Risky Business - Risky Business #794 -- Psychic Panda outgunned by Fluffy Lizard and UNC56728242
Episode Date: June 4, 2025

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:
Cyber firms agree to deconflict and cross-reference hacker group names
Russian nuclear facility blueprints gathered from public procurement websites
Someone audio deepfaked the White House Chief of Staff, but for the dumbest reasons
Germany identifies the Trickbot kingpin
Google spots China’s MSS using Calendar events for malware C2
Meta apps abuse localhost listeners to track web sessions

This week’s episode is sponsored by automation vendor Tines. Its Field CISO, Matt Muller, joins the show to discuss an open letter penned by JP Morgan Chase’s CISO that pleads with Software as a Service suppliers to try to suck less at security.

This episode is also available on YouTube.

Show notes
'Forest Blizzard' vs 'Fancy Bear' - cyber companies hope to untangle weird hacker nicknames | Reuters
Ukraine's Massive Drone Attack Was Powered by Open Source Software
Massive security breach: Russian nuclear facilities exposed online
How a Spyware App Compromised Assad’s Army - New Lines Magazine
Exclusive | Federal Authorities Probe Effort to Impersonate White House Chief of Staff Susie Wiles - WSJ
Malaysian home minister’s WhatsApp hacked, used to scam contacts | The Record from Recorded Future News
U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams – Krebs on Security
Top counter antivirus service disrupted in global takedown | CyberScoop
Cops in Germany Claim They’ve ID’d the Mysterious Trickbot Ransomware Kingpin | WIRED
Australian ransomware victims now must tell the government if they pay up | The Record from Recorded Future News
Google: China-backed hackers hiding malware in calendar events | Cybersecurity Dive
Coinbase breach linked to customer data leak in India, sources say | Reuters
US military IT specialist arrested for allegedly trying to leak secrets to foreign government | The Record from Recorded Future News
NSO appeals WhatsApp decision, says it can’t pay $168 million in ‘unlawful’ damages | The Record from Recorded Future News
ConnectWise says nation-state attack targeted multiple ScreenConnect customers | The Record from Recorded Future News
Google Online Security Blog: Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica
An Open Letter to Third-Party Suppliers
Transcript
Hey everyone and welcome to Risky Business. My name is Patrick Gray. We've got a great
show for you this week. Adam and I will be chatting through all of the week's news in
just a moment and then we'll be hearing from this week's sponsor. And this week we're chatting
with Matt Muller from Tines. Matt is the field CISO over there and he's gonna be talking to us
about an open letter written by the JP Morgan Chase CISO, Patrick Opet I
believe his name is, and he wrote this open letter basically saying that SaaS
providers need to get their act together. What I find funny about this letter is
it could have been a letter from 20 years ago talking about like on-prem
people and how they need to get their act together. So that's me just old man yelling at cloud for a moment.
But yeah that one is coming up later. Before we get into the news though I just wanted to mention
a couple of things. First off, Casey Ellis, the Bugcrowd founder. He's done an interview for us in
the Risky Bulletin feed. He sat down and had a chat, it was a sponsored segment,
with HD Moore, all about RunZero
and why they're integrating the Nuclei
open source vulnerability scanner into their tech.
So that's Casey's first interview with us
and we hope he's gonna do a bunch more,
so that's pretty exciting.
And I also wanted to mention something
that I forgot to mention last week
when we had Haroon Meer on the show, which is that Thinkst Canary is now 10 years old.
So there you go.
How time flies.
So happy birthday little birdie.
Well done.
But Adam, let's get into the news now.
And this first story, it's funny because it's actually turned into a thing, right?
Like everybody's talking about it.
A bunch of companies, including like, what is it, like Google and
CrowdStrike and whatnot, have got together and agreed that they're gonna
spin up like a database of threat actor names so that we're all on the same page.
Now this has been a problem for a long time, when we're dealing with, you know,
this threat actor, is it a Fuzzy Lizard, is it a Twinkly Hurricane, or is it UNC 596121385? Threat actor
naming is a mess but every time we've seen someone try to deconflict this stuff it winds up being a
huge argument because people will say all these two groups are the same and then all the CTI people
start arguing and saying no they're an adjacent group,
and this one just used a bit of their infrastructure
and blah, blah, blah.
Why do we think it's gonna be different this time?
I mean, I think the answer is probably we don't.
I mean, there is a little bit of, you know,
it's a bunch of companies,
there's Microsoft, CrowdStrike, Palo Alto, and Google,
so that is a big group of them at least.
And maybe there is some reasoning for it this time around,
but honestly, I don't think I'm particularly,
I don't particularly feel like
it's gonna go super well.
It's not like they're making yet another taxonomy,
so that's good.
They didn't agree, like,
we're just gonna make new names or everything
so then we'd have an extra name to track.
So they are at least going to publish some documents describing how their individual
naming conventions overlap with each other.
Now how useful that's going to be and how much it's just going to devolve into, as
you say, a bunch of threat intel people having fisticuffs at dawn about whether or not Winnti
is a real thing.
You know, I'm not sure it's going to be super helpful, but on the other hand, I mean, the amount of times on this show, like in preparation for the show, I've had to Google,
like, is this group this group, or we've had to, like, you know, phone a friend, ask Dmitri,
you know, hey Dmitri, do you remember that group called Bloody Boat? Is that the same or is that part of GRU or are they part of, you know, because trying
to understand like when we're doing a conversation about it, it was like, and we want to be able
to say it was the Chinese MSS.
And we don't care that it's, you know, as you say, a furry this or a fuzzy that, you
know, or an APT 41 or whatever.
So it would be useful to have a central kind of document
repository that covers these things, but I'm not, you know. I mean, I think it's going to work for
some stuff, right? Like for some crews, but like when you've got everything from, you know, APT 1,
which is also unit 21398 of the PLA and like that's their official designation, other people call it
different things, it just starts getting a bit confusing. So I think for some of the major groups it'll
work, but I don't know how useful it's gonna be around the edges, because these
companies need to talk to each other as well to make sure that they're talking
about the same people, and I don't know how that's gonna work. But I don't know,
we're cynics, this could work. I think though, you know, Chris Krebs and I spoke
about this in Sydney when we recorded that live podcast and you know he's got
a beef with the way these groups are named because,
you know, you've got a news anchor talking about some nation state actor targeting
US critical infrastructure.
And it's like, we've been attacked by a fuzzy lizard, you know, and we're
not serious people, right?
So it undermines the gravity of the situation somewhat.
I mean, even, and then you look at some attributions, which aren't really attributions.
This actually came up for us last week because we spoke about a Scattered Spider-like group
that is targeting domain registrations or targeting DNS to change MX records and then,
you know, onto full enterprise takeover.
And that was based on what your former colleagues
at CyberCX were saying.
And I got a call from one of the guys.
He was like, well, I got an email and I called him back.
But one of them was saying, well, you know, you put,
oh, it's Scattered Spider doing this in the headline.
And it's really just, you know, similar in terms of TTPs.
And then that sort of led to a conversation of,
well, what even is Scattered Spider?
You know, is Scattered Spider a group
or is it a collection of TTPs that emanate
from one community and wouldn't we think these actors
have a foot in that community anyway?
So doesn't that make them fit the TTPs,
which are the attribution?
I don't know, it just gets very confusing
and I'm not tremendously hopeful
that this will solve the entire problem.
But look, I mean, it's a positive, right?
I mean, you know, it is stupid how many names we have for these things and keeping track of them
is a pain. So if it improves that then great, you know, whether it can get past the, you know,
hoarding of information by individual companies that need to protect their own sources of their
own customers or their own turf or whatever else. And then the other projects.
I think we're probably past that part of it, I think.
I mean, I hope.
I sure hope so.
But again, as you're right,
it's not as clear cut as this is a unit of the PLA.
Like when you're dealing with something like
Scattered Spider or a bunch of kids
or a bunch of kids that sell access to, you know,
state groups or like it all gets very, very murky
once you start trying to over-taxonomize this kind of stuff.
So yeah.
Also, that was not a criticism of the guy at CyberCX who was like just a bit trepidatious
about a headline saying that it was Scattered Spider because he's like, well, we don't, you know,
we haven't quite made that attribution.
It's like, well, I mean, we were clear in that.
It's good to be precise.
Yeah. It's good.
But I mean, in the show we were precise, but it's like,
but that led to that conversation of well,
what even is Scattered Spider?
Which is, you know, depressingly enough, a fair question.
Now, look, this is just a, I guess it's not really
a cyber security
story but it's great to have an excuse to talk about it. We've got a report here
from 404 Media from Matthew Gault looking at the open source software that powered
those Ukrainian drones that blew up a bunch of Russian airplanes a couple of
days ago. You know I'm guessing most people who
listen to this would have seen that news where the Ukrainians managed to smuggle a
couple of trucks, a few trucks into far-flung places in Russia and like as
far north as like Siberia, and at a certain time the roof of the trucks popped
open and a bunch of drones flew out and started blowing up Russia's long-range
strategic bombers.
You know, the Ukrainians say they killed 40 of these planes, which can't be replaced,
mind you, they're Cold War production.
You know, the true number is probably substantially less than that, but more than what the Russians
are saying, which is like, I'm going to go with 20.
Just you know, gut feel.
And rumors of like some very valuable defense material being blown up.
But it turns out, chances are, these drones were running a piece of software called ArduPilot,
which you're familiar with, Adam.
Yeah, so it's an open source flight control firmware for drones, for UAVs and things,
and then also ground station software
and all of the comms mechanisms, that kind of thing.
And actually I had a drone that ran that stuff.
The original developer of ArduPilot
actually used to, I think, be the editor-in-chief of Wired.
Yeah, Chris Anderson.
Left in 2012 to found a company, was it?
3D?
3D Robotics that made, so I had a 3D Robotics drone,
which is kind of where I knew the stuff from.
And yeah, it's good quality open source software.
And they, I think he was posting on maybe LinkedIn or something saying,
oh look, that's my software guiding these drones
onto Russian backfire bombers or whatever else, which
you know, I know a lot of open source developers that do feel funny about seeing some of their code pop up in military applications or other strange places.
But yeah, it's just-
He doesn't seem upset.
He doesn't seem upset.
He doesn't seem-
Yes.
Well, part of the pitch of 3D Robotics, the drone company, was to be a domestic US drone
manufacturer that didn't rely entirely on overseas everything.
And then they pivoted actually into selling drones
into the national security space.
So like, you know, take from that what you will, I suppose.
But yeah, just kind of funny that, you know,
all of this open source stuff, you know,
very low cost software and hardware, you know,
being used to take out very, very expensive,
I imagine, old Russian, you know, Cold War,
as you say, Soviet era military
hardware.
Well, it's like the meme, we can't even build this anymore.
You know what I mean?
Like that's the issue with those planes that have been destroyed is that they don't have
the ability to replace them.
So it is, I mean, what I find fascinating about this is it's quite, as you say, it's
these modern essentially toys, you know, running open source software that are being used to hit one of the legs of Russia's nuclear triad, which is just amazing.
And there's a bunch of people listening to this show who work in the national defence
space who have to think about this now.
And
Well, yeah, yeah, yeah, exactly right.
It's pretty serious business.
Because I mean, you could also imagine this being scaled up into terrorist operations,
for example. I mean, there's a lot of planes sitting around in airports.
You could do similar things to civilian aircraft or other infrastructure.
There's a lot of lessons to be learned from the Russia-Ukraine conflict.
And very few of them are about the cyber war, like we were expecting.
And Between Two Nerds has opined at length about how useless the cybers have been.
But there are certainly a lot of lessons to learn from other aspects of this conflict.
Yeah. And I mean, we are talking about, you know, commodity open technology.
I mean, it's it's hard to think through the steps of what the national
defense implications of this are, because I had one person say,
oh, it could be used for terrorism.
I'm like, look, you know, the Oklahoma City bombing was a truck bomb.
You know, you don't need to get fancy.
You need explosives.
And that's where a lot of the counterterrorism efforts focus is trying to detect when people
who shouldn't have them are like pulling together, you know, large quantities of explosives
and whatnot. But when it comes to, you know, countries try to do this to like state adversaries,
you know, it's certainly something
to think about.
Moving on, and this one is interesting, again, not necessarily a cyber story, but definitely
ties into the sort of stuff we talk about, which is the Spiegel and Danwatch managed
to pull together a whole bunch of public documents that gave staggering insight into Russia's
nuclear program and the modernization of its nuclear program, various underground facilities
and whatnot.
And they were able to do this by siphoning off tender documents from public sources.
This is despite the Russian government passing a law in 2020 that asked construction companies
and stuff to stop publishing sensitive material into public tender documents, but they sort
of didn't do it and this is the result.
Yeah, they've appeared to have been scraping some of these Russian government procurement
systems for quite some time and extracting the documents and analyzing it.
And they've got all sorts of details about the construction specifics of nuclear missile
silos and air bases and as you say underground facilities that are being built to connect
these things together and details about just sort of pattern of life stuff I guess, like
where do the soldiers sleep?
How do they, you know, how do they get in and out? Some details like what do the signs on the walls say?
And so this is all, I imagine, pretty interesting stuff,
and if you were, you know, I'm sure if you were like the American defense establishment, you probably got this kind of intel already, but
you know, having it just out there in public places for people to rummage around and find, I mean,
that's a very 2025 kind of story, isn't it?
Yeah, it sure is.
We've also got this piece from New Lines magazine to talk about this week.
And it's look, honestly, from from the perspective of someone
who reports on cyber security stuff and, you know, cyber enabled intelligence,
it's not a great story in terms of the way it's constructed,
because it has looked at this dodgy app
that was promoted to Syrian soldiers like six months before the regime there
collapsed and it seems clear that whoever was promoting this app and
getting Syrian soldiers to install it on their devices was using it as a
means to collect intelligence. The story sort of intimates that this helped accelerate the fall of the regime,
but then it doesn't even really make an effort to understand
the attribution here, like who was behind this app? Was it Americans? Was it the
Israelis? Was it HTS? They don't really have any answers there, and yet the
story does really try to link the use of this app, or spread of this app to the downfall of the Syrian regime.
So I don't think it sheds any light on the actual interesting things here.
It strikes me as a reporter who doesn't know a tremendous amount about this sort of stuff, getting a bit excited when discovering this story.
But nonetheless, it is interesting to see, you know, reports of an app like this
spreading amongst the rank-and-file in Syria with a decent enough lure.
Well that's the thing that I found interesting about this is that the lure is pretty good.
So the trick here was this app was promoted as kind of being related to a humanitarian organization run by Bashar al-Assad's wife, the Syria
Trust for Development.
And part of the shtick of this is that it would offer small financial subsidies or payments
to people who are in need or whatever.
And if you were a defender of the regime, you could kind of sign up for this,
fill in a bunch of forms explaining what you were
and what units you were in and what you're doing,
what your rank was, all that kind of very useful data
at the promise of some relatively small payments
being sent to you via some app payment system
in the country.
And it was a little bit unclear from reading
if people were getting these cash transfers.
It does seem like maybe they were.
And so basically paying people to install these apps
on their phones, and then it would drop an off-the-shelf
Android remote access Trojan,
so that the attackers had a bunch of details
about the users from the signup process
and then access to their devices,
which then, from then, you know, then what?
The then what part of the story is not particularly clear, but the idea of just straight up paying,
you know, a foreign military to install your app, you know, with a convincing enough lure,
like that makes total sense.
And why wouldn't you do that?
So yeah.
I mean, I think the main thing is here though, that the average rank and file
Syrian army soldier probably wasn't getting paid properly at all. And, you know, this is just the
sort of thing that's going to happen when you've got an army being asked to do horrible things and
not really paid for it. Yeah. And plus, you know, horrific amounts of inflation, meaning that the
salaries are worthless and, you know, endemic corruption. And with some of the stories here around,
you know, like, uh, you know,
army leadership selling material or selling supplies that the soldiers would
normally get, to kind of line their own pockets. That's sort of,
in a military where those sorts of things are happening,
the idea that people would install a random app and give up their details for
40 bucks. Yeah. Not, not, I'm not exactly surprised,
but also that's not the sort of army
that's going to win a war.
So linking cyber to this seemed like a bit of a stretch
given all of the other things that were going on.
Yeah, well, let's see, you know,
now that this initial report is out there,
we might discover more in the future, who knows.
Now, something a little bit more bread and butter.
This one's interesting.
This seems to me to be a case of a scammer who, like,
the dog who caught the car kind of thing.
Exactly.
This is how this reads.
Federal authorities in the United States
are investigating an effort to impersonate the White House
chief of staff, Susie Wiles.
And it looks like what happened is someone managed
to obtain her address book, her contacts,
and has been then using like deep fake audio to try to talk
to some of these contacts, but really like low effort stuff,
like ringing from a different number saying, Hey, it's Susie Wiles here.
You know, can you send me some money? Uh, kind of stuff.
So I'm stuck in Venezuela and I've lost my passport. Exactly, right? So this is like low
effort scamming that just happened to have hit someone, you know, where there's going to be a
response to this, surely. The Wall Street Journal has a write-up here from Josh Dawsey. Pretty
interesting story. Yeah, yeah it is. And you know, you do wonder whether, as you say, like it's just
someone who kind of didn't really think this through.
We're not clear if the address book contacts
are from her phone, from an online service,
from data leaks, from, there's all sorts of ways.
I think this was particularly her personal phones
and not a government one.
So that detail, that data could have come from anywhere,
I guess, there's so many places you might have leaked that.
But then, yeah, just the brazenness of,
I'm gonna make an audio deep fake of
a high ranking US White House official
and try and scam their friends for money.
Like, what thought process goes through your head
to arrive that that's a good idea to do?
So, yeah, I don't know, man. Yeah, well, we've got another example here from the record.
Daryna Antoniuk has reported on this one.
The Home Minister in Malaysia, apparently,
their WhatsApp account wound up spamming all of its,
you know, contacts and whatnot,
similar sort of stuff, like low-level scamming.
I just find it fascinating that they really are
just like us in the sense that they're using the same tech
that we are and are susceptible to the same sort of scams. So, you know, this is two in one week.
I just think that's interesting. Yeah. Yeah. Well, that's exactly the point that you ended up making about the Signal chat.
But is it in the end?
There's just no safe way to use civilian tech for core government stuff and not expect
you know, some crossover at the
edges, and the Atlantic guy ending up in the Houthi bombing channel, whatever else.
These things happen when you use the same infrastructure and the same ecosystem.
So yeah.
Yeah.
Crazy times.
It's rough.
All right.
So now let's have a look at some reporting from Krebs on Security about this cloud provider Funnull,
which is based in the Philippines.
It has now been sanctioned by the United States government
for being an enabler of pig butchering scams.
You know, this is the stuff that we,
you know, we've been saying for a couple of years,
like sanctions activity will, you know,
scale up against these sorts of operations
because they exist at
the sort of scale where sanctions can actually be helpful.
And we've seen a bunch in the last few weeks.
And this is just another case of that.
And that's great.
I'm all for it.
Yeah.
This is absolutely the place to target these kinds of operations because they share infrastructure
and organizations like this that were,
this is essentially like a criminal CDN.
They provided a mechanism to get end users
through a set of infrastructure to the scammers,
to their infrastructure.
So kind of like Cloudflare, I guess, in a way, or Akamai,
but the same thing for criminal services.
And they handled all of the fiddly bits of moving domain names around and having a bunch
of CNAMEs to redirect things and a bunch of cloud services in, I think, Azure and Amazon
they're primarily using to eventually get this traffic through to where it needs to
get to.
And it's a service that if you're just trying to do crime, you don't really want
to specialize in providing infrastructure plumbing like this. It makes sense to buy
it off the shelf and have somebody else deal with those problems. And indeed, I think on
the back of some of the reporting around this, Microsoft appears to have thrown them out
of their infrastructure. Amazon's still struggling a little bit apparently. But yeah, anything that increases friction for these kinds of pig butchering large-scale
cybercrime operations, hey, it's great.
Yeah, yeah, indeed.
What else have we got here?
We've got another takedown of an underground service here, which is AVCheck, which I guess
is kind of like a VirusTotal, you know, VirusTotal for criminals where
they can throw stuff at it and see if they're going to fire any detections.
Um, and, you know, who took it down? DOJ, Secret Service and, uh, the police somewhere.
I can't remember.
Sorry.
Yeah, I think this was Operation Endgame, which was a big kind of coordinated international
takedown of various bits of cybercrime stuff.
So this was, you know, we've, we've seen details, I think last week we covered some bits. So we're just kind of seeing more and more stuff.
Yeah. It was the Dutch. Sorry. It was the Dutch and the Finnish police as well as the Justice
Department FBI Secret Service. So yeah, nice one. But I mean, you know, these sorts of things, right?
I think there's a theme here, which is they're going after anything that just makes it easy
and is operating at scale because why wouldn't you?
Yeah. And these kinds of things are legitimately handy. I mean, when I was back at Insomnia slash CyberCX, you know, we built an internal
one of these for testing our payloads against stuff because it's just like you
know you need one you need to be able to know is my payload gonna trigger you
know, F-Secure or Norton or whatever
else.
And it's maintaining a stack of here's the 10, 15 antivirus products we're likely to
see, keeping them running, licensed, operational, running in a sandbox in a way that's not going
to leak your detections up, provide telemetry back to the vendors, but still detect properly.
That's a lot of fiddle work.
Yeah, I mean, there's some real effort involved in that.
You just made me remember a funny story,
which was your colleague Pipes.
I think one of your tools got snapped once by,
I think it was like FireEye or someone,
and they wound up writing a blog post about it,
like talking about like this unknown threat actor who,
you know, we snapped their malware and
whatever and it was your stuff. That was pretty funny.
Yeah, yeah, yeah. That was, um, Cartel, Thomas Hibbett, rest in peace.
Unfortunately, but yeah, that was his work.
And he was very pleased actually when he saw that write-up, he was quite chuffed.
Did he ever tell them? Did you guys ever tell them that it was yours?
I don't know if we did.
Like it's a little bit awks to have to say, actually, by the way, this malware was just,
you know, was just us on a gig.
I don't know, he told a few people on the quiet,
but I don't know if we ever made a song and dance out of it.
Yeah, fun stuff.
All right, now we've got the German police claiming
they have ID'd the kingpin behind the Trickbot malware.
This is pretty big news.
Yeah, Trickbot's been around for a long time,
and that sort of family of, you know,
that's got lineage back into Conti
and all sorts of other groups that, you know,
have been kicking around for a long time.
And the main dude behind Trickbot
who went by the alias Stern,
we've seen, you know, sanctions around it.
We've seen a bunch of, you know,
charges filed over the years,
but no one was ever particularly clear
or had ever really attributed it to a real world person.
And it was complicated by the fact
that one of the people behind Trickbot
had a nickname, had a handle they used
that then somebody else in the group
also used at later dates, and it's all very murky.
But anyway, the German Federal Police have decided
that the guy is actually a Russian man,
Vitaly Nikolaevich
Kovalev, a 35 or 36-year-old Russian man, and clearly still inside Russia, so not going
to go anywhere. And that's a guy that, when we saw the chat logs of Conti and Trickbot
leak, this is the guy that many of the people inside the group thought was their tie to the Russian security apparatus.
So he was the dude that had the relationships with the FSB and so on and so forth, and was ultimately responsible for their state cover.
So, interesting detail. I don't know whether he will ever face any justice for it though.
Well, let's see if he tries to go to bloody Disney World in Orlando or something, right?
You always think, oh, these guys will never get caught.
And then they just do something really dumb.
Yeah, go to Thailand or whatever.
Yeah, exactly.
But I don't think so.
After this, you would think he would be staying put.
Some news from here in Australia.
Alexander Martin has reported on this for The Record.
We are going to be the first country in the world that requires victims of ransomware
attacks to notify the government of extortion payments made.
This only applies to companies with a turnover in excess of 3 million Australian dollars,
which is about 2 million US dollars.
And you know, I think this is a good first step.
So they were mulling a ransomware payments ban initially, and they've settled on this
first, which I believe is a good step in working out whether or not you want to impose a ban
which is let's start by understanding who's paying and what the circumstances
are when they're paying. So I've seen some people bizarrely
criticize this as, oh well, this isn't going to do anything to stop ransomware.
It's not really designed to do anything to stop ransomware. It's designed to give the government a better understanding
of the scope of the problem. And I think that's a really good bit of policy, personally.
Yeah, now that makes total sense to me. And it's, as you say, there's a limit on the size
of the business, so it's meant to affect only kind of large things. I think they said the
top six and a half percent of businesses in Australia meet that kind of threshold, but that does cover a
pretty significant portion of the economy. And given the high profile, number
of high profile ransomware attacks and data leaks, data extortions that you've
had in Australia, you know, over the last few years, like it kind of makes sense
for the government to do something to get an idea. And as you say, there's no
point whacking a ban in
without understanding the impact and the circumstances
and the scale and so on.
So yeah, makes total sense.
Well, and if you were to introduce a ban
that had carve outs where someone could pay,
but they would have to notify the government,
you would wanna understand,
well, hey, what's our evaluation criteria gonna be?
It can't just be some random bureaucrat goes,
nah, I don't think you should pay that
and you could just have to go bankrupt.
They need to actually do the policy development work
if they're going to introduce some sort of control
and payments.
And that policy framework needs to be good.
So honestly, I think this is the right way forward.
But let's see if they collect a bunch of data.
And in two years, they decide to do something crazy.
Because you never know.
You never know.
Now let's talk about a novel type of C2.
Apparently Chinese threat actors are using
Google Calendar events as a command and control.
Which look, you and I have spoken about this
over the last few days,
because this is something that Immunity,
Dave Aitel's company back in the day.
I mean, they came up with similar approaches to C2 20 years ago.
They really did.
You know, they even had a proof of concept that could do C2 through comments
on Britney Spears' Instagram.
Like this is not a new approach, but it is interesting.
Finally, 20 years later, we get to see it in the wild.
I mean, I'm surprised it's taken this long because yeah,
I mean, it just seems to me to be a much more stealthy way to do it,
but everyone always argues back and they're right.
Why would you do this if you don't have to and people don't have to?
So maybe this is a sign that certain crews are getting snapped on the network.
And they just, they have to do this.
Yeah, I mean, that's a great spin of this into, like, a legitimately good news story, and that honestly,
I think, makes a whole bunch of sense. This is,
the research came out of Google's Threat Intelligence Group, and they said they had spotted
APT41, which is Chinese Ministry of State Security, if my memory is correct.
And the fact that they were actually using this, like they were storing data in calendar invites for a particular date, and then the malware would poll Google, check the calendar, get its commands,
return the results of command execution in that meeting invite in the calendar on a particular day.
The 30th of May, 2023 was the date that they were using. And yeah, it makes sense. It looks,
on the wire, it's proper TLS encrypted connections to Google. Looks totally normal. It's going
to blend in with enterprise traffic. Like if you're going to pick a covert channel,
like totally seems a reasonable place to put it. So, like, good work, MSS, but yeah, the fact that we are at the point in history where people,
you know, must be getting snapped on the wire enough that this is worth doing,
then yeah, good. They should have been getting snapped ten years ago, but I think
one big development we had in security was this huge push to the end point
right, where companies like CrowdStrike, you know, SentinelOne, Microsoft
with its Defender and whatever, like endpoint security solutions
actually got pretty good.
So that meant that people, I do really think they neglected network detection.
I think stuff like Corelight, you know, full disclaimer, they're a sponsor,
but you can use their open source, you know, Zeek sensors and whatever
to spot stuff on the wire.
But honestly, a lot of people just don't bother. Right.
And I think perhaps, you know, network detection, if it is having a
resurgence, that could explain this move, but you do wonder where it's going to go.
Right.
And like, okay, say your endpoint protection has been bypassed.
You ain't going to see this stuff on the network as you pointed out earlier.
Right.
Like, so this, you know, I don't know, it's always made me feel a bit funny.
That whole paradigm of like using legitimate services for C2.
Conversely though, you know, once there is a detection, it's going to be pretty
easy to roll up a campaign, like for Google.
Oh, well they're using our calendar service.
They can go hunting for it and roll it up, but then you've got redundancy and
whatever, maybe then they moved to Britney Spears' Instagram posts or whatever. But
yeah, you wonder if this is the future of C2. I've thought it was, but I've been wrong
because I've thought that for 15 years.
Yeah, clearly if this was going to be a game changer, they would have already done it.
And then part of me thinks about every time, whatever Israeli university it is that does all
of the radio side channel stuff, and it's like, maybe we'll move to modulating the data out
of the VGA cable or out the HDMI cable by flickering a little pattern of bits somewhere
on the display, and you wouldn't see that either.
But yeah, there's always exotic things to do.
But the reality is most people, yeah, just bung it down a TCP socket on the wire and Bob's your uncle. Yeah, you just showed your age a
little bit there with that VGA reference, guy. I know. What next? They're gonna sneak it out through the parallel port.
Okay, what else have we got here? Oh, we got more details on the Coinbase, the
Coinbase breach, where it looks like the root of this,
I mean, this is a story from Reuters that says really what was happening here is it's outsourced
customer service agents in India. They worked for a firm called TaskUs,
were sitting there taking photographs of their work computers with their personal
phones in order to get the data out, and they were doing this for bribes.
And I was just thinking, you know, if you've got a bunch of sort of, you know, people in
not great working conditions getting paid awfully, while they're watching just rivers
of crypto money flowing all around them, of course this is going to happen.
I mean, yeah, exactly.
Right.
What did you expect?
And I mean, yeah, what do you do?
You can't detect this with endpoint.
You're not going to spot this with your data leak prevention
software.
That analog gap is a very real thing.
And ultimately, as you say, it comes down to inequality.
And if you have to pay your customer services people for Coinbase or whatever they were
doing for Coinbase, sufficient to handle security and the physical, like personal finger level
security of multimillionaires or billionaires of the crypto world, then that gets a lot
more expensive than I imagine many places are willing to pay. How many people's fingers do you got to get chopped
off before it's worth paying these people such that they don't want to take bribes?
I don't know.
Well, and then you look at the alternatives to this, which are just really oppressive
levels of surveillance on the staff where you've got cameras on them making sure they're
not pulling their phones out of their pockets or doing anything weird or stripping them
of their devices before they can come into work.
And I don't know, man, it's not going to make them love you more.
You know, I just think this insider threat for any cryptocurrency platform at scale is
always going to be a big problem.
Yeah.
And the interesting thing is this feels like a thing the regular financial industry has
largely solved through having transactions that are more reversible or more inspectable or, you
know, more regulatory oversight or, you know, all that stuff that we threw out as, you know,
boring fiat currency, you know, manipulatory.
Mutability is a feature, not a bug, I would say, of the financial system. I think that's
what we're going with that. And look, speaking of insider threat, a civilian IT specialist, this is a piece from James
Reddick over at The Record, a civilian IT specialist at the Defense Intelligence Agency has been
arrested for trying to sell or exchange classified material to a friendly government in exchange
for citizenship because he doesn't like Donald Trump.
I mean, he's kind of got a point perhaps.
Yeah, this is a funny story also because the guy worked for the Defense Intelligence Agency
in the insider threat division, which, yeah, irony much, yes.
But of course he fell for an FBI sting, offered classified data to FBI agents, turned up on a park bench or whatever with the thumb
drive full of confidential classified information, and then, needless to say, is now probably
going to go to jail.
So, yeah, he did not get as far as he did.
Nathan Vilas Laatsch, 28 years old.
So, but yeah, pretty funny that he was with the military agency's insider threat division.
Yeah, I mean, you know, I guess he had some ideas of what he could do, but yeah, that's,
I don't know. How do you deal with that? You know, that's, well, I guess this is how you deal.
You entrap them and put them in jail. You know, it's really funny just you saying,
oh, he might have a point that Donald Trump is no bueno, is going to be enough to get hate mail and,
like, downvotes on YouTube. Like, there is not a more fragile group in the world than Trump supporters
because they get so sad when someone just says, I don't like the leader that you
like. They're like, no, down vote, you know, angry emails.
Pretty funny. Anyway, look forward to reading them all. Not.
Suzanne Smalley for The Record has reported, a bunch of places are reporting
this, that NSO Group is appealing the damages awarded to Meta in that lawsuit.
You know, they're saying $168 million, you know, goes against Supreme Court precedents,
which should limit, you know, damages to being a certain multiple of compensatory damages
and blah, blah, blah, blah, blah.
They're saying they can't pay, which I just think, you know,
lol, good, and you know, there was always gonna be
an appeal on this one, so I don't think
this is terribly surprising.
No, you're right, there was always gonna be an appeal,
and you know, they would find something to appeal about.
In this case, you know, they are claiming that
the damages are sufficient, that the damages are the jury
deciding to bankrupt NSO and that should therefore be beyond their remit or whatever else.
So, yeah, appeal is going to grind on and we'll see you in a couple of years with an
update.
Yeah, exactly.
Now, we've got some updates here.
Another one from The Record, Jonathan Greig, with this report about ConnectWise.
Now we saw some time ago that there was some sort of campaign, some sort of threat actor
using ConnectWise to breach all sorts of organisations. Details were never pinned down particularly,
but it looks like this was nation-state backed attackers doing this. That's the new info
here, I guess.
Yeah, so the company ConnectWise says that
it's engaged Mandiant because it has found some
nation state foreigners, whatever,
inside their environment, and that has then been used
to attack some of their customers,
let's say a small number, as they normally say.
And they have had a pretty rough ride.
I'm pretty sure we did see the Chinese using
one of the earlier ConnectWise bugs, because they had like a CVSS 10,
you know, where you could just, like, show up, talk to the web appliance or whatever and say, like, please create a user through the
setup.aspx, yeah, whatever it was. So we saw those bugs being used,
and it would make sense,
I guess, that, you know, they probably got into ConnectWise as well.
And, you know, as avenues onwards, once you've, you know,
realized that a piece of software like this gets you into places that you want to go, why not keep going?
Yeah, yeah, that's it. More details to come on that one, I guess.
Google, meanwhile, has booted a couple of CAs out of its trust store.
It doesn't look like anything necessarily nefarious here, just they look like really incompetent CAs.
There's
Chunghwa Telecom and NetLock. Bye bye, into the bin with you. And Google has
cited that they just, you know, haven't made any improvements, they keep getting
owned and not really changing anything, so they're getting booted out. Yes, yes,
they certainly are. I think Chunghwa Telecom is very Taiwanese and NetLock from Hungary.
So if you were relying on those particular CAs,
then your stuff will stop working when they ship out
Chrome 139.
Yep.
Now, the last thing we're going to talk about this week
is a piece from Dan Goodin looking
at what Meta and Yandex are doing in terms of de-anonymizing and tracking
Android users and the technical details here are actually quite interesting.
Yeah, so the deal here is that if you're on a mobile device, and this is specific to Android
in this case, and you've got say like the Facebook app, so Instagram or actual Facebook app,
they will fire up a local network listener on localhost on the device.
Then when you hit a site on the Internet in your browser,
that's using Meta's tracking JavaScript, or Yandex's tracking JavaScript in the Yandex case,
it will attempt to connect
to localhost on a specific port and then provide a bunch of details about the session to the
Facebook app, which then calls it back to Facebook's Graph API or whatever and sticks
it in its database so they can track that you are visiting sites. And that bypasses things
like incognito mode, it bypasses things like clearing cookies, because they've got a way to tie the app on your phone
to browser activity. And that ability of a web browser to talk to a web server on
localhost is a thing that is kind of by design; there's a bunch of complexity
these days in doing that, you know. And part of the interesting bit here is that Facebook
was actually using technical tricks to bypass
some of those controls.
So they were using, for example, WebRTC media connection,
like session setup that would use for video conferencing
or whatever else.
So they'd go out and then back in sort of thing.
No, this was, they were basically video conferencing
to localhost and then sticking the data
inside the setup messages for the session.
I mean, at this point, it's kind of hacking.
You know what I mean?
And that's what makes this interesting.
Yes, exactly, yes.
Yeah, it's creepy.
Yeah, like legit hacking.
They had like three or four different techniques
where they were kind of abusing browser
functionality to be able to connect to localhost in ways that you weren't
really meant to be able to do and browser manufacturers have been
somewhat tightening up on this stuff when we've seen it being abused for
things like attacking people's home networks and home routers through
cross-site request forgery type stuff. But, you know, pretty scummy for, I mean, Yandex,
okay, I can imagine Yandex doing scummy stuff,
but like Facebook, come on, like you're meant to be
a grown-up corporation, you know, that behaves by the rules,
you know, plays by the rules, and this is just kind of
weasely hacker crap, and ain't no one got time
for hacker crap.
Why does the Facebook app need to spin up a service
on local host though?
Well, that's exactly it, and there is no good reason for it to be doing so, except for this kind of shenanigans. Yeah, and I believe that, you know, the iOS restrictions on, you know,
communications to localhost, I mean, they're a lot tighter, right? So it looks like this is not
necessarily working on iOS. But I mean, this is really bad.
Like it is really bad.
It is, right?
It, you know, there's the technical part of it,
like they're doing hacking in a sense,
but there's also the, like,
your users expect some certain things,
and I've given you kind of consent,
be it implied or explicit, to do some certain things,
but you're kind of circumventing
the intent of that
relationship, right? Your users are using incognito mode in their browser because they don't want you
to track them and associate this activity with their Facebook account. That's what they are
saying they want by doing that and you're doing the opposite. So, you know, weasel, nasty, no biscuit,
bad Facebook. I mean, it's funny, I think the difference between you and me on this one is I am not surprised at all.
I am Jack's complete lack of surprise that Meta would be doing something like this.
No, I mean, I am not surprised either. I'm just disappointed.
You're still disappointed, man. You're an eternal optimist.
Alright, we are going to wrap it up.
That's why I don't have a Facebook account.
We're going to wrap it up there.
Adam Boileau, thank you so much for joining me to walk through this week's news.
A pleasure as always.
Yeah, thanks, Pat.
I'll talk to you next week.
That was Adam Boileau there with a check of the week's security news. Big thanks to him
for that. It is time for this week's sponsor interview now with the Field CISO from Tines,
Mr Matt Muller. Tines is a terrific automation platform that is indeed very popular with
a large section of Risky Business listeners. Just very, very useful stuff. You can find
them at tines.com if you're looking
to automate certain tasks. Like, people in security might use it for stuff like phishing response
automation. That's just one example. But it is very much a Swiss Army knife and yeah, very,
very cool stuff. So check them out. But today we are not talking about Tines stuff. We are talking
about SaaS and how woeful it is, according to Patrick Opet,
who is the Chief Information Security Officer
of JP Morgan Chase.
He has published an open letter titled,
An Open Letter to Third Party Suppliers,
in which he gives SaaS companies a serve
for really not having their act together
when it comes to security, doing all of the usual stuff
like prioritizing feature expansion over security and whatnot, the stuff we've been complaining about when it comes to vendors
writ large for a couple of decades now. So here is Matt Muller walking us through Patrick Opet's
letter all about how SaaS companies basically suck. Here it is. Yeah, I mean, you know, it's,
he calls it a call to action. I suspect it may have been a little cathartic for him to write this letter as well. But Patrick calls out a couple core
things about the fundamental state of cybersecurity in the SaaS world. First, he says, you know,
software providers need to prioritize security over rushed features, which, yep, absolutely
agree. He says we need to modernize security architecture
to optimize SaaS integration. Again, totally agree. And he says security practitioners need
to be more collaborative in solving the security problems that this new generation of highly
interconnected systems has created. And if you poll 100 CISOs, I'm fairly certain
you'll get similar sentiments,
at least on an individual level.
But I think what's driving so much attention
around this letter in particular
is the fact that it's coming from JP Morgan.
And forget about being a big player in the market.
I mean, JP Morgan often is the market
in a lot of senses in the financial system.
So it's causing people to pay attention.
What's amazing about everything that you just said, though,
people would have said 15, 20 years ago about non-SaaS tech,
which is, oh, we've got to break down silos
and get everyone working together.
And maybe they could architect this in a less insane way.
And jeez, look at all of these useless features
that they're building just for one client
and shipping to everybody. It is amazing how much stuff doesn't really change, right?
I mean, Microsoft had a whole, you know, trusted computing initiative over,
I think, similar, similar sentiments, right? So everything old is new again.
Yeah. So I mean, what do you see as, I mean, you're a SaaS, you are,
Tines is essentially a SaaS, right? So what do you see as being the major issues with SaaS?
Like, what lit a fire under this guy
to go and write this letter, in your view?
What sort of specific issues?
Because it's one thing to sort of wave your hands and say,
oh, people need to break down silos.
But concretely, what sort of challenges
are we actually talking about here?
Yeah, I mean, I'll be honest.
When I first read this letter,
my first question was, OK, what happened, right?
Because if you see a sign that says,
no riding motorcycles on the casino floor,
you sort of suspect there may have been an incident that
caused that sign to be put up, right?
It's funny, actually, at the hospital
where my son was born, there is actually
a sign in the parking lot of someone
like riding a motorcycle on one wheel,
a little drawing of it with the circle and the slash.
And you're like, okay, that's interesting.
So I know exactly what you mean.
Yeah, so you sort of suspect,
there may have been a root cause here,
but that certainly doesn't have to be the case, right?
And if you look at some of the examples
that he calls out in the letter,
like AI integrations into calendar apps. You also
suspect that, you know, maybe just the influx of AI tooling and the demand from the business
to integrate AI into everything everywhere all the time, maybe, you know, may have caused a little
bit of a tipping point here? Well, and compliance headaches is what I'm hearing too about AI
everywhere, is people are literally selling products now to help you block it
from browser extensions, from browsers generally, from users visiting sites that use them.
It's a headache.
Yeah.
I think JP Morgan has a very strong security reputation, but I can imagine even within
their walls, there are people that are clamoring for AI use cases.
I can certainly imagine being in his shoes
and looking out at the world with a little bit of despair
because you look at even common platforms
that everybody uses, like Google Workspace,
and it still lacks, I think, a lot of the security features
that you sort of expect from enterprise tooling.
I thought it was sort of interesting that,
in his letter, he calls back to the old days
when you had network segmentation and these things,
and we can maybe quibble over whether
moat and castle security was actually more secure,
but there certainly was more inspectability, right?
You were literally able to sniff all the network traffic
and had a lot more visibility into the hosts
that were running and so on and so forth. And so that lack of inspectability in a lot of tools, I think,
is killer for folks. Yeah. I mean, I certainly see where you're coming from there. I mean,
the lack of sort of a standard way to look at logs out of these services. I mean, I do think
it's changing, right? Like, there's a bunch of good products now that'll take logs out of CloudTrail.
They'll take logs out of
your M365 and your Google Workspace, and they'll actually be able to do stuff, but they're all
really expensive, like third-party solutions, right? Like, you would think a lot of this stuff should
just be built in. Absolutely. And, you know, ironically, one of the reasons that, you know, before I joined
Tines I was a Tines customer, and one of the reasons why I used Tines was because,
again, going back to this Google Workspace example,
you had to dramatically over-provision admin users
to get some basic security incident response stuff done.
And even though Google has an audit log,
it's a little bit lacking in detail in some areas.
And so we said, it's insane to give a massive team,
50 super admin roles in our Google Workspace tenant.
Maybe we just do one, use it through Tines,
and have that audit trail, have that inspectability,
and have that control that, again, quite frankly,
I would sort of expect to see some of these major SaaS
providers starting to build in if they're taking
a true secure by design approach.
Yeah, I mean, I remember like 10 years ago,
the whole thinking was, oh my God,
apps are eating everything, right?
Like everything's gonna be a web app.
And it seems like we're in the midst of something now
where everything's gonna be SaaS.
And I mean, everything, like it is absolutely insane
the degree to which core enterprise functions
are now done in third party,
you know, on third party sites
and how are people authenticating to them?
I don't know.
I mean, we set up SSO,
but there's like a bunch of other methods that work
and like, how are we logging them?
Well, we get a little bit here and a little bit there
and we sort of throw it onto a disc
and you know, grab it occasionally.
But I mean, it is the case that SaaS
is just eating enterprise computing now as well, isn't it?
It absolutely is.
And I think one of the things that this letter calls for is better collaboration around solving
some of these problems.
But right now, vendors and software makers just aren't particularly incentivized to go
do so.
And I think it's going to take people like Patrick Opet and the JP Morgan team and a lot more CISOs saying,
these are the standards that we expect from our software
provider.
In the absence of any particular regulation demanding this,
the market has to demand it instead.
And that's, I think, what we're starting to see here.
Now, you're a SaaS.
What are you doing to not be one of these SaaSes
that he's complaining
about?
Yes, our belief is build the software you want to use in the world.
And so that includes everything from deep inspectability of everything that happens
within the Tines tenant to making sure that we're following secure by design principles.
And the future of the CISA secure by design pledge
itself is a little bit murky at the moment.
But, you know, we signed on to that because we realized,
like, this is how we've been building software, right?
We realized that we're a pretty critical part of the software
supply chain.
And we don't want to be the place that CISOs are worried
about a security breach occurring.
And the other thing as well is, you know, you don't have
to deploy Tines as SaaS.
We do have a fully air-gapped, self-hosted model
where you, as a customer, can have full control over where
and how you deploy Tines.
And so we recognize that everybody's security models
are a little different.
And we want to be able to make sure that even
if you're using Tines' default security mechanisms, you're protected out of the box, but you can customize that pretty much however you want.
You know, to me, it felt like, and you did an firewalls and VPNs and things like that, which were the really
sort of, you know, the quality just wasn't there, right?
So how does Secure by Design apply to SaaS though?
You know, like, because it didn't seem like they were really targeting SaaS with this
initiative.
Yeah, I mean, you know, if you look at the SaaS world, I do think that, you know, again,
a lot of the inspectability that you get when you have full control over your own hardware
and software stack often isn't there, right?
And oftentimes, security features are gated behind, you know, a higher subscription tier
or what have you.
You know, things like, there's literally a website
that tracks the SSO tax that different providers have.
And so I think even for SaaS providers,
there is absolutely an obligation
to make sure that they're abiding by these principles
and making sure that defenders have the ability
to use SaaS platforms in a way that makes them comfortable.
Everything from how they do RBAC to how they make sure that, you know, you can,
you can do incident response, even if it's a vendor's platform.
Now, you know, Tines is an automation platform, right?
Used to do, like, it's a generic tool, right?
You can use it to basically kick off any sort of automation you want.
Now you've talked about inspectability.
What sort of logs are people grabbing and what are they doing with them, right?
Because it's so generic, I mean, that's a pretty wide gamut of activity that you're
going to be logging.
So how are people even using Tines logs?
Or is it more that they're just storing them and it's got a complete picture of what's
happened in case they need to go and like just scroll back and look?
A little bit more of the latter.
You know, we make sure that every action that's taken within the Tines tenant is instrumented,
so you can get a sense, you know, full kind of replayability of who has done what, which is great from an admin point
of view. And then, you know, even within the workflows that run, those also have their own separate
audit trails of what credentials were used, what actions were taken, what data was sent and received.
And so again, there's a very clear trail
of what's happening within the platform.
It's not some opaque system where you throw data in one end
and hope you know what's going to come out the other end.
You get to see the full chain of what's actually happening.
It's funny that you mentioned Google Workspace.
We're a workspace shop.
And there's people out there who will have cloud security
platforms and whatever that will promote features that
are designed to do things that you can already do in workspace,
but it's all click ops and really frustrating.
So they're like, look, you can just press this button
and get a list of users who don't have MFA.
Whereas you can do that in workspace,
but it's not a fun experience, right?
Yeah, and you see vendors do some very eyebrow-raising things
when it comes to operating on some of those features.
I've seen vendors say, provision us
with an actual user account, and we're
going to do some sort of magic screen
reading with those super admin privileged credentials
in order to do the click ops for you, which, I mean,
it's a little bit of an interesting approach, not
necessarily one I'd recommend.
I think this is, again, one where the world collectively,
hopefully Google is listening and understanding
that to truly serve enterprise clients,
you have to be available over API.
Again, this world talks about SaaS,
but I do think APIs and programmatic access
to all these platforms has to be the future.
Well, it gets interesting.
Like, you just touched on something interesting there,
which is a bunch of these products.
A bunch of these SaaS products are designed to do things
to other SaaS products, right?
So they need highly privileged access to them.
And the way that access is provisioned
is sometimes quite insane. You've got, just going back to cloud security platforms, you got a lot
of these where you have to give them, you know, really highly privileged roles so
that they can go and remediate some of these issues and that means there's like,
you know, very powerful credentials just sitting around in these SaaSes, which
means if they get owned, oh man, you've got problems. I feel like that
could be one area where that's
the one area where I look at SaaS and I'm a little bit worried. And you've even got
situations where you can OAuth add other SaaS apps to one big SaaS app that's acting as
a root of trust. So it's almost like some of these SaaS apps are even acting as identity
providers for other SaaS apps, which are outside your SSO. It just gets real confusing real quick.
Yeah, and it's so funny too, because, you know,
OAuth was supposed to solve the problem with the fact that we were all storing passwords everywhere,
and now it's just OAuth everywhere, right? We just moved the problem a little bit and made it a little bit more complicated.
Yeah, great news. Great news everyone. All right, Matt Muller,
thank you so much for joining us to have a bit of a chat about that letter from JP Morgan Chase and about how Tines is trying to not be the subject of the next letter.
Yeah, absolutely.
Thanks so much for having me, Patrick.
That was Matt Muller there from Tines.
Big thanks to him for that and big thanks to Tines for being the Risky Business sponsor
this week.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back soon with more security news and analysis, but until then, I've been
Patrick Gray. Thanks for listening.