Risky Business - Snake Oilers: Push Security, Knocknoc and iVerify

Episode Date: April 29, 2024

In this edition of Snake Oilers we'll be hearing from: Push Security: A browser plugin-based security company that combats identity-based attacks. (Much more compelling than it sounds in this description.) Knocknoc: The tool Risky Business uses to protect our own applications and services. (Restrict network/port access to users who are authenticated via SSO.) iVerify: Mobile security and threat hunting for iOS and Android. (Caught Pegasus in the wild!)

Transcript
Starting point is 00:00:00 Hey everyone and welcome to this edition of Snake Oilers, the podcast we do here at Risky Biz HQ a few times a year where vendors come onto the show to pitch you their wonderful wares. This whole thing is sponsored and that means everyone you're about to hear from in this podcast paid to be here. If you're looking for the regular weekly podcast, just go back to one of the other podcasts in this feed that has a number on it. So we're going to hear from three vendors today, Push Security, Knock Knock, and iVerify. Push Security is essentially a browser plugin that is extremely useful in preventing identity-based attacks, phishing, account takeovers, and so on. It's a much more compelling pitch than you're expecting. I promise you that. Knock Knock is our second snake oiler. And yeah, a lot of you would remember that for the last couple of years, I've been praying for someone to build a product that
Starting point is 00:00:56 dynamically firewalls all your enterprise crap based on a user's SSO status. And Knock Knock have built exactly that. And we even use it at Risky Business to lock up our content management system and to dynamically IP restrict SSH to people who are actually signed in. So yeah, you can firewall off your Confluence, your Citrix, your crummy web apps, whatever. But when a user is authed,
Starting point is 00:01:21 they can access it like normal. It's magical. We love it. And then we're going to hear from iVerify, which originally spun out of Trail of Bits, but is its own company now. And iVerify is a mobile security suite that actually identifies real threats.
Starting point is 00:01:36 They caught Pegasus in the wild with this tool, and you can use this as a substitute for something like MDM too, for compliance purposes. So yeah, if you need a mobile security package for your employees, either because you're attracting serious attackers or for compliance purposes, it's one to look at closely. But first, let's get into it with Push Security. And I really think this one is a compelling pitch. At the moment, enterprise security teams don't really have much visibility or control
Starting point is 00:02:06 over how identities are being used, which when you think about it is more than a little bit nuts. We've got EDR, we've got NDR, but we can't tell when someone enters their SSO password into a phishing site, right? So it just seems maybe that's a bit out of whack. So Push Security has developed a browser plugin that does identity security. And you might think, oh, a plugin, you know, but the browser is the ingress point for identity information. If you wanna tackle identity-based threats,
Starting point is 00:02:36 that's where you need to be. Adam Bateman is the co-founder and CEO of Push Security. And he joined me to pitch Push, and here's what he had to say. And just as a disclosure, I'm an advisor to Push Security and an enthusiastic one at that. Here's Adam. When people imagine what our identity attack service looks like, I think they think about a centralized identity store, and then every employee has one identity, which accesses
Starting point is 00:02:59 everything. And that's definitely the state you want to get to. But the reality is when you actually go and deploy and you look at the data, you end up with your primary IDP with GitHub hanging off of that and Salesforce hanging off of that, and a bunch of other applications are out there as well. So the whole thing's like a big mess. It's a little bit like, you know, your network diagram looks all pretty, but then you go off and do a big phone scan or, like, a discovery scan, and actually it kind of looks a lot different. So exactly, if you're in the browser, you're seeing
Starting point is 00:03:24 everything that everyone's logging into and what you can see there. So we have two different parts of the platform. One side is detection and response. So we actually draw telemetry from the browser and you can use that to detect and respond to different attacks. And then the second side is more of a proactive side.
Starting point is 00:03:40 So you'd actually map out what identities are being used. We can observe as employees create or use identities, map out which ones are vulnerable. And then we can also do things like app control to stop people from accessing certain applications you don't want them to and things like that. Okay. So let's start with the detection and response part of this. I mean, you and I have spoken about this before, you know, away from interviews and whatever. And it's, you know, it is, it's pretty cool. Like once you're in the browser, you can actually do an awful lot, but why don't you start by just explaining, yeah, what you're doing on the detection and response side? Yeah, definitely. So a really simple example, just to start with, and we can go into some more,
Starting point is 00:04:14 some more advanced use cases as well. But if you think about, like, you've got your SIEM and the big three data sources are probably EDR, network traffic logs, like they're the ones that are really well understood. When you add browsers to that, it gives you something pretty unique and different. So for example, let's say that there's a phishing attack against 50 employees inside the organization. You want to know who's been hit by that. So if you look at your network EDR log data, it's going to show you 50 people visited a phishing site. What we can do is actually say, no, 50 people submitted their IDP creds, their Okta, Microsoft creds, into that, and by the way, this is also shared with these other 20 apps. So that once the attacker's got access to those credentials
Starting point is 00:04:57 they can then do password spraying or credential stuffing and everything else as well so you actually get a level deeper. We actually then take that level further. So one of the things we have is SSO password protection. So the browser extension will actually observe when an employee logs into the primary IDP and then pin the password to the official login screen so it can't be entered anywhere else. And so you can configure it depending on which way you want to go. If you put it into sort of full mode, it will completely stop corporate password reuse. So it means that the employees can't reuse their, say, Okta credentials in any other app at all. And before anyone freaks out about you, you know, looking at these passwords, you just hash them and then take the back end of
Starting point is 00:05:40 the hash. And that's how you're checking, right? Absolutely. Yeah. So one of our very early customers this year, a German fintech, really helped us with the privacy side. So we've engineered all our stuff very, very firmly into the platform. So yeah, we do exactly that. The extension does everything locally. So we'll observe the password as it gets logged in and then take a hash of it, store it as a k-anonymized hash, basically a hash chopped in half, and then store that inside the browser sandbox. And then we use that to do a diff, basically, against any other future login, and then we can block and take action based upon that. I mean, what's funny, right, is already what you just described, which is a very small part of this product. Like, I guarantee you, there's like a lot of people listening to this right now who are like,
Starting point is 00:06:21 well, we should get it just for that. Yeah, man. I mean, like, honestly, credential phishing is still a massive problem, and you can do stuff like domain categorization and you can use, like, AI and you can do all these good features, but it's just a really simple approach. It's like, this password is important and it cannot be used anywhere else, so you can't enter it into a phishing site, you can't reuse it against different corporate apps. Done, right? Just takes that category out. Like, really, really strong control. Yeah, I mean, that's a great one. But you're also doing stuff like phish kit detection and all of that usual, you know,
Starting point is 00:06:51 cool stuff you can do once you're in the browser. Yeah, absolutely. So there's some really cool attacks. Like, I mean, Evilginx is the big popular one that people are talking about. But there's also Evil VNC, where you run VNC sessions inside the browser and phish people that way.
Starting point is 00:07:04 And basically it allows you to steal, you know, MFA tokens and session tokens and those sorts of things as well. So we'll detect those sorts of phishing kits running inside the browser and block those, fire all those back to a webhook so you can push that into your SIEM or your SOAR and you can get access to it. We also do stuff like clone site detection. So you can actually observe as someone logs into an application, we take a fingerprint of the app, of a legitimate app, and know what that looks like, and then we can actually detect and block when there are slight variations of that. That's really interesting because if attackers come along and clone, like, an important page, intranet app or, you know, IDP or whatever, we can
Starting point is 00:07:38 then see that that is a potential phishing attempt in a much more generic way, but it also gives us much more generic detection around the phishing tools. Because if you're using something like Evilginx and you're relaying a legitimate page through a framework like that, it modifies it slightly and we can pick that up more generically as well. Yeah, yeah.
Starting point is 00:07:55 Now you got to tell everyone about the stuff you're doing with the header injection in Okta because that's really cool too. Yeah, so session theft detection, this is obviously, if you're in a position then where you've locked down the credentials, you can't gain access to the next thing that attackers are going to do is just directly steal the session token. And once you've got that, you can relay that
Starting point is 00:08:14 against the applications and you can gain control. This is a massive problem. So what we do is just a really, really simple, again, technique. It's always the simple ones that work. And the browser extension will actually effectively inject a one-time token into the header of an HTTP request, right? So as an employee authenticates, we inject the one-time token into the browser. And then that token then appears inside the IDP logs. So you can see them in your Okta or Microsoft 365 logs. What you can then do is use the SIEM, look through the logs, and you basically just look for two matching session IDs from two different requests where one doesn't have our token, right? So effectively it's like the browser extension doing, like, a stamp of approval to say this is an official session that came from an employee. If you then discover one that doesn't
Starting point is 00:09:02 have that, it's clearly session hijacking. Yeah. It's funny, man. Like just talking to you about this, it reminds me a little of, like, and I know it's a completely different product set, different problem set and everything. But like when I first started talking to Island and people would be like, oh, an enterprise browser, that sounds dumb. And it's dumb until you actually think about what you can do with it. And like, this is the same sort of thing, right? Like a browser extension for security, that sounds stupid until you think about literally, like, the million ways that you could use it to make life less miserable. Yeah, 100%. And that's the thing, the attacks are moving inside the browser. If you do a phishing attack, that's inside the browser, and so actually
Starting point is 00:09:38 moving inside the browser makes a ton of sense. And you start to see people doing things like, you know, you're having to do things like TLS interception to try and get into the stream between the browser and the application. Why not just move inside the browser and do it directly inside there? So yeah, it's really effective. It's a really interesting, uh, area. Well, and especially when you look at the average log set coming out of an IDP isn't really that illuminating. Yeah, I mean, so we do do integrations back with IDPs and pull those in as well. Well, it's illuminating once you've got something to compare it to. What I'm saying though is on their own, like, they're not all that, you know. Yeah, well, I think
Starting point is 00:10:15 there's a couple of issues there. If there's a group like Scattered Spider or any of the others, they tend to go directly for the IDP. And so if you're in a position where the attacker goes in and compromises a privileged identity straight away, they're going to go in and start turning off different logs to hide what they're doing. And so if you're just relying on the IDP logs, you're relying on the logs from a compromised device, and so you're not going to see everything and you're kind of blinded. So another reason moving into the browser is kind of interesting. So what some people are actually using our extension for is exactly that. You can stream back every login event that happens inside the browser back to a SIEM, and so if there is a malicious event like that, you can actually correlate that back and say, well, this event, like disabling logs, didn't come
Starting point is 00:11:04 from a legitimate employee's browser. It came from somewhere else. So you can start to pick up that kind of activity as well. Yeah. Now, you know, we've spoken about the detection response. Let's talk about the more proactive, preventative stuff, because yeah, there's a, again, there's a lot you can do once you start collecting this sort of information from browsers. Yeah, so if you're thinking about stopping identity attacks and you're looking to defend your whole identity infrastructure, there's two parts, right? It's reactive, we've just spoken about detection response, but then there's a proactive piece, and actually doing hardening. So all of that's bundled together in a single product. So on the proactive side, we observe identities as they're being created or used, and
Starting point is 00:11:47 the browser extension, because it can observe network traffic, we can actually determine if an identity is behind SAML or behind OIDC or if it's a password login. We can then observe and actually see, do they hit the MFA prompt, what MFA method they're using, is it phishable, and all that stuff gets reported back up to a dashboard. We can then see stuff like whether it's vulnerable to cred stuffing, password reuse, and just general things like whether that password's been leaked as part of a prior breach and a ton of stuff like that as well. So what you end up with in the dashboard is just this full graph of, okay, this is the percentage of apps that are off SSO, these are the ones that are on SSO, and then people can actually use that to move those over onto SSO themselves. Um, so yeah, we do a lot of stuff around that. Uh, that obviously helps you
Starting point is 00:12:29 build out, like, a really good app inventory so you can see everything everyone's logging into, and putting that data in as well as a bit of a freebie in there. And then we do kind of access enforcement, so you can actually start to say which apps people are allowed to access, and you can actually put out block screens to stop people from gaining access to particular applications. Yeah, this ain't a Dropbox place, buddy, what are you doing? Get the hell out of here. Yeah, like one of the really popular use cases that people have been using it for is things like, you know, there's been a big craze around, you know, ChatGPT or whatever. And pasting corporate documents into them and asking for them to be summarized, basically.
Starting point is 00:13:06 Exactly that, yeah. So you can show a banner inside the screen, inside the browser. And so when an employee goes to visit the login or signup page to one of those applications, you can just drop a banner across the top of the app, just reminding people and saying, hey, you can use this application, but please don't put company data in here.
Starting point is 00:13:24 And here's our GenAI policy, as more of a reminder. And you can actually tier that up to get more aggressive if you want to and make it a full block screen and say, nope, you can't access this at all. All right, Adam Bateman, Push Security, killer pitch, man. Uh, I gotta say, very cool stuff. Uh, really enjoyed that. Great to talk to you again and we'll, uh, we'll be doing it again soon, I'm sure. Thanks very much, man. That was Adam Bateman of Push Security there, and you can find them at pushsecurity.com. Our second snake oiler today is Knock Knock, and I'm pleased to say Risky Biz is actually
Starting point is 00:13:59 a Knock Knock user. So regular listeners would have heard me say a bunch of times that what we really need to deal with a bunch of the threats that are plaguing enterprises lately is a product that we can plumb through to our IDPs that can do dynamic firewalling. So think of something like RDP. Wouldn't it be great if you could dynamically IP restrict it to users based on their authentication status? So if someone tries to hit that port, it's closed, but if they're logged in via their IDP, it's magically open. You know, would this be a useful thing
Starting point is 00:14:29 to put in front of Confluence or Citrix or all the other horrible enterprise crapware that's hanging off your perimeter, gathering flies? You know, your custom apps? Yes, basically, yes. A very useful thing. So Dave Kempe from Knock Knock has built exactly this solution
Starting point is 00:14:46 So yeah, Knock Knock handles that plumbing for you from the IDP out to firewalls. And again, a disclosure: I'm in discussions with Knock Knock to be an advisor to them as well. But without further delay, here is Dave Kempe talking all about Knock Knock. We're after a pragmatic solution that people can use to ring fence their current environments, drop in easily with a low amount of sysadmin effort, a low sort of barrier to entry, but solves a very immediate, very real problem people have, which is that they're overly exposed. They're absolutely overly exposed. And that can be from solutions they've picked from vendors that should know better, or from solutions they've picked which, for no sort of, uh, you know, organizational reason other than the guy retired or they ran out of funding or whatever it
Starting point is 00:15:29 might be, is still in the wrong place. Yeah, I mean, I think about this and I think about the problems that it solves, and there's kind of two product categories that it bumps up against, right? One is the, you know, these sort of access gateways into production environments, right, which are designed to sort of ring fence prod. That's one area where you could do this instead. I mean, you might not get the centralized logging and all of that sort of stuff with this, but you can do that. Like if you want to put SSH behind this, you absolutely can.
Starting point is 00:15:59 The other area, SSH, database access, whatever. The other area where it makes sense is in places where people might install an identity aware proxy, but they can be fiddly. And even once you get them up, sometimes the origin is often left exposed. So you need to do some firewalling there anyway. This just seems like it gets you the same thing,
Starting point is 00:16:17 but a lot easier, right? So is that typically where people are? Is that how customers are thinking about this as sort of substitutes for those two things? Yeah, absolutely. So the large benefit is that because of the sort of distributed and agent-based approach, we can have a sort of unlimited flexibility in what we can integrate with. Your favorite web server, Apache, Nginx, HAProxy, applications, WordPress, whatever it might be, databases, SSH, firewalls, your favorite devices.
Starting point is 00:16:48 These things can all be integrated with. And what typically happens is that a customer has a particular use case. They have an old website that they need to lock down. They have a copy of Confluence that shouldn't be on the internet, but still need people from outside to access it. Those are people they can't deploy a VPN to. Those are people they may be over other problems getting to. So they pick one thing, they get it deployed,
Starting point is 00:17:09 and then they realize, wait a minute, we can use this for all sorts of other stuff that we were previously using other solutions for because the simple and pragmatic approach ends up being easy to understand, easy to roll out to users, low barrier to entry for users, and it becomes bigger and bigger and bigger. Yeah. Yeah, 100%. I mean, like, as I said at the intro, like, this is the sort of thing that kind
Starting point is 00:17:30 of feels like a halfway solution. And then you go, well, hang on, it's going to actually achieve what we need it to achieve. And we can put it here, here, here, oh, there, there, there. And that's what happened to us. When we looked at it is we started realizing all of the different places we could use it. Yeah, absolutely. 100 percent. And I think typically part of the journey customers will need to go on is this mindset approach of looking at their system from the outside, understanding that attack surface and then going, well, wait a minute, if we just sort of locked these things down, what else do we need to do? Like, and I think you actually get this kind of moment where it's like, well, can it be that simple? You know, can I sleep at night? Hopefully.
Starting point is 00:18:13 You know, I mean, it's not going to solve your vulnerability management problem, but it kind of mitigates a lot of it, right? So one example that, you know, when I was talking about this before you'd even announced the product, right, and I didn't know that you guys were building this, was something like, you know, your FortiGates or your Citrix gear at the edge of your network. You can absolutely use this to restrict access to those things so that even if they have 0days in them, no one can touch them unless they're an authenticated user. A hundred percent.
Starting point is 00:18:40 So Citrix is a good example. The attack surface of that is giant and it's had a whole series of very widely publicized vulnerabilities. So why not just completely block it? Absolutely. Until a simple gateway can allow it. And we have customers where that's definitely their plan and what goes with the implementation phase of that now, the centralized authentication, the SSO integration, and then opening a port to let people actually access Citrix
Starting point is 00:19:11 and then continue on is actually reasonably easy for users to manage. They click here, they click there, and then they're on. Let me cut you off there and ask you a question. In that scenario, like where is the firewall? Are you actually instrumenting a firewall on the Citrix box or is there something usually in front of it? Yeah, we would generally have a reverse proxy in front of the Citrix virtual hosts.
Starting point is 00:19:32 So citrix.mycompany.com is actually terminated at HAProxy. That then backends into the Citrix NetScaler environment or whatever it might be. And KnockKnock is controlling an ACL on that reverse proxy. Yeah, nice, nice. And I believe also, like, this is a really hilarious example, but you've got a customer at the moment who is setting it up so that the firewall on their Fortinet device
Starting point is 00:19:58 is actually going to control access to its own VPN ports, right? So they're actually using Knock Knock to instrument a firewall on the thing, which is quite hilarious, right? We're adding a feature to firewalls that doesn't exist in many cases. Which is SSO integration. That's right. So exactly. So we're bolting this feature on and the Knock Knock agent is able to dynamically add and remove people from firewall objects.
Starting point is 00:20:27 And the feature doesn't exist. Firewall vendors will only be incentivized to add the feature for their stack. They won't be incentivized to add a set of tools. And typically people don't just have one vendor. They have many different vendors and virtual hosts. And, you know, okay, they've got a firewall that needs this feature. But then after that, they've got virtual hosts that need this feature. They've got websites and all these other kinds of things that need this. So KnockKnock allows them to do all of those things with the one tool set and might look simple, but then allows
Starting point is 00:20:58 all these extra integrations to be from the one place. Now from a user experience, it's pretty straightforward, right? Which is if they want to open up these ports, all they need to do is be authenticated, load a browser tab, and hit a Knock Knock URL, which will then spit out a list of all of the stuff they can access. And, you know, through the process of actually hitting that page, you know, that's how Knock Knock collects their IP and makes the necessary changes to grant people access, right? That's correct. It's a straightforward approach. The source address is updated in the backend of your choosing and then the access is allowed
Starting point is 00:21:34 for a period of time, a timer starts, and the SSO integration or any other, we support SSO, local users and LDAP, and we add two-factor authentication on top of those legacy authentication systems. For SSO, we outsource that MFA to the SSO provider, and then groups are provided by that. Groups are mapped to ACLs, and different groups of users are given access to different resources depending on which groups they're in, and away they go. So from a user's point of view, they literally will click a button and a firewall will open because that button authenticates them to their SSO provider. They've already logged in and away we go. And, you know, I mean, it's one-click firewalling. I don't know if someone has a patent on that. Amazon, hopefully they don't, but it's a one-click operation and then you're on. Yeah. And that couldn't be simpler.
Starting point is 00:22:26 So are people, I mean, I know it's early days, right? But what are people mostly applying this to so far? Legacy websites, Confluence. Yeah. It's not legacy, but hey, it's- Well, but I mean, you could throw this at like your file transfer appliance. You could throw this, which would get tricky
Starting point is 00:22:43 when you've got unauthenticated users who need to do stuff or whatever, but that's just one example. You can throw it at your payroll system, for example. Those things are just ready to get owned, right? Like I had a chat with a guy from Kroll a while ago who's predicting they're the next big category of systems that are going to get mass owned on the internet, and I think he's probably right.
Starting point is 00:23:00 But all of those creaky web applications, you can lock them up pretty good. Yeah, absolutely. And file transfer is actually, uh, definitely, uh, one that we have a number of customers, uh, pursuing, sorry, not pursuing, rolled out with. Um, and there are ways you can get around having, um, you know, sharing links work and all those things, from a, um, reverse proxy URL matching point of view. The ACLs don't just have to be I can get in or not. They can be I can do certain things with an adequately featured reverse proxy like HAProxy. You can even block HTTP verbs.
Starting point is 00:23:34 We've turned web pages read-only for certain people. Just block a GET request or a POST request, however you want it to work. So you can be a fair bit more nuanced about that. You can obviously have URL matching and other things and away you go. So it doesn't have to be all or nothing either. Yeah. And do you expect people will start throwing this at stuff like SSH?
Starting point is 00:23:57 We already have that. The traditional thing with SSH is maybe like restricted to an ASN or whatever, but this is so much better. Absolutely. We already have that. One of our large customers, Massive Australian Telco, uses that for SSH jump box access over the internet. They have roaming teams of network engineers rolling out things around the world. And this is the way they've chosen to do that. And it works great. They've got SSH restricted to knock knock, and then the SSH has 2FA on it,
Starting point is 00:24:24 and they use that as a bastion host and jump on from there. And they find that's a fantastic mix of usability and flexibility for their tool set. Yeah, and it's not like you need to VPN an SSH connection, which is always something that's my brain a little. It's already encrypted. It's already strongly authenticated, but you just don't want to sit it on the internet all the time.
Starting point is 00:24:43 Now, just quickly, I want to talk about the history of the product because it does have an interesting history. It was initially developed, I believe, for the broadcast industry as a way for broadcasters to make video streams available when, you know, VPNs might introduce latency and sort of problems and whatever. Often it's a fire hose of UDP, right? So you created this product initially to allow broadcasters to offer, you know, streaming video, uh, just over the raw internet, uh, um, in a way that was sort of IP restricted and put at least some guardrails around that content. Yeah, that's absolutely correct. And this is not for consumer use. This is for back-end production purposes.
Starting point is 00:25:27 Yeah, yeah. This is when you've got a field crew who's got to get some video back to head office, right? Exactly. They have low ability to modify the environment they turn up to. They turn up to a racetrack or a sports stadium, and they've got to deal with the equipment they have. They need to get the job done quickly. They need the video to be low latency so they can add audio to it so you can then broadcast it. And Knock Knock is a perfect fit for that. And we've
Starting point is 00:25:49 had it rolled out for many years in that environment. And our original installation is actually still going strong to this day. The product has evolved significantly since that original time. And our background in Linux firewalling and web application hosting for some 25 years has created that necessity. And as they say, you know, necessity is the mother of invention. And we have refined the product over many years, rolled it out into a full-featured product ready for market. And those customers will be upgraded to the new version. They're in the process of doing that now. So the origin story is very much one born out of necessity where the users of the application aren't necessarily
Starting point is 00:26:34 your staff. They may be vendors or they may even be customers. So the barrier to entry has to be pretty low. You have no way of dictating how that might work. And another example from one of our original customers is in hospitals. They have ophthalmologists, they go to a hospital, the environment is restricted. They want to be able to get to the remote access environment of the specialist, but that's outside the hospital network. But they can't modify the hospital computers. The SOE doesn't allow for even admin rights. So the specialist is able to do his consultations from the hospital environment using their computers with minimal interaction with that machine. So two things real quick, because we're running out of time. First of all, you mentioned
Starting point is 00:27:15 agents before. I presume they're agents that actually run on the boxes that are doing the ACLs, like so that's either going to be running on a firewall or running on a proxy or whatever. That's the agents. They're not for the users, correct? That's right. Agents are backend devices that update ACLs on the target machine. Just wanted to confirm that for everybody listening. And they run adjacent to whatever it is you want to modify. But we should say also, just before we leave,
Starting point is 00:27:38 that Knock Knock is still pretty new, right? Like there are still a few rough edges on it. Like I think we need to be realistic in saying that, right? Yeah, I think that's fair enough. We're in active development. We recently added internationalization support. That's about to be rolled out. We picked up a number of European customers and we realized that translation's very helpful for users. We have an aggressive roadmap to add features. But yes, we're a small startup that has a product that we feel is mature and ready for market.
Starting point is 00:28:08 However, you know, we're keen to hear from our customers, keen to get it rolled out, keen to get it used in their environments. And there's no shame in it, Dave. You're an early stage startup. There's no shame in it. We're getting it done, mate.
Starting point is 00:28:20 We're getting it done. All right, Dave Kempe, fabulous to talk to you. So happy to finally get this interview out. i'm absolutely stoked to be working with you and uh yeah to the moon let's go thanks patrick love your work that was dave kempi there from knock knock and that is spelled k-n-o-c k-n-o-c and uh yeah pretty easy to find once you get the spelling right our third and final snake oiler today is iVerify. iVerify was originally spun up by Trail of Bits, but has since graduated into
Starting point is 00:28:51 being a fully independent company. It's a mobile security platform that can run with or without MDM and you know, it does useful stuff. As you'll hear, they're really presenting this thing as being like EDR for mobile. It can find bad stuff. They do legit threat hunting. I spoke with Danny Rogers and Rocky Cole from iVerify about their platform, and here's what they had to say. And the first voice you hear is Danny. It used to be that you would buy an iPhone out of the box and you can consider it secure unless you were, say, some super high-level terrorist fugitive, right?
Starting point is 00:29:25 Unless you're Osama bin Laden, you could basically consider this phone to be secure. And that kind of all changed in the last few years with the rise of this sort of mercenary commercialized spyware that now anyone with, you know, what is it, 50 grand could rent the capability to pop an iPhone. And all of a sudden, you had to think about that. It was sort of an uncontrolled risk. And so the base technology within iVerify became a really great platform to build out
Starting point is 00:29:53 what we're considering kind of the first real, you know, true mobile threat hunting company that's focused on this more advanced threat. Essentially, what we've tried to do is we've, you know, the problem, the mobile security problem has just gotten more, you know, dire since since the last time we checked in on I verify. I mean, I don't let me just give you a couple interesting data points. I don't know if you guys saw these two reports a couple weeks ago, one from Kaspersky and one
Starting point is 00:30:20 from Google. Kaspersky said that about 40% of attacks these days are mobile attacks. Now that's driven largely by adware, but a big piece of that is credential harvesting as well. And there were these series of reports from Meta and Google that emerged a couple of weeks back too. And Google said that about 80% of zero days they caught in 2023 were related to commercial spyware vendors. And about half of all the zero days they found were related to mobile spyware on both Android and iOS. And I live and breathe mobile security for a living these days. But those numbers were frankly points to me uh suggest that essentially mobile is where desktop was about 15 years ago which is to say you know about everyone was using antivirus software of some kind but
Starting point is 00:31:13 their computers were somehow always infected anyway and the adversaries fundamentally had the upper hand and could just attack faster than defenders could repel them. And the problem demanded a fresh approach. And that approach looked a lot like CrowdStrike and a lot less like traditional antivirus. And so to answer your question, what we're trying to do is apply some of those same historical lessons to mobile. So what I verify is today is it's a mobile threat hunting platform that offers a mobile
Starting point is 00:31:45 edr service that combines deep ios and android access automated detections and then expert analysis to scale advanced threat detection while staying true to our roots as a company that puts privacy at the center of everything we do okay so you mentioned that now it's about deep access and instrumentation basically and you know pulling telemetry and logs off, you know, off Android and iOS devices. That's hard though, right? Because iOS is notoriously opaque. So how on earth are you actually able to instrument an iPhone in a way that's actually going to tell you when there's an attacker messing with it? Secret sauce a little bit, But no, that's been the big development work that we've done as our own company is take that base technology and build the threat hunting capability,
Starting point is 00:32:34 which is essentially kind of productizing mobile forensics. So using external tools, for example, to rapidly pull forensic data off the operating system, to build heuristics, to pool data from our collection of naturally occurring honeypot. One of the neat things that stood out to me when I joined is just how widely adopted and trusted this tool is among the frontline folks, the folks who are most in the crosshairs of this and the most advanced threats. this tool is among the frontline folks, right? The folks who are most in the crosshairs of this, the most advanced threats. And so that gave us an opportunity to work collaboratively with that community to gather data
Starting point is 00:33:12 and to build a sort of collective defense that if we all shared and pooled data, and this is not content to be clear, like we're not pulling, you know, text messages and images and emails, right? We're pulling as operating system metadata and process information and things like that. But I guess my question is still,
Starting point is 00:33:29 how are you getting that when Apple takes really deliberate steps to stop applications from being able to do that on iOS? I mean, without getting into the details. No, please. Get into the details. Yeah, well, it's not that I, I mean, there's, there's, there's some of the secret sauce that we have in terms of how we access it. You
Starting point is 00:33:50 know, some of it is using the same Apple interfaces that exist. I don't think we're doing anything particularly magic or particularly like we're not, we're not exploiting anything. We're not doing anything you're not supposed to do. We're just using a lot of the existing Apple interfaces, but, but really it's more around productizing it. There are already mobile forensic tools that you can download. MVT is a great tool, but it's big and cumbersome and you have to have a lot of tech savvy. So giving that to a human rights activist on the front lines in Central Asia is a non-starter. Whereas if we can build a productized version that requires them to click two or three buttons and then all the data gets extracted and pooled and analyzed automatically that's that's going to result in a lot more data i 100 see why you said
Starting point is 00:34:35 previously it's like you know if you had to sum up the pitch it's like crowd strike for mobile phones right like i absolutely get it um and you know, we do obviously need something like that. The question becomes, though, like, have you actually caught stuff, you know, commercial spyware in the wild with this tool? Oh, yes. Yeah, very first thing we did was catch the latest copy of Pegasus, which we have and which we'll be presenting at Black Hat Asia very soon. Nice! But we've also, I think that the real story, though, is as we've deployed this across, you know, everything from think tanks to enterprises, we've caught a lot more stuff, too.
Starting point is 00:35:13 I mean, Brock, you have stories of some of our customers catching all kinds of, like, you know, they're not as sexy, but they're just as valuable kind of information for enterprises in terms of identifying risk profile. Yeah. I mean, here's one story that's just, that's frankly horrifying. I think if you're a CISO, I mean, we have a customer who's, let's call them a large defense contractor. We had a detection the other day that, you know, just of a malicious application running on an Android phone. And we looked into it. And essentially, the application looks like, overtly,
Starting point is 00:35:47 that it was left there by a large telecom, a large carrier. But when you dig a little deeper, we found out that the same app is running on about 300 devices in the enterprise. I know. What is this stuff called? It's the interface crap. Bloatware kind of thing. Bloatware, yeah.
Starting point is 00:36:04 No, no, there's a specific one. Anyway, I saw one of the Asimov people do a talk on it like 10 years ago, and it was horrifying. But yeah. Yeah, well, it's pretending to be like basically, or it is or is pretending to be like a demo application that has, I mean, when you dive into it, it essentially has spyware-like capabilities.
Starting point is 00:36:21 It's certainly persistent, and it's on about 300 devices floating around in this company's fleet. And here's the interesting part. These phones were sold to them by their supplier as brand new phones out of the box. So someone there's, there's either a supply chain vulnerability where someone's going around harvesting demo devices from a large carrier, shipping them overseas and selling them as new. And they have these, you know, essentially quasi-malicious applications that are sitting there waiting to be a backdoor for someone.
Starting point is 00:36:52 Or the telco ordered more demo phones than they needed and somehow they got, you know, packaged up. Something like that, I just think, looks like a stone-cold, you know, mistake somewhere. Whatever it is, you know, the point is that, for starters, it was wild because it was a carrier application for a carrier that didn't
Starting point is 00:37:12 exist in that country. It was a US carrier on a phone that they had bought and only ever used in the UK. It was like, what does this carrier even do here? It doesn't exist here. But when we found the original malicious app, then they scanned the rest of their devices and found it on 300 other phones and realized that they'd been conned by their own
Starting point is 00:37:30 mobile phone vendor, right? And then just created this huge gaping hole in their mobile security posture on these company-owned devices, right? When you start to look under the hood, suddenly you see the Wild West when it comes to mobile devices. We found employees running jailbroken phones. We found which employees are being stalked by their exes. You just find all kinds of stuff that you would never have thought of as the original risk. I think that's the real story. I mean, yes, we found Pegasus, but we've also found all these other kind of you know different kinds of vulnerabilities that we never expected to find right yeah and i imagine there's like a
Starting point is 00:38:09 lot of a lot of crappy consumer apps with really bad sdks and stuff do you alert on that stuff as well yeah i mean it depends i mean you know no no we'll never claim to have 100 coverage but certainly like malicious apps on android we cover you know jailbreaks on iphones or just all kinds of different things that can be vulnerable and we're adding to that list constantly too so look uh another question i guess is which verticals is this i mean you mentioned a defense contractor that is utterly unsurprising to me that the types of organizations that would be buying this are the ones that are concerned by uh you know nation level threats you know intelligent they're trying to prevent things like intelligence collection more so than crime ransomware bec that sort of stuff is that about right i think there's two
Starting point is 00:38:54 categories because because we we have this advanced detection capability we have this threat hunting capability so you know anywhere where someone's particularly worried about their threat profile right as you said right you have that defense and government adjacent right space industry that kind of stuff also cryptocurrency kind of you know people that whole industry i mean they keep huge amounts of money on their phones right yeah um so so anywhere that's a particularly juicy target from either a you know economic or a counter espionage perspective or whatnot. But remember, I verify does come with from these sort of privacy roots, privacy first roots, right. And so there's a whole nother category of folks who don't, who say, like, I need some,
Starting point is 00:39:41 as you kind of said at the outset, right, I need some sort of mobile security posture. But I don't want full blown MDM, because say I have, you know, 5,000 employees, BYOD, we need something to make sure that they're all doing some basic level of security hygiene, but they'll never let us put, you know, profiles, management profiles on their phones or, you know, MDM is just too creepy or whatever it is. I mean, there are plenty of places where we deploy alongside MDM, but there are also plenty of places where we're used to achieve a basic security posture like like i was i was a user so so what you're saying is it's in life and death cases and also compliance well it's it's compliance where you care about like where you care about privacy or you care about your employees feeling comfortable on their own personal devices yes of course what's neat is
Starting point is 00:40:23 actually and the overlap between is interesting, like there's some... Well, you can do this so you don't have to do MDM. I mean, I don't even think it's about caring about your employees. It's just that MDM is a giant pain in the you-know-what. Yeah, and you hear that a lot too. We were talking to someone the other day who manages really large political campaigns in the United States, and he was essentially railing against the very large,
Starting point is 00:40:45 I won't name them, but the very, one of the biggest MDMs out there, if not the biggest, you can read between the lines and figure out who it is. He was essentially, you know, saying, I need a PhD in order to just figure out how to, how to configure it so that it doesn't break my enterprise. Right. So there's this, there's these, there's, it's this dual opportunity of, there are CISOs out there who think that MDMs erode trust between their office and their enterprise. And they'd rather spend their political capital on something like two-factor authentication, which I think is totally fair. And then there's this other aspect of it of operational efficiency, which is people, they want mobile endpoint security, but they also don't want to have to get a PhD or hire a solution engineer in order to implement it. All right, Danny Rogers, Rocky Cole,
Starting point is 00:41:31 thank you so much for joining me to talk through the latest with iVerify. I wish you all the best with it. Thank you very much. Pleasure to be here. Yeah, thanks for having us. That was Rocky Cole and Danny Rogers from iVerify there, and you can find them at iVerify.io. And that is it for this edition of the Snake Oilers podcast. I do hope you enjoyed it.
Starting point is 00:41:51 I'll be back soon enough with more risky biz for you all. But until then, I've been Patrick Gray. Thanks for listening.