
PLUS: Crypto thieves return stolen US government crypto-booty...
Patrick Gray
Hi, everyone, and welcome to Risky Business. My name's Patrick Gray. We'll be chatting with Adam Boileau in just a moment about all the week's security news. And then we'll be hearing from this week's sponsor, Material Security. More accurately, we'll be hearing from Material and one of its customers. Daniel Ayala is the chief security and trust officer of Dotmatics, and he'll be joining us, as will Material Security's Rajan Kapoor. And we're basically talking about what a mess M365 and Workspace are from an access control point of view. It's a great chat and it's coming up later. But first off, let's get into the news now with Adam Boileau. And Adam, it's good to be back on deck and feeling a little bit better. I had a pretty rough week. I'm still not 100%, but I just wanted to say thanks to everyone who sent me well wishes. Yeah.
Adam Boileau
Now, you certainly were having a rough time, and it's nice to see you starting to bounce back, starting baby steps.
Patrick Gray
Right. But look, we're going to actually start this week's news section with a correction, which is last week we spoke about how Apple was in the, you know, the CA/Browser Forum asking for certificate life to be dropped down as low as 10 days. It turns out we actually got that wrong. It's 45 days, which is still a very short time, but that's a detail we got wrong. And it's because when Catalin prepared the report, and I'm not blaming him for this, by the way, we all make mistakes. He was looking at the wrong table when he came up with the 10-day figure. That 10 days is for, I think, validation data reuse. And we just, you know, got that mixed up and we didn't check it. So that's why we got that wrong. I don't think it really changes anything that we said last week, though.
Adam Boileau
No, no, I don't think so. And 45 days is still short enough that you really can't do it by hand. And that's the important thing, right?
Patrick Gray
Yeah. And that was the guts of what we said last week. So I just wanted to make that correction before we got into the rest of the show. And of course, the big news this week is that, you know, we've talked about this intrusion into American and other telcos, not just confined to America, but all of the news is centered on America. This Salt Typhoon intrusion where Chinese APTs have got into American telcos and targeted the systems that provision wiretaps. Early on, the reporting seemed to suggest that the actors were interested in finding out who the FBI was wiretapping. Now it looks like they were actually listening in on some calls, including, you know, political staffers and whatnot, members of the Trump campaign, the Harris campaign, and they did actually target some of the candidates' phones. But there's no word on whether or not they actually intercepted any audio there. But this thing has blown up and it looks like it's the next CSRB investigation as well.
Adam Boileau
Yeah, because when we were talking about this in the previous episode, you know, it kind of looked like counterintelligence, like they were trying to figure out who was being wiretapped. And in some respects that felt like, you know, that's just kind of normal spying, you know, and it's a bit sneaky getting in there and checking for yourself. But I mean, kind of probably within the bounds of the great game. But actually provisioning your own wiretaps of political staffers like that definitely is a little more, you know, a little more rude.
Patrick Gray
We don't 100% know if they provisioned them as wiretaps or if they just used the, you know, widespread. I think someone described it as exquisite access, that they had to do it some other way. But I think the good news is here we should find out a lot more given that the Cyber Safety Review Board is going to look into this. Although I do worry that they're going to get hampered a little bit by classification and whatnot, and there's probably some details they won't be able to talk about, you know, in their final report. But, you know, their reports so far have been good, so fingers crossed.
Adam Boileau
Yeah, I was certainly heartened to see that the CSRB was going to look at this because I have so many questions because having done some of this stuff myself, I'm professionally nosy about what they did and how they did it and how they provisioned their access and so on and so forth. I think you're right that they will be slightly hampered by the classifications and security controls around some of this infrastructure. But I am certainly hanging out to read the report because as you say, the previous ones have been really pretty good and I think, you know, overall the CSRB has been a, you know, much better than we could have hoped for. I think, because we've seen so many calls for that type of investigative body before, but the kind of the makeup of it and the nature of their output, you know, I find, you know, really pretty best case.
Patrick Gray
Yeah, I mean, I was expecting them to look into the CrowdStrike thing, but I guess I don't know what else there is to learn there that would require the board. You know, like Microsoft is looking at kernel restrictions and there's been a lot of work done there. And I think what happened there is pretty well understood, which is CrowdStrike made a big whoopsie, basically. So I think this is a good use of the board's time, interestingly enough. I mean, so it's Ellen Nakashima over at the Washington Post with Josh Dawsey who came up with the scoop that audio was intercepted. But even they point out in this piece that, you know, end-to-end encrypted communications, such as those on the Signal platform, are believed not to have been hacked. I mean, obviously. But it's. Yeah, it is interesting because recently we also spoke about how the Trump campaign was using these specialist secure Android devices from a company called Green Hills. Right. So you wonder what they got, I guess is what I'm getting at.
Adam Boileau
Yeah, yeah. I mean the contents of phone calls and text messages, I guess, is what you'd expect to be able to get, along with call metadata, I suppose, which are still useful things. But these days, as you say, so much communication is done through over-the-top apps with end-to-end crypto in some cases. So, yeah, of more limited utility than it once would have been. But I mean, still, you know, so many people fall back on PSTN phone calls because it's just easy and ubiquitous and works everywhere and there's no interoperability problems or whatever else.
Patrick Gray
So I mean, so many people do, you're right, but do the people working for presidential campaigns that are being targeted by Iranian hackers? And it's been known that they've been targeted by Iranian hackers. You know, in this case it's the Chinese, but you know what I'm saying, right? Like, they know they're a target. Yeah, I'm guessing they're using Signal most of the time. Right. Like, and it just reinforces the point you're making, which is this doesn't get you as much as it used to.
Adam Boileau
Yes, exactly. And you know, I'm sure they are probably using something like Signal for anything juicy. But you know, sometimes, for the sake of expediency, a phone call is just what people do without necessarily stopping to think, you know, about exactly what they're saying and where they're saying it. But as you say, if you are working for the Trump campaign, by this time, probably you should have pretty good instincts about what to say and what not to say and over what medium.
Patrick Gray
Yeah, yeah. Now let's talk about Operation Magnus. This was a, you know, a bunch of different police services and authorities were involved in this. It was a takedown against a couple of info stealers. What was it? RedLine and what's the other one called?
Adam Boileau
One's called Meta, somewhat confusingly.
Patrick Gray
Yes. So RedLine and Meta, you know, authorities seized a bunch of servers and domain names. They arrested a couple of people in Belgium who I believe are customers of these info stealer botnets. And they've also indicted, presumably in absentia, the Russian fellow who runs the whole thing. You know, just a pretty nice textbook takedown here, including some very high quality krebsing in the DOJ's indictment of the guy who runs Advocate. Yeah, it totally reads like a Krebs piece, that indictment.
Adam Boileau
It really does. Yes. They ended up doxing this guy, I think, based on some tips from private sector infosec firms. But he had been using, like, his hacker nick on, like, Russian dating forums and stuff going back I think like 12 years or so. So, you know, there's some challenges to using the same persona when you're trying to pick up a date as also selling your wares on crime forums. So, you know, as you say, I think he's still in Russia. So probably other than it being a little bit embarrassing, he may not face much retribution. But the Dutch police, I think, or whichever European police force put together the domain and the package, did do some reasonable trolling. They made a little video about the most recent update to the software, which basically said, hey, we've got all of the customer data and we're going to be sharing it with all your local law enforcement friends, so good luck with that. So, yeah, good work, police. And it's kind of like we've talked about how it feels like IRC troll wars from the 90s when it's law enforcement versus cyber crooks, and yeah, totally here for that.
Patrick Gray
Yeah, 100%. Now, this one is a more recent type of phenomenon, right. Which is, you know, crypto theft and stuff is probably, I mean, to be appreciated for not being something that was happening in the 90s. At least it's something new. A really bizarre situation unfolded over the last week where someone stole nearly $20 million or around $20 million from a US government controlled crypto wallet. And these were funds that were seized as part of an investigation into the hack of Binance. Right. But the funds were in the control of the US government. And blockchain investigators, including, like, ZachXBT, started noticing this money moving around in a way that made it really obvious that someone had stolen it. The reason it's funny is because the attacker has since returned the funds, saying, I mean, I'm guessing they're saying, my bad. So you wonder if they just didn't know that they were stealing funds, you know, probably from, like, the U.S. Department of Justice or one of its agencies. Right, like, whoops.
Adam Boileau
Yeah, exactly. I would have liked to have been in the chat channel, like in the Telegram or wherever it was where the people were coordinating that and kind of seen the, you know, being a fly on the wall to the. Excuse me, you just stole $20 million from the US feds. Like you're gonna need to give that back right now. Because we've, you know, we've made lots of jokes over the years about the dog that catches the car, you know, when it's chasing it down the street. And that kind of is the vibe that you get here. I think the funds in question were from the Bitfinex hack. Binance was involved in investigating this, but I think the actual hacked funds came from Bitfinex. But either way it's very funny.
Patrick Gray
I'm sorry, yeah, you're right. It's Bitfinex, not Binance. They all blend into one. They all sell.
Adam Boileau
Exactly. It makes no difference. Same, same. It's all just a bunch of crypto skullduggery, tomfoolery, jiggery-pokery rubbish. So yeah, anyway, the feds got it back, but I wouldn't want to be the guy that nicked it.
Patrick Gray
No, no. And the idea that you're going to dodge the heat by just giving the money back, you're probably better off keeping it, you know, like, seriously, the crime is done. You can't undo the crime. I'd just haul ass to a non-extradition country. Don't give it back. You're going to need that money to stay on the run.
Adam Boileau
Exactly, exactly.
Patrick Gray
But yeah, what a world. What a world. And you know, we just mentioned ZachXBT, and Andy Greenberg at Wired has what I would describe as a really nice write-up for those who are unfamiliar. ZachXBT is someone who does a lot of blockchain investigations and stuff quite openly. Helps people recover money. He had been operating mostly under, like, a donation model. People would donate money. But he recently accepted payment to help someone investigate something. And he's thinking about, you know, turning it into a more professional thing. But you read this whole thing and you get the impression that this is not someone who's really, at least at this point, not really someone who's in it for the money. They're just really into trying to right wrongs, right, like that sort of motivated-by-justice kind of thing. It's a heartwarming read, I gotta say.
Adam Boileau
It is. And it's nice when you see these kind of, you know, slice-of-life write-ups of, you know, what it's like being someone like that and, you know, just spending all day, every day in front of your blockchain, slaving over a hot blockchain, you know, trying to figure out what's going on. And yeah, you do get the impression that, you know, it's just a guy that wants to right wrongs in the world and, you know, there's not many people that do that. So good for him. And yeah, definitely, if you follow, you know, blockchain drama, definitely worth reading this particular write-up because, yeah, it's good insight.
Patrick Gray
Yeah. Now we're going to switch to a report from the Jerusalem Post which has got to be the most vague write-up of a thing I've ever seen. The headline is "Radar systems in Iran breached prior to Israel's Saturday counterstrike - report". So they write that radar screens in Iran froze and this helped Israel to perform a bunch of airstrikes targeting, I think, mostly air defence sites in Iran. But there are no details on, like, how, why, what, you know, like there's just zero details in here. We don't know if it was some sort of EW-based attack, if it was cyber enabled, if it actually attacked the equipment itself on the ground like the S-300s or whatever, or whether it attacked some sort of, you know, centralized facility that maybe did have network connectivity. Like, just unbelievably light on detail here, but I just thought I'd flag it because if it's true, it's pretty interesting.
Adam Boileau
I know. When I think Catalin pasted this into our Slack, we had a good conversation about what it could be and all those sorts of things, but yeah, we just know nothing and I would very much like to know more.
Patrick Gray
Yeah, yeah, exactly. So we'll move on from that one, but we flagged it and we'll see if more details come out later. Delta and CrowdStrike are still screeching at each other in the wake of. When was that? I think it was back in July, wasn't it? The CrowdStrike apocalypse. But yeah, you know, we saw Delta saying they were going to sue CrowdStrike. They have now launched a lawsuit for $500 million. And I think CrowdStrike's countersuing them for saying nasty things about them. And it's just, it's gone exactly where we expected it to go. And I've got no idea how this is going to play out. I think CrowdStrike is going to dig its heels in here. I mean, their argument is that, you know, well, all your competitors got back online quicker than you. You know, you're just not very good at it. And, you know, Delta's argument is, well, no, you just vaped all of our systems. So we'll let the lawyers argue. That's my opinion on this one.
Adam Boileau
Yeah, I don't know that Delta really did themselves many favors because there's a bunch of details in here where they said, like, look, we didn't patch any of our stuff, so how come CrowdStrike broke it? I think if your defense is, well, we didn't patch our security software. It doesn't necessarily paint you in the best light either.
Patrick Gray
We're not very good at it.
Adam Boileau
Therefore, why did our IT change and break. Yes, it's so I don't. Yeah, once again, this is for the courts and lawyers to argue about and make fat bank out of. But, you know, we'll just sit here and quietly watch and enjoy the show.
Patrick Gray
Now let's turn our attention to Canada, and the Canada Revenue Agency, which is their tax office up there, is having some issues with a bunch of false returns. And it looks like there's some feeling there that this could be because of a major breach at the firm H&R Block. Now, I find this one interesting for a bunch of reasons because we saw the IRS go through something similar a few years ago. And you remember in response to that, they were using, like, a third party facial recognition service. And that was very controversial and whatever, but they had to really scramble to put a lid on these false returns. And it looks like, you know, an organized campaign has pocketed something like $6 million lodging false returns and getting those funds redirected to attackers because of information that wasn't even stolen from the tax office. These sorts of campaigns, these sorts of crimes are a real problem for tax offices around the world. And I think any tax office that isn't dealing with this right now is going to at some point in the future. And that's why I wanted to talk about this one.
Adam Boileau
Yeah, and I think that's a really interesting point to this because the hard part of computer crime is figuring out ways to monetize access to data. But once you've got a model that works, then everywhere you can reuse that model is another opportunity for you. And so this model, in this case they stole electronic filing credentials from H&R Block, is the accusation. H&R Block has said that it wasn't them. Of course we should say that. But that model, stealing those credentials, changing the bank account details for a refund, filing a false return, pocketing the refund faster than the taxation agency can follow it, is going to work, you know, in all sorts of places. And so if you are at a tax agency anywhere else, you know, this is the sort of thing I'm sure you're very much keeping on top of because you're going to have to have some defenses in place, some detection, and be able to respond to it. But this does seem like a bit of a mess in Canada that's going to turn political in some respects because I think some journalists dug up the story and now there's, you know, sort of accusations being thrown back and forward in Parliament in Canada. So it's pretty messy. And you would hope that, you know, this is a lesson that tax agencies would learn all at once together. But that's not how the world works.
Patrick Gray
No, I mean, I suppose the silver lining here is that $6 million in the context of Canada's tax revenue is probably not really that much. But it's also one of those things where you sort of get the sense that it could spiral if they don't get on top of it. And unfortunately getting on top of something like this is quite difficult. So I guess the reason I mention it is, like, if you work in anti-fraud in a tax office somewhere, maybe have a think about how you'd respond to something like this happening. Because it's probably going to happen at some point.
Adam Boileau
Exactly. Yeah, exactly.
Patrick Gray
Now, a report that we also carried is that Satya Nadella of Microsoft actually, you know, he's the chair of the board, he's the CEO, he actually asked the board to reduce part of his annual compensation. He said, I don't want that $10 million, you know, cash component of my comp. Because there were security failings and it happened on my watch. And I think his total comp was still 79 million. I think they didn't even take away all of that cash comp.
Adam Boileau
I think they gave him half of it. Yeah.
Patrick Gray
So this seems a little bit performative, if I'm honest. It's contrition that doesn't really hurt him, I guess. But then again, it kind of sends a good message. I don't know. I don't know what to think about this.
Adam Boileau
Yeah. I mean, 5 million bucks is still, you know, that's a lot of money in anyone's book, even if you're, you know, a very rich person. But as you say, like, it doesn't really hurt him that much, I would imagine. You know, when the package is. What was it? Yeah, 70-ish million. And that's 63% up over what he made last year. So. Yeah. Yeah. Really, really suffering there, buddy.
Patrick Gray
Well, but I mean, again, the reason I don't know what to think about this is it is really hard to argue that he's not doing a good job as CEO when you look at.
Adam Boileau
Well, yeah. Right.
Patrick Gray
When you look at the business. Right. But then. Yeah. Anyway, my brain hurts. Now, here's a bit of an odd one. Four members of the REvil ransomware gang have been sentenced to four years plus in prison in Russia. Jonathan Greig has this one for The Record. We also covered it in Risky Business News. I mean, you don't really expect to see that, do you?
Adam Boileau
No, it did seem a little startling, and it, you know, kind of makes you wonder how badly they screwed up to end up being put in prison in Russia, in a penal colony. It was, I think, a standard penal colony, like, not the really severe ones that they send the bad people to. So, you know, but still, I can't imagine it's a great time.
Patrick Gray
Yeah. I don't think, you know, all the nice Russian penal colony.
Rajan Kapoor
Right.
Patrick Gray
Like, I don't think that's really a thing. Adam.
Adam Boileau
I think you pointed out when we were talking about this in our Slack that there's very few details and they were tried in a military court in St. Petersburg rather than a, you know, kind of open one. So we don't have much data because military courts are relatively closed and there's no real clear idea why.
Patrick Gray
Yeah, I mean, I just flagged that because Catalin had reported that it was a military court, and I just asked him when we were going over the news script for one of our news bulletins in the Risky Business News channel, which you should all subscribe to. I just asked him, I'm like, why did they do this in a military court? And you know, he had looked into that and he's like, look, I couldn't pin it down, you know, because none of the reporting explained why they were tried by a military court. So that is one odd feature here.
Adam Boileau
Yeah, I think Catalin's working theory was that a military court can have closed proceedings, whereas in a civilian court in Russia there isn't really a mechanism for sealing stuff. So maybe that's it. But yeah, we're guessing, so yeah, yeah, 100%, who knows.
Patrick Gray
Staying with Russia, and Linus Torvalds has expressed support for the removal of around a dozen Russians from a list of Linux kernel maintainers. We're going to link through to Daryna Antoniuk's write-up for The Record here. I mean, this isn't just, they're not just kicking out Russians. These particular kernel maintainers were linked to organizations that have been either linked onwards, linked to the Russian government, or are sanctioned. Right. So it feels like this is more of a compliance thing than a, you know, let's just kick all Russians out of being able to be Linux maintainers. Funny thing here though was Torvalds saying, you know, I'm Finnish, what did you think I would think about this? Torvalds is famously grumpy and yeah, he does not seem to be a fan of Russian foreign policy, let's put it that way.
Adam Boileau
Yeah, that seems pretty fair. And I think on the mailing list there was some conversation that the Linux Foundation had received some legal advice, and the maintainers, Linus and Greg KH, who landed the patch that did this, said, like, we're not going to discuss the advice that we got, but this is just how it is. And Torvalds basically said, yeah, deal with it, it's how it be.
Patrick Gray
Yeah, yeah. And meanwhile Russia is saying it's going to build its own Linux community, which. Sure. But I don't know, going it alone, I mean Linux at this point, I mean you think about the number of hours that have gone into it, the fact that it is just such a gigantic community with genuine support behind it and so much, I guess, sponsorship from large companies that pay people to contribute to it, you know, they'll just hire people full time to be doing that sort of dev. I don't know how well Russia's going to go with, you know. Russia, Russia Linux, you know, I don't know.
Adam Boileau
Yeah, it's a hard road forking any piece of open source software and maintaining it yourself in the future. And you know, Russia has tried it with their particular Linux, the North Koreans have tried it with their Red Star Linux. So, you know, there is some precedent for it, but it's a hard road to make a good Linux. And of course, every time you fork off from the main thing, all of your adversaries' agencies start, you know, chuckling and rubbing their hands because now the patches are going to take even longer to get there, and good times ahead.
Patrick Gray
Yeah, exactly. Better make sure you don't make any mistakes. See, and that's, you know, the vulnerabilities equities process looks a bit different in those scenarios as well. Meanwhile, Dina Temple-Raston and James Reddick, also for The Record, have reported that Nigeria has dropped charges against that Binance investigator who's, what's his name? Tigran Gambaryan. He has been held in Nigeria since February, basically on charges of, like, manipulating Nigeria's currency because, you know, a lot of people in Nigeria were using crypto because the local currency was kind of unstable and it kind of tanked the currency and they're, you know, they just wanted to hold someone, basically. So you do get the sense that what was happening to this guy was not fair. And you also get the sense that there may have been some sort of diplomacy involved in securing this guy's release. I mean, he had malaria in custody, he was not in good shape, and, you know, the court has said they have allowed him to travel abroad for medical treatment. So you do get the impression that maybe there was a bit of pressure applied here.
Adam Boileau
Yeah, and that sounds like the right thing to do, because this guy was, you know, previously at the IRS and was integral in the takedown of Silk Road, arrested Ross Ulbricht, takedown of AlphaBay. You know, so like he has done a lot of good in this world. And yeah, the story was kind of sad seeing him just rotting in jail in Nigeria.
Patrick Gray
Now Apple has introduced a new bug bounty program involving its private AI cloud. And it looks like a pretty interesting program, as in participants will get to actually access cool stuff. And, you know, we love this.
Adam Boileau
Yeah, I think this is a great move. I mean, Apple has been learning the lessons of where it needs to be open and have public scrutiny in order to kind of back up some of its claims over the years. And I think this Private Cloud Compute is a pretty major shift for them. And you can see sort of the roots in some of the security programs for iPhone and bug bounty programs, researcher phones, those kinds of things. Like all of the hard work that people inside Apple did to build those up proved that it's viable. And now we've really seen it writ large with the plan for Private Cloud Compute. So they've released a bunch of the software components, a virtual environment where you can run up the server side of their Private Cloud Compute system. It'll use your local GPU on your Mac to do the AI parts of it, so you can kind of exercise the whole system. And then the bug bounty has a bunch of things that will pay out, I think up to a million US dollars for code exec. But there's a bunch of other aspects as well. And even things like they've included their thing that sends logs off to Splunk so that you can verify what it's logging, how it's logging it, and then they've got a bunch of transparency things so you can kind of, in the future, see that the code that they're running in production matches what's been seen publicly. So really very well thought out. And, you know, I'm looking forward to seeing what researchers dig up and find.
Patrick Gray
Do we know if this is like, open to everyone or is this one of those ones where you have to kind of apply?
Adam Boileau
I'm not 100% sure. I think some of the things I read suggested it is a bit more open than the researcher only phones that really were very difficult to get hold of. So I think it is more open than that. But proof will be in the pudding.
Patrick Gray
Yep. Yep. All right, well, we've dropped all the links into this week's show notes on that one. Now let's do the usual section where we talk about how people are getting owned via their, like, security software and security appliances. This is, like, an evergreen.
Adam Boileau
That's the regular feature. Yes.
Patrick Gray
Yeah, an evergreen section. So SonicWall firewalls appear to be the common link in a ransomware campaign that's hit something like 30 different targets. Matt Kapko has the report for Cybersecurity Dive.
Adam Boileau
Yeah, we don't know the specifics of the bug. I think it was one that they patched, like an access control bug that got patched back, I think, in August or something earlier this year at some point. Anyway, it's being picked up and is being used in a campaign targeting the SSL VPN access, and then onwards to ransomware. I think in some cases we've seen ransomware within hours to, you know, not even a day or two between initial point of entry and onwards to ransomware. So, yeah, if you have one of those, you're probably already having a bad time.
Patrick Gray
Yeah. Just a reminder, you can use Knocknoc to restrict access to these sorts of things. Right.
Adam Boileau
If you don't own. Good choice.
Patrick Gray
Yeah. But I'm guessing the average company that's using SonicWall probably skews a bit smaller. I mean, you know, I'm not saying that Knocknoc doesn't work for smaller companies. I guess I'm saying that they're going to be the people who are least likely to understand that they would need to do something. And yeah, there's more Fortinet drama. I mean, it all blends into one. It's like every week we're talking about Fortinet bugs being used to own people. Like, I don't even know if these are the bugs from last week or the week before, but another report from Matt Kapko here at Cybersecurity Dive talking about, you know, oh, this is the FortiManager stuff. This is the stuff we talked about last week. Right?
Adam Boileau
Okay, yeah, it's the same bug, but I think it looks like someone hit a bunch of managed service providers, went downstream to customers and did it at a slightly larger scale. But either way, it's just every week, Forti-fail. And you know, at this point, if you've got a Fortinet on the edge of your network, you either need to not have a Fortinet or you need to lock it up behind Knocknoc.
Patrick Gray
And there's been some stuff going on with Cisco gear which has been poorly communicated, in my view, because we were trying to report the other day on, they released a new feature which is designed to make brute forcing impractical against various devices, which. Okay, cool. But then in the same breath they're saying, oh yeah, because there was a zero-day being used as part of a brute force campaign. But they don't actually tell us much about the bug. I mean, do we have any clarity on what they're on about?
Adam Boileau
No, the Cisco advisory is pretty unclear. There's like a bug that they refer to which is like CVSS 5.8 and they claim that they have fixed it and it's related to brute force denial of service through authentication. And then it's also listed on CISA's KEV list and then, you know. So it's a little bit unclear. My best guess is that this is a mechanism to allow you to bypass rate limiting or lockouts whilst brute forcing credentials. Cisco says that the bug exhausts resources, causes denial of service and a reload. So it may well be that you can try a bunch of creds, lock out an account, reload the VPN service, try a bunch more. That's what it feels like. But no one actually says that.
Patrick Gray
And again, we're guessing. We shouldn't be guessing about this, right?
Adam Boileau
We should not. It's the year 2024. We should have good quality information.
Patrick Gray
If the case is that there was rate limiting and there are already protections there, then why are they issuing, releasing new features to address that? Like that's the other part that's not clear here.
Adam Boileau
Yeah, it is. It is unclear. I mean, I guess all we really know is that people are getting brute forced via their VPNs and Cisco is doing something and it's bad enough that it made it to the KEV list, which, yeah, not reassuring or particularly helpful for the people who are, you know, who have that equipment on their network.
Patrick Gray
Yeah, man. What chaos, right? Just chaos everywhere with VPNs. VPNs were a mistake.
Adam Boileau
Computers were a mistake.
Patrick Gray
That's right. Now we're going to turn our attention, Adam, to all of the wonderful stuff happening in the US election. There are influence campaigns trying to swing the election. They're coming from every single corner of the world. We got a great write up here from Chris Bing and AJ Vicens, who is now over at Reuters. We congratulated him when he got the gig recently. So it's great to see those two bylines together. They're looking at how a Chinese influence operation is targeting down ballot races in the US, which is interesting because we've seen these big sort of disinformation campaigns and influence campaigns trying to swing things towards Trump or away from Trump or whatever. But when they're actually targeting specific down ballot races, that suggests a level of sort of planning that's quite alarming, I guess.
Adam Boileau
Yeah, yeah, it does. And they're not particularly sophisticated campaigns, but that's kind of not really the point. Right. I mean, this is, you know, sending anti-Semitic messages and parroting accusations of corruption and things like that. But, you know, stuff that can move the needle, especially on a platform as messy as X. And yeah, the targeting, I guess, is more interesting than the actual techniques.
Patrick Gray
Right.
Adam Boileau
Because it suggests an intent and a focus and a degree of research that, you know, is not casual.
Patrick Gray
No, agreed. And look, another one from Chris Bing. This one also with Raphael Satter and Gram Slattery over at Reuters. They've looked at. Look, I'm going to take a bit of an issue with the headline here. They've said, exclusive, accused Iranian hackers successfully peddle stolen Trump emails. And it's because a blog called American Muckrakers, they have published some of the material stolen by Iran. And it also popped up on someone's Substack. To me, this is not successful. Okay. To me, success looks like it did in 2016 when you had all of the major media outlets in the United States talking nonstop about the DNC leaks. That's what a successful hack and leak campaign looks like. I think getting it out there via a few blogs is not successful. I mean, it's still a great write up and it's very interesting. My issue is with the headline, but did you have the same reaction there?
Adam Boileau
Yeah, exactly. I mean, this does not feel like success, especially by comparison to two election cycles ago. And some of the details are interesting. It's a good write up, but that was exactly my reaction as well. This does not feel like they're going to get their bonus, the people who are running this particular campaign. And nothing like the success of 2016, where all of the coverage was focused on that one issue with Guccifer and Hillary's emails. And you know, to this day we still talk about Hillary's emails.
Patrick Gray
Yeah, I mean, I think something that's interesting here is that Muckrakers is like a PAC. So it's a political action committee or whatever they call them. So that's an interesting aspect here. But I mean, the fact that you need Reuters to talk about it for it to matter kind of suggests that it doesn't.
Adam Boileau
Yeah, yeah, agree completely. So, I mean, if anything, it's kind of nice. It feels like we've made some progress at being a bit more resilient against these kinds of hack and leak and info ops, which is good. It just means that we'll have to come up with new and novel ways to influence people.
Patrick Gray
Yeah. And meanwhile, Russia managed to get itself a bit of a, bit of a viral video happening with them, like, ripping up. There was a video of like Pennsylvania ballots being ripped up that turned out to be fake and made by Russia. And it was interesting that this, they were able to get that out quickly and say, no, this is fake. It was made by Russia. I mean, I don't know if some of the targets of this sort of disinfo are going to believe U.S. authorities when they, when they say that it was fabricated. But, you know, I guess they got it, they got to try, right?
Adam Boileau
Yeah. And of course this was distributed initially on X as has become the fashion. So that's. Yeah. When we look back on this election, like the whole Musk slash X mess that this has become is probably going to be one of the defining bits of the, of the disinfo part of this, of the story. But yeah.
Patrick Gray
I've never thought that Twitter really had any influence on anyone's political destiny. And that's before Musk. Right. So I don't know why people now think that because he's taken it over and he's pumping just non stop Looney Tunes stuff that it's actually going to move the needle. I think the people who are buying into that, who are all over X, I mean, they're the people who already believe that stuff. Yeah, you're probably right. Yeah, that's what I think with that. And you know, as much as I find him odious and I think, you know, he just talks absolute nonsense 24/7 these days, I just don't know how much it's going to impact things. But we're going to know in a week, aren't we?
Adam Boileau
Yeah, well, exactly. We've got, we've got some outcomes based metrics which.
Patrick Gray
Yeah, called the election. And I think, you know, look, we're close enough now. It's been, you know, we've got a week remaining. I think we can say that, you know, foreign disinformation, foreign influence operations haven't featured majorly in this thing. There's been some stuff around the edges. We've talked about it, but I think we can say, you know, in no universe was this at all close to being a rerun of, you know, 2016. I think we've, I think we're in a better place.
Adam Boileau
Yeah, I mean, you know, all of the madness has been largely US domestic and it doesn't feel like it's been. Yeah. In the same way as it was two cycles ago. So I guess, I guess that's good, right?
Patrick Gray
Yeah, we'll be, we'll be recording next week as they are counting the votes. Right. Which is. It's always an interesting day in Australia. It'll be a Wednesday here and then, you know, you get to, you get to stream a bit of cable TV. And it's funny, I read a story recently about Americans in Australia and how they're sort of dismayed that Australians treat this like it's a big reality TV contest. You know, they're like, are you gonna have an election party? Like, where are we going to watch it? We'll go to the pub. And they're just like, oh, my God, no, that's not thinking about this one. But yeah, certainly I will be grabbing some popcorn. Well, Adam, that's actually it for the week's news. Thank you so much for joining me. Great to chat to you. And we'll do it all again next week.
Adam Boileau
Yeah, thanks very much, Pat. And best of luck to all our American friends.
Patrick Gray
That was Adam Boileau there with a look at the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now with Material Security's Rajan Kapoor and Material's customer Daniel Ayala, who is the Chief Security and Trust Officer at Dotmatics. Material Security makes a product that can help secure M365 and Workspace data at rest, which is handy if one of your users' accounts gets compromised. They lock up sensitive information in your inboxes, you know, and they can find other stuff too, like files that have been shared externally or company wide that shouldn't have been. I actually published a demo of Material Security last week and I'll drop a link into the show notes if you want to check that out. But yeah, the idea is they're trying to sort out some of M365 and Workspace's security dysfunction. So I'll begin this interview. I'll drop you in here with Daniel Ayala. And I asked him why he started looking at tooling to try to get a handle on things like accidental exposures via M365. And here's what he had to say.
Daniel Ayala
I go back to the Delve day, the day that Delve came out. And I think this encompasses so much of my problem with some of these, with these collaboration suites: there's all this exposure. The access models in all these platforms are so all over the place and hard to manage that there's documents, there's email, there's sharing, there's access that has previously been hidden by obscurity. People didn't know they had the access. And the day Delve showed up, and now doubled with, you know, some of the better search and some of the new AI tools that are layering on, all this stuff became exposed, became visible to people in a way that it had never been before. So, yes, there's an email problem. Yes, there's business email compromise that keeps us all up at night, but there's also all of this stuff that people previously didn't know they had access to, including attackers that might get into that box, that we now have to figure out how to wrangle. And some of this is really back history. Like some of this goes back a decade, and trying to figure out what that is.
Patrick Gray
Tell me about this Delve thing because. Are you talking about some sort of discovery tool? Because I got to be honest, I haven't heard of it.
Daniel Ayala
Yeah, Microsoft, what is it? Eight, nine years ago, released Delve as part of Office 365. It was one of their first discovery tools where you could do a search and it would show you the answers to all the things that match that search, including documents that you never knew you had access to. And enter an access model in, you know, in Office 365 that was, you know, open, and you'd share. HR would have had a file out there that they said, sure, anybody in the company can see, but we'll only send the link to these people. But it had SSNs in it. Now when I go search for my name, let's say, or someone else's name, that document is going to show up. And again, this is eight, nine years ago. So we've had this access problem for a while, but it's only gotten more magnificent as the, you know, as the ability to search and dive into this stuff has advanced. And now with, you know, the rise of some of the really easy search queries, you know, to take away the need to know how to search to find stuff and make it as simple as show me all the things with SSNs, and you'll be able to pop it all up. You know, all this stuff scares the life out of me.
Patrick Gray
Yeah, no, I, I don't blame you. And I mean there's not really, and this is kind of what I was getting at earlier, there's not really much of a straightforward way to remediate this as yet, is there? Which just seems a little bit insane. Like what, you know, pre tooling, what's, what are your options there in terms of like, you know, I've done a search, I found a bunch of stuff. Is there some way to easily or programmatically like, you know, remediate that hand cleanup?
Daniel Ayala
I mean, I'm sure there's, I'm sure with PowerShell you can go through and make all sorts of, of batch things, but those are more of sledgehammer approaches. And a lot of these things require a more scalpel approach where you go one by one to the owner. You do a search that says, show me all the files that are there that include SSNs or this, you know, this with this masking, but that are owned by. And then show me them by owner. And we go to that owner and say, hey, go fix these 20 documents, go fix the permissions on these. That kind of thing. It was really, really manual.
Patrick Gray
Yeah.
Daniel Ayala
And yes, there's DLP stuff that looks at that as it exits, but there really isn't much that looks at it in, you know, in stationary.
Patrick Gray
Yeah, yeah. So I mean, Rajan's here as well from Material. I mean, you know, it's funny, right, because you did start off the company more as a way to restrict access to email data. And obviously people still buy material for that. But, you know, more and more you realized while you're in there fiddling with these APIs, like the file share problem in, you know, M365 is just, it's a big one and it's one that's kind of slept on. Like, I know of other vendors who try to chip away at this, right. Some of them more successfully than others. But, you know, it's the sort of thing where you wonder if people truly understand what their exposure is. Like, what's your sense of how aware people are that this is a problem to begin with?
Rajan Kapoor
It's very interesting because when I talk to people and ask, you know, when I talk to CISOs and I ask them, you know, how concerned are you about your email, how concerned are you about your files? The common response is they're somewhat concerned about files, but with email they just don't care. Literally just don't care. And my follow up question is always, but do you even know what's in there? Like, how can you say you don't care about something when you don't even have visibility into what's in there? And I think the analogy I like to use is when you fly, when you go to the airport and you fly, people worry about the plane having a problem, but you're more likely to get into a problem driving to and from the airport. And we've just kind of accepted email as like the car ride. We're not really worried about it because we haven't been able to do anything about it for so long. But that's, you know, it's interesting because the problem that we solved at Material actually wasn't an email problem to begin with, it was a data warehouse problem. We figured out how to take large data sets and structure them.
Patrick Gray
Well, I mean, I've always described it as like an access control product, really. Like when it comes to, yeah, when it comes to locking away sensitive information in inboxes and stuff.
Rajan Kapoor
Yeah. My point there is like, you can't even get to that if you can't like structure those emails.
Patrick Gray
Right.
Rajan Kapoor
Because you have to scan them, you have to read them, you have to look at them. And that's the hard problem that we solved. And so now we can build files. On top of that, we can ingest APIs. Right. And this has been the reason, I think, that a lot of people have not really tackled this problem. The data sets were just too large to deal with. And so what would you do as a CISO if your board was like, hey, what are we going to do about email? Well, we'll do inbound threat detection and remediation, but beyond that there's not much I can do. And what's also changed is you actually have a way to get to that data at rest. Right. You can leverage APIs. Now, we lost control of the infrastructure when we went to SaaS. Right. But we now have a way to get back to that data at rest and do things with it. And that's where APIs come in. Right. So you take APIs, you take a good data warehouse and you can start building a whole bunch of magic on top of that.
Patrick Gray
I mean, it seemed like what you were saying, because I was asking you about awareness, about the sort of shared files issue and like overly loose access to sensitive information containing files. You seem to be saying that, that, you know, overly loose access to sensitive information contained in shared files. Sounds like you think that that is more of an understood issue, which kind of surprises me because it's not one that I hear people talking about all that much.
Rajan Kapoor
I think it's an issue that when we bring up, when I bring up, people will click on that much more quickly than they will with email. They'll say, you're right, I don't know what's happening with my files. I used to work at Dropbox. We can credit Dropbox with making people worried about files. Right. And so I think it is easier to. And if you look at the DLP space in general, a lot of it's focused on what's in your files. Right. And so, you know, you end up with security teams that are. It's easier for them to wrap their head around the risk with data in files than it is for them to wrap their head around the risk with data and email.
Patrick Gray
So I guess it's an easier sell is what you're saying. Right?
Rajan Kapoor
Which makes sense 100%.
Patrick Gray
Yeah. Yeah. That's crazy. That's crazy because you know, again, like this is your add on feature, right? Like it's not what you originally built. So do you find that that's actually a way into deals for you is like, you know, they'll take the meeting for the files and then buy for the email.
Rajan Kapoor
It's a way in for sure. We're building another product called Unified Detections and that's also been a great way in. But what we've seen with our existing customers is almost every single one of them is interested in Drive. Right. So it becomes a very complementary solution. Right. It's like, hey, we're not just going to help you with your data in files, we're not just going to help you with your data in email. And if you think about Microsoft 365 and Google Workspace, where else is your data but files and email? Right?
Patrick Gray
Yeah.
Rajan Kapoor
And so they become, you start to get this really, really holistic view and control over your data wherever it is in those two suites.
Patrick Gray
I mean, I think the other component to this whole equation is the identity side and authorized applications and whatnot, which I know isn't really something that you guys focus on so much. But that's the other part. I think there's a bit of a triad with those cloud environments. Dan, I want to go back to you, you know, you dealing with your board as I imagine you do. Like, did you experience what Rajan said? You know, is it the case that people are generally, you know, were people internally much more concerned with data in files than in emails?
Daniel Ayala
I think it's actually a little more balanced than that, and a lot of it is due to, once you've gotten burned by email, by data in email, I think you get the religion. And so, I mean, most of my peers have gone through some kind of email based attack that has done something or has shown that light. And I, you know, I fully admit that I can't represent every CISO or every security organization out there, but I think it's a growing area of understanding and it's not hard to paint that picture quickly to say, you know, hey, look at this thing that we found in your mail and what could this enable, or, you know, this thing you forgot about that's buried, you know, six months ago that we can put a shield in front of. If an outsider got a hold of this, what could they do with it? You know, I use the "what happens if this ends up on the front page of the Wall Street Journal" story a lot. I use that analogy a lot. And finding a piece of email that contains some sensitive information, that tends to paint the picture pretty well and pretty quickly. Or if you say to somebody, you know, hey, think back six months to a deal you just finished, or a contract or a negotiation or an HR discussion, all of those things quickly get people, you know, rather clenched as they think about the thing that might have been found, that might have been used by an outsider. And then you relate it to some of the extortion attacks that are happening and that method of attack: rather than, yeah, ransomware for disrupting business, now extortion to collect money because backups have become prevalent. And think about the things that show up. You see passports that show in the evidence that they put out there to prove that they've actually been in. They'll take a passport picture that came out of an email.
They'll take a, you know, a screenshot that you emailed somebody of notes that you hand wrote. Those kinds of things are pretty quick eye openers.
Rajan Kapoor
I mean, it's the attackers, Patrick, the attackers are kind of telling us that, right? If you look at like when Storm hacked, you know, the State Department's M365 infrastructure and when Midnight Blizzard, you know, went after Microsoft themselves on their Microsoft 365 infrastructure, they went right for email. Right? That's like the thing they did a beeline for because they know that like it's still the number one collaboration tool in the world, right? That is where everything happens. And if they're going right for email, like what are we doing to stop them from getting there once they've popped the account?
Patrick Gray
Yeah, I just want to ask you Dan too, as we wrap this up. You've been in this business for a long time, right, like stretching back to the 90s. Do you also find it funny that like state backed espionage these days looks a little bit like 1990s scene war hacking with people grabbing each other's mail spools. Like this is something we pretty regularly have a chuckle about on the, on the, you know, the main show. And I just, you know, does it also boggle your mind?
Daniel Ayala
Yeah, it really does. Back to basics applies to so many different parts of this field in terms of, you know, figuring out the things that you have and watching them and rolling them out as completely as you can and doing them well. But the kind of thing is we're back to the same kind of basic attacks, partly because we've lost sight of watching basics as, you know, as security teams. We've gotten a little distracted at times by shiny things.
Patrick Gray
All right, Dan Ayala, Rajan Kapoor, thank you so much for joining me for that discussion. Very interesting stuff.
Rajan Kapoor
Thanks, Matt.
Adam Boileau
Thank you.
Patrick Gray
That was Daniel Ayala there from Dotmatics and Rajan Kapoor from Material Security. And you can find them at Material Security. Big thanks to them for sponsoring this week's edition of the show. And that is it for this week's podcast. I do hope you enjoyed it. I'll be back with more Risky Business for you all very soon. But until then, I've been Patrick Gray. Thanks for listening.
Release Date: October 30, 2024
Hosts: Patrick Gray and Adam Boileau
Sponsor: Material Security
Timestamp: [00:05 - 01:40]
Patrick Gray began the episode by issuing a correction regarding last week's discussion about Apple's request to the CA/Browser Forum to reduce certificate lifespans to 10 days. He clarified that the actual figure is 45 days, still considered short but a critical detail.
Patrick Gray [00:57]: "It's 45 days, which is still a very short time... we got that mixed up and we didn't check it."
Adam Boileau concurred, emphasizing that 45 days remains too brief for manual handling.
Adam Boileau [00:51]: "45 days is still short enough that you really can't do it by hand."
Timestamp: [01:40 - 04:41]
The major headline of the week revolves around the Salt Typhoon intrusion, where Chinese Advanced Persistent Threats (APTs) infiltrated American and other telcos, specifically targeting wiretap provisioning systems. Initially believed to be an attempt to identify FBI wiretap activities, reports now indicate that the APTs engaged in live monitoring of calls, including those of political staffers and campaign members from both the Trump and Harris campaigns. The Cyber Safety Review Board (CSRB) will investigate this breach.
Adam Boileau [03:18]: "Provisioning your own wiretaps of political staffers like that definitely is a little more... rude."
Patrick expressed optimism about the CSRB’s investigation, though he noted potential limitations due to classified information.
Patrick Gray [03:50]: "The good news is here we should find out a lot more given that the CSRB is going to look into this."
Timestamp: [07:08 - 09:06]
Operation Magnus was a coordinated effort by multiple international law enforcement agencies to dismantle the RedLine and Meta info-stealer botnets. Authorities seized numerous servers and domain names, arrested customers in Belgium, and indicted the Russian operator, though he remains at large in Russia. The Dutch police engaged in public shaming tactics against the operator, leveraging tips from private sector infosec firms.
Adam Boileau [07:56]: "They made a little video about the most recent update to the software, which basically said... good luck with that."
Patrick likened the operation to 90s-style IRC troll wars, highlighting the theatrical nature of modern cyber takedowns.
Timestamp: [09:06 - 12:24]
A bizarre incident unfolded where nearly $20 million was stolen from a US government-controlled cryptocurrency wallet, originally seized from the Bitfinex hack investigation. Blockchain investigators, including ZachXBT, detected the unauthorized movement of funds. Interestingly, the attacker returned the money, suggesting either a lack of understanding of ownership or an attempt to evade detection.
Patrick Gray [10:14]: "I wouldn't want to be the guy that nicked it."
Adam reflected on the incident with humor, noting the chaotic nature of crypto security.
Adam Boileau [10:58]: "It's very funny."
Additionally, ZachXBT's dedication to blockchain investigations was highlighted, showcasing his transition from a donation-based model to a more professional framework.
Timestamp: [12:24 - 14:00]
A report from the Jerusalem Post claimed that Iran’s radar systems were breached prior to Israel's recent counterstrikes. However, the report lacked detailed information, leaving many questions unanswered about the nature and method of the breach. Both hosts expressed a desire for more transparency and details.
Adam Boileau [14:00]: "But we just know nothing and I would very much like to know more."
Timestamp: [14:00 - 15:32]
Delta Air Lines filed a $500 million lawsuit against CrowdStrike, accusing them of failing to respond adequately to security threats. In retaliation, CrowdStrike is countersuing Delta for defamatory statements. The conflict appears to stem from differing views on the efficacy and response times of CrowdStrike's security solutions.
Patrick Gray [14:59]: "Their argument is that... Delta's argument is... We'll let the lawyers argue."
Adam criticized Delta's stance, pointing out inconsistencies in their claims about security patching.
Timestamp: [15:32 - 18:22]
The Canada Revenue Agency (CRA) is grappling with an onslaught of false tax returns, attributed to a major breach at H&R Block. Approximately $6 million has been siphoned from redirected refunds. This mirrors similar challenges faced by the IRS in previous years, emphasizing the universal nature of such threats to tax authorities.
Adam Boileau [17:54]: "So if you are at a tax agency anywhere else, you know, this is the sort of thing... you'll have to have some defenses in place."
Patrick highlighted the potential for this issue to escalate politically within Canada.
Timestamp: [18:22 - 19:34]
Microsoft CEO Satya Nadella requested a reduction in his annual compensation by $10 million in response to recent security failures under his leadership. Although this act demonstrates accountability, Nadella's total compensation remains substantial at approximately $79 million.
Patrick Gray [18:51]: "This seems a little bit performative... a gesture that doesn't really hurt him much."
Adam noted that while the reduction is symbolic, it may not significantly impact Nadella financially.
Timestamp: [19:34 - 21:35]
Four members of the notorious REvil ransomware gang have been sentenced to over four years in a Russian military court. This surprising development raises questions about the gang's internal dynamics and the effectiveness of Russia's approach to cybercriminals.
Adam Boileau [20:06]: "I can't imagine it's a great time."
Patrick expressed confusion over why a military court was chosen for the sentencing, as it is uncommon for such proceedings.
Timestamp: [21:35 - 23:19]
Linus Torvalds announced the removal of approximately a dozen Russian contributors from the Linux kernel. This decision aligns with sanctions and affiliations linking these maintainers to the Russian government. Torvalds emphasized compliance over personal sentiment.
Patrick Gray [22:26]: "It feels like this is more of a compliance thing than... just kicking out Russians."
Adam discussed the challenges Russia might face in attempting to create a parallel Linux community, noting the strength and collaborative nature of the existing ecosystem.
Timestamp: [25:14 - 27:11]
Apple unveiled a bug bounty program for its private AI cloud, inviting security researchers to identify vulnerabilities. Participants gain access to sophisticated tools and environments, with rewards reaching up to $1 million for critical code execution exploits. The program aims to enhance transparency and security within Apple’s AI infrastructure.
Adam Boileau [25:31]: "I think this is a great move... I'm looking forward to seeing what researchers find."
Patrick inquired about the program’s accessibility, to which Adam speculated it might be more open compared to previous restricted initiatives.
Timestamp: [27:11 - 31:12]
The hosts discussed multiple security vulnerabilities affecting popular security appliances:
Patrick Gray [28:13]: "Just a reminder, you can use Knocknoc to restrict access to these sorts of things."
Fortinet: Continual issues with Fortinet products being compromised, often requiring the use of additional security measures to protect networks.
Cisco Gear: A recent vulnerability related to brute force attacks remains poorly communicated, causing confusion about remediation steps.
Adam Boileau [30:41]: "Cisco says that the bug exhausts resources, causes denial of service and a reload."
Patrick humorously lamented the ongoing chaos with VPN security.
Adam Boileau [31:12]: "Computers were a mistake."
Timestamp: [31:12 - 36:56]
The episode delved into foreign influence operations targeting the US elections, particularly by China and Iran. These campaigns are focusing on down-ballot races, employing anti-Semitic messages and corruption accusations to sway public opinion. Unlike previous cycles, the impact seems limited, with major disinformation efforts not gaining significant traction.
Adam Boileau [32:11]: "It suggests an intent and a focus that is quite alarming."
Additionally, Russia propagated a viral video falsely depicting Pennsylvania ballots being ripped up, aiming to undermine trust in the electoral process. Despite swift debunking by US authorities, the long-term effects on public perception remain uncertain.
Patrick concluded that, compared to 2016, foreign disinformation campaigns this cycle have been less effective and prominent.
Patrick Gray [36:41]: "Foreign disinformation... haven't featured majorly in this thing."
Timestamp: [37:36 - 51:04]
The episode featured an interview with Daniel Ayala, Chief Security and Trust Officer at Dot Matics, and Rajan Kapoor from Material Security. The discussion focused on securing Microsoft 365 (M365) and Google Workspace data, particularly addressing access control issues and accidental data exposures.
Key Points:
Daniel Ayala [38:43]: "...access models in all these platforms are so all over the place and hard to manage..."
Rajan Kapoor [43:43]: "We figured out how to take large data sets and structure them."
Rajan Kapoor [42:45]: "...when I ask them, how concerned are you about your email... they just don't care."
Patrick Gray [46:10]: "It's a way in for sure... we're not just going to help you with your data in files..."
Notable Insights:
Manual vs. Automated Remediation: Without robust tools, addressing data exposures in emails and files remains a manual and time-consuming process. Material Security aims to streamline this with automated solutions.
CISO Challenges: CISOs often struggle with balancing the visibility and control over extensive data sets, particularly in cloud-based environments where traditional security measures fall short.
Patrick Gray [49:56]: "Is it more balanced... but how can you say you don't care about something when you don't even have visibility into what's in there?"
Risky Business #768 provided an in-depth analysis of significant security incidents, legal battles, and emerging threats shaping the information security landscape. From high-profile intrusions and ransomware takedowns to influence campaigns in elections, the episode underscored the evolving nature of cyber threats. The sponsor interview highlighted critical challenges in securing cloud-based collaboration tools, offering insights into effective access control and data protection strategies.
For more detailed discussions and insights, listeners are encouraged to subscribe to Risky Business and explore the show notes for additional resources.
