
PLUS: Elon Musk and Pavel Durov fold like cheap lawn furniture...
Patrick Gray
Hi, everyone, and welcome to Risky Business. My name's Patrick Gray. This week's show is brought to you by Stairwell. And Stairwell's founder Mike Wiacek will be along in this week's sponsor interview to talk about how people are using their platform to hunt down detection-resistant malware. That is coming up later. But first up, it's time for a check of the week's security news with Adam Boileau and our special guest co-host, former US Presidential Cybersecurity Advisor and NSA Cybersecurity Director, Rob Joyce. These days, Rob is advising startups as well as some very large companies about all things cybersecurity. And of course, he has time to join us here on Risky Business every now and then, which is great. So, guys, we're going to get into the news and I'm going to find a slightly odd way to start this week's discussion by talking about a little victory I had as a parent recently. So I have two kids. One is six years old, one is three years old, and my three year old boy was just steadfastly refusing to use a nappy, or a diaper for our American friends, when he wanted to do a number two. So he'd always come up and say, yes, I'm ready for my nappy because I need to do a number two. And we'd be like, buddy, can't you use the potty? Can't you use the toilet? And he'd always say, absolutely not. He'd jump up and down and scream and the whole sort of thing. So it's been an ongoing battle until recently where I said, that's it. You will not have any dessert, you will not have anything sweet, you will not have any treats until you learn to use a potty. And of course, there was a lot of jumping up and down and screaming. After two days, he cracked and he is now using a potty. Very proud of himself. Huge parenting win. Really good. Now, something similar has happened in Brazil with Elon Musk's X, right?
Which is, after all of the sound and the fury around this ban on X, and X refusing to censor accounts or to take down accounts as demanded by the Supreme Court and saying that the Supreme Court judge was a dictator and they're going to stand for free speech and there's going to be protests and there's going to be this. And they folded like cheap lawn furniture after a couple of weeks of a ban. I am not surprised by this and I am surprised that other people are surprised by this. First we saw SpaceX capitulate and block X. Now we've seen X is reappointing local counsel in Brazil. They're paying the fines that they owe to the Brazilian government and they've agreed to act on the Supreme Court judge's orders. Adam, let's start with you on this. Are you surprised?
Adam Boileau
No, I'm not at all surprised. I mean, the idea that Elon Musk would have to go potty, like I'm here for that. And no, not even slightly surprised. And I think it's, you know, it's one thing to fight the free speech fight in the US, but the moment you show up in Brazil or India or all sorts of other places around the world, you know, it's just kind of a different kettle of fish. Not everywhere is the U.S. and, you know, you can't be the same free speech man child everywhere.
Patrick Gray
Yeah, I mean, I love how they're so committed to free speech until they're mildly inconvenienced, which seems to be the case here. And I would note too, that in India and Turkey, they have no problem whatsoever nuking accounts at request of the government. You know, we do have an American with us though, Rob, who I imagine is deeply committed to First Amendment principles. You know, what have you made of this whole episode?
Rob Joyce
You know, I love a good free speech, but the reality is these are sovereign countries and Musk is a businessman, so he's got a choice between staying in the country or having his free speech. And it's clear that he voted. He wants to stay with the capitalism, not the free speech side.
Patrick Gray
Yeah, I mean, you do wonder, though. I mean, okay, he is a businessman, but he doesn't really tend to run X like it's a business, which is perhaps why revenue has collapsed by something like 83% according to reports. But yeah, look, the other one that we're going to talk about this week too is Telegram, because same thing, you know, Pavel Durov did not want to go potty. He did not want to go potty. And then he was arrested for basically, you know, facilitating all manner of crimes. And now he said, okay, I'm going to. I'm going to use the potty, basically. Adam, let's get your take on this. I mean, again, I mean, what they're saying now is, look, we've updated our privacy policy and we'll provide user information like IP addresses and whatnot in response to law enforcement requests. You know, I mean, again, are you surprised here? Because I am definitely not. I think, given the choice between sharing a cell with a bank robber in France or continuing to fly around the world on your private jet with your Instagram model girlfriends, seems like a pretty clear decision for him.
Adam Boileau
Yeah, yeah, it certainly does. And I think the question here is going to be exactly how does, what form does this cooperation take? Like, they're willing to share these identifiers with law enforcement as part of what they said, like, you know, legitimate law enforcement investigations or something. But, you know, doing that consistently, building the frameworks, building the, you know, the mechanisms for law enforcement to submit those requests, servicing them in reasonable time, providing the data, like the proof is going to be in the pudding. With Telegram, at least with X in Brazil, it's pretty clear it's either blocked or not blocked or the people are deleted or not deleted. We can kind of see that response, Telegram, you know, we'll have to wait and see whether they do actually make a good faith effort of it or not.
Patrick Gray
Yeah. In which jurisdictions they're going to be responsive in. Rob, I did have a question for you on this, which is so much of the discourse around cybersecurity and, you know, online privacy and stuff focuses on anonymizing technologies and E2EE. But ultimately, even if you've just got a service like this, like Telegram, which just uses basic TLS encryption for its users, they might be collecting logs and whatever, but if they're not going to cooperate with law enforcement, I mean, the people using it are kind of enjoying the benefits of anonymity anyway. Right. So you don't need to be using some crazy Tor based thing to get that benefit. I mean, how much of that. You know, I understand that you're limited in what you can say here, but how much of a problem is it just when you're dealing with platforms that just won't cooperate with governments? You know, when you're in a, either in a SIGINT agency or, you know, your friends at the FBI and whatever, how much of a problem is that compared to the hardcore, you know, anonymization tech?
Rob Joyce
Yeah, I really think the, you know, the services like Telegram and some of the other major platforms have been growing their ability to provide warrant proof communications. Clearly, France thought that Telegram either could or should supply information and they, they went at them hard and Durov blinked. So I think, I think the fact that the French went to this extreme shows that it's a real problem and they were concerned. And I think you've seen some laws, you know, like even in Australia, where the law is kind of indifferent as to how you supply the information. But you've got to make sure that you can respond to a lawful intercept request. And, you know, I do believe over time that companies do need to figure that out. You know, civil society needs the ability to enforce the rule of law, and that's what we're talking about here.
Patrick Gray
Yeah, we've got another piece on this that we're going to talk about later, and I've definitely got something to add on that. Just while we're on Telegram, though. The Ukrainian authorities have now banned the use of Telegram across military, critical infrastructure and a bunch of, you know, government departments and whatnot. Kyrylo Budanov, who's one of the intelligence chiefs in Ukraine, has said there's solid evidence and substantiated data that Telegram is cooperating with Russian authorities. I think that's an interesting angle to this whole thing as well, which is, it does seem there's a lot of smoke around that, that Telegram was cooperating with Russian authorities, but not with Western authorities, which I think was even more of a motivator for the French. Would you agree with that?
Rob Joyce
Oh, absolutely. You know, look, Telegram has a long history, and Durov has a long history with the Russian government. He made a big deal of trying to stand up to the FSB way back in 2013 and departed Russia, you know, when they were squeezing him. But he quietly returned to his home base in St. Petersburg in 2014, and he's been able to come and go from Russia ever since. Right. And that tells you something, because the Russians have a very strict law. It's the SORM law, S O R M. And, you know, it started with telephone and cellular intercept, and then it moved into Internet in, like, 1999, and then it grew in 2014 to include all forms of comms, to include social media. And, you know, the idea that he could come and go while defying Russia is inconceivable. It is very clear that he reached some sort of agreement. The Russian government got what they want, both under law and just under what the FSB can demand. And they've even made some statements, you know, in the Russian government that they found a compromise with the FSB. There was a quote that Telegram installed the equipment so that it can monitor all dangerous subjects and dangerous subjects. That's a pretty wide lane to drive through when you're the Russian government. So I am highly confident, based on a lot of public information, that, you know, Telegram is absolutely cooperative and the Ukrainians are super wise to get out of Dodge and make sure that their information is not on Telegram.
Patrick Gray
Yeah, I mean, I think what you say, the fact that he was not arrested by the Russians gives you an indication there, you know, but it's just, I guess it's a bit of a plot twist that he gets arrested by the French. Now, let's move on to another story here, and this one I find pretty interesting, which is TikTok has now, you know, we spoke last week about how Meta has basically kicked RT off its platforms. Given recent revelations from US Authorities that say that RT is acting as an extension of Russia's intelligence community, we've now seen TikTok follow suit, which I guess, you know, TikTok people forget it might be owned by ByteDance, which is a Chinese controlled company with major, I think, Western shareholders, but they don't really have the controlling authority over the company or whatever. But TikTok is really the Western facing app. There's another one that ByteDance operates for the Chinese domestic market. So this isn't like they've removed RT for, you know, their Chinese audience. But I do find it interesting that, you know, TikTok is at least trying to put up a bit of a fig leaf here and say, see, we're not a malign influence. You know, we're deeply concerned about misinformation. Adam, let's start with you. What did you make of this?
Adam Boileau
I mean, I guess it makes sense for them and it's an easy move, right? You're following Meta. There's not going to be any pushback. And as you say, it's good for them to be able to have something to say, point out and say, hey, look, we are playing by the rules. We are part of your media ecosystem and we're doing what you want. But it does fall a little flat for people like us that have been following this story all along and kind of know about how the Chinese work. So, you know, good for them. But, you know, come on, I think we can see through it, right?
Patrick Gray
Yeah, exactly. I mean, I do think it's. I also think the, you know, people have kind of forgotten that ByteDance is going to be forced to divest TikTok, like actually quite soon, that's coming up in January and there's court challenges and whatever, and I think everybody's in a holding pattern to see who's going to win the next US Federal election. But I would think that this is a sensible thing to do if you want to at least reserve the option to maintain that respectability so that you might be able to Find a US consortium to actually buy the thing. What's your sense, Rob, on how this is actually going to play out? Do you think that. Look, let's just assume for a moment and it could be a dangerous assumption. We know what's going to happen under a Trump admin, which is that the ban won't go through. But if Harris wins the next election, you know, how do you see this playing out? Do you think that TikTok will wind up being divested or do you think the CCP will just put pressure on the company to shut it down as kind of like on the principles sort of thing?
Rob Joyce
Yeah. I don't know where the China government goes. I don't think Harris administration blinks. Right. I think its policy on China is going to be fairly consistent with the current administration. And Congress has been very clear about where they stand. Right. This was also almost a bipartisan issue where everybody could rally behind. So I think the US is going to continue that pressure. I just don't know if China will allow their company to be seen buckling under in almost Elon Musk Brazil fashion. Right.
Patrick Gray
Yeah. Let's see if they go potty. Right.
Adam Boileau
Are we going to end up with like Oracle TikTok? Yay.
Patrick Gray
I know, right? Crazy stuff. Now look, we included this one this week, Rob, because you're joining us and I figured you'd have plenty to say about it. The Biden administration is proposing a rule that would ban Chinese and Russian like automotive software from cars sold in the United States. It looks like the idea is this would take effect for model years from 2027 and the ban would become law in the year 20. You know, this is something I know you have opinions on, so I wanted to get your thoughts on whether or not you think this is a positive development. I'm going to just go ahead and guess that you think it's a good thing.
Rob Joyce
I think it's an important thing. I realize it's going to come with a lot of pain both economically, technically and in business and even international relationships. But the reality is the regret factor is going to be super high if you let the Chinese throughout the, throughout the infrastructure that we use to do self driving cars and automation in that space. So it took an enormous amount of effort to highlight the Huawei challenge and you know, both financially and technologically, that was a huge, huge problem. We got to the point where there weren't western options. So I think the intent here is to get ahead of the challenge while there still can be western options before the this market is completely mature and get those Western options in there so there can be a trusted provider.
Patrick Gray
I mean, the Chinese automotive industry is just a juggernaut. I mean, there's no other way you can put it. You know, I live in a country where we don't have tariffs on Chinese cars and because we don't really have a local car industry to protect anymore. And Chinese cars are just everywhere and they're quite good. My last two cars are not from Chinese brands, but they were both made in China. My Tesla that we got rid of because of Elon was made in China, and then we replaced that with a BMW iX3, which was also made in China. So just even on the manufacturing scale side, China's just come out of nowhere to be such a major player in automotive. So I think what you're saying about this, trying to encourage others to serve the US market, you know, I really get what you're saying there. I do fear that perhaps, you know, Americans might wind up driving inferior cars as a result, though, if the innovation is going to continue as it has in China.
Rob Joyce
Yeah, they certainly are. Manufacturing powerhouse, but we've got to get some alternate supply chains.
Patrick Gray
Yep. Yep. Now, another topic near and dear to your heart is Kaspersky. And this week it looks like they have completed their withdrawal from the US market by switching over the installations on computers in the United States. Basically, Kaspersky users in the US woke up and Kaspersky was gone and something called Ultra AV was installed in its place. There was initially some confusion here and people saying that they had no idea this was going to happen, although it does look like Kaspersky had notified its customers via email that they were going to make the switch. Ultra AV is owned by an American company. Personally, I think this was a responsible thing for Kaspersky to do because it means that users will continue to enjoy some level of protection. Whereas if Kaspersky had to stop shipping signature updates, you know, there was going to be some bit rot there. So I think they kind of did the right thing here. Adam, let's start with you. Do you agree with me that they actually did the right thing here? Because they're getting a lot of flak for it, but I kind of think it was justified.
Adam Boileau
Yeah, I mean, I think, you know, you're right, like for them not shipping an update and just letting it bit rot and letting people think they were still getting, you know, updates and still being protected, you know, that was not the responsible choice. So finding someone to buy it, take over that installation, ship a smooth update process. I mean, and this argument about exactly how smooth it was, like that's the right thing to try and do. I mean, I'd never heard of Ultra AV and certainly the impression you get from some of the Kaspersky forums is that nobody seems to have heard of Ultra AV before. But, but, you know, I guess as long as it does something, maybe we, you know, remain to be seen whether it's any good. But yeah, the Kaspersky forums, like I tried to read them to get some vibes and like, it's just such a frothing mess of, you know, of people who don't understand what antivirus software is or how computers work and, you know, just so much frothing at the mouth that was kind of like I ended up just closing the tab and deciding I didn't want to think about it anymore.
Patrick Gray
Yeah, I mean, I've met Eugene Kaspersky a bunch of times. He seems like, you know, when it would come to something like this, he would be motivated by trying to do the right thing. I think protecting, you know, the average Internet user at scale is something that he does personally care a lot about. I think it's been his sort of driving motivation throughout his career. But Rob, what's your, what's your opinion here? Do you think they did the right thing?
Rob Joyce
Yeah. So two points, Patrick. One, I do think it was reasonable to replace the AV and to have a plan to do it. I think they executed really poorly. You know, there are a bunch of people. I went to the same forums, Adam, and yes, it was angry people with pitchforks and torches, but many of them said I definitively didn't get an email. Right. They went back through and, you know, I'm sure some of them hit the delete key. Some of them ignored it, but I am also certain many didn't get an email. And there was a big question as to why they just didn't get a pop up that they had to click through on their Kaspersky, you know, a week or a day or some period of time beforehand, saying, hey, this is what's happening. Because there were others who read the thing that said they'd be transitioned and you know, they assumed they'd get, you know, a key code for their new AV that they would download and install. The second point I'd make is this was an educational moment for a lot of people. It really woke them up to why we were saying having an untrusted AV in a position of root access on your computer is not the place you want to be. And you know, when Kaspersky disappeared and all of a sudden this new program was automagically installed with no user action, there were people that were dumbfounded. Now, many of the listeners of this program will understand that, yes, that's a very achievable thing for the level of access that your AV has, but there are a lot of people who didn't realize it. And that just drives home the point of how much control the antivirus has. And it doesn't matter whether it's a Western American antivirus or a Russian or a Chinese. You have to pick your, your trusted partners. And this is, to me, it's akin to when TikTok, you know, went ahead and messaged all their users with the phone numbers of their congressmen and incited them to call congressional offices. Right. It just told everybody the position of power they had.
And that, you know, was a shoot yourself in the foot moment for TikTok. I, I think, you know, if Kaspersky had any chance in this space, this was a shoot yourself in the foot, no, recover, recovery. Not that, you know, they were likely to be able to recover anyway.
Patrick Gray
But yeah, look, I think, I think, Rob, they knew that the US is a market that's a door that's closed to them forever. The TikTok thing that you mentioned, I almost mentioned it earlier, which was, I mean, that was the most spectacularly idiotic bit of government relations I've ever seen. When they were literally giving people, and they gave people pop ups where you could actually just tap the number to call directly off your, off your phones. Absolutely insane. Hardened the resolve, really turned things around. I mean, if you're looking for, you know, a couple of key things that really did TikTok in, it was a lot of the content that was on there pertaining to the Israel Gaza situation and then that bit of, that bit of absolutely insane government relations work. That's.
Rob Joyce
So I think both of these, you know, both of these actions will go down in corporate history as, you know, bad, bad own goals, where they did themselves a disservice.
Patrick Gray
Now, real quick, Dr.Web, which is another Russian cybersecurity firm, they shut down a bunch of services after claiming that they had been attacked. I mean, we don't really know much here. This could be hacktivists, this could be just Ukrainians who want to cause some damage. It could be SIGINT agencies. I mean, I would think it would be a hard time to be a Russian software vendor with a presence in a lot of Russian networks, Rob. I mean, I'm sure you would agree with that.
Rob Joyce
I do. Right. I think all of those and their friends are coming after these opportunities. We just got through talking about what a position of privilege an AV provider has. And so if you want to brick a bunch of machines, if you want to understand and get data back about the structure of networks and the places they're located, that's a position of power. So it doesn't surprise me that somebody's coming at them hard.
Patrick Gray
Now we've got some news out of Australia, which is Ghost, the crime phone network, which was sort of smaller than a lot of the other ones that we've seen, but it was starting to grow, was starting to really take off. The guy who was running it was actually Australian, 32 years old, Jay Je Yoon Jung, and he's been arrested and charged with running the platform. And it looks like the Australian Federal Police were all over it in, you know, it's a classic of the genre, right. They managed to somehow access their update server and push an update, I'm guessing it was signed, out to all of the handsets, collect a bunch of intelligence, then drop the hammer. I mean, I'm, you know, it's just insane, I think, for an Australian citizen to be running a service like this when we have entirely competent law enforcement agencies who are going to catch you. Was that your impression too, Adam, when you read about this?
Adam Boileau
Yeah, I think it does show some poor threat modelling on behalf of a person deciding to stand up a crime network, especially given the history of attacks by the Australian law enforcement and also other law enforcement as well. But picking a jurisdiction to, to operate that kind of business in seems a pretty important choice. But, you know, I guess a lot of people fall into this, like they start small, they start making it for some friends or some associates and then it, you know, kind of balloons out of control pretty quick. So maybe there wasn't a lot of thought upfront, but, I mean, you know, advice from risky biz to aspiring criminals is if you're going to run the replacement crime for a network, maybe choose a different jurisdiction, maybe think about your OPSEC early on, you know, do it.
Patrick Gray
From a country where you can bribe the local law enforcement so you don't wind up in prison, I think is the boilerplate advice for something like this. And also, you know, the Australian Federal Police were really all over the ANOM operation, working with the FBI and showed that they were very happy to act extremely aggressively on operations like this. I'm just, you know, as. Again, I'm just. This guy was always going to get caught. Was that sort of your impression as well, Rob?
Rob Joyce
Oh, I love what law enforcement's doing in this space. Right. You talked about how fast Ghost grew. They grew fast because law enforcement pulled all their competitors off the playing field. And so, you know, when people looked around and tried to find the next best thing, there was Ghost. So they became the bright, shiny object for law enforcement to target and they had a spectacular win. You go back, you mentioned ANOM, but Phantom Secure, EncroChat, Sky Global, there's a whole, you know, just parade of entities that have been pulled down. And now, you know, there's everybody looking over their shoulder about who knows what and who's been pressured because there's evidence against them and have flipped who's in the chats in other places. And this is just the gift that keeps on giving. So this is, this is wonderful work by all the law enforcement folks that continue to squeeze the criminal forum.
Patrick Gray
Now we've got a blog post to talk about quickly, which is from Bunnie Studios. And it really looks at how the Israelis might have been able to sneak explosives into pagers that were detonated about a week ago across Lebanon belonging to people in the military wing of Hezbollah. So last week I said I'd seen some speculation that the explosive charge may have been contained in the batteries. It looks like that's a pretty plausible theory. Adam, you found this blog post and yeah, walk us through the gist of it.
Adam Boileau
Yeah, so Bunnie Huang is a guy that's been in the infosec scene, but has done a lot of hardware work over the years, a lot in like games consoles and other kind of, you know, hardware adjacent hacking stuff. And he's also built a bunch of products including custom battery manufacturing. And he talks through like, how do you produce lithium pouch battery cells? What kind of machines are used? How do you manufacture them, how much is the equipment to buy them? And like, if you wanted to build a battery that contained a layer of plastic explosives and then lay that up inside the batteries and then trigger it through the battery using the existing circuitry without having to do much, you know, much too much custom work like using the existing microelectronics to control it, talks through that process, describes how to detonate it, etc, and you know, it's all thought experiments, but it's thought experiments by a guy who has a bunch of experience building these batteries and kind of what's involved in getting the equipment and doing it yourself. So I found it really interesting just from a, like, you know, this is, you know, you always want to read the nitty gritty details. Right. And our audience is into that kind of thing. So I thought that was super interesting. You know, there's no, you know, we don't know how Israel actually did it, but this certainly seemed pretty plausible to my reading.
Patrick Gray
Yeah, well, and I, you know, my thinking around this is that Hezbollah, you know, have a pretty sophisticated counterintelligence operation and they would have inspected these things and hiding an explosive charge in the battery would be one way that they would be able to get these things into the hands of fighters without them realising that was what was happening. Rob, I wanted to get your thoughts broadly on this operation because it occurs to me that as someone with a long history in, you know, a significant signals intelligence agency, this is the sort of thing you would look at and say, I mean, in some ways just wow, because it achieved a couple of objectives, one of which was to severely injure a whole bunch of fighters. And the other thing that they did was really undermine their command and control. I mean, I would think you would be watching this and thinking that it was an effective operation. But, you know, do you have any feelings about how much of a military benefit there would have been from the Israelis actually carrying out this operation? Because of course, when we spoke last week, it was just the pagers. Of course, the next day there were walkie talkies that went off as well, you know. So what are your thoughts on how effective this may have been from both, you know, degrading their C2 and personnel kind of perspectives?
Rob Joyce
Yeah, so I think it's going to be highly effective for a window of time. Right. The reason that Hezbollah went to pagers was because they had been shaped off cell phones. They had watched people have very bad experiences from using cell phones, having cell phones around them and communicating on cell phones. And so they decided they needed a one way communication that was safer. And pagers certainly are that. And now they've gotten to the point where it's very clear that they can't trust pagers, at least for the time being. Right?
Patrick Gray
Yeah.
Rob Joyce
And, you know, where else do you go? You go to tactical push to talk radios, and they can't trust those for a period of time. So, you know, a whole series of the infrastructure was taken down and the pagers that didn't explode. You can bet the people that own those have no desire to clip those onto their body. So, you know, the actual interaction and communications that that have to happen in a time of tension and war. There's a lot of friction now. And you know, I've watched A couple of the, you know, there's been a couple of high profile strikes by the Israelis as well. And you've got to wonder if those became opportunities because people had to use insecure or insecure comms or they were shaped into comms that were exploitable. But wow, it's, you know, at least in the short term, it's going to have a pretty devastating effect on their ability to coordinate and orchestrate.
Patrick Gray
Well, indeed. We've seen a series of airstrikes now targeting southern Lebanon. And you get the impression the pagers and the walkie talkies were sort of the opening salvo in what looks to be a much bigger campaign targeting Hezbollah. It's interesting because last week I described the operation, you know, I said it was very sad that a child had died. And it is, it's tremendously sad. It's a tragedy when a child is killed, you know, an innocent child is killed. But, you know, people were very angry at me and they said that I had just mentioned that in a token way, even though our conversation really did talk about the civilian deaths that occurred as a result of this military action. The reaction to this one has been quite extreme, really, and it's made me go back and just check my work, actually, because the other thing that people took issue with is I described this as a legitimate operation. So I've been to two people who are experts in international humanitarian law to ask them if this was indeed a legitimate operation. I'm going to read from the replies that I got here just because I want to cover this off, because I've been getting a lot of hate on social media for what I said last week. And I will just say too, that if you describe something as legitimate, that's very different to saying that it's an excellent idea that's going to achieve your long term policy goals. Right. So just something to keep in mind. But this source said, look, I listened to your show last week and your analysis, of course, was correct. Step one, there's an ongoing armed conflict between Israel and Hezbollah. Step two, there is a military benefit, and lots of it, to be had by disrupting military command and control and also killing fighters and commanders. Step three, the means used plainly show targeting of those military means and capabilities. Step four, as you said, this actually seems much more protective against collateral damage than an airstrike.
Step five, as we discussed, it's not a violation of the booby trap rule either. So there's been a lot of people saying, oh, there's, you know, conventions against booby traps. Those conventions are really designed to stop militaries. Booby trapping devices that might be picked up by, you know, might be left behind by retreating soldiers and then picked up by advancing troops or even civilians. Not really about, you know, you know, giving, you know, giving someone a Trojan device in this way. So I've got it on two sources, from two sources that they do not believe that that convention has been violated. Unfortunately, these sources do not want to talk about this publicly because they are concerned at the social media reaction. They just want to stay out of it. So I can't tell you all in the audience who they are, but I have told you, Rob, and I have told you, Adam, who my sources are, and I'm sure you would agree with me that they are impeccable sources on this.
Rob Joyce
They're world class.
Adam Boileau
Yeah, yeah.
Rob Joyce
And the other key piece of the analysis, Patrick, is, you know, these were communication devices intended for participants in military active action, right?
Patrick Gray
Yes. I mean, this was. And that's the other thing, too. Overwhelmingly, these pagers were carried by people, you know, Hezbollah officers in the military. Right. So these were not distributed, as best we can tell, to people who, you know, work in the civil service side of Hezbollah, despite the Iranians actually coming out and saying they were primarily used by kindergarten teachers, which I thought was like, my Lord, that's a bit rich. Right. So that they could warn about incoming airstrikes and whatnot. And I just think, you know, people are saying, oh, you know, but civilians were killed, therefore it's a war crime. I mean, you know, this is what war looks like. You go back to the explosion on the Kerch bridge that connects Crimea to Russia that resulted in the death of the poor truck driver who was carrying the bomb, unbeknownst to him, and a car containing a couple who just happened to be driving past at that moment. Civilians are killed in these sorts of actions. Civilians are killed in airstrikes. And one interesting thing that my source did say on this was, so why so much angst going the other way? Simple. First, as we saw 20 years ago with early drone strikes, technical novelty combined with attacks that catch military targets out in civilian settings lead many people to just categorise the whole thing as something other than war, especially if it is attributed to an intelligence agency and not the military. So, look, I don't want to bang on about it, but I did just want to cover that off because I've had, you know, just people really saying some pretty hostile stuff to me over the last week when really what I'm trying to say is, in terms of, like, war history, this is up there with the Trojan horse. Okay. This is a remarkable, incredible operation. It was legitimately targeted and as best I can tell from the sources that I've spoken to, it does comply with international humanitarian law.
So, you know, I'm just here to report what expert sources tell me. So please, you can stop with the messages. Let's move on though, to something else. And again, Rob, I'm glad you're here to talk about this one this week because it looks like the Iranians are still going after the Trump campaign, stealing documents and trying to send them off to the Harris campaign, journalists, anyone who's going to actually do something with the material. The funny thing is though, everybody just seems to be completely ignoring Iranians bearing documents. Right. So this is a, you know, it's a weird old world at the moment.
Rob Joyce
Yeah. Would you expect the Iranians to do any less? Right. I don't think they would. They wouldn't run the first operation and say, shucks, we were caught, we're done. I expect that, you know, this is not the last of some of the nation state interference, or at least interference efforts. But the good news is we're so much more educated, having lived through a couple cycles of this, you know, there was the previous election where there were attempts by the Iranians to weaponize a Proud Boys video. And the US came out and pre bunked it, got in front of it as it was about to run and talked about it. And that just brought a lot of people to understand the games that were trying to be played. In this case, you know, the media has been super ultra responsible, looking at these things that are coming in and just understanding that, you know, they're intended as pawns in this disinformation, misinformation. And so they're taking a knee and thinking about it. I am sure if something amazingly newsworthy were dangled in front of some reporters, it will get some press. But the good news is this is kind of pedestrian tactics and the immune response is dealing with it.
Patrick Gray
Yeah. Meanwhile, House Republican leaders have sent a letter to the FBI and they're sort of demanding an investigation into this. And they're demanding a hearing, and I would think that would be a reasonable thing for them to request. But you do get the impression that probably the intent here is to beat up the FBI in a hearing and sort of make it look somehow equivalent to the Russia hoax from 2016. So you do worry that perhaps this is a bad faith request. I know it's going to be. I mean, look, I can ask you this question now that you don't work for the US government anymore. Is that your read on this as well, Rob?
Rob Joyce
You know, elections are influence operations, but I can ask. Yeah, elections at their core are influence operations. We just want to make sure that it's our politicians and our electorate that are influencing and being influenced. Right. We don't want any external manipulators. And so, you know, the hearings are part of the politics and they certainly will have players in them that have some intent both to defend and attack, and so you can still dodge.
Patrick Gray
A question like a senior. I love it.
Adam Boileau
I was sitting there like Masterclass.
Patrick Gray
That's like Neo from the Matrix dodging that question. Slow motion. Very well done, Rob. We're going to move on to a more technical item here.
Adam Boileau
Golf Clap.
Patrick Gray
A more technical item here. We've got some reporting here from Germany and it looks like they were able to run some timing attacks against users of a secure metadata resistant instant messaging tool called Ricochet that I actually have some history with. Something like a decade ago, I helped them get a grant. I was all hopped up on the Snowden leaks and thought it would be great to have this sort of anonymizing technology in the hands of ordinary people. Very quickly though, you know, it was sort of made not usable in places like China where people could benefit from it. And you know, these days it's used mostly by Nazis and people who like to distribute child sex abuse material. So, you know, I hate to say it, but I do kind of regret my involvement with this project. Even though the people involved, it's not a slight against them, they're all very well intentioned people. But yes, it looks like the German authorities were able to run some sort of timing based attack against the Tor network to find some pretty awful people involved in CSAM. And yeah, I mean that's the story, Adam. I don't think we should be that surprised, should we, that if you've got enough passive visibility over the Internet, over a long period of time, you could start to hone in on people who are operating. You know, this service operates by using Tor hidden services to enable chat. So, you know, it makes sense, doesn't it, that you'd be able to gradually figure it out.
Adam Boileau
Yeah, like if you've got enough visibility of the, you know, the entry and exit points to the Tor network, or to the things where the hidden services are entering the Tor network. Yeah, given enough visibility, you're going to be able to figure it out over time. And because of, you know, the sort of the jurisdictional reality, so much Tor infrastructure is in, you know, Germany and the Netherlands and bits of Europe. Like it's quite concentrated in places where, you know, the overall environment is amenable to anonymity services. But now that we're at the point where law enforcement are cooperating, you do have enough visibility, I guess, to be able to do this kind of work. And we've seen the Tor project talk about introducing chaffing and things to kind of complicate timing attacks. And no one's been really keen to do it because Tor is already so slow that adding those kind of technical countermeasures was always going to come at a usability cost. But I think we're going to see steps towards that because, you know, clearly law enforcement have got to the point where, you know, it's a capability they can and do use.
Patrick Gray
Yeah, I mean, this doesn't affect the Tor browser necessarily, but yeah, I mean, Ricochet, the way that it works is, you know, hidden service based. I think newer versions might not even be vulnerable to this particular type of timing attack. I'm not 100% on that. But Rob, I want to bring you in on this because one thing that I've noticed is we never hear the Five Eyes agencies ever complaining about Tor. You know, they'll complain about end to end encryption; they never complain about Tor. What can we infer from this?
Rob Joyce
Well, I think the reality is that it is one of many things and when people talk about end to end encryption, they're talking about Tor as well. But in reality you've got to figure out the way to get at the targets you're looking for. And that may mean going to the endpoints before it's encrypted. And that's, you know, that's one way around Tor. You know, you've seen the law enforcement solution here. I think overall when you're denied access, people are going to get creative to figure out how they can do the collection to chase the targets that they need to go after.
Patrick Gray
Yeah, quickly, we've kind of run out of time here. But the DOJ in the US has charged a bunch of hackers for stealing $230 million in crypto from an individual investor, it looks like. And you know, the investor was in Washington D.C. and this is a 20 year old and a 21 year old and yeah, they went out and they were spending their money on luxury cars and just having a great time and now they are busted. So having less of a great time. Adam, I wanted to get your thoughts on this one from Brian Krebs, from Krebs on Security. It's just a novel phish, but everybody who's read this is talking about it because it's really dumb and really clever all at the same time. Walk us through it.
Adam Boileau
Yeah, this is great comedy. So this was a phish that showed up and said, hey look, there's some security vulnerabilities in your GitHub repo. Click here to see the details, and then it throws you to a webpage that has a CAPTCHA. And the CAPTCHA, you need to prove that you're human. And the way that you prove that you're human is by pressing Windows+R and then Ctrl+V and then Enter, which means open the Windows Run prompt, paste in the contents of the clipboard that the web app put in there for you, and then receive your PowerShell dropped info stealer Trojan, which anyone technical is going to look at that and go, excuse me, you what now? But I mean it's.
Patrick Gray
But the average user got to work.
Adam Boileau
And it probably does work enough. So like, my hat is off to them for just the sheer sort of brazenness of it. Because like, I mean if someone came to me, you know, on a pen test gig and said I want to try this against our target, I'm like, oh come on, like, you know, work harder, go find some bugs and, you know, shell them the old fashioned way. Don't get lazy. But hey, if it works, it ain't dumb.
Patrick Gray
Now we've just got one more thing we're going to talk about before we wrap it up. And Adam, you actually have been playing around with the iPhone mirroring feature that shipped with the latest version of macOS. Of course, we first spoke about that when Rob was on the show last and we all got it spectacularly wrong because there was some bad reporting early on that suggested this was going to be like a cloud service. It's really not that. And Apple really does seem to have put some effort into making it not present insane security risks. So you've been using it. What are your general impressions?
Adam Boileau
So, yeah, it seems pretty sensible. It's based, I think, as we discussed last time, on CarPlay or that kind of remote control infrastructure that already exists. So there's a pairing process you do via, you know, your iCloud accounts. But after that, you know, you have to authenticate to your local machine, you know, so on my Mac, for example, it prompts me to biometric auth and then it connects to your phone and you can use it. You get pop ups on the phone when it's being used. And then one of the questions I had was like, well, how much access do you have to the phone? Does it do things differently than when you're physically at the phone? And so for example, if you're in the Settings app, the Face ID and PIN changing functionality, that menu option doesn't even appear in Settings when you're connecting to it from the remote thing. And if you try and do something that does require Face ID auth, then it will prompt you to go use your real phone. So there's like a few little edge cases that, you know, I'm glad that they thought about. Whether long term this gets abused in ways that we haven't really thought of, we're gonna have to wait and see. But like, they've made a reasonable effort, which is kind of what you expect from Apple. Right? To have at least thought somewhat about it.
Patrick Gray
Yeah, yeah. I mean, I think it's one of those things where our initial reaction on it was wrong. It looks like they've done it sensibly. I mean, I still won't. I mean, you saw me earlier in this podcast, for the people watching on YouTube, you would have seen me reading off my phone from a source who I didn't want to identify. I don't want to expose that conversation to the screen on my Mac because it is much easier to get a shell off my Mac than it is off my phone. Right. So even just from the point of view of wanting to avoid screen recorders, I don't feel comfortable using it. But I think for the average person it's fine. Rob, any thoughts here?
Rob Joyce
Yeah, I think as the details have been coming out, you know, Apple's got a lot of smart people and they have the advantage of that closed ecosystem where they start all the way down at a hardware root of trust and build up through their stack. So when they put their mind to it, they can do a pretty good job with security. And it looks like there's some new attack surface in any new feature, but I think they're putting a lot of effort into protecting it.
Patrick Gray
Yeah. So apologies to Apple people who no doubt wanted to throw their iDevice that they were listening to the podcast on out the window when we had that initial conversation. But it looks like, yeah, bravo, job well done, or job done as best you can do with that sort of thing. And yeah, they've certainly crossed their T's and dotted their I's, but we're going to wrap it up there. Adam Boileau, thanks for joining us. And Rob as well, thank you very much for coming back to co host with us again and we'll look forward to doing it again with both of you soon enough. Cheers.
Rob Joyce
Thanks a lot.
Adam Boileau
Thanks so much, Pat.
Patrick Gray
That was Adam Boileau and Rob Joyce there with a check of the week's security news. It is time for this week's sponsor interview now with Mike Wiacek, the founder of Stairwell. Stairwell is a really interesting platform that does analysis of all of the files present in your organization to help you do things like track down malware variants that might not be known about yet. I once described Stairwell as kind of like an NDR platform but for files instead of network data. And funnily enough, Mike actually liked that one, so I'm going to stick with it. But yeah, the idea is Stairwell ingests a copy of every single executable file in your organization and lets you do all sorts of analysis on that corpus of data. So you might find some malware on your network and then you can go to Stairwell and say something like show me similar files. And it does. And that's very handy. So today we're talking to Mike about the efforts malware crews and APT operators are putting into evading detection. The amateur crews are still getting snapped because they're doing things like uploading their samples to VirusTotal to see if they're going to be detected. But the real professionals have built their own testing rigs and are a little bit more advanced. Here's Mike.
Mike Wiacek
When you start talking about the really high end adversaries, they're not uploading it to VirusTotal. They're probably replicating a copy of something like VirusTotal internally. If you think as a software engineering company, you have continuous integration, continuous deployment tests. You're running end to end tests, you're running unit tests. If you are a malware developer or a team of malware developers, you can pick what term you want to use, you spend money developing your tools, you spend money developing your capabilities and you want to get an ROI on that. And so there's an economic argument here that it doesn't cost very much to set up a bunch of VMs running the latest builds, kept up to date, of AV products, EDR products, so on and so forth. And you want to make sure that as part of your testing process that you don't get caught before you ship this. And so that kind of raises the question of, well, if the bad guys are able to test in advance, how do we protect ourselves from someone who already knows that they're going to walk by? That's kind of the unspoken truth that we're trying to talk about today.
Patrick Gray
Even what you described, which is having a bunch of VMs with the latest EDR and stuff in them, that's still risky, right? Because it's not like the old days of, like, you know, little engines that would just sit there doing detections. These days, everything's instrumented, everything's going back to a team. Whether it's, like, you know, in the case of your EDR vendors, it's like you're up against teams at Microsoft, CrowdStrike, SentinelOne. You know, you got to make sure this thing really doesn't get detected. So you know, there was the VirusTotal risk where you'd submit something to VirusTotal and then people would run it down. I think there's still a bit of a risk, even if you're doing this as an adversary, that you're going to burn your stuff. So I mean, to a degree I'm kind of surprised that people would still expose their, like, 0day malware to some of these contemporary instrumented scanning engines.
Mike Wiacek
I mean you still have to think about the fact is like a, a laptop that's in airplane mode can still have a bad thumb drive plugged into it. Right? So like the fundamental challenge with the products is so what, you can just.
Patrick Gray
Run them offline, right?
Mike Wiacek
Yeah, I mean, I wouldn't run these VMs connected because I don't know what the answer is going to be. If I was doing it, I wouldn't know what the answer is going to be a priori at all. And I think like that is, that's fundamentally, you know, you have to support it. You can't say, I will run a less than best effort attempt to secure a device just because I can't be on the Internet. Right. Like you never know what's going to be connected to it, what people will share via AirDrop or so on and so forth. These concerns are real. And so it's actually not, it should not be hard to test because the products have an obligation to do what they're designed and sold to do, which is protect people.
Patrick Gray
Yeah. So when I think of Stairwell, I kind of think of it as being akin to the tools that are actually used by those companies, you know, in their offices to, you know, obtain information about files and various artifacts and whatever, and do the analysis work that helps them drive their products. But with Stairwell, you get to do that yourself. So, you know, I imagine you would have had customers who have used Stairwell to play that cat and mouse game with crews that are trying to do evasion. Like, why don't you walk us through a couple of examples there?
Mike Wiacek
Yeah, so I think you have those cases where, you know, the fundamental way that Stairwell works, we try to build it from an architectural sense to make it resistant to attempts like this. So with Stairwell, when people install our file forwarder on a machine, it sends us a copy of any preexisting or new executable or executable like files. Because, you know, we would consider Python scripts and Ruby scripts and stuff like PowerShell scripts as executables under that definition. But the file forwarder has no real security logic to it. When it sees a new file, if we've never seen that file from that particular customer before, it uploads a copy to us. So that fundamentally, again, at that economic level, changes the argument: there is no feedback loop to that machine in real time that says Stairwell thinks that this file is good or bad. It simply.
Patrick Gray
Yeah, I mean, if you want to get that insight, you need to be a customer who's got access to, like, a console. Right? Like, exactly.
Mike Wiacek
You would need to be a customer who has access to a console. But also even then, the adjudication is not necessarily going to be the same from customer A to customer B.
Patrick Gray
Exactly. Because it depends what else has been in that environment and how it's changed over time.
Mike Wiacek
Exactly. What's common here is not common there. So if you think about just taking extreme ends here, what's common software on computers on an offshore oil rig is probably not the same software and files that would be common at Weta Visual Effects, which kind of pops into my head since we're thinking of New Zealand for a second. But like, you know, they're going to have a different set of unique software footprints that would not be found on an offshore oil rig. And so when you start thinking about that, you start taking into account, like, the vertical and the space that's there, the risk factors change. It's much like, you know, I often tell the story that if you're walking down the street and you see a credit card and it has the name Bill Gates on it, it probably has a pretty high credit limit. And what would set off an alarm for my sad little credit card would not set off the alarm for Bill Gates's credit card. Right. It allows you to offer a much more tailored approach. The challenge here is not necessarily to sit down and say we're going to have better detections, we always try to. But the logic at the end of the day is to say, how do I remove the certainty from the attacker's ability to operate? And so since we are preserving all those files we're collecting, we have a really unique capability of doing detection work. But then we're also doing continuous retroactive analysis of those files as well. And so that means as we change our models, if you think how often your EDR updates, if they're distributing new updates every hour or every couple of days, whichever the interval is, any new change in our own internal models and detection profiles, we reevaluate the history of everything that has ever been or is on a particular device.
And so that means if we make an improvement and we realize, hey, this is a new way to detect something bad, and we find that, we can actually come back to a customer and say, you know, three months ago there was a RAT of some sort on this machine. It's not there anymore. The machine's been reimaged, but we have a copy of it and we know what else was happening on that machine around the point in time when that RAT was on there. That allows us to bridge. There's a mental chasm that exists between threat intel, security operations and incident response work. And I often tell people, Stairwell is security operations, threat analysis, incident response done well. Because when you actually look at the way we approach the problem, we're actually really connecting these three fundamental areas together. We have a lot of threat intelligence, big data analysis at the core of our system, but it allows you to do detections across time. And so then you start thinking about, well, you get told about a detection that happened two months ago versus a detection that's happening literally two minutes ago. You can kind of triage, diagnose and debug all of this stuff in one spot so that you effectively can turn any Tier 1 SOC analyst into someone who has the equivalent of years of experience working at, like, a high end incident response firm or a top tier threat hunting firm, literally with a day or so of training on how to use the product and start thinking like that. That's a lot of the hard work. I think as we were talking earlier, you mentioned that startups are, you said it best. How did you put it about edge cases?
Patrick Gray
Well, yeah, it's my saying these days, which is that a startup, well, a software product, is not its core features. If you want to make it mature and something that people buy, you have to turn it into a collection of solved edge cases. Really, because you can build a core product, that's fine. And then, oh, look, I've been using it for half a day and it fell over or doesn't do this or doesn't do that because of this weird thing that popped up. Right. So yeah, it's a collection of solved edge cases. That's the hard part.
Mike Wiacek
That's absolutely the case. And I think the thing is, in security, security lives in the edge cases. The more we try and think of, like, there is a playbook to solve every problem or address every issue, you know, it's again an area that I think bad guys almost bank on. When you start thinking about it, like, I often think my mental model for a lot of the way security products work is, if you think back to, like, old black and white prison escape movies or something, they're in the prison yard walking along the wall, and for some reason, as long as that moving spotlight does not illuminate them, they're invisible. No one will ever see them. And so you always see them trying to duck down or hide from the spotlight. And so if you know the pattern where the spotlight's moving, you just walk around it. And I think, like, you know, that's not how the real world works. And so you need to basically have ways to detect and see and observe things and also plan for failure. Right? Like no one catches everything. There are no magic bullets. And I think, you know, security account executives get a bad rap because they will often, like, tell you that they solve all of the world's problems. And I think one of the things that I really try and stand on with Stairwell is, like, look, I can't solve all the problems. No one can. However, you know, we've baked into our design at that fundamental architectural level, because we are trying to build a platform that bad guys cannot study and evade anywhere near as easily as you can with more traditional solutions, we're bringing the concept of incident response into a security operations team. Like, they can sit down and say, like, hey, there's this weird file on this machine. My EDR told me there was. And then it's like, hey, Stairwell, can you enrich this? And our ability to go over and say, oh, there were similar files on these other machines two weeks ago.
Patrick Gray
So that was really the question I was asking earlier, which is, can you think of examples where customers have actually used this to counter evasion in exactly that scenario? I'm guessing there have been instances where customers have had an alert on something that their EDR/EPP has identified and then they've been able to pivot off that and find other variants that the EDR wasn't detecting.
Mike Wiacek
So, so there was.
Patrick Gray
Or is it more like. Or is the scenario more likely to be that you then find historical stuff that the EDR would catch now but didn't catch then because they didn't have that detection then?
Mike Wiacek
Both. I think there's been cases where, geez, going back, there was a case earlier this year, our research team wrote a publication about Viral RAT and it was undetected by things in the past. And so when we finally discovered Viral RAT in, like, our global object set, which is basically just an amalgamation of a bunch of different malware feeds, we were able to go search for that across our customer environments and we were able to go to a couple customers and actually say, hey, several months ago you had Viral RAT on these machines and here's exactly where it was and so forth. And it actually kind of requires a bit of a mental leap to understand, what do I do about that? Right? Because immediately the first thing is, like, I know how to handle it if it's there right now, I quarantine the machine. But then you start thinking about, well, there was a RAT, a malicious RAT, on a couple of systems months ago. Those systems were acting odd, so they got reimaged. But now you actually still do have to think about, like, what is your incident response plan? Just because the immediate threat is not there, that doesn't mean there was not a risk to the business or anything along those lines. Like, the question I have is, what did those machines have access to? Something that kind of segues nicely from that would be, there was one particular case where we had a customer who was running a top tier EDR platform and someone plugged a thumb drive into that machine, and the malware that was on there was APT malware, we'll leave the country and all that off. But it did not run. And since it did not run, their particular EDR did not generate any sort of an alert or an alarm about it.
Patrick Gray
But it's nice to know, isn't it, that someone, you know, tried. And I was just thinking, as you were saying that too, like, you know, historical information about boxes that got popped. It's probably useful to go back and have a look, well, how did that box get popped? What other compensating controls can we put around these sorts of things? Like, that shouldn't happen, right?
Mike Wiacek
Exactly. I mean, exactly. I think that's exactly the point where we're going. And the other part for that was that machine with the thumb drive. That thumb drive was then plugged into another device that was not capable of running an EDR platform. And so then the question is, what happened on that other device? And so once you start thinking about it like that, there is a. I hate to bring in, like, you know, I hate when people make biological analogies with cybersecurity. But, like, there is some sense of a herd immunity, right? Like, it's not just one machine. If one machine's one cell and then you have another machine being another cell, not all the cells are equal. And so while this machine, had that malware run on that machine, it would have been flagged instantly. It was an older strain of some malware, but that was a point to catch it. And then what happens when it's plugged into another machine that's not able to run a sophisticated EDR package due to resource constraints or so forth? Did that execute on that machine? And was that the actual target? I have to think about these things in terms of a network effect, not as isolated instances. And that's, for us, one of the true value parts of the platform is we've built it.
Patrick Gray
Everything is connected. Everything, everything is connected. All right, Mike Wiresek, thank you so much for joining us on the show to have a little bit of a chat about the, you know, current state of play when it comes to adversaries trying to be very sneaky, which they are. Want to do. Great to see you as always. And we'll chat with you again soon.
Mike Wiresek
Cheers.
Patrick Gray
That was Mike Wiresek there with a chat about malware evading detection. I do hope you enjoyed that. And you can find them at stairwell.com. Don't forget, you don't need to be sending all of your company's files to Stairwell to actually use the platform. You can kind of use it like a private VirusTotal if that's something that interests you. So, yeah, go and sign up at stairwell.com and you can have a play with the tool. But that is it for this week's show. I do hope you enjoyed it. I'll be back next week with a Snake Oilers edition of Risky Business, but until then I've been Patrick Gray. Thanks for listening, SA.
Risky Business #765 — The Kaspersky Switcheroo
Released on September 25, 2024
Host: Patrick Gray
Guests: Adam Boileau, Rob Joyce
Sponsor Interview: Mike Wiresek, Founder of Stairwell
Patrick Gray kicks off the episode with a personal anecdote about successfully potty-training his three-year-old, drawing a parallel to corporate entities yielding under external pressure. He then transitions to the week's security news with guest co-hosts Adam Boileau and Rob Joyce, a former US Presidential Cybersecurity Advisor and NSA Cybersecurity Director.
Notable Quote:
“At the end of the day, you have to pick your trusted partners.” — Rob Joyce [19:12]
Patrick discusses Elon Musk's recent concession in Brazil regarding X's compliance with Supreme Court directives. Despite initial resistance against censoring accounts, the platform "folded like cheap lawn furniture" after weeks of pressure.
Notable Quote:
“It’s just kind of a different kettle of fish. Not everywhere is the U.S.” — Adam Boileau [02:49]
Rob Joyce emphasizes the business decision behind Musk's compliance, highlighting the balance between free speech and sustaining operations in foreign markets.
The conversation shifts to Telegram's update of its privacy policy, agreeing to share user information with law enforcement. Adam critiques Pavel Durov's compliance, suggesting it's a strategic retreat to maintain operational viability.
Notable Quote:
“They're willing to share these identifiers with law enforcement as part of legitimate investigations.” — Adam Boileau [05:08]
Rob points out Telegram's history with the Russian government, asserting that cooperation with Russian authorities likely influenced their stance with Western governments.
Patrick highlights TikTok's removal of RT accounts following similar moves by Meta, positioning it as an attempt to appear responsible amid concerns over misinformation. The discussion touches on ByteDance's forthcoming divestiture from TikTok in the US.
Notable Quote:
“TikTok is trying to put up a bit of a fig leaf here.” — Adam Boileau [11:33]
Rob Joyce speculates on the Biden administration's consistent pressure on Chinese tech firms, hinting that TikTok’s actions are preemptive moves to retain operability in the US market.
The Biden administration proposes a rule banning Chinese and Russian automotive software from US cars starting model year 2027, raising concerns about economic and technological repercussions.
Notable Quote:
“The regret factor is going to be super high if you let the Chinese run through the infrastructure we use for self-driving cars.” — Rob Joyce [14:38]
Patrick expresses apprehension about potential declines in automotive quality, given China's dominance in the sector.
Kaspersky has ceased operations in the US, automatically replacing its installations with UltraAV, an American-owned antivirus product. While some criticize the abrupt switch, both Patrick and Rob view it as a responsible move to ensure continued protection for users.
Notable Quote:
“Many didn't realize how much control the antivirus software has.” — Rob Joyce [19:12]
Rob further critiques Kaspersky's execution, noting poor communication, while observing that the episode inadvertently educated users about how much control antivirus software has over their machines.
The Australian Federal Police successfully dismantled Ghost, a phone network used by criminals, arresting its Australian founder. The operation showcased effective law enforcement tactics, including compromising the network's update servers to collect intelligence.
Notable Quote:
“They became the bright, shiny object for law enforcement to target.” — Rob Joyce [26:51]
Adam underscores the importance of threat modeling and jurisdictional considerations for cybercriminals.
Patrick examines a possible Israeli operation involving the insertion of explosives into Hezbollah's communication devices. He references a blog post by Bunnie Studios detailing how such an operation might be technically feasible.
Notable Quote:
“These actions achieved the objective of severely injuring fighters and undermining command and control.” — Rob Joyce [30:00]
The discussion delves into the effectiveness and ethical implications of using booby-trapped devices in military operations, with Patrick addressing backlash and clarifying the legitimacy of the operation based on expert sources.
Rob and Patrick discuss recent attempts by Iran to influence the US election by stealing and disseminating documents. While acknowledging these tactics as expected state-sponsored interference, they note the increased public awareness and resilient response mechanisms in place.
Notable Quote:
“We just want to make sure it’s our politicians and our electorate that are influencing and being influenced.” — Rob Joyce [39:01]
The segment touches on House Republicans' demands for FBI investigations, with Rob emphasizing the importance of safeguarding electoral integrity against foreign manipulation.
A technical discussion unfolds around German authorities executing timing attacks against Ricochet, a metadata-resistant instant messaging tool. Patrick reflects on his past involvement with the project and expresses regret over its misuse by malicious actors.
Notable Quote:
“Law enforcement have got to the point where they can and do use these capabilities.” — Adam Boileau [41:14]
Rob explains the limitations and necessary adaptations for anonymity tools in the face of advancing surveillance techniques.
Patrick briefly covers a DOJ case involving young hackers stealing $230 million in cryptocurrency from an investor in Washington D.C., highlighting both the audacity and technical sophistication of the operation.
Notable Quote:
“It probably does work enough. So like, my hat is off to them for just the sheer brazenness of it.” — Adam Boileau [44:08]
Adam shares insights on the latest macOS feature enabling iPhone mirroring, noting Apple’s efforts to minimize security risks. While recognizing its practicality for average users, Patrick remains cautious about using it to prevent potential compromises.
Notable Quote:
“Apple can do a pretty good job with security. And it looks like there's some new attack surface in any new feature, but I think they're putting a lot of effort into protecting it.” — Rob Joyce [47:34]
In the sponsored segment, Mike Wiresek discusses Stairwell, a platform designed to analyze organizational files to detect and track malware variants. He explains how advanced adversaries avoid platforms like VirusTotal by maintaining their own testing environments, emphasizing the need for continuous retroactive analysis to counter sophisticated evasion tactics.
Notable Quote:
“We're connecting security operations, threat analysis, and incident response into one platform.” — Mike Wiresek [58:07]
Wiresek highlights Stairwell’s ability to provide comprehensive threat intelligence and facilitate effective incident response, positioning it as a critical tool for modern cybersecurity defenses.
Patrick wraps up the episode, thanking guests Adam Boileau and Rob Joyce for their insights and previewing upcoming editions. He reiterates the importance of understanding and adapting to the evolving cybersecurity landscape, emphasizing continual vigilance and the adoption of advanced protective measures.
Key Takeaways:
Compliance vs. Principles: High-profile platforms like X and Telegram often balance operational viability with adherence to local laws, sometimes compromising on initial principles.
Geopolitical Tech Pressures: US regulations targeting Chinese and Russian tech firms reflect ongoing geopolitical tensions, with significant implications for global markets.
Cybersecurity Tool Vulnerabilities: Advanced adversaries employ sophisticated tactics to evade detection, necessitating robust and adaptive security solutions like Stairwell.
Law Enforcement Effectiveness: Coordinated efforts by agencies globally are increasingly successful in dismantling cybercrime operations, underscoring the importance of threat modeling and jurisdictional awareness.
Notable Guest Insights:
Rob Joyce: Emphasizes the importance of trusted partnerships in cybersecurity and critiques the execution of corporate compliance movements.
Adam Boileau: Highlights the evolving capabilities of law enforcement in countering cyber threats and the necessity for continuous security advancements.
Mike Wiresek: Discusses the challenges of malware evasion and the critical role of comprehensive analysis platforms in modern cybersecurity strategies.
For more insights and updates on information security, subscribe to Risky Business and stay informed on the latest in the cybersecurity landscape.