Risky Business Episode #771: "Palo Alto's Firewall 0days Are Very, Very Stupid"
Release Date: November 20, 2024
Host: Patrick Gray
Guests: Adam Boileau, Andrew Morris
Sponsor: GreyNoise
Microsoft's New Security Enhancements
The episode kicks off with a deep dive into Microsoft's latest security initiatives, aimed at addressing vulnerabilities exposed by incidents like the CrowdStrike breach in July. Patrick Gray and Adam Boileau discuss Microsoft's announcement of a remote recovery feature that allows systems to roll back changes if the kernel becomes non-functional. This feature is intended to minimize downtime and reduce the need for physical interventions across millions of Windows machines.
Patrick Gray ([00:03]) notes, "Microsoft is trying to solve the problem that we all want to solve, which is having to roll truck in the event of an outage and physically put hands on keyboards is a thing that isn't so useful anymore."
Adam adds, "There's a bunch of moving parts here that we do need to see specific stuff like how does this interact with BitLocker, how does this interact with TPM backed BitLocker, et cetera." ([01:36]) He underscores the complexity of integrating these new features seamlessly with existing security measures.
Palo Alto's Critical Zero-Day Vulnerabilities
A major focus of the episode is the alarming discovery of multiple zero-day vulnerabilities in Palo Alto Networks' firewall products. Adam Boileau outlines two significant bugs affecting Palo Alto's management interfaces:
- Authentication Bypass (Auth Bypass): "You send an HTTP request header to the web server of the management interface which basically just says hey, don't worry about authing me, it's fine," Adam explains ([13:50]).
- OS Command Injection: the username field can be abused to execute shell commands as root. Adam remarks, "What are you doing Palo Alto? This is the firewall, it's a security product from a major vendor with no auth please header." ([13:50])
These vulnerabilities allow attackers to gain unauthorized access and execute arbitrary commands, posing severe risks to network security.
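The two bug classes described above, an auth decision influenced by a client-supplied header and a username flowing into a root shell, are shown here in their hardened form as an added example (not Palo Alto code, and not from the episode): a constructed management-interface handler whose login state comes only from a server-side session store, so the hypothetical "X-Skip-Auth" header is simply ignored, and whose username is validated and passed as a single argv element rather than through a shell.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed stand-in for an HTTP request to a management interface.
@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

# Constructed server-side session store: the only source of truth for "who is logged in".
SESSIONS = {"sess-123": "admin"}

# Plain account names only: letters, digits, dot, dash, underscore; 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

def authenticated_user(req):
    """Return the user bound to a valid session cookie, else None.
    Request headers are deliberately not consulted: a client cannot assert
    its own auth state, so a hypothetical 'X-Skip-Auth: 1' changes nothing."""
    return SESSIONS.get(req.cookies.get("session"))

def validate_username(name):
    """Reject anything that is not a plain account name before it reaches a command."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name

def build_passwd_lookup(name):
    """Build an argv list for an account lookup. A list (never shell=True) makes the
    username one argument; /bin/sh never parses it, so ';' or '$(...)' cannot inject."""
    return ["getent", "passwd", validate_username(name)]

def handle_user_lookup(req):
    """Handler order matters: authenticate first, then validate input, then act.
    Returns (status, body) so the outcome can be checked without running a process."""
    if authenticated_user(req) is None:
        return 401, "authentication required"
    try:
        argv = build_passwd_lookup(req.form.get("username", ""))
    except ValueError as exc:
        return 400, str(exc)
    # shlex.join renders the argv safely for logging; a real handler would
    # pass the list to subprocess.run(argv, shell=False) here.
    return 200, shlex.join(argv)
```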
Access Control Challenges in Enterprise and IoT Devices
The discussion shifts to the broader issue of access control beyond mere authentication, especially concerning vulnerable technologies like IP cameras. Patrick Gray highlights the limitations of existing solutions such as Cloudflare and Zscaler, emphasizing the need for more robust access control mechanisms.
Patrick Gray ([15:23]) states, "The stuff that really needs to be access controlled is not often the stuff that is already getting the most attention."
Adam concurs, "Access control is complicated in enterprise context because you've got to have federated auth and SAML and all sorts of complicated authentication things." ([16:07]) He points out the difficulty in implementing strong access controls on devices not designed for enterprise-grade security.
US Government Cybersecurity Landscape
The episode touches on recent developments within the US government’s cybersecurity framework:
- Biden and Xi Jinping's Call: Concerns were raised about ongoing cyberattacks targeting civilian critical infrastructure.
- CISA Leadership Changes: Jen Easterly's upcoming departure from CISA is discussed, with anticipation about the agency's future under the new administration.
- Ransomware Trends: Adam notes a slight decline in ransomware attacks but warns that the threat remains persistent. He mentions the emergence of lower-tier ransomware groups like Akira, suggesting that while major cartels face increased scrutiny, smaller actors continue to pose risks.
Patrick Gray ([22:09]) remarks on the efforts against ransomware, "Suppression efforts have at least done something. You're never going to get away, you're never going to completely remove ransomware as a threat."
Legal Proceedings and Cybercrime Enforcement
The episode reviews recent legal actions against individuals involved in cybercrime:
- Heather Morgan: Sentenced to 18 months for laundering $10.8 billion in Bitcoin stolen from Bitfinex in 2016.
- Larry Dean Harmon: Convicted for operating the Helix cryptocurrency mixer, Harmon faces a three-year sentence and is required to forfeit $311 million alongside other assets valued at $400 million.
Adam highlights the significance of these cases, "It's good that they are tracking down, finding the people who run the mixes and run the money laundering because that's the kind of lubricant that makes bitcoin viable and other cryptocurrencies viable as a method for doing crime." ([33:31])
Innovative Anti-Scam Measures: Daisy AI by Virgin's O2
Patrick Gray introduces Daisy, an AI-powered system developed by Virgin's O2 in the UK to combat scam calls. Daisy mimics a grandmother, engaging scammers in lengthy conversations to waste their time and frustrate their efforts. The system can keep scammers on the line for up to 40 minutes, effectively reducing the volume of scam attempts reaching legitimate users.
Patrick Gray ([36:10]) enthuses, "It's just a regular speech to text LLM style thing, text back to speech, but then runs through a sort of personality layer that adds the grandma-ness."
Adam praises the innovation, stating, "This is so cool. And they actually got one of the guys that does scam baiting to help build the model." ([35:58])
Academic Insights on Phishing Training Efficacy
A noteworthy segment covers a study by the University of Chicago and UC San Diego, which claims that typical phishing training programs are ineffective. The research, involving nearly 19,000 employees in the healthcare sector, found no significant improvement in reducing phishing click-through rates.
Patrick reflects, "It's nice to have data that says actually this stuff really doesn't work because as a practitioner I feel like it doesn't work." ([38:40])
Adam concurs, emphasizing the need for security programs that don't solely rely on user behavior, "Our job is to make it safe not to tell them not to click on things." ([39:50])
Facial Recognition Controversy: Bunnings Case in Australia
The episode explores the controversy surrounding Bunnings, Australia's Home Depot equivalent, which implemented facial recognition technology to enhance staff safety. The Australian Information Commissioner ruled against Bunnings, citing privacy violations. Despite the backlash, Patrick contends that the technology was used proportionately to protect employees from threats such as naked individuals with shotguns or violent intruders.
Adam Morris ([42:46]) comments, "It seemed like they actually thought about the data retention, about the things that they were doing and that it seemed a lot more reasonable."
GreyNoise Sponsor Segment: Uncovering Mass Scanning and Zero-Day Exploits
In the sponsored segment, Andrew Morris, founder of GreyNoise, discusses the pervasive issue of mass scanning and the exploitation of zero-day vulnerabilities, particularly in edge devices like IP cameras and firewalls. He reveals that GreyNoise's latest AI-driven analysis engine, Sift, identified ongoing exploitation attempts targeting these devices globally.
Andrew Morris ([55:45]) explains, "We ended up figuring out exactly what device it was targeting and diagnosing it... there is a zero-day."
Morris emphasizes the relentless nature of these attacks, "It's constantly, constantly happening." ([46:43]) He also highlights the challenges in securing legacy systems and the resurgence of outdated attack methodologies reminiscent of the 1990s.
Patrick Gray ([49:15]) suggests, "Allow listing of some kind is the solution here," advocating for more restrictive access controls to mitigate these pervasive threats.
Conclusion
Episode #771 of Risky Business offers a comprehensive overview of critical cybersecurity issues, from emerging vulnerabilities in major security products to innovative defenses against cyber threats. The discussions underscore the evolving landscape of cyber threats and the relentless efforts required to safeguard digital infrastructure. With insights from industry experts and real-world case studies, Patrick Gray and Adam Boileau provide valuable perspectives for information security professionals navigating these challenges.
Notable Quotes:
- Patrick Gray ([00:03]): "Microsoft is trying to solve the problem that we all want to solve, which is having to roll truck in the event of an outage and physically put hands on keyboards is a thing that isn't so useful anymore."
- Adam Boileau ([13:50]): "What are you doing Palo Alto? This is the firewall, it's a security product from a major vendor with no auth please header."
- Adam Boileau ([33:31]): "It's good that they are tracking down, finding the people who run the mixes and run the money laundering because that's the kind of lubricant that makes bitcoin viable and other cryptocurrencies viable as a method for doing crime."
- Patrick Gray ([36:10]): "It's just a regular speech to text LLM style thing, text back to speech, but then runs through a sort of personality layer that adds the grandma-ness."
- Patrick Gray ([38:40]): "It's nice to have data that says actually this stuff really doesn't work because as a practitioner I feel like it doesn't work."
This detailed summary captures the essential discussions, insights, and conclusions from Risky Business Episode #771, providing a comprehensive overview for those who haven't tuned in.
