Risky Business #768 – CSRB to Investigate China's Wiretap Hacks
Release Date: October 30, 2024
Hosts: Patrick Gray and Adam Boileau
Sponsor: Material Security
1. Correction on Apple's CA/Browser Forum Certificate Lifespan Proposal
Timestamp: [00:05 - 01:40]
Patrick Gray opened the episode with a correction to last week's discussion of Apple's proposal to the CA/Browser Forum to shorten TLS certificate lifespans. The show had quoted 10 days; the figure in the proposal is actually 45 days, still short, but a detail the hosts should have checked.
Patrick Gray [00:57]: "It's 45 days, which is still a very short time... we got that mixed up and we didn't check it."
Adam Boileau concurred, noting that 45 days is still too short for renewal to be handled manually.
Adam Boileau [00:51]: "45 days is still short enough that you really can't do it by hand."
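The point behind Adam's remark is that a 45-day lifetime only works if renewal is driven by a machine that knows when each certificate expires. The following is an added example, not code from the show or from Apple or the CA/Browser Forum: it pulls the Validity field out of a DER-encoded X.509 certificate with a minimal ASN.1 walker (no third-party library) and decides whether the certificate is due for renewal. The rule of renewing once two thirds of the lifetime has elapsed is an assumption borrowed from common ACME client practice, not a CA/B Forum requirement, and the sample certificate is constructed (empty issuer, subject and signature) purely so the block runs offline.

```python
"""Renewal planning for short-lived TLS certificates (added example)."""
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x17, 0x18, 0x30


def utc_date(year, month, day):
    """Helper for building timezone-aware UTC dates."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return the (tag, value) elements directly inside a constructed TLV."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = {UTC_TIME: "%y%m%d%H%M%SZ", GENERALIZED_TIME: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def validity_from_der(cert_der):
    """Return (not_before, not_after) from a DER Certificate (RFC 5280 layout).

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # skip the explicit [0] version when present
        fields = fields[1:]
    validity = fields[3][1]                # serial, sigAlg, issuer, then validity
    (t1, nb), (t2, na) = _children(validity)
    return _parse_time(t1, nb), _parse_time(t2, na)


def renewal_decision(not_before, not_after, now, renew_fraction=2 / 3):
    """Classify a certificate as 'ok', 'renew' or 'expired' relative to `now`."""
    lifetime = not_after - not_before
    renew_at = not_before + lifetime * renew_fraction   # assumed renewal point
    if now >= not_after:
        action = "expired"
    elif now >= renew_at:
        action = "renew"
    else:
        action = "ok"
    return {"lifetime_days": lifetime.days, "renew_at": renew_at,
            "days_left": (not_after - now).days, "action": action}


# --- constructed sample certificate: only the Validity field is meaningful ---
def _tlv(tag, body):
    """Encode one DER TLV, using long-form length when the body is 128+ bytes."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(not_before, not_after):
    """Build a minimal, unsigned DER Certificate with the given UTCTime validity."""
    validity = _tlv(SEQUENCE, _tlv(UTC_TIME, not_before.encode()) + _tlv(UTC_TIME, not_after.encode()))
    tbs = _tlv(SEQUENCE,
               _tlv(0xA0, _tlv(0x02, b"\x02"))   # [0] version v3
               + _tlv(0x02, b"\x01")             # serialNumber
               + _tlv(SEQUENCE, b"")             # signature algorithm (empty placeholder)
               + _tlv(SEQUENCE, b"")             # issuer (empty placeholder)
               + validity
               + _tlv(SEQUENCE, b"")             # subject (empty placeholder)
               + _tlv(SEQUENCE, b""))            # subjectPublicKeyInfo (empty placeholder)
    return _tlv(SEQUENCE, tbs + _tlv(SEQUENCE, b"") + _tlv(0x03, b"\x00"))


SAMPLE_45_DAY_CERT = build_sample_cert("241015000000Z", "241129000000Z")

if __name__ == "__main__":
    nb, na = validity_from_der(SAMPLE_45_DAY_CERT)
    print(renewal_decision(nb, na, utc_date(2024, 11, 20)))
```

Run against a real certificate (`validity_from_der(open("site.der", "rb").read())`) the same walker works because it only depends on the field order RFC 5280 fixes; the point of the two-thirds rule is that with a 45-day cert the renewal window opens at day 30 and any missed run leaves only a couple of weeks of slack.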
2. Chinese APT Intrusion into US Telcos and CSRB Investigation
Timestamp: [01:40 - 04:41]
The week's major story is the Salt Typhoon intrusion, in which Chinese state-backed operators got into US and other telcos and specifically targeted the systems used to provision lawful intercepts (wiretaps). Early reporting framed it as an attempt to learn which targets the FBI was wiretapping; later reports indicate the intruders also monitored live calls, including those of staffers and campaign members on both the Trump and Harris campaigns. The Cyber Safety Review Board (CSRB) will investigate the breach.
Adam Boileau [03:18]: "Provisioning your own wiretaps of political staffers like that definitely is a little more... rude."
Patrick expressed optimism about the CSRB’s investigation, though he noted potential limitations due to classified information.
Patrick Gray [03:50]: "The good news is here we should find out a lot more given that the CSRB is going to look into this."
3. Operation Magnus: Takedown of the Redline and Meta Info-stealers
Timestamp: [07:08 - 09:06]
Operation Magnus was a coordinated action by international law enforcement agencies against the Redline and Meta info-stealer operations. Authorities seized servers and domain names, arrested customers in Belgium, and indicted the Russian operator, who remains at large in Russia. The Dutch police also took to publicly taunting the operator, drawing on tips from private sector infosec firms.
Adam Boileau [07:56]: "They made a little video about the most recent update to the software, which basically said... good luck with that."
Patrick likened the operation to 90s-style IRC troll wars, highlighting the theatrical nature of modern cyber takedowns.
4. Crypto Theft from US Government Wallet
Timestamp: [09:06 - 12:24]
In a bizarre incident, nearly $20 million was stolen from a US government-controlled cryptocurrency wallet holding funds seized during the Bitfinex hack investigation. Blockchain investigators, including ZachXBT, spotted the unauthorised movement of funds. Oddly, the attacker then returned the money, suggesting either that they had not realised whose wallet it was or that they hoped to avoid further attention.
Patrick Gray [10:14]: "I wouldn't want to be the guy that nicked it."
Adam reflected on the incident with humor, noting the chaotic nature of crypto security.
Adam Boileau [10:58]: "It's very funny."
The hosts also noted ZachXBT's persistence as a blockchain investigator, and his move from a donation-funded hobby to a more professional footing.
5. Iranian Radar Systems Breached Before Israeli Counterstrikes
Timestamp: [12:24 - 14:00]
A report from the Jerusalem Post claimed that Iran’s radar systems were breached prior to Israel's recent counterstrikes. However, the report lacked detailed information, leaving many questions unanswered about the nature and method of the breach. Both hosts expressed a desire for more transparency and details.
Adam Boileau [14:00]: "But we just know nothing and I would very much like to know more."
6. Legal Battle Between Delta and CrowdStrike
Timestamp: [14:00 - 15:32]
Delta Air Lines filed a lawsuit against CrowdStrike seeking more than $500 million over the July 2024 Falcon sensor update that crashed Windows hosts worldwide and disrupted Delta's operations for days. CrowdStrike has countersued, arguing that Delta's public statements about it were false and defamatory. The dispute centres on who bears responsibility for how long Delta's recovery took.
Patrick Gray [14:59]: "Their argument is that... Delta's argument is... We'll let the lawyers argue."
Adam criticized Delta's stance, pointing out inconsistencies in their claims about security patching.
7. Canada Revenue Agency's Fraudulent Tax Return Problem
Timestamp: [15:32 - 18:22]
The Canada Revenue Agency (CRA) is dealing with a wave of fraudulent tax returns, attributed to a major breach at H&R Block, with roughly $6 million in refunds redirected to fraudsters. The IRS faced the same kind of refund fraud in earlier years, and the hosts noted that every tax authority is exposed to it.
Adam Boileau [17:54]: "So if you are at a tax agency anywhere else, you know, this is the sort of thing... you'll have to have some defenses in place."
Patrick highlighted the potential for this issue to escalate politically within Canada.
8. Microsoft CEO Satya Nadella Reduces Compensation Amid Security Failings
Timestamp: [18:22 - 19:34]
Microsoft CEO Satya Nadella asked the board to cut his annual compensation by $10 million in response to the company's recent security failures. The gesture was framed as accountability, but his total compensation for the year still came to roughly $79 million.
Patrick Gray [18:51]: "This seems a little bit performative... a gesture that doesn't really hurt him much."
Adam agreed the reduction is symbolic and makes little practical difference to Nadella's finances.
9. REvil Ransomware Gang Members Sentenced in Russia
Timestamp: [19:34 - 21:35]
Four members of the REvil ransomware gang have been sentenced by a Russian military court to more than four years each. The outcome is a surprise, and it raises questions both about the gang's internal dynamics and about how Russia actually deals with its own cybercriminals.
Adam Boileau [20:06]: "I can't imagine it's a great time."
Patrick expressed confusion over why a military court was chosen for the sentencing, as it is uncommon for such proceedings.
10. Linus Torvalds Removes Russian Linux Maintainers
Timestamp: [21:35 - 23:19]
Linus Torvalds confirmed the removal of roughly a dozen Russian maintainers from the Linux kernel's MAINTAINERS file. The stated reason is compliance with sanctions covering the Russian organisations those maintainers are affiliated with, and Torvalds framed it as a compliance matter rather than a personal one.
Patrick Gray [22:26]: "It feels like this is more of a compliance thing than... just kicking out Russians."
Adam discussed the challenges Russia might face in attempting to create a parallel Linux community, noting the strength and collaborative nature of the existing ecosystem.
11. Apple Opens Private Cloud Compute to Security Researchers
Timestamp: [25:14 - 27:11]
Apple opened its Private Cloud Compute (PCC), the server-side component of Apple Intelligence, to outside security researchers, with a Virtual Research Environment for macOS and source code for key components alongside a bug bounty that pays up to $1 million for remote code execution on PCC. The aim is to back Apple's security claims about the AI infrastructure with verifiable transparency.
Adam Boileau [25:31]: "I think this is a great move... I'm looking forward to seeing what researchers find."
Patrick inquired about the program’s accessibility, to which Adam speculated it might be more open compared to previous restricted initiatives.
12. Ongoing Vulnerabilities in Security Appliances
Timestamp: [27:11 - 31:12]
The hosts discussed several vulnerabilities affecting widely deployed security appliances:
- SonicWall firewalls: An SSL VPN access bug has been exploited in a ransomware campaign that hit over 30 organisations. Patrick reminded listeners that Knock Knock can be used to restrict who can reach these login portals at all.
Patrick Gray [28:13]: "Just a reminder, you can use Knock Knock to restrict access to these sorts of things."
- Fortinet: Yet more Fortinet products being compromised, continuing a pattern that forces defenders to put additional controls in front of the appliances themselves.
- Cisco gear: A recent bug in Cisco's VPN code, triggered by brute-force login attempts that exhaust resources and force the device to reload (a denial of service), was poorly communicated, leaving confusion about what to patch and how.
Adam Boileau [30:41]: "If the bug exhausts resources, cause denial of service and a reload."
Patrick humorously lamented the ongoing chaos with VPN security.
Patrick Gray [31:12]: "Computers were a mistake."
13. US Election Influence Campaigns by China and Iran
Timestamp: [31:12 - 36:56]
The episode delved into foreign influence operations targeting the US elections, particularly by China and Iran. These campaigns are focusing on down-ballot races, employing anti-Semitic messages and corruption accusations to sway public opinion. Unlike previous cycles, the impact seems limited, with major disinformation efforts not gaining significant traction.
Adam Boileau [32:11]: "It suggests an intent and a focus that is quite alarming."
Additionally, Russia propagated a viral video falsely depicting Pennsylvania ballots being ripped up, aiming to undermine trust in the electoral process. Despite swift debunking by US authorities, the long-term effects on public perception remain uncertain.
Patrick concluded that, compared to 2016, foreign disinformation campaigns this cycle have been less effective and prominent.
Patrick Gray [36:41]: "Foreign disinformation... haven't featured majorly in this thing."
14. Sponsor Interview: Material Security on Securing M365 and Workspace Data
Timestamp: [37:36 - 51:04]
The episode featured an interview with Daniel Ayala, Chief Security and Trust Officer at Dotmatics, and Rajan Kapoor of Material Security. The discussion focused on securing data in Microsoft 365 (M365) and Google Workspace, in particular the access control problems and accidental data exposures that accumulate in those platforms.
Key Points:
- Data Exposure Challenges: The emergence of tools like Microsoft’s Delve has increased visibility into previously obscure access permissions, revealing sensitive information inadvertently shared or forgotten over time.
Daniel Ayala [38:43]: "...access models in all these platforms are so all over the place and hard to manage..."
- Material Security's Solution: Rajan Kapoor explained that Material Security addresses these challenges by structuring large datasets and utilizing APIs to provide comprehensive visibility and control over data in both files and emails.
Rajan Kapoor [43:43]: "We figured out how to take large data sets and structure them."
- Awareness and Prioritization: While many CISOs prioritize file security, Rajan emphasized the often-overlooked risks associated with email data, advocating for a unified approach to secure all collaboration tools.
Rajan Kapoor [42:45]: "...when I ask them, how concerned are you about your email... they just don't care."
- Holistic Security Approach: The integration of email and file security offers a holistic view, enabling organizations to better protect sensitive information across all platforms within M365 and Workspace environments.
Patrick Gray [46:10]: "It's a way in for sure... we're not just going to help you with your data in files..."
Notable Insights:
- Manual vs. Automated Remediation: Without robust tools, addressing data exposures in emails and files remains a manual and time-consuming process. Material Security aims to streamline this with automated solutions.
- CISO Challenges: CISOs often struggle with balancing the visibility and control over extensive data sets, particularly in cloud-based environments where traditional security measures fall short.
Patrick Gray [49:56]: "Is it more balanced... but how can you say you don't care about something when you don't even have visibility into what's in there?"
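The exposure problem Daniel Ayala and Rajan Kapoor describe, sharing permissions that pile up and are forgotten until a tool surfaces them, is concrete enough to show in code. The following is an added example and is not Material Security's product or code: it takes an inventory of files with their permission records, as a script might collect them through the Microsoft Graph or Google Drive APIs, and ranks each file by its widest exposure, treating expired links as harmless and flagging edit rights on anything shared beyond a named insider. The sample inventory is constructed, and the record shapes only approximate the real API resources (an assumption; in production the classifier would be fed the real JSON).

```python
"""Over-sharing triage for M365 / Workspace files (added example)."""
from datetime import datetime, timezone

# Exposure classes, widest first.
SEVERITY = {"anonymous": 5, "external-domain": 4, "org-wide": 3,
            "external-user": 2, "internal": 1, "none": 0}

NOW = datetime(2024, 10, 30, tzinfo=timezone.utc)   # constructed reference time


def _expired(perm, now):
    """True if the permission carries an expiry timestamp that has already passed."""
    exp = perm.get("expirationDateTime") or perm.get("expirationTime")
    if not exp:
        return False
    return datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now


def _is_edit(perm):
    """True if the permission grants write access (Graph roles, Drive role or link type)."""
    return ("write" in perm.get("roles", [])
            or perm.get("role") in ("writer", "owner")
            or (perm.get("link") or {}).get("type") == "edit")


def classify_permission(perm, org_domain, now):
    """Map one permission record to an exposure class."""
    org_domain = org_domain.lower()
    if _expired(perm, now):
        return "none"
    link = perm.get("link")                      # Graph-style sharing link with a scope
    if link:
        return {"anonymous": "anonymous", "organization": "org-wide"}.get(link.get("scope"), "internal")
    ptype = perm.get("type")                     # Drive-style: anyone / domain / group / user
    if ptype == "anyone":
        return "anonymous"
    if ptype == "domain":
        return "org-wide" if perm.get("domain", "").lower() == org_domain else "external-domain"
    # Direct grant to a user or group: decide by e-mail domain.
    email = (perm.get("emailAddress")
             or perm.get("grantedToV2", {}).get("user", {}).get("email", ""))
    if not email:
        return "internal"
    return "internal" if email.lower().endswith("@" + org_domain) else "external-user"


def triage(inventory, org_domain, now):
    """Return [(path, widest_exposure, edit_beyond_insiders)] sorted widest first."""
    rows = []
    for path, perms in inventory.items():
        classes = [classify_permission(p, org_domain, now) for p in perms]
        widest = max(classes, key=SEVERITY.get, default="none")
        risky_edit = any(SEVERITY[c] >= SEVERITY["external-user"] and _is_edit(p)
                         for c, p in zip(classes, perms))
        rows.append((path, widest, risky_edit))
    rows.sort(key=lambda r: (-SEVERITY[r[1]], r[0]))
    return rows


# Constructed sample inventory: paths and permissions are invented for this example.
SAMPLE_INVENTORY = {
    "Finance/Q3-board-pack.xlsx": [
        {"roles": ["read"], "link": {"scope": "anonymous", "type": "view"}},      # anyone with the link
        {"roles": ["write"], "grantedToV2": {"user": {"email": "cfo@example.com"}}},
    ],
    "HR/2019-salary-review.docx": [
        {"roles": ["write"], "link": {"scope": "organization", "type": "edit"}},  # forgotten org-wide edit link
    ],
    "Legal/NDA-acme.pdf": [
        {"role": "reader", "type": "user", "emailAddress": "counsel@acme-partner.com"},
        {"role": "writer", "type": "user", "emailAddress": "legal@example.com"},
    ],
    "Eng/roadmap.pptx": [
        {"roles": ["read"], "link": {"scope": "anonymous", "type": "view"},
         "expirationDateTime": "2024-01-31T00:00:00Z"},                            # link already expired
        {"roles": ["read"], "link": {"scope": "users", "type": "view"}},
    ],
}

if __name__ == "__main__":
    for path, exposure, risky_edit in triage(SAMPLE_INVENTORY, "example.com", NOW):
        print(f"{exposure:15} edit={risky_edit!s:5} {path}")
```

The ordering is the point: the anonymous link on the board pack and the org-wide edit link on a five-year-old salary file sort to the top, the expired link on the roadmap drops out entirely, and the external reader on the NDA sits in the middle as something to confirm rather than panic about. Feeding the same classifier mailbox sharing and delegate records would extend it to the e-mail side Rajan argues is neglected.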
Conclusion
Risky Business #768 provided an in-depth analysis of significant security incidents, legal battles, and emerging threats shaping the information security landscape. From high-profile intrusions and ransomware takedowns to influence campaigns in elections, the episode underscored the evolving nature of cyber threats. The sponsor interview highlighted critical challenges in securing cloud-based collaboration tools, offering insights into effective access control and data protection strategies.
Notable Quotes:
- Patrick Gray [00:57]: "It's 45 days, which is still a very short time..."
- Adam Boileau [03:18]: "Provisioning your own wiretaps of political staffers like that definitely is a little more... rude."
- Rajan Kapoor [43:43]: "We figured out how to take large data sets and structure them."
- Adam Boileau [32:11]: "It suggests an intent and a focus that is quite alarming."
For more detailed discussions and insights, listeners are encouraged to subscribe to Risky Business and explore the show notes for additional resources.
