:12:07 and we have seen plenty of speculation about the ability to attack those and cause downstream problems in the rest of the power grid. But yeah, there is just no suggestion that it's anything other than Spanish squirrels. Yeah, and it's interesting that you mentioned that though, because the research that we spoke about recently was really about how you could
Starting point is 00:12:25 manipulate some of these like solar controllers and stuff to desynchronize them from the grid, which is actually what happened in this case. There was a desync. The, you know, the frequency of the power actually dropped below 50 Hertz, which caused a cascading failure and whatnot, but you know, probably some damage to a line or something like that. And you know, again, not even probably due to renewables per se. But moving on, and this one is interesting. Something really bad happened to a South Korean telecom called SK Telecom because they are replacing the SIM cards of all of their customers.
Starting point is 00:13:02 They have 20 million-ish customers, I think, and they only have a million SIM cards on hand, so they're having to order a bunch more and this is going to be a bit of a long-term project. But you and I were talking about this and the only thing that we can come up with is that the key material, the private key material for those SIM cards, must have been stored somewhere in the telco and someone got their hands on it. Well, yeah, that's the conclusion you end up arriving at because I've been in plenty of telco security meetings and the level of badness that it would take for them to roll, like physically replace the SIM cards of the entire subscriber base, like no one wants to say
Starting point is 00:13:39 yes to that. No one wants to do that. So it has to be like nose rubbing in bad for them to suck it up and do it. So presumably someone was in a position to get to the HLR, the place where the keys are stored for those SIM cards. The way SIM keying works, there is basically a symmetric key that's stored in the SIM and at the telco. And if you nick it, now you can clone SIM cards, you can become anybody, et cetera, et cetera. You just answered the question I was gonna have, which is why are they storing private keys?
Starting point is 00:14:11 Yeah, so it is actually symmetric because this stuff goes back to the GSM era when doing asymmetric crypto in a tiny SIM card probably wasn't super feasible. So anyway, that's what I imagine what happened. Early reports. So, Catalin had some coverage of SK Telecom having an issue, I want to say, a couple of weeks ago. And that said, it made it sound like there had been some data theft. Like, they had a machine compromised and they had access to some customer data and they were, you know,
Starting point is 00:14:40 sort of warning customers. But it sounds like, you know, I guess it had access to maybe backups of the HLR, maybe the HLR itself, or they pulled the thread and realized that it wasn't just a single machine, it was actually domain admin and everything, and oh God, you know, and here we are, you know, trying to, like, there's apparently queues outside mobile phone stores in South Korea
Starting point is 00:15:01 where customers have been told they have to show up and get a new SIM card, and then the store's like we only had a hundred, now what are we going to do? So it's all very big mess. It's funny what you mentioned about reports of a data breach in a telco. It's usually like, a subscriber names, addresses, emails, right? You just sort of read that and think, whatever. And then it's like, oh no, they stole the keys for everybody. And whoever did it, good job, good job. Yeah. Now let's talk about some awesome research here from a company called
Starting point is 00:15:29 Oligo Security, which is having a look in the AirPlay protocol, Apple's AirPlay, excuse me, AirPlay protocol and the implementation thereof. They've found a bunch of really cool bugs in AirPlay. So if you could get on the WiFi network, the same WiFi network as an AirPlay device, you can own it. And this is not just, this doesn't just affect Apple devices, this affects third-party devices as well, which I think is probably the more insidious bit to this
Starting point is 00:15:59 because Apple's patched this stuff, right? Like you probably installed the patch for this months ago. Whereas, you know, if you've got some Sony TV or whatever that supports AirPlay, these bugs are going to be in stuff like that forever. Yeah, so a lot of other companies that implement AirPlay use Apple's SDKs to do so. Some of these bugs are in code that's part of those SDKs. There's also bits of AirPlay shared in things like CarPlay. So these bugs are applicable to plugging an Apple
Starting point is 00:16:33 device into your car and doing the screen sharing, audio sharing thing. There's a range of bugs. At least one of them is like kind of zero user interaction required, affected Mac OS and the other Apple systems as well. The guts of it comes down to that in the network protocol, they use Apple's plist format, which is a sort of a, I guess, kind of like imagine like the Windows registry format, plists are kind of used in similar sorts of ways for storing key and value pairs and then either on disk or passing them around. Anyway, the parsing code for the plists used to parse information for the AirPlay wire protocol
Starting point is 00:17:11 has been a bit fast and loose. And there's some like use-after-frees and some other bits and pieces like that. You know, you don't really expect from Apple these days, but there's probably quite a long tail on this code base. But yeah, this company has pulled that thread, identified a number of bugs, and demonstrated exploitability,
Starting point is 00:17:29 some with zero interaction, some with some degree of user interaction required across Apple devices, third party things like AirPlay speakers and TVs, and car head-end units via CarPlay. So pretty comprehensive research. Uh, and yes, the long tail of non-Apple devices is the real problem here. Yeah.
Starting point is 00:17:50 It's interesting what you say about this stuff, probably dating quite, you know, a ways back because you read about these bugs and they feel old school, right? Like it doesn't feel like the sort of stuff that you should find in a modern Apple device. No, no. I find that's, you know, you know, they've been writing code for a long time and, you know, this is, you know, I guess a sort of an obscure-ish corner of their code base compared to like, you know, WebKit or iCloud or, you know, things like that that get a whole bunch of attention
Starting point is 00:18:17 like iOS bootloaders and things like that. So yeah, interesting niche and I, you know, I was reminded of like Mark Dowd bugs in like the AirDrop sharing protocols as well. And that also was like super weird old school, like UNIX CPIO archive path traversal or something. So, you know, there are some corpses in Apple's cupboard, Apple's closet, wherever you put corpses in the metaphor. I don't know. I actually was in Sydney last week on my break, had a wonderful time down there, went with the whole family and I actually had a chance to have dinner with Mark Dowd last week.
Starting point is 00:18:54 Oh nice. So that was a lot of fun as well. So I joked on Bluesky, I went to Sydney and saw the sights, like the Sydney Harbour Bridge, the Opera House and of course, Mark Dowd. Yes. I tell you, he's still very much enjoying hacking the internets, which is good to see. It's good when your, when your friends have a passion. It's great.
Starting point is 00:19:13 Or sickness. Exactly. And he sure does have it. He's one or the other. You're quite right. Now let's have a chat about juice jacking, right? Because this is one of those things where, you know, the advice for so many years is like don't use public wifi and never plug your phone into the, you know, this is sort
Starting point is 00:19:31 of out of date advice that doesn't really, you know, help anyone. But we've actually got some research here into a potential juice jacking attack that would have worked quite well. Thank you very much. This is a bit of research. It's called Choice Jacking. We've got Dan Goodin's write-up on this one from Ars Technica. Yeah, when I was going through preparing the run sheet for the show and I saw the juice jacking in the headline and I just immediately went, paste down, next, didn't even read it. And then I'm like, it is a Dan article. Like he probably, I guess I'll go back around. I'm really glad I did,
Starting point is 00:20:05 because it is actually what you want in a juice jacking bug. I think there's some researchers from, were they an Austrian university maybe? Yes, a university in Austria. And they came up with the actual juice jacking bug that you want. Plug in a modern, fully patched Apple device or Android into what you think is a power-only connector
Starting point is 00:20:29 and receive disk access to the device and steal data off it, right? That's, you know, with no user interaction required. And that's, like, I was super curious, like, how did they actually do it? How did it work? And it's super interesting. So if you'll indulge me, I'll walk you through the bug.
Starting point is 00:20:43 Well, that was gonna be my next question. How does it work? I'm afraid to tell Adam. I'm gonna tell you, even if you hadn't asked, I'm gonna tell you. So this is super cool. So you plug in the USB device, it initially pretends to be a keyboard.
Starting point is 00:20:55 It injects keystrokes into the device to get to the Bluetooth pairing settings menu, triggers Bluetooth discovery, and then at that point, the device that's attacking you stands up a Bluetooth keyboard, and then you accept the Bluetooth pairing with this fake Bluetooth keyboard.
Starting point is 00:21:13 So now there is two keyboard paths, one via the USB connection and one via Bluetooth. Then you reconnect the USB via the USB power delivery mechanism where you can change the role of USB devices between host and client. So then you change it so that the attacker is now a host device, sorry, is now a client device and then the phone spins up its share media with a printer, you know, whatever thing. And then you use the Bluetooth keyboard that you've got connected to accept the prompts to say, yes, please do it.
Starting point is 00:21:49 And that's the kind of the whole process end to end. So by changing client server role and then using Bluetooth as a side channel, because you can't do keyboard at the same time as being a USB client device. That's how they circumvent on the application. In the Android case, there are some other tricks of using out-of-state messages in the USB stack to do the same kind of thing.
Starting point is 00:22:11 But honestly, super cool research. And I just loved that, let's just make a second keyboard via Bluetooth. So yeah, just cool work. I mean, it is. And it doesn't involve any sort of 0-day memory corruption. It is just like old school logic hackery.
Starting point is 00:22:32 It's fun. Using the brain. It's funny actually, because when I had dinner with Mark, and he's a very, very well-known iOS security expert, and we were just chatting about what a hard time it must be for companies like Cellebrite and like Greylock and, and, or GrayKey or whatever they're called, because, you know, to do this sort of stuff, because the attack surface for this is just so tiny.
Starting point is 00:22:58 Um, you know, so literally having that conversation last week, and then we see this research and it's like, wow, you know, when there's a will, there's a way. Hey, yeah, yeah, yeah. I mean. We just got to love it. You know, it's as good. This was just such good work. Now, if your computer will allow you to move over to the tab containing the article, the next article we're going to talk about, because it's on a website called Android Authority that I think the ads were chewing what, a whole core on your computer. All of my cores, all of the cores of my CPU are pegged at 100% on this website because of the amount of advertising. So turn off the JavaScript and then look at it if you're clicking on the link, dear listeners.
Starting point is 00:23:34 Yeah, so apparently there is actually some new stuff coming in Android 16 that is designed to prevent USB-based attacks. And this is part of Android's whole, they're building some, you know, advanced security mode that is similar to the, what's the Apple one called? Lockdown. Lockdown mode. Yeah, yeah. So they're building a mode that's similar to that. And they're, you know, introducing some changes to the way Android handles USB connections. Walk us through them. Yeah. I mean, the basic gist of this is that you'll be able to tell it that when the device is locked,
Starting point is 00:24:05 physically disable the USB port, or at least like make it so that it doesn't work, so that exactly this kind of juice jacking thing isn't viable unless your device is unlocked. Then, like that's basically the guts, but there's a bunch of other changes they have been making as they design this advanced protection mode. But certainly, if you were Grayshift or Cellebrite, this kind of thing is probably a death knell now for a lot of your business. So yeah, bad times to be them and good times for Android users. Yeah, yeah.
Starting point is 00:24:38 If they're using that mode, I guess, would be the caveat there. Now let's talk about a critical bug in Erlang OTP SSH. Now, whenever I hear the word Erlang as someone who did a, you know, communications and electronics degree a million years ago, I get triggered. Uh, cause an Erlang is actually a unit that measures traffic on a, on a telco network. Um, so of course, anytime I hear the word Erlang, you know, I just immediately
Starting point is 00:25:03 associate that with telcos. I'm guessing Erlang OTP SSH is found in telco environments, Adam. Yes. So Erlang, in this context, is a language slash runtime environment from Ericsson and very heavily used in the telco environment. And systems built in Erlang tend to be used in big communication systems that need to have very high availability
Starting point is 00:25:27 because you can kind of hot patch it and keep the system running whilst you work on it. Anyway, there is a SSH implementation in OTP which is basically the de facto standard library for Erlang applications and this SSH server has a bug that is CVSS 10 out of 10 no-auth remote command exec and that's bad. I mean you don't often hear the words CVSS 10 and SSH in the same sentence right? Well, well yes. Because people are like oh why are they talking about some bug in SSH? I mean CVSS 10, SSH.
Starting point is 00:26:03 CVSS 10, and obviously this is just Erlang's implementation of it. But the thing that really touched my heart reading the story is the guts of the bug is that you can basically send out of state messages down the SSH protocol channel pre-authentication saying, hey, please open up a command prompt and run a command. And when I was doing my work on weird out of protocol SSH, out of state, like weird protocol stuff in SSH for SSH Jack back in 2005-06, I went and looked for this bug in OpenSSH and a number of other implementations of SSH on Unix. I didn't look at the Erlang one because I wasn't in a telco.
Starting point is 00:26:47 And this bug didn't exist in any of the ones I looked at, but it was a bug that I thought about and that I went looking for. So seeing someone else find it now all these years, that just warms my heart, like it fills me with joy and love. So good job, researcher who found this. Sucks to be everyone running Erlang anything with SSH. On the plus side, you can probably hot patch it. So yeah.
Starting point is 00:27:09 So you feel vindicated because you would have spent a few days on that 20 years ago. And now you understand that that wasn't a waste of time. Yes, exactly. I feel justified. My instincts were good, man. They were good. Now look, I mean, we're going to continue talking
Starting point is 00:27:24 about a few bugs because it's just a big week for bugs this week. So we've got two more to talk to. And one of them is in SAP. SAP NetWeaver. This is under active exploitation, and it's a bad one. Yeah, this is straight up unauth remote code exec.
Starting point is 00:27:39 Once again, CVSS 10 out of 10. This is a bug in the SAP web server component. There is like a service discovery and registration endpoint. They use a UDDI, which is like a Java. Java people use it for doing service discovery. Anyway, it just has no auth and the net result is you can connect to it, kind of reroute services inside it, inside the big applications, and then leverage that upwards to code execution,
Starting point is 00:28:08 which is wonderful and great. And there is quite a lot of this on the internet. And for internal networks and SAP environments, this bug would be a wonder. Like you would have such a great time in an enterprise. So yeah, once again, fills me with joy. Yeah, I think it's a CVSS 9.9. So, so close to being perfect. I wonder
Starting point is 00:28:26 how they lost that 0.1 percent, 0.1 point. Probably because you have to think about Java and that's enough to put off you know some percentage of attackers. A large part of them actually. We saw that with Log4j you know like people only ever used ready-made exploits for that one like wow as far as we know anyway. Yeah. And then there's some nasty stuff in Commvault as well. Yes, the Commvault backup system, there's a bug in it. watchTowr Labs have their usual very high grade, you know, meme heavy write-up. Like, I just can't give enough props to watchTowr because so many advisories that we read have zero detail and seeing someone
Starting point is 00:29:05 actually work through and work up the exploit and give you all of the details that you actually want fills me with joy again. This is just a wonderful week. I'm having a great time this week in the show. And this is once again Java bugs processing a zip file with path traversal that leads to unzipping a you know a JSP file or malicious code inside the web root of the Commvault Java web application and they talk through their auditing approach which is once again exactly how I approach auditing Java web apps like this so yeah I felt right at home it was a good time if you run Commvault. Oh boy oh boy
Starting point is 00:29:44 yeah it's gonna be time to patch, I'm afraid, cause yeah, this is straight up code exec on the backup server, and then you restore the backups of the domain controller, steal all of the keymat, and Bob is your domain admin having uncle. Yeah, yeah, and I think this is being exploited in the wild now, isn't it, since this write up?
Starting point is 00:30:03 Yeah, I think so, like the write-up is super clear, and watchTowr has what they call their euphemism for a POC, a Detection Artifact Generator. So yes, easy times for everybody who is near a Commvault. Yeah, there you go. Now let's look at future trouble, right? So we've spoken about it on the show before about how Chinese crooks are really scaling up
Starting point is 00:30:28 a lot of these scams where they get people to, they obtain one-time passcodes to enroll people's card information into like Apple wallets or whatever, where they're in China. And then they're doing relay attacks to POS terminals or ATMs or whatnot in targeted countries. So that's interesting.
Starting point is 00:30:46 But Catalin Cimpanu, our colleague, and you know, we keep talking about his work this week. If you want to read this stuff yourself, go to Risky.biz and subscribe to our newsletters and you'll get this in your inbox. And you don't have to listen to us talking about it, which I guess we don't want that, do we? Anyway, but go subscribe to his newsletter anyway, because it's really good. But he's done a bit of a deep dive
Starting point is 00:31:07 into what Russian crews are doing with NFC card malware. So this is different to the enrollment scams and more about being able to relay sort of NFC-based information, I guess, that unlocks transactions off to other locations and whatnot. I guess the point he's making is that this stuff is on the up, right? So between what the Chinese are doing with this stuff and what the Russians are doing with this stuff, it feels like mobile payments fraud is about to become an issue.
Starting point is 00:31:38 Yeah. I think the ubiquity of NFC payment cards and equipment in the forms of mobile phones has just like, it's giving opportunities for new ways to do crime. And the enrolling stuff into Apple Pay, enrolling cards into Apple Pay through social engineering to get the enrollment one-time code or whatever, that's really smart. And then this Russian stuff where they get a piece of malware on your phone, you know, through all the normal mechanisms and then social engineer you into holding your card near it
Starting point is 00:32:10 and then relaying it. Like both of those are, what can we do when we have, you know, card readers in everyone's pocket? And I'm sure there's going to be a bunch of other really interesting ways to attack the payment ecosystem that we will see over the years. It's also transferable between markets.
Starting point is 00:32:28 We're seeing it mostly in Russia, mostly in China, but it's going to appear in other markets because the techniques are the same, the cards are basically all the same, the phones are all the same. There's no reason we're not going to see it elsewhere. Catalin's been pretty good at giving everybody a heads up of what's coming down in other places as well. So if you're in that payment space, definitely go read, because it's a good write up. Yeah, I remember like 10 years ago watching Nick VD
Starting point is 00:32:52 doing like a NFC relay demo at KiwiCon and just thinking, oh, this could turn into a problem, I guess. And yeah, here we are. Took 10 years. Yeah, took a while, but it was fiddly, because I worked with him on some of the implementation of those attacks and getting the timing working and stuff. It was fiddly, it wasn't complicated, but it was just, there was fiddles that you didn't
Starting point is 00:33:12 really appreciate. So doing it in the wild is pretty cool work. Well, we've also seen, and I don't think it's necessarily applicable in this case, but we often see too when technology companies lay out a foundation for something that can be done really, really securely and amazingly, they don't use all of the features that would enable them to do it really, really awesomely and securely. So you think back to when Chip and Pin was kind of new. And I think Australia and New Zealand were certainly ahead of the United States in terms
Starting point is 00:33:41 of having Chip and Pin. So there were a lot of people doing research on that stuff here. And, you know, just they, there were so many ways they could have implemented it that they didn't, you know, so you could do things like replay attacks and whatever. And like, yeah, anyway, let's just see how bad it gets. I get, I'm guessing there's already some work being done on countermeasures to a lot of this stuff, but, you know,
Starting point is 00:34:03 there's a lot of banks in the world. Yeah. And it's also so applicable to other things like, you know, car, remote unlocking cars via the key fobs and stuff. Like once, as those radio systems converge and become more and more in common, you know, and people are using, you know, their phones to unlock their cars or whatever, like there's just a bunch of building access control. Like there's so many hotels, like so many places this research is applicable even beyond payment cards. Yeah. Yeah. All right so now we're gonna talk about US government stuff and you notice that I buried this towards the back of the news because it's just the US government. Yeah. Yeah. So you remember when the whole Signal you know Houthi Signal group chat came out I
Starting point is 00:34:44 speculated, well, they're going to be using probably, you know, not just the mobile app, they'll probably have it on their desktop as well. And they're probably not running that on government computers because that's against policy. Turns out Pete Hegseth actually had a personal computer, like a non-government computer in his office and was even provisioned a like commercial you know internet access to that machine so that he could use Signal on that machine so that's a report from AP it just really confirms our vibes on this when it all first started I guess which is why I mentioned it yeah yeah exactly I've been
Starting point is 00:35:18 typing all those things on your little phone keyboard as a pain using a real keyboard a real screen super super convenient, and yeah, you can see why. And then you've got to wonder, like, what else does that machine have access to? What does its microphone listen to? How difficult is it really to compromise Pete Hegseth's dirty computer? Yeah, his unsanctioned computer. And this was always my concern, right, is if you've got, like, if you spider out the number of people in these sort of group chats, right, and the number of devices, okay, if they're all
Starting point is 00:35:47 just using the phone app, you know, as I often say on this show, I don't use the Signal desktop app for this reason. And you would just think one of those, yeah, one of those devices somewhere along in these group chats would have been compromised almost certainly. Uh, but we've also got, uh, so this is a story from April 21. I'm choosing to include in this week's show notes Brian Krebs's write up of this because it is superb. It is really good.
Starting point is 00:36:13 A whistleblower from the National Labor Relations Board has filed a complaint. This guy's name is Daniel J. Berulis. He's 38 years old. And he's come out and made a series of allegations about the way that the Doge people were handling data and access into this organization's environment. And you read the complaint, and it's pretty mind-blowing stuff.
Starting point is 00:36:42 Now, we've got to keep in mind that these are just allegations, but there is some evidence provided, like various photos of consoles and whatnot. But I mean, walk us through this one, Adam, because it is a wild time. I mean, just before you do that, I will say that very early on when we started talking about this Doge stuff, we said, look, there's probably a data governance issue here because it doesn't seem like they're following many procedures. And, you know, I expected it could be quite bad but this is even worse than I thought it would be. Yeah so this is a relatively smallish government agency that you know handles relations with unions and other you know kind of labour related stuff and interestingly as an aside a thing
Starting point is 00:37:18 that Elon Musk and Tesla and SpaceX and so on have had some beef with over the years you know whether that means, I don't know. I think they're suing this NLRB, right? So, I mean, it's not just a bit of beef. This is, this is an organization that is loathed by Elon Musk, but anyway. Anyway. So this guy worked in the like network and computer governance bits of this organization, and he was told that Doge people
Starting point is 00:37:47 were coming in and they needed access to the environments. The Doge people in question were provisioned tenant admin level access to their Microsoft 365 environments in contravention of all of their normal policies and processes. And then they started seeing sort of signs in their logging and signs in like usage accounting and stuff in there as your environment that just looked kind of weird. They started pulling threads. They found things like user accounts being created, you know, for Doge people.
Starting point is 00:38:20 And these accounts are like, some of them have like fake names or had generic kind of names. They also saw records of these accounts being logged into with the correct username and password from IPs geolocated into Russia within, you know, like 15 minutes of the accounts being created. Well, I mean, they weren't successful logons, right? Okay, so they were, they were successful. They were the right creds. The reason this guy thinks they were the right creds is because the logins failed on the geo block side of things, right? Um, but not,
Starting point is 00:38:53 they didn't fail at the, at the point of credential entry, which suggests that, you know, probably these doge people, I mean, if this is true, it would suggest that one of the Doge people's systems that is involved in provisioning these accounts is compromised. Yeah, either compromised or the Doge kids are using commercial VPN providers with boxes that happen to be based in Russia for whatever reasons. Because you think about the ties of some of these guys to cybercrime and stuff in the past, it wouldn't be super unreasonable for them to be using VPNs or whatever.
Starting point is 00:39:33 So could be that if it was Russia on Doge employees systems, you wouldn't imagine they would log in too much. I feel like the Doge people using cheap ass VPNs is probably more likely. What if it was the Canadians trying to get them to think it was the Russians? Maybe false flag, that's also entirely crazy possible. It's the Canadians false flagging. Yes. But anyway, so this guy's got a whole list of complaints and weird stuff that they've seen. He raised it with his management and eventually their investigation of it got shut down and the guy got his access revoked and he's currently on paid leave or something. I think they all got their access revoked. Yes, like the entire IT team or whatever it was at this organization. So like really kind of
Starting point is 00:40:14 weird looking and the thing that strikes me about it, you know, having been an auditor, having been a pentester, someone that goes into other people's environments to go look at stuff. Quite often you do end up saying, look, just give me root, just give me admin and we'll sort ourselves out because understanding the local policies and processes and all of the weird account types and rules
Starting point is 00:40:37 of any particular organization takes longer than the job is worth. And I get the vibe that Doge kids, like they're going into hundreds of organizations, everyone's got different setups and policies, just asking and demanding tenant admin because you can, is pretty easy. Like it's, it means you can use the same rule book and the same playbook for everything, you know, and that's efficiency. But... Sure, but they're going in there and they're flipping off logging spinning up a bunch of new users running random containers
Starting point is 00:41:06 Like I mean I get that that is the easy way to get it done But I go back to that whole thing which is this is a data governance and process problem, right? Because they're not adhering to any processes like they're not logging what they're doing and a lot of this is sensitive data It's just nuts. Yeah, I mean I think like both of these things are true, right? this is the easiest way to get the job done. And I have been on the other side of this where you need to get the job done. And, you know, you do circumvent all these processes and controls because, hey, you're there for a week.
Starting point is 00:41:34 You've got an outcome to get. You ain't got time for their stuff. You just go get it done and tidy up after yourself and hope you don't make any mistakes. Right. And that's, it's not great, but you know, sometimes- Rules, rules, they don't apply to us, Adam. It's what you gotta do. But, at the other hand, these are government organizations with very real data, you know, governance requirements
Starting point is 00:41:55 and obligations that exist for a reason. And just cause it's easy and you're 23 and you've got a boss providing top cover that says you can go anywhere in government and do whatever the hell you want, yeah, doesn't mean it's the right thing. Yeah well staying with US Government News and CISA is getting a new deputy director Madhu Gottumukkala who is the CIO of South Dakota is the number two pick. I think the nominee for the director position that's still being held up by Ron Wyden who's waiting for them to
Starting point is 00:42:31 release a report into SS7 from 2022 because reasons. But yes, CISA now has a deputy inbound apparently, staying with CISA news and Bob Lord, who I've interviewed him before. He was the CISO of Twitter a long time ago and then went and did a bunch of work with the DNC to secure their campaign. He is leaving CISA. He was a senior technical advisor there and he was working on Secure by Design and also Lauren Zabierek, who worked there on the same stuff. She is also leaving so it looks like things are a little uncertain for the Secure by Design
Starting point is 00:43:11 initiative. And of course the axe is about to fall on a zillion employees there so yes the doging continues at CISA. And now a quick follow up on the Chris Krebs situation. He was, of course, was the first director of CISA and, you know, is being, he's subject to an investigation now ordered by Donald Trump himself into God knows what. But yeah, he was put in an untenable position. He has resigned from SentinelOne as we predicted and promptly turned up at RSA and bucketed the Trump administration for all its cuts to cyber agencies.
Starting point is 00:43:48 So yeah, I think Trump's earned himself a new thorn in his side for the next couple of years while Chris goes on a warpath. And one more thing we wanted to touch on quickly, just very quickly, is there's a blog post from Chris's former employer called Top Tier Target, what it takes to defend a cybersecurity company from today's adversaries. I actually spoke to like the head of Threat Intel, Steve Stone and Alex Stamos yesterday. We did an event, I just joined by Zoom, an event in around RSA to talk through all of this, but it was actually really interesting research and I figured you'd want to chime in your two cents on this as well. Yeah, well, this is a super interesting write-up
Starting point is 00:44:29 of the sorts of attacks that SentinelOne have seen against themselves and other peer companies in the industry that do important security work. And attacking security vendors, there's a long and proud tradition of that. And it's just, you know, it's very rare that anyone comes out and talks about it. So it's really nice seeing a write-up of some of the things that they have experienced. One example is North Korean IT workers, you
Starting point is 00:44:57 know, and how they went and kind of worked with their HR team, recruiting team to sort of spot some of that stuff early on. So that was super interesting. And then also some of the work on when cybercrime actors are renting access to EDR products to be able to test stuff and to be able to kind of get into even some people's production environments like where there's EDR consoles on the internet, some of the attacks around their products and how the customer's using it. I thought that was kind of an interesting thing that you don't often see vendors talking about, you know, compared with like Fortinet, who every time they have a
Starting point is 00:45:32 bug, they just find a bug in somebody else's product and quickly drop a press release to distract you from the fact that, you know, Forti-everything is getting owned. So it's just really nice seeing this kind of detail. Yeah. And it's from a vendor. It was a great conversation. I'm still waiting on the video feeds from the other side. And once we get them, we're going to chop that all up into a podcast. It'll go out next week. It's our first wide world of cyber without Chris,
Starting point is 00:45:55 which was a bit strange. But anyway, and for anyone wondering, Chris Krebs will absolutely be back on Risky Business. It's just a matter of how long he's a little bit busy right now, as you can imagine. Yeah. So that's actually it for the week's news, but I'm going to do something now, which we don't normally do, which is just chat to you a little bit about this week's sponsor interview,
Starting point is 00:46:14 because part of it was inspired by conversations you and I have been having about IPv6 and the adoption of IPv6. Because, so Knocknoc is this week's sponsor. They make a technology that orchestrates your firewalls and it's tied to SSO. So basically you SSO to a web page which is the Knocknoc page and you just press authenticate with SSO and then it opens up network access to the resources that you want to access. So unless you've done that you just
Starting point is 00:46:42 can't even get a port to these resources. Now it's funny because a lot of what, and I'm on the board of this company, right? I work really closely with them. And a lot of what we spend our time thinking about is like how to get around the fact that occasionally someone's going to want to connect from a CGNAT gateway that's shared access that has possibly some compromised bot machines behind it, right? You are then opening up to them. So what do you do? And there's a few approaches there. You can have GreyNoise risk scoring,
Starting point is 00:47:11 where you can say, well, you know, we've seen some bad activity from that IP, so just don't allow that user to connect from that IP. That's one way to do it. Or if they wanna connect to a web application, you can shunt them into an ID-aware proxy. Right? That's another way.
Starting point is 00:47:27 And that also works for stuff like RDP because there's, you know, various stacks where you can basically Webify RDP and whatnot. But then you look at like the experience of one of their customers who's an IPv6 shop and just the way they use it, you don't need to do any of that with IPv6. And then you quickly realize that IPv6
Starting point is 00:47:46 is going to be the foundation of the zero trust future. And of course I have this conversation with you and then you say, but v6 is nowhere near ready. And it's like, oh, he's kind of right, but he's kind of not. But it is true, isn't it, that v6 just solves so many problems. Yeah. I mean, the ability to be able to individually address computers on the internet is a thing we have given up on over the years because of V4 exhaustion and the complexity of networks and things like that, breaking that kind of... The way that networks were meant to be end-to-end reachable and the return to the end-to-end internet is a thing that a lot of people are not really ready for, but this kind of use case of doing access control based on source IP address is exactly why end-to-end addressing is so great.
Starting point is 00:48:31 And in the old days, there was this idea that IPv6 was going to have built-in kind of IPsec style VPNing and stuff that would have delivered also confidentiality and integrity on top of it, but then the standards were so complicated no one implemented it, IPsec, terrible and blah blah blah but you know just being able to identify who you're talking to is super super valuable and we've forgotten how valuable because of the the sands of time in v4. We've learned to deal with it right and that's the thing like until you say oh well actually things would just be so much better if we just all used V6. If the entire internet moved to V6, then everything would be super great.
Starting point is 00:49:09 Yeah. Yeah. Well, that's the funny thing in this interview. As everybody's getting here, there's a moment where it's like, Oh, it's easy. All we've got to do is get everyone in the world to use V6 and then it's, you know, problem solved. We can go get a coffee. But yeah, I'm going to intro the interview now. Adam, thank you so much for, for joining me for a discussion of this week's news. It's great to be back. Yeah, it's really good to be back.
Starting point is 00:49:29 And yes, I will talk to you next week. That was Adam Boileau there with a check of the week's security news. And as you just heard, we're going to chat with Adam Pointon, who's the chief executive of Knocknoc. Now about IPv6 really, and the security benefits it unlocks, which are many. And we're also gonna talk about a couple of use cases that they have, that are turning out to be really popular for Knocknoc.
Starting point is 00:50:00 And one of them is internal use to segregate a production network from an OT network. It's a really clean way to do that. And other approaches can be a bit more fiddly like VPNs internally. Yeah, you can do that. It's a bit more fiddly. Jump boxes again, a bit more fiddly. You can micro segment the entire network, but that's like a lot of work, right?
Starting point is 00:50:20 So people are finding that, yeah, you can just drop in Knocknoc, add a few firewall rules and orchestrate it that way. And it's really working, working well. So I will drop you in here though, where I first off asked Adam, you know, if he agrees with the proposition that IPv6 really unlocks massive security wins. And here's what he said. That's very true. It really does. You get precision. You get precision attribution. You get precision direction of the flow of traffic. And it's just, unlock is the right word.
Starting point is 00:50:54 It's one of those sort of words. But it is very true. You get absolute precision attribution of the client, of the server. You get orchestration at the firewall level. You don't have to have all this NAT. And the whole NAT-ed, walled garden thing, everybody, you know, NAT came around, everybody had their nice soft and squishy internal networks, but don't worry, NAT prevented anybody
Starting point is 00:51:14 getting in from external. And IPv6 is a little bit of fear still around that, a bit of confusion, lack of understanding, but the world is almost there at IPv6. The rate of adoption now and we're above 50%. It's quietly happening in the background and we love IPv6 because it allows that precision of attribution and target what server, what service and other benefits of IPv6 that it brings. Yeah, that 50% figure is now like 50% of Google visits in the United States are served over v6, but the problem with v6, right, is you can't be guaranteed that you're going to
Starting point is 00:51:48 get it from your provider like if you're out on the road right you're connecting to the hotel Wi-Fi there is no guarantee that you're going to be able to get v6 you know this is just the problem with it so we are really talking about an ideal world kind of scenario but you know once we imagine a world where you have to authenticate a completely unique IP before it can connect into our services, you'd imagine that you would just do this on every network and oh my God, the benefits would be just incredible. Incredible. It's almost comes back to the micro segmentation piece you said before where
Starting point is 00:52:19 you've got individual client, individual host, individual services obviously at a massive scale and the ability to have you know single pinpoint between the two as opposed to you know allowing broad networks through. It'll take a little bit of time to get there but it's it's happening it is actually happening. People probably don't realize. Yeah I mean I think there's a couple things there though right so you've got the ISPs who've got to support it. And then a lot of enterprises, they don't have the, I mean, I don't even think we've got, we're serving our website via v6 at the moment, right? Like which is terrible and we're going to have to fix that.
Starting point is 00:52:54 But that's my point is like when I talk about this with Adam Boileau, he's like, well v6, if you want to roll v6, it's a whole other network. You know, I mean, it's on the same equipment, but you need to be maintaining essentially a dual network if you wanna run V4 and V6. So I don't know, like, how long is it gonna be before we can reliably get V6 everywhere? We are gonna get there. It is a whole lot on the network.
Starting point is 00:53:16 It is complicated. There's a lot more to it. There's other security elements of it that aren't fantastic, but there's a lot of pros. But personally, I love the ability to pinpoint a client and a machine and, and have that, um, specific control. And then you get a lot of observability benefits too. Uh, you know, you're not just seeing a NAT gateway connect to your service.
Starting point is 00:53:40 You're actually seeing more individual, uh, client machines. So from a security observability standpoint, there's a lot of untapped benefits there, I think too. And of course the customer that uses this on their V6 network, I mean, it's perfect. Yeah, they're very big network people. It works flawlessly. And there's a big push in US federal government
Starting point is 00:54:03 to move to V6 for obviously, you know, all the benefits. So we, we will see more adoption. But I mean, this is the thing, right? Is like, I've been in this a long time. So have you. And it wasn't until we were working on this, when we're like, oh, okay, in order to make zero trust actually works, there's a very simple answer.
Starting point is 00:54:18 And it's just to, it's just to use v6 and, and apply some authentication to network connections. Yeah. Which is not what you want to hear to achieve something that's slightly difficult. All you need to do is roll v6 across the whole world. That's right. Yeah. But it is baked into everything these days. Every client, every server, okay, not all the fantastic podcast websites in the world have
Starting point is 00:54:41 it enabled perhaps, but all of the client and server machines do support it. So it's not experimental, but there's a lot of effort and it's complicated. I mean for that customer too, you even had to roll out a couple of extra like protocol support features. One of them was the, what is it? The privacy extension to IPv6? Tell us about that. Yeah. So privacy extensions essentially, I mean the original v6 was like, oh, we'll make your address based on your MAC address. Uh, which, you know, it was crazy because then you get individual attribution down to the hardware layer around the world, which you
Starting point is 00:55:16 can. Well, and sometimes you're going to get collisions there too when lazy manufacturers just, you know, have 10 MACs that they just use on everything. Yeah. Lots of problems. So it doesn't do that anymore. Well, for 10 years or more, hasn't been the standard. But the privacy extensions essentially allow you to have a dynamically generated address, depending on the network that you're sort of connecting
Starting point is 00:55:36 through to. So anonymizes the client, and then you get periodic changes and updates of the address. So we, yeah, we love our customers that actually push us forward and that was one of them was to support or the ability to support or not support those dynamic changes and still have attribution of the user. Now one thing that's getting really interesting though is you've been looking at some of the transport security options in v6 and that's
Starting point is 00:56:00 where stuff starts getting absolutely wicked from your point of view, right? Yeah, well, I still remember when AH and ESP were, you know, AH was a part of it and I was like, oh, this is going to be fantastic. Obviously that's not really a thing anymore. ESP is, but it's just not the most efficient way to do it. You know, don't encrypt at the transport layer, you know, do it at the application layer and that's where everybody is today and that's okay. Keying is hard, distribution of, you know, keying etc. is hard, so I understand that. But you know, it would kind of be cool if you were an IPv6 CSP network everywhere, like
Starting point is 00:56:35 you know, I'd be a fan of that. So look, while we're here I guess we should talk about some of the use cases that are popping up for Knocknoc, because some of them are kind of, I mean I, I guess in retrospect, they're not surprising. But this is turning out to be really popular with OT providers, OT admins who have to administer, you know, control systems and whatnot and, you know, water treatment plants, whatever. Why don't you tell us why it is that, you know, the OT types are getting all excited about this? Well, the OT use case is always on access. Why have always on from your machines, whatever the VLAN is, always talking to that environment.
Starting point is 00:57:13 Why have that if you can have an on-off switch, essentially, which Knocknoc provides? So there's the external use case where people are connecting in, but then the internal one is getting a lot of adoption because you can control that per individual machine, per individual network with an on-off switch. When they need access, they get it just in time, and every other moment their machine can't access that network, full stop. Yeah. And I guess there hasn't really been that many approaches for doing this, I guess, in
Starting point is 00:57:42 the past. Yeah, not really. I mean, there is the high side, low side network. You can physically change things, you know, go and plug in over here, do your thing, come back over here. But pretty quickly people don't want to do that, so they either bridge the networks or they find another way, or it is a VPN or it's a jump box, and a jump box is just more steps and other elements in the way to get through to what they need to get done for their job. Yeah, right. So the way it would work is, user wants to access the OT environment, they just make sure they are SSO'd, they hit their Knocknoc page and bang, that opens up the firewall into that network where the OT stuff lives. Yeah, and what people like about
Starting point is 00:58:22 it is it's on for an hour. So their machine has no network level access. If the machine's owned, somebody sitting on their machine trying to look at that network, they can't see it, they can't attack it. Only after they log in can that network actually be accessible. So yeah, as you say, they're logged in, they click a button, it opens up that network, they do their job. You know, it's like they've plugged the cable into that switch over there, they do their thing, and then either log out or it times out and they're back on their normal network, but they've obviously got access to both. Well, I think the point is more that if someone lands on a box where someone isn't adminning
Starting point is 00:58:53 the OT from that box, like that box will just never be able to access that network, right? That's right. Yeah. You can't access it. It's fully controlled out. Yeah. So as I said at the intro, like this has kind of been a semi-surprising use case, because initially, like, it was just we thought, well, it's for reducing attack surface at the outside of a network, and indeed people do use it to do that. But I guess this internal use case is really fascinating, because you know there's some really great micro segmentation products out there at the moment, you think things like Zero Networks, but I can see the appeal of this because under that paradigm, you're putting, you know, you're sort of micro segmenting every machine and it's like a network
Starting point is 00:59:34 wide sort of project. Whereas with this, it's just a few subtle changes and you're done. Yeah. There's a lot of benefits to that approach having all the individual one-to-one, but Knocknoc, just you get the whole network, you get the easier implementation. It's on or it's off as opposed to machine to machine and that level of detail. There's one more use case we should talk about because it is another one that's like surprisingly niche, and you have got two supercomputer labs actually evaluating it at the moment, and for interesting reasons actually. Tell us about that. Yeah, well, that's just the mountain of data.
Starting point is 01:00:09 So there is a lot of data in those environments, and having direct access and, you know, high speed, and then having to turn that off and take a different approach to get the data there, whatever direction, is a problem. And you also don't want those machines, those environments, large clusters, lots of nodes. You don't want them being exposed to, you know, hostile external or even hostile internal. So Knocknoc, dropping straight in, controlling the edge to those or individual nodes, is still experimenting on the best way to get it solved,
Starting point is 01:00:42 is a simple one because of that direct access, lots of volume of data moving back and forth. I just think it's wild that there's been like two, you know what I mean? Because it's like there's not that many supercomputing environments in the world, and when two of them reach out it's like, yeah, it turns out supercomputing environments like that, and one of the things that we're complaining about is some, yeah, magic cloud, like Zscaler style stuff, which is just too slow. Yeah, well, the other thing is they understand Linux.
Starting point is 01:01:10 The people running those worlds deeply understand Linux, the networking stack, and obviously Knocknoc fits right in there. So they see the simplicity of that. It's not another kernel level thing that they have to add on and don't really understand what's happening. It's more of an orchestration thing. So it's cleaner and simpler in their world. That's why they're evaluating it. Yeah, yeah.
Starting point is 01:01:32 All right. Well, we're going to wrap it up there, Adam. Thank you so much for joining me for this conversation about Knocknoc. Yeah, its internal use case being really popular, how it's just crazy good with IPv6. And we wish in a perfect world everyone was using IPv6, because then everyone would need this immediately. Great to chat to you as always, my friend, and we'll catch you again soon.
Starting point is 01:01:52 Thanks, Patrick. Great to chat. That was Adam Pointon there, chief executive of Knocknoc, with a chat about IPv6 and the internal use case for Knocknoc, which, yeah, it's funny, but it's very popular for doing that. But that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but
Starting point is 01:02:13 until then, I've been Patrick Gray. Thanks for listening.