Risky Business #766 – China Hacks America's Lawful Intercept Systems
Release Date: October 16, 2024
Hosts: Patrick Gray and Adam Boileau
1. Introduction
Patrick Gray welcomes listeners back to "Risky Business" after a short hiatus, sharing anecdotes from his time off in New South Wales, Australia. He introduces this episode's sponsor, Panther, and previews an upcoming discussion on the future of Security Information and Event Management (SIEM).
2. Main Story: China Hacks America’s Lawful Intercept Systems
[00:04 - 05:12]
Patrick Gray opens the episode by addressing inquiries from listeners about his unexpected break. He then transitions into the week's main story, where Chinese Advanced Persistent Threat (APT) actors have reportedly breached components of American telecommunications lawful intercept systems, such as those used by AT&T, Verizon, and Lumen. The primary concern is not the potential for direct wiretapping, but rather the ability to identify targets of FBI surveillance.
Notable Quotes:
- Patrick Gray [04:19]:
“Are we going to argue seriously that the FBI shouldn't be able to tap phones with a warrant?”
- Adam Boileau [03:19]:
“Access to lawful intercept is a thing that a very powerful B. A traditional target of intelligence agencies.”
Discussion Highlights:
- China's Objectives: Both hosts agree that the breach likely serves counterintelligence purposes, allowing China to identify who is being monitored by U.S. authorities rather than conducting their own wiretaps.
- Historical Context: Adam references past operations like Operation Aurora (2008-2009) to illustrate the longstanding nature of such intelligence activities.
- Complexity of the Breach: They discuss the technical challenges of breaching multiple telcos and the sophistication required to access and manipulate lawful intercept systems.
Adam's Penetration Testing Story [07:21 - 11:24]:
Adam shares a personal anecdote about attempting to breach a lawful intercept system during his tenure as a penetration tester. Despite robust security measures, he eventually gained root access through a serial connection, highlighting the persistent vulnerabilities in such critical systems.
3. Additional Security News
3.1. Internet Archive Data Breach and DDoS Attack
[07:40 - 12:42]
The Internet Archive experienced a significant data breach affecting over 30 million users, followed by a DDoS attack purportedly from a Russian group motivated by the Palestinian cause. While the compromised passwords were bcrypt hashed, Adam notes that the sheer volume still poses a threat:
- Adam Boileau [12:00]:
“They're pretty well hashed. So it probably isn't the world's most useful password, but 31 million... still useful for something.”
3.2. Microsoft's Latest Threat Report
[12:42 - 17:17]
Patrick critiques Microsoft's comprehensive threat report, focusing on confusing statistics related to ransomware. He questions the assertion of a "threefold decrease in ransomware attacks reaching the encryption stage," expressing frustration over ambiguous metrics.
- Patrick Gray [16:15]:
“How do you decrease something by threefold? Does that mean it starts at 100 and then winds up at minus 200?”
3.3. Ukrainian Cyber Attack on Russian Courts
[17:17 - 20:37]
An attack by Ukrainian-affiliated hackers, likely in collaboration with Ukrainian intelligence, targeted Russian court systems, resulting in server and backup deletions. Patrick remarks on the ongoing cyber harassment amid the geopolitical conflict.
3.4. Trump Campaign's Use of Secure Phones
[20:37 - 23:07]
Donald Trump's election campaign is utilizing specialized secure phones from Greenhill Software to safeguard communications against potential foreign interference. The discussion touches on broader implications for political cybersecurity and the potential need for government support in securing political entities.
3.5. FBI’s Crypto Sting Operation
[23:07 - 24:45]
The FBI orchestrated a sting operation by creating a crypto token named "Next Fund AI," enticing cybercriminals to engage in illicit activities. This operation successfully led to multiple indictments, highlighting the pervasive criminality within the crypto ecosystem.
- Adam Boileau [24:00]:
“...the entire crypto ecosystem is just one big crime scam.”
3.6. Enterprise Security Software Vulnerabilities
[24:45 - 28:43]
Adam discusses critical vulnerabilities found in Fortinet and Palo Alto products, including exploitable format string bugs and insecure web application configurations. These flaws underscore significant security oversights in widely-used enterprise security tools.
3.7. Young Bug Hunter Exploits Zendesk
[28:43 - 32:29]
A purported 15-year-old bug hunter named Daniel discovered a vulnerability in Zendesk that allowed access to company Slack accounts. After initial dismissal from Zendesk's bug bounty program, Daniel exploited the flaw to earn substantial bounties, exposing weaknesses in bug triaging processes.
Notable Quote:
- Patrick Gray [31:35]:
“HackerOne people came back and they're like, but you didn't tell us you could use it to do, you know, a Slack takeover.”
3.8. Tor Browser Exploit Misreporting
[32:29 - 33:48]
A recently patched Firefox zero-day was inaccurately reported as being exploited against Tor Browser users. Both Tor and Mozilla clarified the misinformation, revealing that the exploitation claims were unfounded.
3.9. Russian Air Gap Hopping Malware
[33:48 - 35:05]
ESET reports on sophisticated malware attributed to Russia, designed to bypass air-gapped systems via USB keys. This malware targets high-security environments like embassies but remains a niche threat.
3.10. Monetizing LLM Access: Brian Krebs' Report
[35:05 - 37:48]
Brian Krebs highlights how attackers are hijacking access to large language models (LLMs) and reselling it for illicit purposes, such as creating AI-driven chatbots. This innovation marks a new trend in cybercriminal monetization strategies.
Notable Quote:
- Adam Boileau [36:32]:
“...stealing access to LLMs ... can be stolen and monetized. Then, you'll see new crime types.”
3.11. Washington Post's Cyber Sleuth Story
[38:04 - 39:10]
Patrick recommends a Washington Post feature about an IRS investigator involved in blockchain investigations, offering insights into the complexities of blockchain forensics and crypto-related criminal activities.
4. Sponsor Interview: Panther’s Casey Hill on the Future of SIEM
[40:47 - 53:29]
Patrick Gray conducts an in-depth interview with Casey Hill, Product Manager at Panther, focusing on the evolution and future of SIEM solutions.
Key Discussion Points:
- Shift Beyond Data Lakes: Historically, organizations relied on data lakes to store vast amounts of logs with minimal structure, which often led to inefficiencies. Casey explains that while data lakes are not entirely obsolete, there's a growing need for structured data formats to facilitate meaningful analysis.
- Casey Hill [42:05]:
“...if you don't have the data structured in a way that makes sense and is actually useful, then you're just spending time elsewhere.”
- Panther’s Innovative Approach: Panther emphasizes organizing data effectively for real-time analysis and detection, moving away from the traditional "throw it all into a data lake" methodology. They assist customers in structuring and querying high-volume, custom logs efficiently.
- Future SIEM Trends: The future of SIEM lies in enhanced security engineering and technical proficiency within security teams. Panther supports this by providing flexible data ingestion, infrastructure-as-code workflows, and real-time detection capabilities.
- Casey Hill [43:41]:
“...how can I have a SIEM that allows me to do things that are a little bit more high leverage with my security engineers.”
- Customer Use Cases: Panther caters primarily to cloud-native, high-tech companies dealing with terabytes of data monthly. These organizations benefit from Panther's ability to manage extensive log data and integrate seamlessly with existing cloud infrastructure.
Notable Quote:
- Casey Hill [51:51]:
“We have customers who... have a balanced team... looking for how can I have a SIEM that allows me to do things that are a little bit more high leverage with my security engineers.”
5. Conclusion
Patrick Gray wraps up the episode by thanking Adam Boileau for his insightful news segment and expressing gratitude to Panther for their sponsorship. He highlights the episode's efficient structure and previews next week's show, promising more in-depth security discussions.
Notable Quote:
- Patrick Gray [39:29]:
“We've managed to keep it pretty tight... the show's not an hour and a half. So that's great.”
Final Thoughts
In this episode, Patrick Gray and Adam Boileau provide a comprehensive overview of significant cybersecurity threats and developments, with a particular focus on China's infiltration of American lawful intercept systems. The discussion is enriched by personal anecdotes, critical analysis of industry reports, and an expert interview with Panther's Casey Hill, offering listeners valuable insights into the evolving landscape of information security.
