Risky Business - Risky Business #803 -- Oracle's CSO Mary Ann Davidson quietly departs
Episode Date: August 20, 2025

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including:

Oracle's long-term CSO departs, and we're not that sad about it
Canada's House of Commons gets popped through a Microsoft bug
Russia degrades voice calls via WhatsApp and Telegram to push people towards Max
South-East Asian scam compounds are also behind child sextortion
Reports that the UK has backed down on Apple crypto are… strange
Oh and of course there's a Fortinet bug! There's always a Fortinet bug!

This week's episode is sponsored by open source identity provider Authentik. CEO Fletcher Heisler joins the show this week, and explains the journey of implementing SSO-backed login on Windows, Mac and Linux. You'll never guess which one was a few lines of PAM config, and which was a multi-month engineering project!

This episode is also available on YouTube.

Show notes

Is Oracle facing headwinds? After layoffs, its 4-decade veteran Chief Security Officer Mary Ann Davidson departs
Oracle CSO blasted over anti-security research rant - iTnews
New York lawsuit against Zelle creator alleges features allowed $1 billion in thefts | The Record from Recorded Future News
Mobile Phishers Target Brokerage Accounts in 'Ramp and Dump' Cashout Scheme – Krebs on Security
How we found TeaOnHer spilling users' driver's licenses in less than 10 minutes | TechCrunch
UK has backed down on demand to access US Apple user data, spy chief says
DNI Tulsi Gabbard on X: "As a result, the UK has agreed to drop its mandate for"
Hackers target Workday in social engineering attack
Russia curbs WhatsApp, Telegram calls to counter cybercrime | The Record from Recorded Future News
Hackers reportedly compromise Canadian House of Commons through Microsoft vulnerability | The Record from Recorded Future News
Norway police believe pro-Russian hackers were behind April dam sabotage | The Record from Recorded Future News
US agencies, international allies issue guidance on OT asset inventorying | Cybersecurity Dive
FortMajeure: Authentication Bypass in FortiWeb (CVE-2025-52970)
U.S. State Dept - Near Eastern Affairs on X: "He did not claim diplomatic immunity and was released by a state judge"
493 Cases of Sextortion Against Children Linked to Notorious Scam Compounds | WIRED
.:: Phrack Magazine ::.
Accenture to buy Australian cyber security firm CyberCX - iTnews
Transcript
Hey everyone and welcome to Risky Business.
My name's Patrick Gray.
We've got a great show for you this week.
We're going to jump into it in just a moment with Adam Boileau
and talk about all of the week's cyber security news.
And then we'll be hearing from this week's sponsor.
And this week's show is brought to you by Authentik,
which is an open source IdP.
Now, of course, you can get it with some paid-for enterprise-y sort of features.
But the whole thing is sort of inspectable.
open source goodness, and the CEO of Authentik, Fletcher Heisler, will be joining us a little bit later
on to talk about, I guess, some new features that they've introduced.
One of them is, you know, and it's been a process to get this one working, but one of the
new features is you can, you know, enter your SSO creds into your workstation to unlock your
workstation.
So that's sort of unified single sign-on, which is actually single sign-on.
So that's cool.
And we'll talk to him about how it was a little bit trickier
to build that feature for Windows as compared to, say, Linux.
That one's coming up later, but first up, of course,
it is time for a check-in on the week's security news with Adam Boileau.
And I guess the big news this week,
especially for those of us who've been in the industry for so long, Adam,
is that Mary Ann Davidson,
the nemesis in many ways of the hacker community,
is no longer at Oracle.
She is out, and it's not really clear why,
but her departure did come very shortly
after that massive incident
affecting Oracle's cloud,
and you do wonder if those two things are connected.
It would make sense that they would be connected
and like that particular incident with Oracle Cloud
was also not handled particularly well.
It was quite a bit of,
"oh, it wasn't our real cloud,
it was our backup cloud," or, you know,
"it was a legacy cloud."
That's what they called it, legacy cloud.
First of all, they denied the incident.
So there was that, they were all,
They were bullshitting. And I'm sorry to production people for having to beep that, but that's what they were doing. When this happened, they said, oh, no, our cloud was not owned. And then later on it turned into, well, our real cloud wasn't owned, but there was some legacy cloud. But, you know, you and I talked about that. And if they left old rotting boxes hanging around in their cloud environment and people were able to own them, that would have given them, you know, perhaps better access to even the more modern cloud bits and pieces. So it was,
Yeah, it was a bad incident, and the comms and handling of it were terrible.
And you do wonder, well, is that what maybe led to her departure here?
Yeah, yeah.
I mean, that certainly kind of makes sense.
And I mean, she had also a pretty long history with Oracle.
And as you suggested in the, you know, in the intro there, like, we weren't super fond of
Oracle's, you know, kind of positioning around, you know, full disclosure around how
bugs should be handled.
And even, you know, she made a blog post once upon a time about, you know, how we shouldn't
reverse any of Oracle's products,
violating their licenses or their intellectual property or whatever by looking at it.
Yeah, she was like, don't go looking for bugs in our products, that's our job, and we will pursue
legal action against people who are reverse engineering our products. And keep in mind, like,
this is when Oracle's products are just like, every time anyone would pick one up and
shake it around a little bit, like, just CVSS 10s flying out of them, right? And they're like,
no, don't go looking for bugs, we've got that, it's under control. So I mean, in some ways, though,
this counts against the theory that her departure is linked to this incident, because
it would be the first time Oracle actually took any concrete step in response to something bad going on with security, right?
Yeah, yeah, exactly, exactly.
And, you know, she's been there a long time, like 40 years. You know, this is not like, you know,
we're not a giant Japanese zaibatsu where you work for life, you know. This is, you know,
computers tend to be, you know, people don't stay there for 40 years.
So, you know, she's worked her way up and I imagine she has done many good things.
But, you know, Oracle, and especially like when they introduced "unbreakable" as their sort of, you know, tagline for their Linux.
Like, I remember that as being the butt of the industry's jokes for such a long time because, you know, the Oracle stuff very clearly was not.
And then they also aggravated this by buying and killing Sun, which, you know, all those old Unix nerds liked Sun Microsystems and did not like Oracle and then them, you know, killing the Sun, you know, the Sun vision of the network computer.
You know, lots of us were still salty about that for a long time.
So maybe she's not the only old person that's interesting that needs to go.
I don't know.
Well, I mean, I'm just remembering back to the unbreakable stuff where David Litchfield,
who I believe now works at Apple, David Litchfield back in the day, you know, he's very well known,
was very well known back in the day for being the guy who would find Oracle bugs, right?
Like in their database stuff.
And I think he managed to find something like 20 CVEs in an Oracle product during the first
24 hours after they announced their unbreakable thing, you know, which just goes to point out how
ridiculous of a whole idea that is. So I guess it's not controversial to say that, you know,
among security researchers and the, you know, security community as it was 20 years ago, she's a
pretty controversial figure. And a lot of people are like literally going to be dancing on a,
on a professional grave here. Like, you know, it's unfortunate, I guess, but it is what it is.
I mean, it certainly is, you know, and I know when, you know, I found bugs in Oracle products over
the years, and the idea of responsibly disclosing them to Oracle as opposed to just like
using them and then putting them on the shelf, or selling them live on stage during a keynote, which
I did once in Canberra, which was fun. Um, you know, that kind of relationship with researchers,
it does cost you if you burn it, and at the same time, if you have a good relationship, it, like, it helps,
you know, get those bugs out of the community, maybe not pay such top dollar for them. I mean,
But hang on, hang on, counterpoint, right?
You say, well, it does damage you.
How was Oracle damaged?
I mean, Oracle's just to the moon, right?
Oracle's done fine.
So I think the lesson here could be you can treat security researchers like absolute trash
over 27 years where she was the CSO and nothing bad happens.
Yeah, that's very true, yeah.
Maybe they get to buy a TikTok and everyone can live happily ever after in the Oracle future.
Yeah, I mean, look, it's entirely possible that Mary Ann Davidson has just decided to retire.
She's been the CSO over there for 27 years.
It's entirely possible that's the case, but it does come very shortly after this cloud
incident. And I do sort of think, I mean, you and I, when we spoke about this incident,
sort of said, you know, we agreed, right, that it was sort of unforgivable that they had such
ancient boxes running in their cloud environment. Like, what was it? It was like Oracle
11, it was, um, Solaris 10, sorry, sorry, sorry. Yeah, yeah, that's what I mean. Um, so yeah, like, just sort of
unforgivable, and we were sort of saying, like, it's pretty obvious that they weren't doing any
sort of asset discovery in their cloud environment, and that's like, what, like, that is just
completely insane. Um, so yeah, who knows, might have just retired, but either way, Mary Ann Davidson is
no longer at Oracle. So yeah, I guess we'll see, we'll see who replaces her and whether they are
worse. Introducing our new CEO, Satan. Let's see. Maybe it's a little bit unfair to compare her to
Satan, but you know, you never know.
All right, so maybe a little unfair.
So let's move on now and talk about a lawsuit in the US that's been kicked off by New York Attorney General, Letitia James.
So this is a lawsuit against Zelle, the payment platform in the US.
And this was the payment platform that was spun up by some of the major banks when they were
facing, you know, instant payments competition from the likes of, I don't know, Cash App or whatever.
I'm not American.
and, you know, those apps.
So they started their own one,
and the lawsuit alleges that they really didn't do anything about fraud
just to prioritize growth.
And if you click through and read the lawsuit document,
so we're going off a story written by John Greig over at the record,
but you can click through to the actual lawsuit.
And what it says is that Zelle actually came up with a whole suite of protections
in 2019 that would have really helped to combat
some of the easiest fraud that was taking place,
and they just never implemented them
because they wanted to prioritise growth.
They wound up implementing them in 2023,
and despite Zelle just growing like mad,
fraud actually went down by hundreds of millions of dollars a year.
So the lawsuit is basically alleging
that what they did in 2019
by not introducing these very reasonable controls
was wrong and bad
and they're going to sue them
and I imagine go after them for huge fines or something.
Yeah, which I guess, you know,
kind of makes sense.
For a payments platform, or any kind of big platform these days, you know, security isn't a thing that
you can just bolt on afterwards and hope, right?
I mean, well, the irony is it is, because that's exactly what everybody does.
But, you know, in the ideal world, in the world that the, you know, the Attorney General's
office would like to create and is tasked with creating, that's, you know, fair and reasonable
and equitable and all those kinds of things, you know, you shouldn't be able to just
YOLO your security and your fraud and all of your other controls in favor of getting enough
market share to become too big to fail. Which, you know, you look at the rise of Uber and the
rise of a bunch of other companies where they, you know, that's sort of the concept of regulatory
escape velocity. We've just got to outrun the regulators and the, you know, SEC and investors and
everybody else so that you get so big, so quick, it doesn't matter. And that's kind of what this
lawsuit, I think, has taken aim at, as that sort of growth hacking.
Now, look, staying with the theme of fraud,
Brian Krebs has an excellent write-up on this, I guess,
fraud organization that he has been tracking for a while based out of China.
So this was the group that was doing a lot of, like, Apple Wallet,
mobile wallet payments fraud and stuff,
and even those relay attacks we've spoken about it a couple of times.
Apparently, they've now pivoted pretty hard into obtaining access to people's
brokerage accounts so that they can dump all of their
blue chip stocks and then use it to buy penny stocks at inflated prices, penny stocks that these
attackers already, you know, own, right?
So they go in, they buy a bunch of penny stocks, and then they hack brokerage accounts and
buy the penny stocks from themselves at inflated prices.
And it looks like, I mean, this is a feature, right, that Brian's written here.
But, I mean, what's amazing about this is like every time he writes about this group,
the amazing thing here is the industrial scale that they're operating at.
I think if you work in risk at one of the brokerage companies,
like you've got to have a pretty solid look at this one.
Yeah, yeah, it's a really good kind of write-up of a story that we've seen.
You know, we've covered it as it sort of bubbled up over the last, you know,
kind of three months or so as various brokerages and, you know, exchanges and stuff
have had, you know, weird, fraudulent activity.
But kind of tying it together into a big picture is what Brian's good at.
And this group, he says it was doing kind of industrial scale phishing of, like, bank
accounts and other financial institutions. But as the security controls around those have become
more robust, they've pivoted towards using brokerage accounts as a way to kind of turn
computers into money. And also by kind of using the brokerage accounts to, as you said, buy
cheap stocks or sell people's existing stocks, buy cheap ones that they already own, they can kind
of decouple themselves from it as a sort of alternative to money laundering, I guess, because
you've got that level of indirection that the stock market is providing you that kind of
reduces some of the money laundering complexity. But they're, well, I don't know, man, I mean, it's pretty
easy to trace some of this back. I mean, I think that's why they're using, like, um, you know,
Chinese penny stocks for this sort of thing. So I guess, I guess, yes, but it's always going to be very
clear what happened and who done it. It's just like, well, what's your legal remedy, I guess? Yeah, yeah,
so it does provide sort of a degree of indirection, I suppose. Yeah, that's what Brian says. Um, but yeah,
These are also the group that has been, you know, selling preloaded mobile phones with, you know, online banking, you know, electronic payment loaded on them and that kind of thing.
So they're a pretty flexible and diverse and, as you say, industrial scale financial fraud operation.
And, you know, that's a thing that, yeah, if you work in not just core finance industry, but anything kind of on the edge, you know, probably you need to be aware what's going on.
Well, and, you know, once this gets under control, it seems like these are the sort of people who are just going to pivot into the next thing, right?
Because they are operating their cybercrime group like a proper business.
Yeah, they're agile and responsive, and they are.
Now, let's talk about Tea on Her, because a while back we spoke about this breach at an app called Tea, which is the app that allowed women to share, I guess, intelligence on men
that they were dating or planning to date or whatever. They could find out if a guy was a creep
or if he was, like, really nice or whatever. Um, obviously this is the sort of app that made, like,
you know, incel losers feel really sad. So some incel loser, uh, actually cobbled together
an opposing app, you see, called Tea on Her. You get it? You get it? It's very clever, you see.
Uh, and they did a wonderful job with the security here, uh, Adam, like, uh, you know, as good if not better
than the actual Tea app.
Yes, so TechCrunch, Zack Whittaker at TechCrunch,
had written up the story of this Tea on Her app
when it broke, and they started looking into it
because there had been, you know,
obviously a vulnerability with Tea and an information leak,
and so they went to go look at this thing
to see how it was built.
And it turned out to be not only at least as bad, if not worse,
they found bugs in the first 10 minutes of looking at it
that were, you know, pretty catastrophic.
And this, you know, Zack
writes up that process that they went through.
The core guts of it was, you know,
clearly this guy had vibe coded it together in a weekend.
There was an API server that basically implemented all the functionality of the app.
And it just had no auth.
You could just connect to the APIs and do as you please.
And all of the data that people were submitting when they signed up,
the identity scans, because they did the same thing as Tea in terms of how they,
you know, were trying to validate that all the users were men.
So they did the same sort of thing,
and even worse,
except that at least
people were using Tea.
Tea on Her,
you know, not so much,
for us, you know, much smaller.
well because the sort of people
who are going to sign up to a service like that
probably not the sort of people
who actually date a lot
I'm going to just go out on a limb here you know
I mean you're not wrong
it's going to be full of a bunch of
redditors complaining about women
who never called them back
I suspect it's going to be the core complaints
among this particular population.
But yeah, the funny thing was that when TechCrunch tried to report the issues to the guy
that wrote it, he was like, no, no, no, you must be confusing us with the actual Tea app,
because the bugs were so similar.
And they're like, nobody, have you tried, like, did you have to enter a password at any point
in the development of this thing?
And he was like, oh, so, yeah, funny.
Yes, yes, bit of a bit of a, yeah, bit of a comedy story for the week.
Now look, here's a really weird yarn this week, and it's doing the rounds everywhere.
We're going with the Guardian version here because I think they did a good job.
Their headline is "UK has backed down on demand to access US Apple user data,
spy chief says." Now that is a very tightly scoped headline,
because really this whole thing hinges on a tweet
by Tulsi Gabbard, who's the, what is she, the Director of National Intelligence
or whatnot, in the United States.
And she has said, you know, now Apple will, you know, will no longer be, you know,
the UK government is no longer demanding that Apple expose the encrypted data of American citizens.
And that's the interesting part.
So all of this goes back to, I think there was a technical capability notice issued by the Brits to Apple,
which Apple are apparently fighting, but it did result in Apple turning off advanced data protection
for new accounts in the UK and rolling out a plan to actually disable it for people who already
had it. I don't know if that's still a plan, but that was that was what happened at the time.
So, and then it was very controversial because Gabbard was like saying, oh, you know, the Brits
want to be able to have a capability to reach in and get your Americans data where, I mean,
we haven't seen the TCN, so we can't say. But I would imagine that if this is the status quo where
it's wound up, which is that ADP has just turned off for Brits, they don't need that TCN to be
acted on. So it might have just, you know, all of this might have just come down to the fact that
Apple is just going to leave ADP turned off for Brits, and that's where this is settled.
And now Gabbard is trying to turn this into some huge victory.
So I don't know what the actual story is here.
Like I think perhaps it was like the Brits saying, we need to be able to access this sort of information.
And Apple's saying, well, we're not going to build that for you, but we can turn off ADP.
And the Brits said, okay, and that's just where it landed.
And now they've dropped the request to have like a capability developed that would allow them to break E2E.
you know, backups or whatnot.
Anyway, my point is
it's really unclear what's happened here
and there's a lot of reporting based
on a single tweet. And I think the Guardian
has done the best job here of just saying
you know, of looking at
the tightly scoped wording that Gabbard's
used and actually pulling that into the headline.
So good job Guardian.
Yeah, it doesn't make a whole bunch
of sense because, you know,
a UK technical capability notice
wouldn't result
in Americans' data being collected anyway.
I mean, that the point of it is it would be a British jurisdiction thing.
And I guess, you know, Americans in the UK, maybe there's some edge cases there.
But, like, as a general kind of thing, it didn't make a whole, like, the American angle to it didn't make a whole bunch of sense here.
And as you say, like, it's not clear what has changed and what the backing down would be.
So it feels like political talkie-talkie and not actual thing happened.
But, you know, I don't know.
And then, you know, there's also the added wrinkle that Apple's advanced data protection
is one aspect of their end-to-endness.
And so things like iMessage and FaceTime and so on are E2E independently from the ADP feature set.
Like, that was about some things, some specific data types that get stored in iCloud.
But there are other things that are stored in iCloud that are still end-to-end encrypted
that weren't covered by ADP.
So like in the whole, you know, in terms of what does it mean?
for the average Apple user in Britain, probably not a whole bunch. And then what
Americans have to do with it, who knows. Yeah, yeah. So the whole thing is just
really weird. I mean, maybe we'll find out more later, but who knows. Now let's
talk about an announcement from Workday, where they've had an interesting
incident where someone has owned their staff's accounts at their upstream
CRM, and they're using that to then attack their customers. So
this is interesting. This is one of those security breaches affecting, you know, it's a security
breach affecting Workday that didn't touch their systems at all. Sign of the times. And it's, and it's
like a Com-adjacent, you know, Scattered Spider slash ShinyHunters thing, you know, and they're the
sort of people who are doing this sort of social engineering, uh, and in this case, like, going after tickets
in their CRM platform. Yeah, I think this is part of that larger campaign that we've reported on,
I think a few companies having their Salesforce accounts compromised
that is social engineering someone without access
and then leveraging that into Salesforce,
harvesting the data out,
and then attempting to ransom the organization whose data it is
for some kind of payment.
And we saw Google reported on the group that were doing it
and also said, by the way, our Salesforce,
Google Salesforce, got data compromised out of it as well.
And the nature of the data that got taken from Workday's Salesforce,
and also a bunch of the other ones, is pretty much like customer contact information,
which, if you are trying to turn it into fraud, can be useful
because you can target those, you know, phishes or whatever else more effectively.
Yeah, but it's not like ransom gold, right?
Like, it's not the sort of stuff people are going to pay to stop leaking.
No, and I don't know, you know, we don't know how many organizations may have paid them,
presumably they wouldn't be shaking people down for it if it was actually,
if it wasn't working at all, they must have got some, perhaps.
But I think, you know, probably there is a reasonable amount of, you know, there's so much data extortion going on and people don't want to be in the media.
And, you know, even when it smells like, oh God, this could look terrible, let's just pay them, and they're not asking for much, make it go away.
Maybe that's enough to make it worthwhile doing.
And then on the other hand, maybe us covering people who are getting compromised like this is actually helping the scammers, you know, apply leverage and get paid.
So it's always, you know, this kind of like extortion, you know, data extortion is just kind of weird like that, especially when you have to report on it.
Yeah, yeah.
I mean, nowhere in this is Salesforce mentioned, by the way, so I'll just point that out.
It just says CRM, but there has been a lot of activity targeting Salesforce.
But I mean, are you just making an assumption there or have you heard something?
I'm making an assumption because the axes sound the same.
The wording "third-party CRM platform" is pretty much what a bunch of the other
Salesforce customers have used when they've been talking about it.
So probably Salesforce asking them to use that.
That's the kind of vibe that I get, yes.
Now, a couple of weeks back, we had our colleague, Amberleigh Jack, on the show,
talking about Max Messenger, which is Russia's answer to WeChat.
And, you know, we predicted when we had that conversation that Russia was going to start
making WhatsApp unreliable, start restricting it, trying to squeeze more people onto this
max platform.
That is now happening.
So we've got some reporting here from Daryna Antoniuk
over at the record, which looks at what Russia is doing
to curb WhatsApp and Telegram use.
And you've got to love the pretext here,
which is they're saying they are curbing access
to these applications because of cyber crime.
Yeah, that's sort of some irony there, isn't there?
I mean, I'm surprised they're not saying, you know,
WhatsApp and Telegram have WMDs, right?
Like, it's like such an obviously bogus
pretext. Yeah, yeah, exactly. So people have been reporting that call setup has been
failing across some of the messengers, or the quality of the call has been degraded to the point
that it's just garble, garble, you know, compression artifacts. Whereas, of course, Max works
flawlessly and is easily available and will soon be installed by default on every phone
in Russia. So, yeah. And there's no cybercrime happens on it. Absolutely zero crimes
happen on Max. Yes, so a little bit transparent there, Russia, but hey,
what are we going to do about it? That's how Russia rolls.
Yeah, and I just want to say one thing about the WMD joke there, because it's funny,
I don't know if you've noticed this, but when you talk to people who are just a bit younger than us,
like not even a lot younger than us, just a bit younger than us, they remember the invasion,
you know, they know about the invasion of Iraq and that the pretext was wrong.
What they don't know is that everybody in the world knew that the pretext was bullshit at the time.
And it's amazing how this is a bit of, this is a key aspect
of the history that's just been lost, which is everybody knew there were no WMDs in Iraq
and that it was just a pretext. It's sort of like Trump's stuff about tariffs on Canada
being about fentanyl, which they're clearly not. It's just a, it's a silly pretext that everybody
knows is a lie. It was the same way in 2003. And I don't know why I felt I needed to get that
off my chest, but it's so that you understand the joke, you see. It's so that you understand
the joke. Jokes explained for the children who are listening. Yeah, exactly, right?
And by children, we mean people who are like 35 and younger.
Yeah, I've got to, yeah, anyway, anyway.
Speaking of Canada,
there has been a compromise at the House of Commons,
apparently through a Microsoft vulnerability.
We're going to go ahead and guess that's a SharePoint,
you know, the SharePoint on-prem bug.
Yeah, that seems like, they said it was like something that was patched recently,
and yeah, we've got a good set of Microsoft bugs lately, could be anything.
The nature of the data taken was employee details,
so job titles and locations and emails, but also information about
their managed computers and devices. So that kind of feels like they've landed,
probably, in a SharePoint site that was involved in, you know, device management and so on.
So, you know, we, I think this has been sort of attributed-ish towards China.
Like, we haven't seen a concrete attribution, but, you know, China attacking parliaments
of Five Eyes countries
is a thing that both your country
and my country have experienced,
so it makes sense
that Canada would be on that list as well.
I mean, it's not exactly
advanced Cluedo, is it?
You know, it was China
with the SharePoint bug
in the drawing room.
You know, like, it's just,
come on,
who else?
Who else?
Now let's
turn our attention to Norway
and the police there believe
that pro-Russian
hackers were behind an attack against a dam's industrial control systems.
Now, this attack didn't really result in anything terribly bad happening because it was a
well-designed system, but nonetheless, you got hacktivists starting to flip switches and
open valves at dams, kind of newsworthy.
Yeah, it's not, it's certainly not great.
And I don't know that when we originally talked about this, you know, it wasn't
attributed to anyone, but it certainly felt like it was probably hacktivists of some sort.
And Russia-linked totally makes sense, so no real surprises there.
The dam in question was not hydro.
It was, like, fishing related, I think.
And, you know, the operator of the dam says there wasn't much particular impact.
But as you say, yeah, like, when you've got people busting in
and just, you know, flipping switches, opening stuff,
trying to cause damage even when it's not effective.
Yeah, it's not great.
Now, speaking of operational technology, industrial control systems and whatnot,
CISA and a bunch of other agencies, not just American agencies, Australia's
own Signals Directorate was involved, for example, they've released a 31-page
document, and it's guidance on OT asset inventorying. So how to discover, how
to catalog, how to, you know, how to think about, you know, maintaining an asset
inventory of IoT systems. I think this is, like, people underestimate the
degree to which guidance like this is actually necessary, because so many
of the operators of critical infrastructure don't even have security teams, you know, or if they
do, it's like one person. I'm thinking about like municipalities and, you know, in Australia,
we call them local governments where, you know, you and I both know someone who works for one
of these, one of these local governments. And, you know, it's like one person who's all of a
sudden being told, oh, by the way, you know, all of this critical infrastructure, you know, make that
secure while they're also trying to, you know, run the desktop environment and whatever. So,
I think this is a good move. I've had a thumb through the guidance. It looks pretty sensible.
Yeah, yeah. But I know, you know, guidance like this is just really helpful to put in front of your leadership
when you're trying to secure some budget or present a plan for how you're going to address, you know,
the high-level goals of let's not get hacked. Let's not be insecure. But the actual concrete steps of that,
you know, are quite involved. And this document's good because it's sort of a blend of high-level guidance,
but also they've got a bunch of examples, like worked examples of here is how,
you know, we worked through this with, you know, an electricity provider,
and here's how we did it with a water provider,
and just kind of give you some good ideas to look at.
And things as simple as, like, what data should an asset register
for an OT environment contain?
Like, what things do we need to collect?
And how important are they?
And that's the kind of stuff that, you know,
if you have to work on that stuff from scratch,
you know, you spend three months coming up with a taxonomy
before you even start doing any actual useful work.
This is a thing that you can basically kind of pull off and start applying straight away.
And that's just really helpful guidance.
It's useful, you know, it's more useful than immediately regulating the crap out of everyone with
no guidance or giving them token amounts of money to go spend with commercial providers
that are going to, you know, are incentivized to not necessarily help them, but sell them
things.
So this is a good approach and applies, you know, from small up to very big organizations.
Now we're going to talk about something we never, ever, ever talk about.
About?
This brand new, very exciting.
I've never seen this before.
It's a fortinet bug.
Hey, did you do.
Oh, dear.
Man, this bug, so it's called FortMajeure, Fort Majeure, which I think is a very good name
for a Fortinet bug.
And the person who found it has written it up in a blog post about it.
It's an auth bypass leading to access in FortiWeb.
What's a FortiWeb?
So that's the web app management interface for their web app firewall.
Okay.
I guess that's what I'm trying to say.
And as you say, we've had so many Fortinet bugs,
and in that respect, it is no different than any other Fortinet bug.
It's just trash.
The reason I wanted to talk about this one is that this bug is, basically,
in one of the authentication headers,
there is a value which is used to look up some encryption keys in a table
in memory. So there's an array in memory of encryption keys, and there is an index which
tells it which encryption key this particular message, this cookie, is going to be
encrypted with. You could just provide very big values for that and read off the end of that
array into other memory, which might in fact be zeros. And then at that point you've zeroed out
the crypto keys and you can write your own cookies, and auth bypass and onwards. And that's
an interesting kind of bug. But the thing that aggravated me is that it is trivially discoverable
through fuzzing.
Yeah.
And this means that Fortinet did not fuzz
their web app firewall's authentication functions.
And that offends me in that kind of, you know, security, deep security place.
Yes.
That us old curmudgeons have,
the way we feel like people ought to be doing things properly.
And then you see something that just proves to you that,
no, they really don't do it properly.
They really don't.
They do not.
Yeah.
It's just, it aggravates me.
And I wanted to vent about it
on the show, and here I am.
Do you feel better?
I feel better now.
Okay, excellent.
Now, we're just going to touch on this briefly because it's, you know, there's been a bit
of a scandal around Black Hat, which is an Israeli citizen who apparently works for the
Israeli government in some sort of cyber, you know, important cyber role.
His name is Tom Artiom Alexandrovich.
He was arrested in Las Vegas after some sort of sting involving child sex crimes.
I think it was one of those things where you have the FBI pretending to be someone
underage and someone organizes a meeting and whatever and he got arrested. He was bailed and went
back to Israel. There was some reporting not, I can't really say from incredibly credible sources or
at least sources that I'm aware of that the Trump administration intervened to get this guy bailed
and back on a plane to Israel. Now we've got the state department actually denying it saying he did
not claim diplomatic immunity and was released by a state judge pending a court date. Any claims
that the US government intervened are false. So, I mean, this
has got everything right for online controversy, which is, you know, allegations of White
House impropriety, a senior Israeli official, given, you know, the relationship between the
US and Israel has a huge spotlight. I'm like, it's just, I mean, it's like a controversy
sandwich, this one. Yeah, yeah. It's headline bait is what it is. Yes, yeah. Crazy. And look, we've
got another story here we're getting towards the end but Matt Burgess and Lily Hay
Newman have a write up here from Wired
about how these Southeast Asian like pig butchering and scam compounds
are now being linked to sextortion against children,
which in my view is, you know, the worst online crime.
It results in suicide.
Horrible, horrible.
I think, you know, there's an argument to be made for the death penalty
for people who engage in this sort of thing.
And now it looks like it's happening at industrial scale
thanks to these compounds.
Yeah, so the Wired reporting is based on some work by the International Justice Mission
that looked at cases where, you know, online fraud was happening and they had IP address records
and things and they tried to correlate, you know, where on the internet the people carrying out
these, you know, the fraud campaigns were coming from and they tied it back to, I think,
40 out of 44 scam compounds in Cambodia, Myanmar and Laos, and linked them to cases where, you know,
young people, vulnerable people were being extorted.
You know, typically this is the kind of thing where they, you know, get involved in some online
relationship, get convinced to send, you know, compromising pictures or whatever else,
and then extorted to not, you know, share those with their family and friends or social media
or whatever else.
So they tied them back to, you know, source IP addresses
and used that to kind of cluster, and the conclusion is that, like, this isn't just one or two scam compounds,
that this is really widespread amongst those scamming communities,
scamming businesses, I guess, because this is not just recreational,
and that that's a thing that we should take into account when we think about how we regulate them.
And of course, as scam compounds spread to other parts of the world, right,
that it's not just financial crime, it's not just crypto, you know, that sort of the pig-butchering stuff
doesn't necessarily just stop there, right?
There are other types of scamming that they're doing,
and yeah, it's pretty gross stuff.
When you think about the human misery
that these compounds are responsible for,
now whether that's old people being fleeced out of their life savings,
which is horrible,
whether it's this stuff,
which somehow manages to be even worse,
or the fact that the people who are perpetrating these crimes
are being held against their will and forced to do it
under threat of violence,
My lord, you know, the people really at the top of this stuff, you know, I wish for the most horrible things imaginable to happen to them because they're the ones doing this, you know, making a business decision to pivot into these types of crimes. It's a business decision. It's for money. It's, yeah, it's the sort of thing that just you read about it, you want to have a shower.
Yeah, yeah. It really is, it really is pretty gross.
And I think the research here said that, like, although they've managed to tie something like 500 reports of child sextortion to these organizations, the data suggests that there is actually, you know, so, so much more because, like, there's so many areas where the data is incomplete, and they're doing things like relying on data from ad brokers and stuff to try and tie things together.
So, like, the data, the source data is already patchy and incomplete.
But, you know, we've already talked, we've talked at length,
about kind of like the sheer scale of these compounds.
And, of course, it makes sense that this is also scaled far, far beyond that.
I think the IJM team said something like 18,000 cases, they reckon they could probably
tie together based on the data they've got, which, you know, given they've tied,
they can actually kind of more concretely attribute 500, it kind of gives you a sense
for how big the actual iceberg is, you know?
Yeah, yeah, horrid.
All right, palate cleanser now.
Let's follow this up with a happy chaser,
which is that Phrack's 40th anniversary edition
is out, the legendary Phrack e-zine, Adam.
Yes, yeah, Phrack 72, I think this is the 72nd issue.
They started in 1985,
and as usual, it's in a much the same kind of format.
Text, you know, zine,
although there's some more artwork these days.
It's not just ASCII.
And yeah, good collection of stories.
I haven't read through everything in this drop yet,
but it's always a great read and an important part of our hacker history.
So good job Phrack team and good job all the contributors.
Now, we're going to wrap up this week's news section
by talking about an acquisition that just happened in Australia.
And it is an interesting one and it is directly relevant to you
because Accenture has bought the Australian cyber security firm,
CyberCX. Now what makes CyberCX interesting is it was like a private equity
driven roll-up of a whole bunch of pen testing and consulting firms in Australia
including Insomnia which you worked for for a long time and part owned in fact.
So the idea was they they got all of these consultancies I think like something
like a dozen of them rolled them together pumped it full of money to expand and
grow the business with the idea of turning it into a real force and they did
this. CyberCX today apparently has
1400 staff
and yeah it's just
been apparently there's been an acquisition agreement
inked with Accenture
for around a billion Australian dollars
which I think at the moment is
650 million US dollars or so
which means that all of the
founders of those pentest companies
people like yourself are now actually getting
paid right because this was part
of it there was a bit of upfront money
and then the idea was eventually when this thing is
built and is sold everybody
gets paid quite well. So congratulations to you, first of all. Also, congratulations to all of the
people I know who are a part of this, because there's a lot of them, right? So this is very good news
for an awful lot of people who worked very hard to make this happen. But I guess the reason I wanted
to talk about it on the show, and the reason it has sort of relevance for an audience outside
of Australia, is this is the first time I can think of where a PE roll-up like this has actually
worked. Because what would happen previously is people had bundled together a few of these
consultancies, do some sort of deal. Then all of the founders would hit their earnouts,
leave, start new consultancies and the other thing would just wither and die. I think what
CyberCX is successfully done here is grown to such a scale that it's not going to be threatened
by a bunch of people leaving now that they're getting their earnout to spin up boutique
consultancies. This isn't going to damage or harm or threaten CyberCX or Accenture, I don't think.
I mean, let's see how it plays out, but I can't think of another one of these that has done this
well. Yeah, I mean, I am pleased to be involved in a thing that has actually worked out.
And I know when we were originally in conversation with the mergers and acquisitions team
that the private equity firm behind CyberCX had put together, you know, there was a bit of doubt
as to whether we would be able to pull it off,
whether it was going to work,
because, as you say,
there are so many examples of this not working out well.
And I think, to my mind,
the thing that they got right here is,
so they rolled up a bunch of pen test firms,
but they also rolled in incident response firms,
managed security services and like SOC operating teams,
some cloud people,
and they got to the point where they had built,
a thing that could combine all those disciplines.
Because when we started Insomnia back in the day,
we thought we're going to be just hacking.
We're not going to do any fixing.
We're not going to do any building.
All we're going to do is here is a report
about the things that we found,
the technical evidence that supports,
you know, your risk decision-making.
And that's the only thing we'll do.
We'll do one thing.
We'll do it well.
And after 10, 15 years of doing that,
it became clear that it needed more than that.
And you, you know, we would have customers
that would phone us up,
that we had a long relationship with saying, hey, we've been hacked. We need, you know,
what do? And we would have to say, like, despite us knowing your infrastructure really well
and knowing your software and knowing your stack, we don't do incident response. And you
don't want us to come in and do a half-ass job, you know, go get someone else. And the thing
that CCX got right, in my opinion, is by blending those things together, they were able to
deliver good value, right? And by integrating the managed security people and the same company
doing all of those things. It worked out pretty well. It also means that no one founder now released
from their, you know, their handcuffs is going to be able to go build something that can do all of
those things. One part of it maybe, like maybe incident response, maybe managed security service,
but no one's going to do the whole thing. And security is now sufficiently important that you have
to get all of those parts together. And that's kind of why I felt like it worked this time,
as opposed to, you know, the ones that didn't work
because they were, you know, a bit too limited in their ambition and in their scope.
Yeah, I mean, it was a big play and it's, I mean, it's been many years now, right?
And I think you sold off Insomnia in, what, 2020, just as the pandemic was kicking off, I think.
Yeah, just going into the pandemic was when we started, like, when we inked the original deal,
and then, of course, we had, you know, many years before you can move onwards.
Yeah.
Well, and it's really sad for you, I guess, because you joined Risky Business Media a little while ago,
full time and I bet you're really disappointed because you could be working at Accenture soon
if you had to stay. I'm not sure that I can contractually, at this point in time, answer that question
or comment on that subject. No, but I mean, look, it's a different discipline now, right? Like it is,
it is a more serious thing, you know. The days of beardy hacker dudes like you, you know, running the
serious consultancies, I don't know, maybe it's better we get the big
companies to do it now, you know? I don't know. Maybe we've moved on from that era, I guess,
is what I'm saying. Yes, yeah, absolutely. Like, so much has changed and, you know, I look back to
how it was when we started infosec consultancies. And, like, not just us and so many, but all
around the world, like the hacker kids that kind of grew up in the 90s and early 2000s,
then went onwards to start consultancy businesses. You know, we had a lot of fun and we did a lot
of good work, but ultimately, security didn't matter until, you know, real crime, you know, real
espionage, real, like, until serious business got involved. And to be honest, you know,
solving these problems takes more serious business than, you know, a bunch of hoodie wearing
bogan t-shirt wearing nerds who just like computer hacking, you know.
Well, look, congratulations again. I want to say a special congratulations in particular to
Alastair MacGibbon, who has been kicking around in Aussie infosec for a long time. He was originally
with the Australian Federal Police and then bounced out. He worked for Malcolm Turnbull for a while.
you know, as a sort of national cyber security advisor or whatnot.
And, you know, he was really one of the driving forces in pulling this whole thing together.
And I just know how insanely hard he has worked over the last, you know, half a decade plus to make this whole thing happen.
So Al Mack, congratulations to you.
But Adam, that is actually it for the week's news.
Big thanks for joining me to talk through all of that.
And we'll do it all again next week.
Cheers.
Thanks, Pat.
We certainly will.
I'll see you then.
That was Adam Boileau there, who was just taking a break from shopping for his new set of ivory backscratchers in the wake of the CyberCX acquisition to slum it with the rest of us to talk about the week's cybersecurity news.
Big thanks to him for that.
Okay, it is time for this week's sponsor interview now with Fletcher Heisler, who's the chief executive at Authentik.
Authentik is an open source-based IdP.
So, you know, Entra, Okta, Ping, whatever.
You've got Authentik, which is open source, you know, most of it's free.
There's some enterprise features that you'll pay for, but the point is the core of it is open source
and, you know, you can go and inspect it, you can extend it, you can integrate other things with it.
It's much more flexible.
And you can run it on-prem, which is a huge thing for a lot of people.
So Fletcher joined me for this conversation, though, about the work that they've had to do.
to unify their IdP with Windows logins, right?
So a user can go to their workstation,
enter in their IdP creds, and bang,
unlock their workstation and go through and, you know, true SSO.
So here's Fletcher Heisler talking about all of that.
Enjoy.
It is a very tough journey.
We try to be very standards compliant and vendor agnostic.
And when you get into the OS level of things,
that could be pretty tough.
Because you guys are all like,
hey, we're in the cloud.
It's all SAML and, you know,
blobs of JSON and, you know, browsers and stuff, and now all of a sudden, you know, then you're
using some Win32 API from the 90s. Yeah, exactly. You're up to your ears in Windows internals. And like,
I, you know, how is that, man? It was tough. I mean, so we developed this, you know, individually, very much so,
for Windows, for Mac and for Linux, in terms of registration and login and so forth, and
the custom credential provider for Windows. These are all still a work in progress, but it's taken months
of some pretty tough work and a couple restarts to decide what is the best way to do this.
How do we even do this?
Some uncharted territory there for sure.
The Mac version, we already integrated with Shared Signals framework for Apple Business Manager and so forth.
So we kind of had a foot in the door of how should this be done.
That took a couple weeks.
Jens came back with a Linux PAM integration after a weekend.
So that was a nice, refreshing little
jaunt through a hackathon after the challenge of the Windows side.
But we figured that would be the challenging one,
but would have a lot of interest on the enterprise side
for so many Windows desktops that you want to secure once
and not have to do that extra hop.
Well, I mean, that's the thing.
Like the Linux one was easy.
Yay, that's great for the 1,000 people in the world
who actually use Linux on the desktop, right?
Yeah.
Unfortunately, that ain't where the market is.
So, you know, I mean, God, I just don't even know where you would begin when trying to put something like this together.
Why don't you give us a rough idea about how that process actually works?
Because I wouldn't have the foggiest of where to begin.
How does this work?
Like, you know, what directory has to be working?
Is it like, are you doing something based on the windows, you know, that Windows login from a lock screen?
Is it then kicking off some other process that is doing the SSO for the, you know, the more webby stuff in the background?
or are you actually changing that log on screen and that's some sort of, you know, custom binary
or, you know, your own application, which is then handling the unlock.
I can't imagine that's the case.
But, like, walk us through, like, the way that would even work because I don't know.
Well, I am not the one who's developed this.
So, you know, I may not be the one to get too deep into the internals, but we did, you know,
bring out a couple contractors who are experts in the various parts of Windows API internals.
It was even a question of what language do we write this in?
We ended up somewhere between C and C++.
But to have the flexibility of Authentik so that you can say at the desktop, we want you to enable biometrics or use your YubiKey or whatever that means,
we needed a few different executables packaged up, because we needed to launch an iframe, essentially, at the end of the day, that is Authentik.
And that is your sort of login portal from there.
The mess that led up to getting to there, I still don't totally understand, but, you know, Jens can rehash that over the next few hours, probably, in terms of the internals on the Windows side.
So was this something where there was like a lot of customer demand for this or like what actually spurred on the idea of like, oh, yes, make.
And you know, it's really funny that you're talking about this because people listening might think, oh, okay, well, you're just saving people from having to, you know, put their creds in a couple of times, right?
Like, big deal.
Yeah.
It's amazing what a barrier to sales for like certain like security products that I know of where there might be a clunky second step or something, right, involved and they like they won't do the deal.
Yeah.
Because there's executives who don't want to have to put in like two passwords or something like that.
Like it is absolutely a deal killer.
Was that why you, you know, decided to prioritize this?
We've had a lot of interest on the, say, federal side in terms of air gap instances and so forth.
where every step of the way that you can lock down more is a major improvement.
I'll give a specific example, though.
So one of our customers is the 911 Center for the state of Washington.
So that's a whole Windows environment where everybody is swapping around workstations.
They have, you know, biometric requirements, lots of specific, you know, compliance-based
requirements that they have to meet.
And these are usually older folks swapping around to a new machine every day.
need to log in and start taking calls, and that's literally life and death sometimes,
that they need to be able to get into that machine and not go, where did I keep my post-it
note? Why isn't my fingerprint scanner working? Whatever the problem happens to be there. So
every step of the way that you can condense that and make it easier and more streamlined for them
is a huge win. Yeah, I mean, I'd imagine that this would be already pretty popular in the
Microsoft ecosystem, right? Like for people who are using Windows and Entra, like it would already
do this, right? Yeah, yeah. The challenge is, you know, bridging across those different
ecosystems, right? If you are wholly bought 100% into the Microsoft ecosystem, there are a lot of
interesting things you can do with Windows plus Entra, plus, et cetera. If you have any other
devices or applications that don't speak as well, that's often when we come into the conversation
as well to say, let's be that final mile to get you integrated with everybody else.
Well, I mean, I can't think of too many enterprises of any scale either that are purely Microsoft, right?
Like, there's always going to have been a merger and acquisition.
There's always going to have been some weird project that took off over here and then wound up becoming a department or something like that and they're doing it a little bit differently.
I'd imagine that's where this stuff is going to plug in, right?
Definitely. And sometimes vice versa.
Like, we acquired something that's all AD and we can't quite get rid of it, but we're not sure how to talk with it with our existing systems.
Yeah, right.
That's why we try to be very broad.
in terms of, you know, what, what can we talk to? How can we dynamically situate that in your
existing IDP ecosystem? Because that's, that's really what it is when you get to a big enough
enterprise. Now, is this all open source, you know, free and open source, this stuff as well,
like the rest of Authentik? It will definitely be source available. We're deciding basically what
to do about it in terms of what makes the most sense. Well, that's what I was wondering,
because this is a pretty enterprise-y sort of deal, right?
Like, is that a part of it that you want to give away,
or is that a part of it you want to license?
Yeah, we've had a pretty clear black and white so far
of this makes sense for HomeLab users,
these features, you're probably a pretty big company
with these sorts of compliance needs and so forth.
And we've been really fortunate to be able to draw that line really clearly.
I think we might just need some community feedback as well
if folks say,
here's a really clear reason why I need this particular
feature integration, you know. We took the remote access control and moved that to community
because we saw more home lab users interested in it, and so that made sense to move that to
open source. So it also might be something that we kind of explore over time too. Yeah, I mean, like the
Linux PAM integration bit, like, yeah, you might community that, but the Windows bit, yeah, you can pay for
that. You know what, you've convinced me. That sounds pretty, pretty straightforward to say
Linux PAM, you're probably a home lab user. Yeah. I just got back from DEF CON and speaking to
the many dozens of Linux desktop users who are running Authentik in their home lab. So I'm sure
they'd enjoy that. Yeah, yeah. So I guess the other reason I asked if it was open source is because
you're dealing with something that you've developed in C++ that handles authentication and plums
into Windows internals. The other reason I asked if it was open source, and you said it is going to be
code available, is like, I imagine, like, auditing slash pen testing slash, you know, like red teaming
a feature like this is going to be fraught. Like, have you actually done that yet, or is that
pending? We have engaged some experts who know that area very well, specifically, that they're going
to take a look as well, because, you know, even if it doesn't seem like there are practical avenues,
because this is, you know, a thing running on your machine, it's pretty core and important, so
we want to make sure we don't have any loose ends there, for sure. You need, like,
Windows internals Rain Man, basically, to look at something like this. Yes, it's not, it's not for
normal people, right? Like, you need to have a certain type of mind to look at this and see
where the pitfalls might be. So is that, like, is that through, like, a security firm, or is it just,
like, a contractor? Or, like, I'm just curious how you even begin to look at a thing like this.
Yeah, um, through a firm who I know has those sorts of experts. I don't know if we've
signed anything officially yet, but, you know, we basically publish the results of
all of our tests as well, so we're getting up on our annual pen test as well,
we'll see how it goes. All right, now we're getting towards the end here, but I did want to ask
you about back channel logout. Like, this is another thing that you've now got in Authentik.
Great idea, but only works if app providers actually integrate it. The idea here
is, like, it's like universal logout, right, for sessions, and this is one of the big
problems with, like, web-based SSO: a user exits a session, the SaaS apps don't know to
invalidate their sessions, so they just stay open, right? And this could be a really big problem,
particularly around things like incident response, where you've got an attacker who's
managed to, you know, hijack a bunch of authenticated sessions, and there's not really an easy
way to invalidate them. So back channel logout's one way to do that. I think Okta's got their own
as well. So it seems like there's, there's, you know, there's a couple of ways for SaaS providers
to do this. The problem is more that they're not doing it. You know, so you've now done
back channel logout. Like, what's the reception been among the actual app makers and SaaS
providers to you doing this? Have you had any conversations with them? So Okta's universal
logout, I believe, is limited to applications that the application or Okta has integrated with
in some way and written that logout flow. So you can also already do that in Authentik,
just with expression policies and so forth. That was why, in part, we were dragging our heels a bit
on implementing back channel logout. That's actually up and coming with our next release
later on this month, because, as you say, there aren't a whole lot of applications that support it.
I think one of the few IdPs that also does so is Keycloak, and so that was one of the applications
we were testing against was Authentik plus Keycloak and logging you out of each system with
each system. So there are a few important ones. I would love there to be more in the world as well
because it is a great standard and should be implemented for the security reasons you mentioned.
We'll also be implementing SAML single logout, but, you know, the idea that you can log out of your IDP and have that, you know, transfer to all of your other applications is just a no-brainer.
Should be the way that things happen.
Similarly, you have, you know, some sort of signals of someone, you know, left a group or some other suspicious signal, maybe even a login from an unexpected location.
those should also dynamically be able to send out those logout requests on your behalf through the back channel.
So we'd love to see that happen more.
I remember having one of the OCTA people on the show talking about this.
And from what they were saying, like this is not rocket science, like getting the invalidating these sessions when a user is logged out.
It's not rocket science.
The problem is really the application providers aren't integrating them.
I think there was one thing they were pushing on pretty hard, which is they were begging the risky business audience to start putting this as a requirement into procurement documents, which I think it would, I think that is the smart way to fix this.
Yeah, yeah.
Well, we're going to be heading out to DjangoCon next month and thinking about some various hackathon ideas of, you know, helping people work on Authentik.
If you have your own application, I'd love to help you implement back channel logout there.
So that might be a good push that way to get it out in the community.
All right, Fletcher Heisler, thank you so much for joining me
from a very late recording session in London.
A pleasure to chat to you, my friend.
I'll look forward to doing it again soon.
Thanks so much.
That was Fletcher Heisler there from Authentik.
Big thanks to them for that.
And that is it for this week's show.
I do hope you've enjoyed it.
I'll be back this Friday with a fresh edition
of the wide world of cyber podcast with Chris Krebs and Alex Stamos.
But until then, I've been Patrick Gray.
Thanks for listening.
Thank you.