Risky Business - Risky Business #796 -- With special guest co-host Chris Krebs
Episode Date: June 18, 2025

On this week’s show Patrick Gray and Adam Boileau are joined by special guest Chris Krebs to discuss the week’s cybersecurity news. They talk through:

Israeli “hacktivists” take out an Iranian state-owned bank
Scattered Spider and friends pivot into attacking insurers
Securing identities in a cloud-first world keeps us awake at night
Microsoft takes the “aas” out of SaaS for Europe, leaving us with just software!
An AI prompt injection into M365 exfils corporate data

This week’s episode is sponsored by Kroll’s Cyber practice. Kroll Cyber Associate Managing Director George Glass is based in London and talks through his experiences helping organisations in the UK deal with the Scattered Spider attacks.

This episode is also available on Youtube.

Show notes

Iran’s Bank Sepah disrupted by cyberattack claimed by pro-Israel hacktivist group | CyberScoop
Iran orders officials to ditch connected devices
Heightened Cyberthreat Amidst Israel-Iran Conflict
Threat group linked to UK, US retail attacks now targeting insurance industry | Cybersecurity Dive
Coming to Apple OSes: A seamless, secure way to import and export passkeys - Ars Technica
Cyberattack on Washington Post Compromises Email Accounts of Journalists
Hackers impersonating US government compromise email account of prominent Russia researcher | The Record from Recorded Future News
A good one to talk to Chris about: Breaking down ‘EchoLeak’, the First Zero-Click AI Vulnerability Enabling Data Exfiltration from Microsoft 365 Copilot
CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws | Cybersecurity Dive
Whole Foods supplier making progress on restoration after cyberattack left shelves empty | The Record from Recorded Future News
Ransomware attack on ticketing platform upends South Korean entertainment industry | The Record from Recorded Future News
Advisory: Cybersecurity incident
Transcript
Hey everyone and welcome to Risky Business, my name is Patrick Gray.
We've got a great show for you this week, Adam Boileau will join me in just a moment to
talk through the week's news as will Chris Krebs who is going to be our third wheel this
week, our guest co-host, so that's going to be a bunch of fun.
This week's show is brought to you by Kroll Cyber and Kroll Cyber's George Glass is this week's
sponsor guest and he is talking to us about the retail attacks in the United
Kingdom. He's got some really interesting details there on how these scattered
spider-esque threat actors were able to compromise places like Marks and Spencer and go
after Harrods and whatnot. There's some really interesting detail in there so do
stick around for that one and indeed we're actually going to be talking about
the sponsor interview in the news this week and yes speaking of let's get into
the news now but I suppose before we do Chris I got to ask is there anything
that you can tell us about your situation at the
moment?
I'm guessing, given that you don't appear to have done any interviews about it in the
American press, that you don't have much to share.
But I would be not a very good journalist if I didn't ask.
Yeah, I have kept things pretty quiet.
Haven't done any interviews.
I'm trying to keep the fun in funemployment
rather than talking about thorny legal issues
that I'll get around to it at a time and place
of my choosing.
But in the meantime, I'm really excited
to just stick to the cybers today.
Excellent, well, let's do that.
And we've got a couple of great stories to kick off with.
I mean, obviously the big thing in the news at the moment
is this conflict between Israel and Iran.
And there's some very strange things happening on the Internet in that region, as
you would expect. Probably the biggest news story here is this attack
against a major Iranian bank called Bank Sepah, S-E-P-A-H.
This looks like it was perpetrated by the group known as Predatory Sparrow, which is
ostensibly a hacktivist group that we've always thought is, you know, the Israeli government
is behind it.
But Adam, why don't you kick us off here by actually walking us through what we know has
actually happened.
So the group behind this has put out some statements saying that they broke into the
bank, that they deleted a bunch of stuff. We've seen some reports from local Iranian media that payment systems are down,
people are unable to access their bank accounts, the physical branches are closed. So like
sounds pretty bad in terms of impact. And this particular bank is also like it's the
main state run bank in Iran, which was formed by merging a bunch of other smaller
state-run banks and does things like pay government employees,
which kind of an important function.
So, you know, we don't really know,
like some reports from Iranian press have been like,
oh, it'll be back in a few hours or days.
And then we've seen others where like,
they're completely destroyed when it's, you know,
both sides of that kind of like propaganda path. So it's a little hard to read through
all of that but either way something bad happened to them and this is a group that we've seen
do a bunch of other stuff with you know reasonable impact in Iran in the past.
Now you just said something interesting there which is that the bank is responsible for
paying government employees but even if it weren't,
if you were able to successfully rm -rf a major financial institution,
I mean, you and I were talking this morning and I used the metaphor that like
the banking system is a table. And if you take out one of its legs,
it's not much use as a table anymore. Right. And the banking sector is the same.
You take out a bank like this, you destroy its backups.
This could be immensely consequential.
And indeed, many, many years ago,
when governments were still wrapping their heads
around the cybers, people like you, people like me
would wind up having conversations in various settings
with government types, and they would ask you,
what are the big risks when it comes to cyber war?
What would you do if you were going to do a cyber war?
And my answer was always I would disrupt the banks because that is how you
would create maximum chaos.
Chris, let's bring you into this.
I mean, if this is an attack that managed to destroy, say backups, if it, if they
actually managed to delete a bank, you would have to imagine that the consequences of this are going to be huge.
Yeah, I mean, just to Adam's point, to your point, if you really want to piss off the workforce,
if you really want to cause civil unrest and chaos, you take their money away.
How are they going to pay for things on a daily basis?
They're not going to, you know, devolve to a bartering system of commerce.
That's just not going to happen, at least anytime soon.
So I think that's a good point.
The second is the way that this bank was used to avoid sanctions could also mean that it's
a mechanism for laundering overseas payments.
So if there's funding coming in from partners, China, elsewhere, they may have broken that
link as well, or taken the evidence of that for future exploitation either by intelligence
services or whatever.
So this is a big one.
I do think that it's an interesting comparison to the beginning, for instance, of the Russia-Ukraine
invasion where everything was cyber all the time.
And we didn't really hear too much,
or we haven't heard too much yet.
Early, early days here, but this one,
and then I think if you watch some of the intelligence
sources or open source intelligence accounts
that are talking about, yeah,
there's weird stuff going on over there.
Something's about to kick off here
It does feel like we're on the edge of something quite significant
The Pentagon pizza index is off the charts if you're familiar with what that is
So so I do think that
By the end of this week, at least here in the States, or at least in the Middle East,
I think it'll be a completely different landscape.
Yeah, I mean, I think my core point here
is it's not just about removing that bank.
You remove a major bank, you create a systemic problem
to the banking sector because of the interdependencies
between major banks.
So that's why I say that this could be
immensely consequential, but of course we don't know.
They might have offline backups.
Maybe their worst case scenario is reverting a week's worth of transactions, which would
be a disaster, but it wouldn't be existential.
Whereas if you are able to permanently delete a bank, that would be very, very bad.
Now, indeed, you just said there's some indications that things are going a bit sideways on the
internets in places like Iran.
I actually had a chat with Andrew Morris this morning
from Grey Noise.
And I've talked about this with you too, Adam.
They're just seeing, and we won't divulge really too many
details until they're ready to talk about it,
but they're just seeing very unusual activity
on the Iranian internet and activity emanating from Iran.
Last time Andrew saw anything like
this it was when the United States took out Qasem Soleimani. So make of that what you
will.
Yeah, like some of the stuff that's going on, like it's a little bit Pepe Silvia.
Like there's lots of data points and we don't really know how they join together or what
it all means, but it's pretty clear that something wacky is going on and it involves the Cybers and the internet and we don't really know. And that's,
you know, in the context of cyber war, doing something actually useful,
like in this case, taking out banks or whatever,
like anything else weird happening in the Cybers in Iran at the moment is just
kind of interesting.
Yeah. And I think, you know,
the activity that he described to me that I described to you,
you can't like look at that activity and attribute it to any sort of objective.
It just doesn't make sense.
Yeah, I have no idea what you guys are talking about,
but it makes perfect sense for at a minimum
electronic warfare jamming lines of communications,
things like that, just to completely disorient
the adversary and if this is the US combined with Israel,
I obviously have no intelligence, no insight.
In fact, I don't have a security clearance,
so I couldn't even access that stuff anymore.
But yeah, they're prepping the battlefield.
Again, every single indicator is there
that this is still early days.
And as Iran continues to respond, and particularly if they're hitting the population
centers, it's only pissing off Netanyahu even more.
So this is operational preparation of the battlefield.
Well, I mean, if you did want to confuse people, this activity is confusing.
I'm confused.
Adam's confused.
So maybe that's it.
Yeah.
And meanwhile, Iran's cyber command has ordered top officials and their security details
to not use any sort of network connected device.
I mean, what I infer from this is
that those devices have been used
to pull together target packages, which should not
at all be surprising to anyone, right?
You know, I was discussing this with a friend
and they said, oh, it'll be interesting to see
if these top officials and their security details actually stick to the advice.
But I think when the advice is, you know, ditch your personal device because the Israelis are using it to guide missiles to your location, that's a pretty strong motivator.
I mean, this is like one of my favorite details of the last five or six days. It's that nature is learning,
right? They picked up from the Hezbollah pager attacks, and now they're applying it into the
field, at least the Iranians are, in real time. It shows you that the Israelis have achieved some
level of maybe not strategic deterrence, but tactical deterrence.
They've instilled fear.
The Iranians are afraid of Israel.
They know how good they are, and they are confused.
They're going to be disoriented.
If they can't use their devices, they're going to have limited means of communications.
So it's really going to, I think, continue to cause chaos. And, you know, from a strategic
objective, maybe with tactical impacts, Israel's gotten them right where they want them.
Yeah, I think, Adam, you are making that point as well, which is even if they stop using their devices,
you've still kind of won, because they're not trusting the devices and that slows down their ability to actually do anything.
Yeah
I mean the thing that occurred to me reading this is like, you know the phrase bomb them back to the Stone Age?
Like this is like just deter them ever so slightly out of the information age, right?
Slightly less kinetic, but in terms of degrading the ability to command and control and to
respond coherently, like probably quite effective.
So you know, good work I suppose.
Yeah, I mean again we will say just because people get confused when we talk about Israeli
operations, not an endorsement of Israeli policy, just an analysis of what's actually
happening so you can save your emails and angry tweets.
Thank you.
I've also linked through to, I guess, an advisory from Radware just looking about some of the
stuff that they're seeing
the Iranians pull together.
I think it's really interesting to contrast what you're seeing Iranians do, which is like
muddy water and whatever.
Oh, they might hack a water treatment plant in Minnesota, you know, ooh.
Whereas on the Iranian side, it's like we can't use our mobile phones because we're
going to die if we do, right? So sort of shows you what a mature signals intelligence,
you know, organization looks like in contrast
to what the Iranians are doing, I would think,
unless they're gonna show us something new,
but I doubt it.
I mean, what's your vibe on that, Chris?
Like, I mean, I think I just said it there, right?
Which is it contrasts a mature one
to one that just looks cool.
I think that the general concern here
is that they have a capability.
The question is, are they gonna be able to use it?
And I just don't know if they still have that ability
in place that can be directed from the high command.
Yeah, yeah, indeed.
All right, so we're gonna change gear now
and we're gonna revisit a topic
that we spoke about last week.
We've got some updated information
on the Salesforce story that we spoke about last week,
but the theme of identity-based attacks
is a big one this week.
So we'll start off with this story
from Cybersecurity Dive,
where Google Mandiant is warning that these scattered
spider-esque attacks that hit UK retailers, they are now targeting the
insurance vertical, which is interesting.
But again, identity-based social engineering.
This is something that needs to be top of mind for CISOs at the moment, Adam.
Yeah, yeah, absolutely.
I mean, regardless of which particular industry they're hitting, I mean,
the retail ones were quite flashy.
Insurance maybe is a little more boring for the average consumer, but the
methodology, which is, you know, a bunch of kids, a bunch of attackers that really
understand how modern systems work and that is identity-centric, everything,
no one cares about buffer overflows,
that's grandpa's technique,
like this is the way that people get compromised these days.
And so seeing it applied in other industries,
seems like a natural progression, right?
But everyone's gotta think about this.
Yeah, so you and I have been kicking around some thoughts.
So I will update everybody on the Salesforce thing.
So it looks like the original reporting we relied on to have last week's discussion wasn't
100% accurate, right?
So the way it had been reported is that the attackers had managed to socially engineer
people into connecting an app into a Salesforce tenant.
Looks like that's not actually what they were doing.
I spoke to someone at Salesforce about this who has the details. What they were able to do was get a cred pair basically through social engineering,
log into the Salesforce tenant and then do it themselves. Right? Still leaves us in the same
position though, which is we have all of this infrastructure as a service, all of this software
as a service, and it's not really clear how we could comprehensively apply
conditional access policies to these sorts of actions
and even how far that would get us, right?
So this is still the core issue,
which is that everything's identity now.
Now, you and I were talking about this
and say you had domain admin creds back in the day and you're a remote attacker, where do you even put
them in? You know what I mean? Like there was there seemed to be a little bit more
control about like physically where you were, what network you were on, even what
device you were using. Whereas these days we're in a zero trust sort of world, it's
less likely to be that way. Now, again, conditional access policies can get you some of the way to fixing this,
but not all of the way.
And I just have a feeling that unless you're one of the security 1% that's really put
a lot of thought into how to deal with this, you're going to have a bad time.
Yeah, absolutely agree.
And when Google gave us the sort of zero trust future,
like the Google, when we first started
seeing this idea of an organization that
didn't have a perimeter, didn't have an internal network,
everything was on the internet, Google kind of
thought about it right.
And they approached it with their level of resource
and controls and things.
But for most people moving into the cloud
and moving into the as a service world,
there was this implied second factor of somewhere you are,
which is at the office, on the local network,
on the Windows domain,
that was separate from the other sorts of authentication,
something you know, something you have.
And we got rid of some where you are.
And smart people, like places that were really well
resourced, maybe replaced that with good conditional access
and bespoke apps and things like the Google way.
But for most people, we just got rid of some where you are
and gave away that whole factor without really replacing it,
compensating for that control with
other stuff. And I think that's what's coming home to roost for us now is since we put our office
suite and our file server on the internet through SharePoint and whatever else, you know, now it's
username password, maybe you've got a phishable MFA, maybe you've got a resettable MFA, but you can use it
from anywhere. And to answer your question, where do you put those domain admin creds once you've got them?
You know, in the old days, it was unusual perhaps that you could just show up with
Windows creds and use them externally. You had to find a VPN, you had to find a web app,
there was domain integrated auth, you had to find some obscure network service.
Well, and that'd be a policy that might say...
You know.
That'd be a policy that might say you can't log in as a domain administrator through
the VPN because that is crazy.
Yes, or at least the VPN requires multi-factor and domain admin doesn't have a multi-factor
token so you can't log in.
And you got that kind of control even if it was by accident.
Whereas now, you know, you just, what have we got?
We put it all on the internet and we relied on identity to solve the problem without really
making identity robust.
And what does that even look like?
Well, and, and you know, this is the pitfall, I think is, is a lot of companies out there
saying, well, we'll give, you know, things like Yubikeys to our most sensitive admins.
But then these guys, they just ring up the help desk and reset the MFA, right?
So you're sort of right back at square one.
So some of the stuff people are doing around this, they can use various hardware attestation
software.
Like what's the Okta one?
There's an Okta endpoint agent that'll give you, okay, this person is actually on a corporate
device and things like that.
But my point was if you've got the right identity information,
maybe you can just Intune-provision yourself
like a corporate workstation or whatever.
And like, it's just, I guess the point is,
it's just getting complicated.
It's getting really complicated.
And then when you look at like the issue of OAuth grants
and things like that, as we were talking about
with Salesforce last week, well, oh,
and here's an interesting fact too about the Salesforce thing is those
creds that they were fishing, they could have got all of the data that they got.
They didn't need to connect an app.
They just did that sort of for convenience.
But if you want it to stop like an app grant, you know, that's not always to
your point last week, that's not always going to be an OAuth thing.
Sometimes that's like a, just a configuration change that you do through
some sort of control panel or whatever.
So CASB is not really going to help you there, even though there are CASB solutions that are
designed to prevent this. And it's like all very much configuration dependent. But I think really,
ultimately, the first thing people need to do in dealing with this is probably stop their call
centers from being able to reset MFA tokens. That should be an in-person sort of thing.
Yeah, and these are all really hard issues,
because ultimately, even if we fixed every software problem,
even if there were no buffer overflows, no mem corruption,
no programming flaws, no mistakes were made ever,
we would still need functional identity.
And if that means we have to have multifactor everywhere
and for organizations that are 10,
20, 30, 100,000 people, scaling good identity and password reset flows and multifactor auth
flows and dealing with the realities of life. My dog ate my YubiKey. My kid stuck it in
the washing machine or whatever else. These things happen and scaling up in person is really hard.
And I don't know what we do, you know?
Yeah.
So Chris, Chris was sort of responsible, uh, I guess for, for, you know,
thinking about these sorts of issues for the US government.
I mean, any thoughts here made about like how we begin to rein in some of the
problems that, uh, that are emerging because we've moved to such an identity-centric
computing model.
I've been thinking, frankly, less about the identity
problem here and more,
they were further complicating the perimeter
by bringing in all these third parties.
I mean, the Pat Opet letter from JP a couple weeks ago
or whatever it was among third party suppliers is like,
so when I'm thinking about some of these
scattered spider attacks,
that it may not even be that they're coming in
through the front door of the individual targets, right?
Social engineering, the call centers
for individual organizations.
It could be that they're coming in through a third party back door that gives
them kind of a unified point of entry across a multiplicity of
targets. And that's like, that's where my head just explodes.
Cause if we can't even do the first order problem of managing identity,
how the hell are we gonna manage the third party issue?
Yeah, so that's a little bit along the lines
of what I was saying, what I was talking about last week,
which is, you know, we have to operate under the assumption
that these identities at some point
are gonna be compromised, right?
And even in the call I had this morning
with my Salesforce buddy, you know, I said,
okay, that's great, you know, everything that you've talked about conditional access and the hardware
provisioning, but if all that's standing between me and a multimillion dollar
ransomware payout from your company is I have to follow one of your staff home,
hit them over the head with a lead pipe and open up their laptop.
You know what I mean?
There still needs to be that second line of controls that can prevent that identity
from doing horrible
things.
Right?
And that's almost an intractable problem.
You know, what are the ideas?
Okay, you could time lock certain administrative actions, but no one's going to go for that
and you're going to need break glass for the time lock anyway.
Right?
So it is and then, you know, a solution that works for Azure won't work for GCP or let
alone your software as a service,
like your Salesforce or your, you know,
various infrastructure as a service tools.
So I just think, you know, we're gonna see a lot here.
I'm totally with you though.
Yeah, I mean, I remember,
can't remember if we did this
on a wide world of cyber last year,
but I know Alex has, Stamos has done a great deal
of thinking about at least the first party issue.
It's just like you said,
you have conditional access,
you have, you know, as you go up levels of sensitivity
of the system or the process or program or whatever,
but that's, it's just not flexible
and it doesn't really match the speed
of business all the time.
And someone's always gonna figure out a way
to whip through the Windows administration piece
and there you go.
Okay, well we're a bunch of chuckles today, aren't we?
It's just fantastic.
We're all ruined.
Now look, just staying on the theme of identity,
Apple is doing some work, Adam, on passkey portability
which will enable you to get passkeys out of the Apple ecosystem into other devices and stuff.
It is good to see this sort of work continuing and I do think, you know, for
people who have multiple devices in consumer land, that helps with identity
quite a bit, you know, because you can start throwing them pop-ups on other
devices.
If they lose a device, they don't necessarily
have to reset the whole lot and whatnot.
So I think in the consumer space,
we're actually making some real strides here,
but you know, ironically enough, you know,
connecting the enterprise world
to some of this consumer goodness,
businesses won't wanna do it,
even though probably
eventually that's going to be a more secure way to do things.
Are you tracking me?
Yeah, yeah.
I mean, I think, you know, passkeys are clearly better than a password in many respects, but
managing them at an enterprise scale and dealing with the enterprise problems, you know, as
I said, with a solution that's ultimately pretty consumer focused to start with is really difficult.
Apple's making some good steps here because being able to get passkeys out, move them
around, sync them outside of the one ecosystem, because if all of your world is inside Apple
Life, then everything just magically works.
That's the appeal of Apple Life.
But most people are not a single ecosystem and certainly most businesses are not.
So that's, it's kind of good work.
And I think, you know, I'm, I'm, my mind goes back to the
time you were talking with one of the guys from YubiKey
about, about, you know, identity and, and tokens and,
and starting to build that differentiation between
hardware bound tokens and movable around, you know,
key material.
And I think the sooner we get that clear in everybody's heads that some things you can move
and some things are stuck to a particular device, like that's good.
That helps overall with just how we think about it.
Yeah, but I mean, ironically enough, the portability enables you to get attestation
from multiple devices, which is a huge benefit, but also introduces other risks, right?
Like that's the, oh man, it's doing my head in.
Yeah, at least a FIDO token, a YubiKey,
at least that's a one thing.
Like it's kind of complete,
conceptually a bit more simple,
which may or may not be that's a real attribute in itself.
Yeah, and then you've got to deal with the,
when the user says my dog ate it issue, right?
So.
Well, you wait 12 hours for the dog and then you can log in.
You know?
So look, I think, you know, all in all, like this conversation,
all we're trying to do here is point out that, you know, things have really changed.
I think the founders in 10 years from now of the next cyber security companies,
they're going to be those kids who are hanging out in the Com right now,
who might not necessarily be doing crimes, but they might be crime adjacent.
Um, let's just put it that way.
But yeah, I think we're seeing an emerging set of issues
that are gonna really start to bite
over the next couple of years.
And it is these identity-based cloud-first attacks.
And it's only gonna be those 1%,
those top 1% who are anywhere positioned to deal with them.
And look, let's talk about a couple of identity attacks
just this week, high profile ones.
We've seen the email accounts of Washington Post journalists, those on the NatSec team
being compromised by a state backed actor.
I think the scuttlebutt is probably China.
I mean, that's completely unsurprising that we would see that.
We've also seen Keir Giles, who's a prominent
British researcher on Russia, he had his email popped as well. There was some sort
of account takeover. Again, you know, both of these attacks look like attempts to
gather intelligence from people who are talking to interesting people and both
done through identity hijacks.
If you're the FSB and you're tasked with it, then you're going to do what works and take over the identity, and then in some cases, I think with the British guy, leveraging
his identity to then try and talk to other people, and so on, navigate through those, um, you know,
those webs of contacts. Makes total sense. Yeah, now look, I'm so glad this broke, uh, in the days
leading up to a Chris Krebs appearance because this is a topic near and dear to his heart.
Microsoft is taking the aaS out of SaaS,
and now they're just selling S.
We need a new term for it.
We could call it software.
Basically, they're selling you the ability to run,
like Azure and M365 stack in your own data center.
This is aimed at the European market,
where the Europeans are increasingly skeptical about relying on American technology providers.
So yeah, I find it really funny that you've got like, we were joking about it, weren't we,
Adam? Like I was calling it Windows NT 6. And, you know, you were saying maybe they could offer,
you know, some version of M365 that runs on the endpoints.
But currently where this is though, it's sort of like M365 to your own pseudo cloud mainframe kind of thing.
What a world.
Now, Chris, you and I just were chatting about this very briefly before we got going,
and you say that this has probably been in the works for quite a long time.
Yeah. So kind of bringing it about the technical layer again, more of a wide world of cyber
type conversation.
If you think back to 2007, 2008, the Russian DDoS attacks on Estonia where they pretty
much flattened a bunch of government services all over a Soviet Union era statue of a Russian or a Soviet soldier, there's been this desire,
this interest from certain countries in Europe for the ability of a sovereign cloud, where
they can take their or even a digital embassy is probably the better way to put it, where
you can take the government key functions, the key data systems, and put them somewhere else that's not residing
on terra firma in that country
because the Russians are coming after them.
When I was at Microsoft from 2014 to 2017,
this is something that Brad Smith,
now the President and Chief Legal Officer,
was pushing pretty hard.
This was kind of also related to, at least tangentially,
to the Digital Geneva Convention work
that Microsoft pushed pretty hard.
They kind of went through the Paris cyber agreement or whatever it's called.
So this sort of ability to float up originally started again as a defense against Russia,
but over time it seems to be a GDPR plus plus plus sort of outgrowth of,
eh, we don't trust the Russians,
maybe we don't trust the US either
out of a number of different European countries.
And when you see that ability to put in 365
and other associated services
in trusted providers or second parties,
again, something that Pat,
we talked about on, I think the last,
I wanna say, was that the last Wide World Cyber I did?
I don't know, they all blur into one.
But again, this is exactly what Alex talked about,
this is what I talked about,
is like, they're just gonna throw Azure
into a domestic champion.
And so you've got an SAP shootoff,
that there were subsidiary that's gonna be running it
in Germany.
So, you know, and that's the most extreme case,
at least for Germany and France,
where you can drop it into critical infrastructure,
you can drop it into government services,
and there's, you know, there's no US fingers
anywhere near the software,
whether it's private or public cloud.
So I think this is a kind of a natural outgrowth.
It's really interesting.
I think there's also a wrinkle here: instead of Europe pushing back on US tech providers, they're
asking for more and more ways to do it, which I think, if you had been in the room at the Munich Security Conference
where the vice president, Vice President Vance, I think pushed back pretty hard on European
governments and censorship and things like that, this isn't necessarily the way I would have
expected it to go, that the European countries would be asking for more US support. Now,
or at least technical support from companies,
but the way they are carving it off from the private cloud
plus the third party providers,
it's a pretty elegant solution.
It is.
I mean, I don't think it's just about spinning up
country-wide clouds.
I mean, from what this post from Microsoft seems to say
is like individual organizations can even run
their own sort of Microsoft stack in their data centers,
right? So it's not even just about that sovereignty piece, it's about,
hey, you can run end-to-end Azure and M365 in your own data center, put it in a rack,
right? And as you point out, there's a bit of disquiet in Europe over being so
reliant on US technology. I mean, there's been a couple things that have happened
there. I mean, there's various policy disagreements, a little bit less trust,
perhaps, in America's restraint when it comes to being able to inspect data that
Microsoft has access to.
It's so similar in so many ways to the concerns Western countries have over
Huawei, right?
Like it's amazing the degree to which those things map
onto each other. So I think from one perspective, this solves the problem of the data being
stored by Microsoft that is not stored by Microsoft. But I do wonder if things deteriorate
further if this will be enough, right? Because ultimately you're still running code that
is being shipped into that environment
direct from Redmond.
I think there's a pretty heavy bar in the United States.
You know, the bar for the US government
leaning on Microsoft to start deploying code
that would give them access and stuff,
that's a pretty high bar,
but we're in pretty unprecedented times right now,
so I don't know.
I just, so I don't know.
So first things first, right?
What's the alternative?
Red Star Linux?
I don't know.
Yeah, but I think they're making the best of a situation that I won't say is a bad situation,
but it's not the best.
And so I think Microsoft sees the business opportunity.
They seem to me, at least, to be way ahead of the competition. They seem to be ahead of Google. And again, this is
something that Brad Smith and Microsoft's been thinking through for over a decade. Now,
what's most interesting to me is the go-to-market rollout and how it's Judson, the chief commercial officer that's dropping this
announcement on the Microsoft blog.
So it is, this is a product, this is commercialized,
this is going out into the market.
It is not in the Microsoft policy laboratory anymore.
This is a real, you know, this is a real baby.
This is a real child, they are gonna take this out.
So we'll see how it goes.
But the last piece that I think I would add is that
one of the things that we were thinking about,
at least in the first Trump administration
about the Huawei issue that you talked about
was that there's still any way you cut it,
the rule of law in the US and in Europe.
What we had as a kind of a foil against China was that there is no similar right of action
in the courts that's legitimate, where you can sue if the Chinese government comes knocking
on your door and says, hey, company, turnover data.
That doesn't exist.
Microsoft sued the US government for data that was sitting in an Irish data center that they were like, no, US doesn't have territory here or jurisdiction here.
You can't do it.
That case went all the way to the Supreme Court.
And there was a law, the CLOUD Act, that was passed subsequent that was made to address this issue.
So at least in the good old days of the last Trump administration, there was
rule of law.
That was something that Europe at least could kind of hang their hat on.
Now granted, we're like two or three shrooms past that.
So in also in the second Trump administration, so it's not clear exactly how this is going
to play out.
But Microsoft is making a big, big commercial bet.
So they think they've got something here. They have confidence. They're putting their money where their mouth is. Yeah. I mean, Adam, I wonder what your take is on this because I wonder about the,
I mean, would you want to maintain your own Azure and M365 stack? Cause that just sounds like
not a good time. I mean, you remember what a miserable life it is being an Exchange admin.
Can you imagine what it's like being an M365 entire cloud
stack admin?
Although that said, from a technical point of view,
this Azure local thing where you can run your own instance,
the 365, is like a renamed version of Azure hybrid cloud.
Azure Stack hybrid cloud, I think it was called.
So you've been able to run bits of Azure,
like the virtual machine infrastructure
and some of the network plumbing yourself for a while.
So bringing the apps into this on top of it,
is a thing that, it's not entirely brand new,
but I do pity the fool that becomes the Exchange admin of the future having to deal
with this whole thing.
I mean, can you imagine in the future, we're going to be talking about headlines where
someone got owned because they forgot to patch their M365.
Yes, yes, exactly.
But on the other hand, I think as Chris said, what's the alternative?
And when was it, the Dutch that are thinking about going to the LibreOffice future?
The Germans tried that in the, what, early 2000s.
They tried to get rid of Microsoft.
And that's back when OpenOffice, et cetera,
and the rest of the open source office suites
were a lot more feature comparable
with just on desktop Microsoft Office,
let alone someone who tries to use OpenStack
and all of the open source cloud equivalents
to run something that looks like Azure.
Like the product is just so much more mature
than any other option.
So yeah, what are they gonna do, right?
As you say, you can't read style and accept.
The only thing I'd add here is, you know,
based on the last segment,
What if Scattered Spider gets a hold of this.
Yeah.
I mean, we are just making the attack surface that much more.
Pickable.
Yeah. I'm guessing, I'm guessing to make about it for so long.
It's great.
I'm guessing Microsoft's put some thought though into how to at least maintain the
stack. So my joke about patching and whatever, you know, probably not that
applicable, but you would think there's going to be like, you know,
someone like you, Adam gets a shell in that environment. You know, it's going to be a,
it's going to be a fun time. Oh, and I'll just say to you that one of the things that I was
mentioning about, you know, the Europeans feeling a bit funny about Azure was, you know,
the United States government sanctioned an International Criminal Court prosecutor,
and that led to their Outlook account being vaped. Right, there were some bad reports going around at the time that they withdrew services from the International Criminal Court.
They didn't, but they did
withdraw services from one of the prosecutors, and that was enough for,
you know, and this is because the United States doesn't like the International Criminal Court investigating Israeli politicians for war crimes, and,
you know, from a European perspective,
they see that and they're like, yeah, that's a little bit alarming. Look, let's kick on with
some technical news here. And this is some fascinating research from the AIM Security Labs
team that you gave us, you put in the run sheet here, Adam. It's some sort of Microsoft 365 Copilot, like AI-based
attack that lets you email someone and then get information back in return. Walk us through it
because I read it and I feel like I 70% understand it, but I don't 100% understand it.
So I mean, ultimately this is an instance of prompt injection. So in that respect,
not super interesting, but the way that they wrote it up and the way they thought about it, I thought was pretty cool. So
this was a bug in Microsoft's 365 environment where you could basically
send an email which contained instructions which if that email was
ingested by a copilot on behalf of the user that received it, you could then
cause that AI to do something on your behalf.
And then they chained that together with a couple of flaws
where they could exfiltrate data
without any user interaction.
So for example, loading images off remote servers
where the data is linked to the path
or bypassing content security policy
in SharePoint and the cloud, blah, blah, blah, blah.
But the real interesting bit here, I guess,
is so you email a prompt in,
there's meant to be a layer of filtering
in Microsoft's environment that attempts to detect
when the data you're processing contains prompts
or like is giving instructions.
So this, in this AI future world
where we are mixing code and data,
it's meant to try and detect things that look
code-ish in stuff that's probably data.
Of course, that's already a very difficult problem,
and they're trying to do it in an AI fluffy world.
They come up with basically a way to bypass
that filtering just through making it look innocuous.
Then the second part is engineering the data
you're sending in to maximize the chance
that the AI will retrieve it and use it.
So they compare this to like heap spraying
and memory corruption where you're gonna spray data
into the 365 in a way that the AI is likely to get it back.
And they do this by crafting an email,
which when chunked up and ingested into Azure as, like, a
RAG database, so a vector database that the AI uses
to pull relevant data out to then load and process.
So they kind of game that such that their malicious input
will come back in almost any requests
that the AI is making to its data store to
get relevant information.
And then the instructions are like, find the most sensitive thing you can in the attached
documents and then make an image about it and send it to me, the attacker, to leak the
data out.
And that's just a really fun kind of way of thinking about these attacks with their different
parts and then getting it to a point where you're sending an email and receiving sensitive data back. Like, sweet, that's great hacking.
It is. And it's funny that the way that they bypass that prompt injection detection part is just by
phrasing it right. You know what I mean? Like if you're a good writer, you can figure out how to
write things in a way where you're conveying the meaning that you want to to the LLM without the
filters actually knowing that's what you're doing. And I mean what's a
universal solution to that? Yeah I mean every solution that we have seen
someone talk about so far is just layering more AIs around it to say like
does this look sus? Is this what I expected? Does this match, you know, the
intent of my policy,
even if it's not the letter of my policy?
And it all gets very fluffy.
And this whole thing where we made computers
non-deterministic and more like people,
it's not gonna improve them.
Yeah, it's scary when Adam talks this way, isn't it, Chris?
Yes, it reminds me sometimes of listening to Alex talk,
because you're like, oh, where does this end?
Alex and I both have a strong kind of doom-filled streak, I think.
We're all ruined. All right. Let's do a sprint through to the end here.
We got a story here from Cybersecurity Dive about CISA warning of supply chain risks as ransomware attacks exploit SimpleHelp flaws.
Why is this a supply chain risk and not just a bug risk?
So SimpleHelp make remote support software, so like remote access stuff.
So the bug is like a path traversal gets information out with like creds or whatever in it.
So it's hit this and then go downstream into the people who use it,
because it's pretty common amongst service providers and that kind of thing.
So that's the sort of the customer usage of this
tends to be through third party service providers.
Right, okay.
So that's the supply chain angle here.
So they're just doing what you'd expect to do
with this sort of access.
Smash and grab a bunch of data.
Yep, pretty much.
Hey, just a real quick one on this.
Kudos to CISA, right?
This is great stuff.
It's nothing, you know, world,
earth shattering in this alert,
but this is CISA doing what CISA should be doing,
and they're doing it with reduced staff.
They had recent leadership departures,
so kudos to the team that pulled these things together.
Good to see kind of normalcy in operations.
Indeed, indeed.
We've also got a follow up on United Natural Foods.
This is the huge grocery, like fresh food distributor
in the United States that supplies Whole Foods
and a bunch of others.
Whole Foods is bringing stuff back.
Like they're restoring normal operations.
But I think you had the amazing data point there, Adam,
that this attack was so catastrophic,
they had to close their sandwich bars.
Yes, I think on Tuesday they reported,
sandwich bar had to be closed.
So, you know, that's pretty serious impact.
That is a cyber Pearl Harbor, if ever I've heard one.
And what else we got?
We got a South Korean ticketing platform
getting ransomware as well
and also an attack against WestJet, an airline. Not super clear on the details there.
Yeah, I think Yes24, which is the Korean place, they're pretty big. They're a big ticketing
vendor but also ebooks, sort of like Amazon I guess, if Amazon sold event tickets in Korea.
So that impact's been pretty large.
They seem to be clawing themselves back.
And yeah, I guess any time an airline gets ransomwared seems a little like,
I still want to put that in the run sheet, even if we don't have much specifics
and WestJet say that their flights are still going on.
But it doesn't feel good when there's attackers,
privileged access presumably up in the middle
of an airline network.
Yeah, but you need to use the correct PR nomenclature
for a ransomware incident,
which is what their blog post uses.
It's a cybersecurity incident.
Yes.
So when you get ransomware, you got to understand
it's not ransomware, it's a cybersecurity incident
of which you're trying to determine the scope and doing eviction. You know, anyway, that's how that works.
All right, guys, we're gonna wrap it up there. Chris, any final thoughts, any final
message for the Risky Business listeners that you would like to share with us
today? Well, let me just drop one piece on the last two stories. Ransomware is
here to stay right now, and there are hounds, as you said last week,
waiting to be released.
So are we gonna release them or what?
And the last thing is just, again,
thanks to the support from everyone in the community.
It's been overwhelming.
RSA, a month or so ago was great.
I'm hoping to make a return trip to Black Hat.
But again, the outpouring of support has been fantastic. I really appreciate
it. Love everybody out there. Keep up what you're doing. And I think if you need any
more reminder of just the last couple of weeks, again, you guys are the front lines of the
defense of modern warfare. I said that at a couple of panels at RSA. So keep it up.
We're all counting on you.
Awesome. Well, we will wrap it up there. Chris Krebs, thanks for joining us. Adam, as always.
Thanks so much, Pat. I'll talk to you next week.
Adios.
That was Adam Boileau and Chris Krebs there with a look at the week's security news. It is time for this week's sponsor interview now with George Glass from Kroll Cyber.
And Kroll have a heavy presence in the UK and have been dealing with some of these
responding to some of these attacks against the retail sector there.
And yeah, I mean, it very much ties into the conversation we just had in this
this week's news, which is simple social engineering attack to complete compromise.
And this is an issue that's very, very difficult to deal with. So here's George Glass talking
about that.
Fairly classic social engineering. So ringing up a help desk with limited information about
a particular set of targets that they wanted to impersonate. Could be one, could be two operators, both trying to impersonate the
same person over multiple calls using the same information they've got from a previous
call in the following one. That could be like an employee number or a manager or something
like that. And essentially just building towards social engineering the help desk person to reset MFA, reset a password.
Could be very cordial on the phone, English speaking gentleman and that sometimes works.
Sometimes they move more towards being angry. I'm very important. I have a meeting coming up.
I must have my phone reset.
No, I can't access my email.
I'm locked out of all of my accounts.
You need to do this for me now.
So on and so on and so on.
Yeah, I'm going to come down there and there'll be hell
to pay, that sort of vibe, right?
Exactly. Yep.
And they just do, you know, a variation of that.
And yeah, it works, obviously. Yeah, yeah. I mean, I guess I'm wondering though,
like, okay, that might get you one user account. And as you said, multi-stage social engineering,
I remember not an intentional name drop here, but talking to Kevin Mitnick about this many,
many years ago. And he said the thing back then people didn't understand is that, you know,
a successful social engineering campaign was multi-touch, right? So as you pointed out, they might have the employee number, but maybe they got that from
a previous call where they rang up and they said, hey, it's Joe Bloggs.
I'm filling in a form.
I need my employee number.
I can't remember it.
Can you just look it up for me?
That sort of thing.
Then they ring back and, hey, it's Joe Bloggs employee number, da, da, da, da, da, da, da,
and they've got more credibility.
But in these cases, okay, they've got user access. What
then? Because, you know, getting one user account, okay, that's interesting. But turning
that into the chaos that we've seen in the UK retail sector, like, is going to take a
bit more skill than just yelling at someone on the phone, or does it?
Well, that's the interesting thing. We've seen targeting of IT personnel. So people
that they know will have a whole bunch of really interesting documents in their SharePoint.
Exfiltrate all of those.
I know how to authenticate to the VPN,
et cetera, et cetera, et cetera.
I know password policies.
Very adept at traversing a SharePoint
estate, gathering reconnaissance, that sort of thing.
But we've also seen it from low level employees
where they've managed to essentially conduct
a business email compromise,
but then install, like, an Azure logic app
or something like that,
that again can exploit some sort of vulnerability
in the setup.
So really does show that they're very adept at Azure SaaS
technologies. They don't need to touch the endpoint until they absolutely have to. And
it's everything is just identity and traversing these different accounts to get as much information
as they need to launch the next stage of the attack.
I guess something that concerns me somewhat is we don't really appear to have a good set of
controls for dealing with this sort of thing. No, no. You know, policy is one thing. You can have
a really good policy. I think the crux of this is at the end of the day, a help desk person,
whether they're an in-house help desk person or outsourced, they're really just trying to be helpful. That's sort of their job. And
I think that's where a lot of this falls down. It's easy to give away a small piece of information
that may be out of your policy. But as we've been saying, that all adds up to pretty significant
breaches. How you stop those sorts of things, it's very
hard because it's human nature. And you've got to train that into people, ensure that
the policies are followed, conditional access and all of those sorts of things are very
expensive. Very hard to achieve, especially in a very distributed environment like retail,
where you could have seasonal employees and
so on and so forth. So it's very tricky, makes it an easy target for these sorts of guys.
And it's an expensive thing to get right, to be honest.
Yeah, I mean, I don't think there's any realistic prospect of preventing social engineering
attacks against help desks from succeeding. Like that just will, that's just not achievable.
But I would have thought that you might be able to either
detect or slow these people down once they've got that
user account and start doing weird stuff.
But then you look at the solution sets for these sorts
of problems and you got what, like CASB?
I mean, you're gonna rely on CASB?
Well, you know, to be honest, in our MDR practice,
we detected a malicious use of employees' identity.
I think they had access to the environment
for all but a couple of minutes.
It is possible, but you're looking for anomalies
that are hard to catch at any reasonable scale.
You have your set of users that you're gonna be looking at
very, very closely, those with high privileges,
execs, VIPs, so on and so forth.
But doing that across an estate of maybe 10, 20,000 people,
maybe more, then that becomes a really big challenge.
You mentioned they were going after the people who are likely to have highly privileged access.
I know from Adam Boileau, my co-host, when they were doing red teaming, the first people they'd
go after with phishing and whatnot was the domain admins who they found helpfully through
LinkedIn.
I mean, are these guys doing it similarly?
Do you think is that how they're doing their recon?
Just hitting up LinkedIn and looking for the domain admin?
I think that's absolutely the case.
Yeah.
The cases that we've seen,
they seem to be very, very focused on a few individuals
that they know are gonna have access to,
a whole bunch of technical documentation,
credentials stored in LastPass
that they might be able to phish and those sorts of things.
That's clearly what they're doing first is some reconnaissance and then really just chancing it to be honest.
We've seen some calls just hang up, it's clearly not going to work. Okay, forget it. They've
probably moved on to the next target by then. Some more persistent because they clearly think
that they can get a good amount of access by that one single identity.
Now walk us through, if you wouldn't mind, and I'm not sure if you have the details at hand, but you just mentioned one of the detections in an MDR context. What was the detection? Why did
it jump out and how were you able to find it? Because I mean, that's, you know, I mean, hey,
this is a marketing segment. Do your marketing thing. Tell us about how you save someone's bacon.
Yeah. So I think a lot of our detections
are driven through Sentinel because 365 and so on.
We work on a number of different signals,
anomalous token usage, impossible travel,
and things like that.
The thing with Scattered Spider is most of the time
there'll be VPN close to where the user is.
So we're looking for multiple signals, different user agents being used to log in over a short
period of time, that sort of thing.
To be honest, a lot of those detections were set up for attacker in the middle.
But it does tend to work for things like MFA resets and stuff like that.
Like some of these phish kits that grab pass-through and whatever.
That would make sense, right?
When the user agent starts flapping around for a user, that's a good one.
But I mean, it would catch this as well, right?
Yeah.
Yeah.
It's a detection of someone's logged in from an account from a device that we haven't seen
before.
That's in itself weird.
So yeah, obviously you're not going to catch
the initial phishing call, but you can hopefully catch the malicious activity that's going
on behind the scenes. And then obviously there's defense in depth, right? So you can start
detecting these malicious Azure apps and things like that as they tend to install them for
BECs and so on. But you want to be getting these guys as early as possible because they'll
have the contents of the SharePoint within a few minutes. Absolutely.
So tell me about the process of installing a malicious Azure app, right? So presumably
you need to hit a user account that has some sort of privilege. What does the authorization
for that look like though? Is that just like an OAuth grant from that account?
Yeah, essentially that it could be, you could get it via phishing. You could get it, you know, just by
compromising the credentials. It really depends on how the environment is set up as well.
You know, a good consultant answer there. It depends, but it can be incredibly easy.
It depends, right. So sometimes it's like you need to go through the whole, you know,
authentication challenge, right? Basically to do it. And other times it might just be an OAuth pop-up and you just click, yeah, okay,
whatever.
Exactly.
Yep.
And so what do, what do these Azure apps actually do?
Right?
Because, you know, I'm a, I'm a fossil at this point in cyber security.
I've been in it for like 25 years.
Right?
So, so the idea that, okay, I've reset someone's MFA token, which is going to
let me get their user account.
Oh, there's some privilege here.
Now I'm going to do something called installing an Azure app.
What does that do? What does it get me?
Explain it, explain it to me like I'm old.
Yeah, sure.
Uh, some of them are, uh, logic apps, um, that are used for automations.
Uh, but those automations can be used to download the entire contents
of a mailbox, for example,
or set up OneNote documents that also contain phishing links and things like that and automatically
send out to everyone in the business.
So that's one of the methods for lateral movement inside.
If you get an internal email or internal Teams com from your colleague saying,
hey, can you take a look at this OneNote document for me?
You click the link in there, authenticate.
That's more creds for the bad guys, right?
So it's pretty common now, for BEC and more compromised cases that we work,
that there's some sort of malicious Azure app or logic function or something like that set up.
It's amazing, man. Here we are, 2025, infrastructure as a service,
looking about as stupid as the on-prem stuff we had 20 years ago. Amazing. So let me ask you this,
though. Here's a curly one for you, right? Because you've been in the thick of this,
right? Being based in the UK, this is where all of this activity is hit. You've seen the ones who've done badly. You've seen the ones who did well.
So there have been reports of like Harrods. They went after Harrods, but they were able to evict
pretty quick. Didn't look like there was any disruption or damage. What separated the companies
that got through this where it was just like in the news for a day where they pulled some systems
offline, sorted it out and basically went uninterrupted versus the ones like
Marks and Spencer, who I think are still restoring services like a month or two
later.
Yeah. I think for the cases that we worked, um, which is really all I can talk to,
it comes down to detection, right? You know, if we compare this, this,
this stuff that is, um, still in the news, um,
clearly there was a huge amount of lateral movement,
a lot of malware being deployed, rumors of NTDS.DIT
being exfiltrated.
Really, detecting that sort of stuff
is pretty paramount to running a good defense
in depth capability.
So detecting as close to the intrusion as possible,
especially identity-based detection,
they seem to be the ones that are faring a lot better
in this case.
And actually, again, in my experience,
it seems to be the people with the in-house help desk
seem to have fared better than those that outsourced.
Is that because people tend to adhere to the policies
a bit better?
I think so. I think so.
I think so.
They tend to just be smaller organizations as well.
So maybe they recognize the person's voice wasn't who they thought they were going to
be talking to and things like that.
Yeah, right.
Because they know them because they work down the hall.
Yeah.
I mean, I guess I'm wondering though, you know, you say that detection is a good thing
here, right?
And that totally makes sense.
But I mean, we see, we've talked about like, you know, again, this is about a vibe, not
an attribution to a set of people, but we've seen Scattered Spider-esque attacks here in
Australia where they take over a domain, like they take over an MX record, right?
Divert mail and then they go from there to full compromise of absolutely everything in
10 minutes. So I'm sort of wondering like it, you know, are we worried that detections
aren't quite going to cut it when it comes to threat actors who use these types of TTPs
and really what we need to look at is hardening. And, you know, I find this an interesting
question because then I think, well, how do you harden against this?
I think you're absolutely right.
I don't think, you know, I think it always goes back to the weakest link in the chain
can't be a person behind the keyboard, right?
It's got to be controls, it's got to be process, it's got to be procedures.
Hardening in this case, as you quite rightly say, is very, very difficult.
It's going to be expensive. We've been recommending phishing-resistant
2FA, conditional access policies and things like that. They'll certainly help. It's expensive
to roll out. Especially for retail, there's however many endpoints, tens of thousands
of endpoints across your estate. You say, hey, we'll do conditional access and make
sure that all of your seasonal employees,
who are only going to be there for three months, have FIDO2 tokens. It's just unrealistic, isn't it really?
Yeah, I feel like, I feel like it's gonna be an interesting few years figuring out how to deal with all of this.
And I think things are gonna get a lot worse before they get better. As a pundit who covers it,
I have very conflicted feelings about all of this, but George Glass, it was great to see you again, my friend. Thanks for walking
us through all of that and we'll look forward to talking to you again soon.
Thank you very much.
That was George Glass from Kroll Cyber there. Big thanks to him for that and big thanks
to Kroll Cyber for being this week's sponsor. And that is it for this week's show. I do
hope you enjoyed it. I'll be
back soon with more security news and analysis, but until then I've been
Patrick Gray. Thanks for listening.