
PLUS: The bad old days return with Blue Yonder ransomware attack...
Loading summary
Patrick Gray
Hey, everyone, and welcome to another edition of the Risky Business Podcast. My name is Patrick Gray. We will be chatting with Adam Boileau about all of the week's security news in just a moment. And then we're going to hear from this week's sponsor and we're hearing from Matt Muller over at Tynes, and we're going to be talking about some rather puzzling work out of Gartner, where they've said that soar, which is. What's that? Security Orchestration, Automation and response. Soar is dead. Except for the new stuff. It's just, you know, we spend a big part of that interview trying to sort of divine what Gartner was actually, actually meant by all of that. So that one's coming up later. But, Adam, let's get into the news now. And I'm going to start with a slight correction, because last week I said, well, Jen Easterly is leaving sissa. She's decided not to stay. And that's probably for the best because it could get awkward. Turns out, you know, the US and someone pointed this out to me, she's a political appointment. Right. So the normal thing to happen would be for her to resign at that time. And that sent me down the rabbit hole of looking at political appointments in the United States and there's like thousands of them. And it's quite unusual, which is why, to my innocent Australian eyes, I thought it was a different situation. But, yes, the normal thing is for her to resign. And I guess her announcing it just means she wasn't asked to stay.
Adam Boileau
Yeah, I guess so. Like, I also, that nuance was kind of lost on me as well. But, I mean, the whole American political system is a little bit opaque to us foreigners sometimes. So, yeah, that's good to clarify.
Patrick Gray
Yeah. I mean, even some of the people who are sort of appointed through political processes here, they will survive a transition in the government. I mean, I can think of, you know, Mike Burgess, for example, who's run asd, and now asio. He has served both sides of politics, you know, and that's not really a problem here. But I guess, you know, America's just built a little different, isn't it? So, yes, there will be several thousand people automatically resigning on Inauguration Day because. Because reasons, I guess. Anyway, let's move on to this week's fresh news, and we're going to start off with the ransomware attack. So I, I, you, you know, this is my fault because on last week's show, I said, gee, it's been a while since we've Seen a major sort of significant ransomware attack. And next minute, what do we have here? A major, significant ransomware attack which is affecting a company called Blue Yonder. And Blue Yonder does sort of supply chain management for grocery stores and whatnot, but they also have like, HR management stuff. And it's all sort of as a service software. They've been absolutely wrecked. A bit thin on details, but it's clear they got absolutely wrecked. Walk us through what we know here.
Adam Boileau
So it sounds like, yeah, they have been wrecked. They had a whole bunch of stuff that they provide as a service. It appears to be all gone. And their statements on the subject basically are like, we're working on it. You know, things are bad and there's really very, very little data. We don't know, for example, which ransomware crew was involved. We don't know, like, what kind of money we're talking about. So not a lot of details. There's a little bit of kind of, you know, rumors as to, like, how their technology works and those kinds of things. But either way it seems bad. And it's just, it's a big. It's one of those kind of big organizations that's important to so many places that you've just never really heard of. And they're multinational, provide services, you know, all over the place. So I mean, it's not clear even kind of what this means in terms of, you know, supply of goods to the companies that use them, et cetera, et cetera. So other than it's probably bad, we don't know much.
Patrick Gray
Yeah, I mean, I'm not expecting all of their customers to, like, go out of business, but it is a hassle, right? So Starbucks has had to fall back to, you know, manual processes for figuring out things like timesheets, by the looks of things, because this HR software that they manage for their customers, like, that's what it does. So I think there's a lot of falling back to two other processes. And I think in the context of like, grocery logistics, I mean, it's like what we saw in Covid, right? Like some stuff you might not be able to get, but you're still going to be able to walk home with a bag full of groceries and cook dinner, but just, you know, drama and a significant event. And look, if we do look at the update page from Blue Yonder, it's very vague, you know. As part of our continued commitment to transparency with our valued customers and partners, we are providing a further update on the restoration of our managed services hosted environment. The Blue Yonder team is continuing to work around the clock together with our external cybersecurity firms to safely restore systems, resulting in steady progress, blah, blah, blah, blah, blah. We'll continue to update. You know, at this point in time we do not have a timeline for restoration. That was on November 23rd. On November 24th, they say there are no additional updates to share at this time with regard to our restoration timeline following our post yesterday. So very transparent, very transparent. I mean this feels to me like they're probably negotiating with the attackers because look, if rumors to be believed, we had, you know, Kevin Beaumont posting on Mastodon. No sourcing on this, just pure rumor. You know, he was saying that the attackers got their disaster recovery and backups and you know, locked up five data, all five of their, you know, data center environments, which if that's the case, they're going to have to pay.
Adam Boileau
I mean, yeah, if that is as reported, then they are in a tough.
Patrick Gray
Place, as rumored, I would put it.
Adam Boileau
Yes. Because so many places have not really tested their resilience against malicious events.
Patrick Gray
Right.
Adam Boileau
Those kinds of disaster systems where everything's online. In some clouds, you've got multi clouds, you've got cross data center replication, whatever it is, it's all online. And if you can make it not exist anymore, then starting from scratch is, I mean, what options do you have other than pay, you know?
Patrick Gray
Yeah, well, I mean this is yet one more example of why I'm against a payments ban. You know, imagine you're them. Imagine that rumor is true. You've lost all of your backups, all of your doctor all of your data centers are just, you know, encrypted soup and you can't pay, what then?
Adam Boileau
Yeah, yeah, I mean, I guess the other side to that though is if we say you can pay ransomware, you know, if they do it really good, then that means that ransomware operators are incentivized to do it really?
Patrick Gray
Well, I think they're already incentivized to do that though, you know what I mean? So I don't know that that's much of a case. So let's see what the government response is to this as well. We don't have any information on which crew is behind this and normally in these high profile incidents you have some indication pretty quick because the crew will be all over a leak site putting pressure on the target to pay. Right. So they're saying, we've got all of your data centers, we've got all of this, there's no way back. And you know, really trying to put the message out there to like, investors or, you know, this isn't a public company in this case. I think it's owned by Panasonic. But we haven't seen any of that. And I do find that interesting as well.
Adam Boileau
Yeah, I mean, some, some of the leaks in the past when we've seen this have been because like the ransomware crews, leak portals, you can kind of like look up. You don't necessarily need to know the names or whatever. There's no like, secrets in the like, web system for who the victims are. Like, you can just kind of increment a number and see who victim number437 is or whatever else and kind of get hints. So some of the more modern ransomware crews have engineered their systems to be a bit better. You know, the chat systems or the whatever, the support systems are not, you know, not wide open like they used to be. You know, people would be snooping on ransomware negotiations all the time back in the, in the old days. So, you know, depending on the type of crew. But also, you know, it could be that, you know, the kind of pressure that we've seen applied to high profile ransomware groups makes them want to be a little more quiet about this process.
Patrick Gray
So.
Adam Boileau
Yeah, we don't know.
Patrick Gray
Well, yeah, that's the thing. I mean, we don't know. But normally by this stage you'd have an, you'd have an indication, you know, you think back to Colonial Pipeline, you know, whatever. You just always have a bit of an idea. Anyway, moving on, we got a great story here from Andy Greenberg over at Wired. And he's written up a talk delivered by one of the team at Velexity at. I think it was cyber walk on the reporting. It's a little, little breathless, I guess because it says Russian spies jumped from one network to another via wi fi in an unprecedented hack. So basically the story is here that APT28 managed, they had a target in mind in the United States. So they hacked on, hacked their way onto a device next door and then use the WI FI on that device to attack their true target through their WI FI network. Now that's cool. It's not something that you see often in public sort of incident reports, but it's not unprecedented and it's not necessarily a very new technique. But, you know, I mean, you've done similar stuff to this in Red Team engagements.
Adam Boileau
Yeah, exactly. I found some of this reporting just a little bit, a little bit frustrating because, yeah, as you. I have done this, I guess it's interesting to see APT28 doing it, but we have also seen them doing wireless proximity attacks, physically driving around or visiting areas near the target to do this kind of thing. And so it's not much of a stretch to do it from somebody else's machine. So yeah, either way, it's still interesting reporting, right? I'm not, you know.
Patrick Gray
Yeah, no, 100%. And again, to have figured this out in incident response engagement is extremely cool, right? It's very, very cool. But I just, Yeah, I would be very surprised if this is the first time this has happened. Now look, let's talk about Salt Typhoon because the more and more reporting we get on this, it just keeps getting more interesting. We've got a, we've got a bunch of reports here. One's from Darina Antonio at, at the Record. We've got another pretty exhaustive one from the New York Times by David E. Sanger and Julian E. Barnes, Devlin Barrett and Adam Goldman. That's a byline for you. And we' indeed got some reporting also from the Washington Post by Alan Nakashima. And you know, it looks like our day one take on this might have been right, which is that what the Chinese were after is a list of people under surveillance by the FBI. But there's more to it than that. They did, it looks like dip into listening to a few calls and like looking at a few text messages and stuff. But one thing that's really got the FBI spooked is that it might have given up sources because the FBI, you know, FBI people calling their sources from FBI phones, that is information that these attackers may have had access to. So that puts some of those people in a really dangerous situation. It also looks like, you know, Microsoft had a hand in tipping the telcos off. I think their threat team somehow stumbled across some of this stuff and that the breach involved going after networking equipment like routers and switches. So, you know, just bypass that EDR instrumented Windows Network and go straight for the ancient telco gear. And you know, in all of the coverage there's a theme emerging which is that these networks are just ancient and they're not properly secured. So I think this is the process of policymakers in the United States realizing that they've got a real problem here because this is not going to be a quick fix.
Adam Boileau
Yeah, absolutely. I mean, I have spent my fair share of time inside telco networks, both from a like, you know, security reviewing point of view, but also as a, you know, adversarially as a red teamer or whatever. So like telco networks are a wonderland for attackers because there is so much super old gear, there's so much obscure stuff. As you say, there's no EDR anywhere that isn't corporate windows. And if you stay the hell away from that, then it's really, you know, it's easy money inside telcos. I mean, the hard part is finding where in the network your actual business target is. Like, if it's stealing call data or if it's stealing text messages or whatever. I was like actually getting into the SMSC or getting into the call records or whatever else. That's the hard part. Because they're such big networks and the US ones in particular because of their very long history and the amount of innovation technically, but also the commercial maneuverings of the US telco world. It's only mergers and acquisitions and divestitures and everything's, you know, there's so many layers of technology in there that securing it super difficult. It's also difficult as an attacker to find your way around. But I think the thing that strikes me about this whole kind of set of stories is so on between two nerds. Our other show that Tom Uran hosts with the Grok, I think it's last week's episode, they were talking about telcos as being like cyber high ground. Like it's the preferred place for sophisticated attackers to go because you have such great visibility of everyone using the telco, of all the customers of the telco, et cetera, et cetera. And you know, in any big telco there's going to be dozens of different nation states all kind of duking it out for control of their environment. And the idea that US telcos are not the same as everybody else's telcos in that respect in terms of being penetrated by everybody, you know, I feel like that's the thing, you know, us in the industry probably have understood for a long time and it's interesting watching it come home to roost when the Americans are, you know, the experts at honing telcos.
Patrick Gray
Well, this is the other thing, right, is that they can't really complain too much about this because they do this to China. I mean, there's some differences here though. So one, another thing that's popped up is the number of compromised devices that, you know, these Chinese apts have racked up is just insane, right? So it's going to be real expensive to clean up. I think that's one difference. We saw that with the Barracuda hacks as well, where it's like, okay, you going and Doing intelligence collection. Right. But you've got rumbled. So now you're burrowing into those devices and you're turning it, you know, you've been snapped. Guys like, why make it expensive to clean up? Why impose that cost on, you know, your collection targets? That just seems like a not very nice thing to do. And I think it's the same here. Whereas, you know, Western operations against Chinese telcos, I don't think they're going in there and owning every single device on the network. You know, one difference too, and this is pointed out in some of the coverage, is that a lot of these American telcos, America was quite ahead in developing its telcos. Right. Which means that, you know, a lot of this stuff was built right for its time, but its time was decades ago. And, you know, so it's not like some all singing, all dancing modern Huawei, you know, vibe. It's just, you know, ancient, ancient routers and switches everywhere.
Adam Boileau
Yeah. And stuff bought from vendors that are, you know, 15 corporate maneuverings old, you know, been divested or sold or rebranded or whatever else. Like it's. I love walking through telco data centers because you see so many old names like, oh, I haven't seen a Nortel in a long time or a, you know, Ascend Max or, you know, all the stuff that from my, you know, youth working in ISPs and network environments. Like, yeah, you see all these throwbacks. So it's kind of like, it's like a vintage shop, you know, like going in and browsing through the shelves and seeing all the, you know, the cool vintage stuff. That's kind of what telco networks feel like to me. Yeah. So I don't know what the US is going to do about it. Right. Because we haven't really seen a heap of success in bringing cybersecurity regulation to things like, you know, critical infrastructure, water and whatever else is kind of pushed back. And obviously the incoming administration is kind of anti big government and anti regulation. But at the same time, this is super serious stuff. And telcos, you know, like if the government turns around and says to telcos, okay, you have to do all this extra work, you have to impose all these extra controls. I mean, telcos have been doing security for a long time. They're not necessarily great at it, but like, of industries that have had to take security seriously, you know, telcos are better equipped than average and their entire.
Patrick Gray
Thing was stopping people from making free phone calls. You know, like that's what they, that's what they optimized for. Which is less relevant these days. So now they got to worry about, you know, state backed actors trying to do this stuff and you know, actors who are willing to spend the time and money to develop novel attacks into gear that doesn't really have great defense.
Adam Boileau
So good, so much fun. I love Telco.
Patrick Gray
So you're available for consulting on this one.
Adam Boileau
I mean risky biz, we could branch out into, into a little, little telco shenanigans. Sure, why not?
Patrick Gray
Now speaking of, there's actually a company in, there's a startup in the United States that's doing some interesting stuff around Telco. It's called Cape. And I'd heard of it a few times, like it's starting to hit the headlines now. And the idea is they're selling like a privacy and security focused like Android Phone, but they're also running the network. They're like a mobile virtual network operator or whatever. And the idea is they can secure people against SS7 style attacks and whatever. It just, you know, give their customers a connection to a network that is not one of these. Right now obviously this won't help those people who are talking to the FBI, right, who might have received phone calls and whatever, but you know, pro tip to the FBI, maybe get your sources to install signal, that might be a good idea. And don't just call them on the old telephone out of FBI hq. Just a little opsec tip for you there guys. But I do find this idea of Cape and you know, I've spoken to their advisors and stuff in months gone by. Dmitri Alperovich is apparently an investor, so I guess he made his decision on that one. And you know, it's, it's a really interesting idea. I wonder about the, I wonder how much of a moat it has as a business because I can imagine they'll pick up a lot of US Federal contracts and then companies like Talos or Lockheed or you know, Raytheon or whatever might go, hmm, nice business, and then spin up their own, you know, virtual mobile networks. But you know, you and I have discussed this as well over the last couple of months. What do you think of all of it?
Adam Boileau
I mean, I think, I think it's a good idea. There are a number of things in the telco world that are difficult to solve at the edge of the network, right? I mean end to end messaging with signal, whatever else it buys you a lot, right, in terms of confidentiality. But you know, there are things, and you mentioned the SS7 for example, and tracking and you know, kind of metadata leakage and Call records and stuff like that that, you know, you can't really solve at the network edge. You do have to do that in the middle of the network and you know, having a telco for whom security was a priority as opposed to a like kind of thing that as you said they have to do to stop people stealing phone calls or whatever. But like some things like sim swapping for example, right, that's about making the telco's processes easy for them and easy for customers. And it's not about securing that against malice as we have seen with the amount of sim swapping. So having a telco where this was a value that they cared about and it was part of their value proposition to their customers, that would be a good thing. There is a lot of fiddle in here because running an MVNO is, there's different levels of integration and stuff you can do with the telcos that are providing the equipment and so on. And so there's a bit of technical fiddle in there, but that stuff is so much easier now in modern mobile networks than it ever was. And also you can get rid of a whole bunch of legacy stuff, you know, that would make you less, it would make you less vulnerable to the sorts of things that current telcos have. So like overall I like it as an idea like business model. Like are people willing to pay?
Patrick Gray
Oh yeah, there's enterprises and governments and you know, people will pay. There's definitely a business here. I just wonder how successfully you can defend, defend a business like that when you know there's other companies out there who have existing contracts with all of those sort of people. Right. That's more what I wonder about. There's definitely a market here. 100%.
Adam Boileau
Yeah. And I think obviously the timing of this, given the amount of focus that mobile and comms networks in general are getting with the Zop Typhoon thing, like they're in a great place. If they started a couple of years back and they're ready to roll with some solutions to this problem, right when it's hitting the zeitgeist, then, you know, top work there. But yeah, I mean I'm, you know, I'm technically curious about the gubbins of course, but.
Patrick Gray
Well, it's funny because one of the advisors actually reached out a month or two ago and said, hey, do you guys want to, you know, want to take a look at this? I was like, well we are in Australia and New Zealand. Do you have agreements that would actually get us data? And they're like, oh yeah, no, the advisor said so that's a shame. I mean, I'm guessing the phones would probably work here, but, you know, their data bills by giving us a free trial would, you know, rack up pretty quickly.
Adam Boileau
Yeah, yeah, probably. And yeah, roaming is also fiddly. There's a whole bunch of extra kind of level of things you have to worry about there. That whole roaming interconnect network. Also a very interesting place to go.
Patrick Gray
Yeah. Anyway, it's just one that I think is interesting. The time is right, as you say. Let's see how they go. But good luck to you at Cape. Moving on. And you know, we've been talking about Chinese espionage. I think there was a real turning point for our understanding of how the whole Chinese IC surveillance apparatus works. You know, big turning point for that was the isoon leaks where we realized that, wow, everybody's broke, nobody likes their jobs. And we got another great piece from Andy Greenberg at Wired here today looking at how people who are working in the surveillance apparatus are like, selling their access to like shady data brokers who then on sell this data to Telegram. This was a, this was a talk at Cyber Walk on as well, where the people doing the talk actually managed to buy information on like Chinese government officials and ransomware crews and whatever. And this made me think like, geez, what an opportunity for CIA, nsa, FBI to just go and buy the information on the people they want. This is a huge national security issue for China and it's a, it's a vulnerability that the west would do well to take advantage of, if I'm honest. But it's a fact. Fascinating story all around.
Adam Boileau
Yeah, yeah, it really is. I'm looking forward to actually seeing because the talk I think, happened a few days ago at cyberwarcon, so I haven't seen videos or anything posted. In the end, I'm certainly interested to see it because the previews, you know, are always fun, but, you know, you want to see the actual, the actual thing from the researchers. I was kind of struck by, you know, we've talked a bunch of times about the US data broking ecosystem, where you can buy all sorts of sort of vaguely public data, but sort of aggregated and searchable and so on, and how that kind of provides a force multiplier. And then this is the same thing, but in the Chinese underground, where you've got all these underground sources, data breaches and leaks, and public sources that are scraped. But that also combined with paying government employees to provide search access into their work systems and the isoon leaks illustrated for us and Andy's story Also points out that, you know, at some point some of these people who are, you know, work in these mines make really not very much money at all. And the sorts of money being offered by the people doing this data broking is, you know, like a third of a year's salary a day kind of thing. It's pretty compelling. And I think absolutely that, you know, economic disparity of the Chinese surveillance apparatus is a thing that the west could probably, as you say, take pretty good advantage of because it's one of the, you know, China was absolutely taking advantage of these same kinds of things in the West. So, you know, if we're going to.
Patrick Gray
But this is deeper access. Like this is, this is amazing, you.
Adam Boileau
Know, like more so than just data broken, like this is actually helping yourself to these internal systems. And you know, you think about the amount of grief the FBI got for searching some of its stuff without following entirely following all of its procedures. You know, with the, what's the Pfizer 702 data set, for example, like, imagine just being able to query really very.
Patrick Gray
Little money, 10 bucks a query.
Adam Boileau
Yeah, that by China. And it says Chinese equivalent of that.
Patrick Gray
Yeah, these researchers were from spy cloud. They did say though that some of the brokers, these underground brokers, like they wouldn't let you, you know, get information on sensitive people like, you know, party officials and whatever, but they'd always, you just ask the next one and they'd cough it up. Right. So that's pretty interesting. Looks a little bit different on the US side. John Greek has a report up for the record about a former Verizon employee who's just been sentenced to four years for sharing so called cyber secrets with the Chinese government. So this was a 59 year old IT worker living in Florida by the name of Ping Lee. So I'm guessing he has some sort of connection to China just based off his name. But yeah, he's been supplying all sorts of information to the mss, which is, you know, you think four years. Gee, you got off pretty light there, guy.
Adam Boileau
Yeah, and this is an interesting story because I mean, he'd been at Verizon what, 20 years, I think it said something like that. So quite a long time. And there's no word in the stories that I've seen so far about kind of what his motivations were, whether it was purely financial, whether it was family connections or history, industrial, you know, pressure from the Chinese government. We've seen, you know, all those tactics used by China's intelligence services to, you know, have their diaspora do things for them. But, you know, it's a good reminder that these kind of insider threats, you know, are not just about ransomware, not just about cybercrime. They are very much also a thing that you have to think about from an intelligence lens. One thing was interesting is that he got tasked with looking up information about these Chinese breaches of US telcos. So it kind of. Kind of makes sense, I guess they'd be interested to know what, you know, what their adversary knows about the operations. So, yeah, helpful for them, I suppose, having an insider.
Patrick Gray
Yeah. Now we're going to talk about my favorite story of the week, which just proves Australia is built different. So, of course, Australia and New Zealand were all over the anomaly thing, the investigation. I think here it was called Operation Ironside. And, you know, this was, of course, where the FBI and Australian Federal Police were distributing and selling crime phones to people. But they would send. They would carbon copy every message sent over the network onto a government server. Now, where this gets interesting is the Australian Federal Police, I think we're using, like, computer access warrants to retrieve the material from those servers, which means they didn't. I don't think they actually got telecommunications interception warrants, which are quite hard to get. Right. So they were just like, well, the data is just sitting there on that server. So we just grab it off that server and that's fine. We don't need an interception warrant. So it looks like there's, you know, this has turned into a bit of an avenue of appeal, or it is threatening to turn into a bit of an avenue of appeal. And the way it goes is that, you know, the appeal, someone appealing this could argue that the parliament didn't intend for these laws to be used this way. So the Australian Parliament, the Federal Parliament is passing an entire act of legislation which says this is actually what we intended. Right? So this is just going to seal off an avenue of appeal. I've linked through to the, you know, the homepage about this bill and then the explanatory memoranda and whatnot. But I just think it's real funny where, you know, the sort of people who got caught up in that sting here were very serious criminals, a lot of them quite violent. And, you know, they've got really good lawyers on this. And you can just imagine being that lawyer, saying, aha, we've got an avenue of appeal. We can drag this out for years. And then the Federal Parliament passes a law to clarify, you know, what this, what this act is, how it's supposed to be used, like it's called the Surveillance Legislation Confirmation of Application Bill 2024. I just think this is kind of funny, actually, if I'm honest.
Adam Boileau
Yeah, no, no, that, that is kind of funny. And I guess, you know, it's, it seems strange to have a government that's so like nimble and responsive in a way, you know, looking from, you know, comparing to everybody else's government. So, yeah, I'm a good work Australia. And it'll be interesting to see how this changes any of the cases that are going on that are trying to challenge the, the process that the ANOM system went through to bust them all.
Patrick Gray
So it is, it is funny though that they're, that they're saying, well, we didn't intercept the telecommunications thing, you know, data here. This was just data sitting on a server which happened to have been carbon copied there by the design of the system. But, you know, whatever.
Adam Boileau
Exactly.
Patrick Gray
I don't really feel sorry for the people who are being charged by this thing. Another quick update. Like a day after we recorded and published last week's show, you remember we talked about that. I think it was a New York Times report that said that testimony by witnesses, you know, in a civil suit against the then Attorney general nominee Matt Gates, the New York Times reported that, you know, documents had been hacked. And we said, I don't know, that kind of sounds like someone accessed a file share link. We got a Blue sky post here from Chris Bing that suggests that that is indeed what happened. So it looks like we were right on that.
Adam Boileau
Yeah, apparently there was a file storage platinum called literally file share. No share file share file Share file. That. Yeah, it was one of those, like if you've got the link, you can download the doc. And someone had the link and downloaded the doc. So. Yes, exactly. As it kind of, you know, we had no resourcing on that. It was just kind of like vibes.
Patrick Gray
Yeah, it was vibes, but the vibes were strong. The vibes were good, as it turns out go those vibes. Now we've got one from Joe cox over at 404 Media, which is looking at the way that's money launderers connected to Mexican drug cartels are, you know, using tether, which is a, you know, stable coin, as we all know. It's an interesting write up. Like, it is an interesting write up. And I think it's pretty funny that some of these launderers are still using exchanges and whatnot like Binance. But, you know, it's really good to get this stuff out there and on the record about criminal use of crypto. Because we're just going to, it's gonna, you know, it's already sort of become the standard way for many transnational crime syndicates to move money around. Like, that's, that's not surprising at all. And frankly, a lot of this activity, it doesn't ever need to leave the blockchain. You know, you, you really only need to launder and pull out the money that you want to spend. You know, why not just leave it in the blockchain? And then when you need some money, it looks like some of these Mexican money changers will buy tether at a discount because they know it's illicit and then they can have a store of it and then, you know, move it along into some launderer who might pay, you know, a certain number of cents on the dollar and whatnot. So this is, this is just a little snapshot of what it looks like. But, you know, crypto has been used for, you know, international payments in large scale drug trafficking for a long time.
Adam Boileau
Yeah, I mean, it's kind of the point of crypto really. There isn't much, there isn't much else to do with crypto other than scam people hodl it or use it for crime. Right. I mean, there's. What other purpose does cryptocurrency really have? The thing that I found really funny in this story though, is that Joe Cox reaches out to like, you know, binance and tether to ask them about it, and they both say, look, cryptocurrency is on the blockchain. It's the most robust against money, you know, against anonymous use of money compared to cash. Because look, all the transactions are there for everybody to see. So therefore we are better than cash. We're better than the other financial systems because of our extensive logging and traceability. It's like. Well, I mean, you say that, but.
Patrick Gray
Yeah, but they're still doing it, aren't they?
Adam Boileau
Your customers are voting with their, you know, with their illicit dollars right there, buddy.
Patrick Gray
They're voting with their digital wallets.
Adam Boileau
Yes, exactly.
Patrick Gray
But, you know, look, my point is you don't need to really launder it until you want to spend it. Like if you're looking to buy a whole truck full of cocaine from Mexico, you can just zap some tether down there. When they need to buy something, they can just zap some tether around. Like it really, you know, you don't need, you know, the whole operation doesn't need to be in cash. You can just run entire arms of these types of syndicates on chain. Right. And I think that's what they're going to do. And that means you can take a bit more, you know, because storing it as a store of value and ready to spend, ready to transmit funds, you know, you don't need to launder it at that point if you're, if you're, you know, doing self hosted in particular. Right. So I just find all of that pretty interesting. And it's. Yeah, it's well and truly. I mean I spoke to people like I knew one guy who was kind of involved at a pretty low level in the drug business. The reason I can speak about it now is he is dead and drugs killed him. But you know, speaking to one of his friends and I mean this is like 11 years ago and they were all over Bitcoin for doing international payments and whatnot. So yeah, this is very much not new. And I think, yeah, some of the stories that are yet to come out on this will blow people's minds. Now, speaking of lots of money, we're going to talk about Palo Alto Networks. So Palo Alto is doing earnings calls and it's all backslaps and high fives because they're doing platformization deals apparently, according to this reporting from cybersecurity dive. And this makes us unhappy. You know, this is a company that is now worth US$129 billion. Its share price has 4x over the last five years. And you look at the other story about Palo Alto that we've got in our run sheet, and it's about Shadow server spotting 2000 Palo Alto Networks out there. They found artifacts on them that suggest that they'd been compromised.
Adam Boileau
Yeah. You know the firewalls with the bug that we talked about, what last week, the Auth bypass privesque like super dumb bug. And, and they're all owned.
Patrick Gray
And they're all owned. And these guys are laughing all the way to the bank. When will the wicked be punished? Adam?
Adam Boileau
That's a great question. We are very much here for the wicked being punished on this show. And oh, pan. I mean that bug last week was just so dumb. And then like the process by which it was, you know, like it was sold on a, on a crime forum or underground forum somewhere, you know, as zero day without Palo knowing the details of the bug. And then they were kind of like offering weaselly advice and then, you know, the, I mean, okay, yes, it's in the management interface. Yes, you shouldn't put the management interface on the Internet. And they told the customers not to do that, but it's just like the whole process of this did not fill me with confidence. And then when we saw the actual bug itself, you just want to smack yourself in the head. So it's particularly galling to then see them, as you say, like, laughing it up, yakking it up on their earnings calls.
Patrick Gray
Yeah. And they're disputing Shadow Service findings here as well, which I think I know whose side I'm on with that.
Adam Boileau
Well, exactly. Yeah. I think Palo Alto Network said, while we can't confirm the exact number of customers that got wrecked, I can tell you it's a smaller number than the one that Shadow Server says.
Patrick Gray
By how many? By two, by 100. Like, they don't say.
Adam Boileau
Yeah, they've certainly lost the, you know, the benefit of the doubt there when you come out and, you know, Shadow Server is a bunch of volunteers and, you know, they're not always right, but Shadow Server is absolutely working in the best interests of the Internet. And Palo Alto.
Patrick Gray
Probably not what sticks in my craw about companies like Palo Alto and Fortinet, you know, which is another tens of billions of dollars, you know, company. I mean, look, Palo Alto could issue a bunch of new shares and raise half a billion dollars tomorrow and go spend that on fixing this stuff. They could announce their bold plan to stop this sort of stuff happening, and they just haven't. They're just not interested because, hey, we got good stuff to say on the earnings call. It drives me nuts. It's everything that's wrong with this industry, I'm sorry to say. And, you know, we're lucky we get to be selective with our sponsors on this show, which is why we don't do business with companies like that. And, you know, it just.
Adam Boileau
So.
Patrick Gray
Yeah. Anyway, consider them told.
Adam Boileau
Yeah, exactly. Big old risky biz, middle finger to Palo Alto Networks and Fortinet.
Patrick Gray
Don't forget about Fortinet.
Adam Boileau
We'll never forget about Fortinet on this show.
Patrick Gray
Yeah. And another interesting thing, I had that discussion with the Sophos CISO way back when. One thing that was interesting there is, I was saying to him, like, you know, why aren't you putting better controls on those management interfaces? Like, because we've got this entire other path for people to manage our devices via the, like, Sophos cloud service thing. And it's like the people who don't use that, who are, who are getting rinsed and we tell them, don't do this, don't put it on the. You know, I still think they need to Figure something out in terms of making that start making that stuff safer for the people who absolutely insist on putting it out there. But at least those guys are thinking about things. They're doing some interesting hack backs against, you know, people targeting their devices. You just don't hear much from Panel Fortinet. And I know there's very good people at both of those companies, but they need to be empowered. It's just not good enough. Now it's a love story. It's a beautiful love story. This next story that we're going to talk about because you know, we've talked many times about the security researchers at Qualys and about how much you love their Linux security research. And it turns out, Adam, the feeling is mutual. You're all going to need to get a rune because at the end of the advisory we're discussing today, we actually have a shout out to you which is we also thank Adam Boileau, Metalstorm and Rodrigo Branco, who is BS Damon, for their very kind words about our work. They mean the world to us. So there you go.
Adam Boileau
Well, I'm glad that they have heard the nice things we've had to say because no one seems to know who it is at Qualys that does this amazing old school, beautiful research and I'm glad they are at least listening to us. So hats off to you as always. And this one is straight out of their regular playbook. This is a set of bugs in a service called Need Restart, which is a component of Linux systems I think primarily Ubuntu maybe that kind of figures out after you've installed some software upgrades which running processes could do with a restart to pick up those updates. And they found some bugs in this process that lead to local privilege excavation. And the nature of those bugs is just warms my heart like these are exactly the sort of bugs that I love and that I have dug up and used in many Unix boxes over the years. So things like if this tool wants to figure out if a Python process is running, a Python interpreter is running and it uses some libraries that got patched, it needs to go nose into that Python runtime and kind of figure out what it's using. And it does that bylaws by running the Python binary and querying what libraries are are installed and you can. The bugs mostly revolve around tricking the privileged need restart process into running an attacker controlled or attacker influenced Python or Perl or Ruby or whatever else scripting language environment. And it's just a beautiful set of research and the sort of bug. That is exactly what you want in a local privilege because there's no memory corruptions, nothing unreliable. It's just straight up. Please run code that I provided in a privileged context. Thank you very much. So solid chef kiss work.
Patrick Gray
There you go. So everybody's happy there. That's wonderful. I hope they're still listening. Shout out to you now. One thing I want to address really quickly is we were actually mentioned in a Reporters Without Borders write up on this whole shambles involving the Reuters coverage of an Indian spyware firm. Now of course this is involved a company called Appen. The founder of Appen sued Reuters, somehow got an injunction in a court in India. So Reuters had to pull down the story. Where we got involved is my colleague, our colleague Tom Uren had written up a short analysis of the Reuters article and Tom's work, his newsletter is actually syndicated by Lawfare, so it was published to Lawfare's website. Lawfare got a legal threat demanding that we take it down. I mean, all we really did was link to the Reuters story. We didn't even mention the founder, we didn't mention the company. But they came in with this extremely aggressive legal threat and this was after, of course, the Reuters story had already been removed. Now from our perspective, so the reason I'm mentioning this is Reporters Without Borders cite us as a outlet that basically pulled down our content in anticipation of intimidation. And I don't think that's quite accurate. And they also said we didn't give a reason, so there was the intimidation to Lawfare. So they were the ones who actually received the takedown request from the solicitors in that case. But you know, it was based off our content so they were obviously going to come for us next. Now, the reason we took it down had less to do actually with the intimidation and more to do with the fact that what we had published was the was an analysis of an article that was no longer published. So it was sort of difficult when we hadn't done any of the primary news gathering or and you know, verified any facts or whatever. And a court in India had said that that story needed to be nuked off the Internet. And Reuters lawyers themselves understood that they had to do that. It was very difficult for us to then leave that online. So we just thought we'll take it down, we'll wait for the Reuters story to eventually get restored, which it has been, and then we'll put it back. We haven't put it back yet, but we will. But yeah. So I don't think it was Fair to us to say that, you know, we just pulled it down in anticipation of intimidation. There had been intimidation, but ultimately the call to remove it had more to do with the fact that you can't let an analysis of an article stand when the masthead that's published that article has then pulled it down. It was just one of those situations. So just wanted to get that out there on the podcast. And the last thing I want to mention too is that we have all joined bluesky and we can all be found on bluesky. I'm just Patrick Risky Biz because you got domain validated usernames over there. You are Metalstorm, M E T L S T O R M Tom is Tom Risky Biz and Catalyn is Campus Cody Risky Biz. And I gotta say, I am quite enjoying being on a Twitter like platform without the, you know, crazy racism, violence, and also just the copious volume of filler content that you find on X these days. So, you know, it's sort of like Blue sky is giving me, you know, Twitter eight years ago vibes. How about you?
Adam Boileau
Yeah, yeah. I mean, I've only just joined up because I kind of had resettled over on Mastodon with the other nerds. But it is weird how much it feels like Twitter and there are people who basically haven't really been in social media contact with, you know, since I moved over to Mastodon that are just there on Blue sky doing exactly the same things that they were, you know, kind of before Twitter fell apart as well. So it's kind of, it's, it's kind of. It's weirdly familiar. Even the color scheme is weirdly familiar. So, like, I'm cautiously optimistic about it. Like, it just, it feels like old Twitter and, you know, old Twitter had its moments, you know.
Patrick Gray
So, yeah, it did. It did. Everybody climb aboard. I didn't realize how reluctant I'd become to, you know, posting on X. I mean, I still was every now and then, but it just didn't, I didn't.
Adam Boileau
Enjoy, you know, it feels dirty every time you go to there. You feel like you've got ick on you and you have to go have a shower afterwards.
Patrick Gray
Yeah, I mean, I haven't posted on there in a couple of weeks and it feels good, man. It feels good. I mean, I still fire it up, check to see because there's still some stuff there that you're not going to get elsewhere. You know, I might post the occasional post, you know, linking to work that we've done or whatever. But apart from that, like, you know, for the fun posting. I posted a clippy meme the other day, a pretty dark one. That was cool. You saw that?
Adam Boileau
I did see your dank memes, Pat.
Patrick Gray
Yeah, yeah, yeah. So I'm back into, I'm, you know, I've rediscovered my love of posting. So see you all over there. But Adam, that is actually it for the week's news. Thank you so much for joining me as always, and I look forward to doing it all again next week.
Adam Boileau
Yeah, thanks so much, Pat. I will talk to you then.
Patrick Gray
It is time for this week's sponsor interview now with Matt Muller over at Tynes. And you know, Tynes of course, make a terrific automation platform. And they were puzzled somewhat by a statement from Gartner along the lines of saw, which is, you know, security orchestration, automation and response. SOAR is dead, which is a very odd thing to say given that large language model technology is just breathing all sorts of new life into that category. So a big part of this interview is Matt and I trying to divine and analyze and kind of understand what on earth Gartner was talking about there and why they're wrong, basically. So here is Matt Muller from Tynes. Enjoy.
Matt Muller
Gartner said that SOAR is dead, which I think is a pretty spicy take for Gartner. And you know, this may be a weird thing to say for somebody who actually works at a next gen security automation company, but like, I couldn't disagree more. I don't think SOAR is dead.
Patrick Gray
No, I mean, I think it's a bizarre thing to say. Like we're on the cusp of the AI age and one of the big things that AI is going to be really good at is automation. So it seems a strange thing for an analyst firm to come out and say that automation's dead. But what exactly did they say, Matt? I mean, why don't we start there?
Matt Muller
Yeah, I mean, I think the general gist was that SOAR was a category that sort of never got off the ground. And now what we're sort of seeing generally, if you look at some of the marketing terminology, is that the next generation here is hyper automation and autonomous soc and fun terms like these. But if you look at what SOAR actually stands for, it's just security orchestration, automation and response automation is still a very big thing that is still happening across a lot of companies, last time I checked.
Patrick Gray
Yeah. So this is typical analysts being analysts. Right. So they're not saying that the concept of doing orchestration and automation is dead, they're just Saying, as you know, that category as it existed previously is dead. Is that kind of where they're coming from?
Matt Muller
Yeah, I mean, they said, you know, soar is dead. The category is dead. Now the new thing is hyper automation. And so, you know, I actually googled what is hyper automation and the first search result, you know, brought me to the IBM website and I actually have a direct quote which is hyper automation is the concept of automating everything in an organization that can be automated. The difference between automation and hyper automation is often unclear. I'm like, are you serious? Like this hyper automation, it's often unclear, right? Like this is the thing that is replacing automation is just more automation.
Patrick Gray
Yes, yes, it's the same thing, but faster and more of it. So, okay, thanks for the, thanks for the clarification on what they said. So, I mean, it's probably a good thing to point out here that Tynes is at the moment really embracing stuff like LLMs to drive simple decisions for automation purposes. Like we had your founder on a demo recently showing off your chat service where you can just ask computer to go and do computer things, which was pretty cool. I mean, how is that all unfolding at the moment? What's the competitive environment for that looking like? Are there more and more companies doing this? I guess I'm just asking for your sense of like, uptake, development, innovation. Like, how's this space evolving now that AI has come into the mix?
Matt Muller
Yeah, I mean, I think evolution is definitely the right word for it. And what we're finding generally is that the toolbox of tools that's available to security practitioners is just growing. Right. AI isn't necessarily displacing traditional automation, it's supplementing it. And when you start to see these combinations of human plus deterministic automation plus probabilistic AI that can sort of act as a human analyst that never gets tired. Now all of a sudden you start to see these really cool combinations of things that people can then go automate. So there is a difference compared to what people may have perceived as legacy soar. I don't disagree that the category is evolving, But I think AI and LLMs and all these tools are just part of that natural evolution of automation.
Patrick Gray
Yeah, I 100% agree. Right. So I work with a company that does some automation stuff around detection and they haven't tried to rebuild the detection stack. Right. Because that would be pointless. What they're trying to do is instrument your existing detection stack and apply some basic AI decision making to fairly predictable sequences of events, which is what you're mostly doing in the SoC, and I think you're sort of saying the same thing, which is it's not about rebuilding security and IT tooling, it's about figuring out how to get some of that basic decision making involved so that people can do the stuff that people are good at. I mean, that's. That seems about right.
Matt Muller
Yeah, yeah, absolutely. And I think there's sort of an interesting analogy to just the overall evolution of compute generally. Despite my youthful good looks, I have actually racked and imaged a server, right. Like this is in the bad old days when that was all you could do in order to bring a website online. And then of course we saw virtualization and we saw the first generation of cloud platforms and then we saw serverless. And if you saw a VP of engineering say, well, serverless is the hot new thing we have to ditch, EC2 is dead. Right? The only thing left is lambda. You'd have looked at them with a little bit of confusion, I think, because really strong engineering teams understand that there's a time and a place for each of these different pieces of tooling and it's how you combine them that actually provides value. And so from an automation perspective, being able to have AI, you know, maybe make a prediction for you, but then call a deterministic workflow in response. Right. That blend I think is very, very powerful and one that if you just said, hey, only AI, right, I think you'd run into a little bit of disappointment.
Patrick Gray
Now there's two ways that I know you're using AI. So there's the chat service thing, which as I mentioned, we demoed with Owen. But there's also you've got like an automation action in your normal times, automations, which is now LLM driven. So you could throw like a bit of data and a prompt at it and you know, take the response and do things with it. I guess one thing I'm curious about is that's actually been around for a while now. Where are people most applying that, you know, and what are they asking you? Because I'd imagine there's some things they want to do that doesn't quite work. And they would be asking you like, can you make some changes here so that we can get this thing to work? Like where are people most clamoring for more automation, sort of AI driven automation? Because I can't actually think of a better vendor to answer that question, to be honest, given that you're just a Swiss army automation company.
Matt Muller
Yeah, I mean we are always just perpetually Surprised and delighted by what our customers actually do with the tools that we build. I think one of the most common use cases that we see, particularly for AI within a workflow, is what we call our automatic transformation mode. If you've ever had to move data from one format into another, there can be a lot of painstaking looking up the different data formats and all that sort of stuff. And so when we say, hey, automatically transform this, take this input output a JSON blob that has maybe these three fields in it. And by the way, the AI is not actually trying to do that in real time. The AI is generating Python. And so your deterministic Python transformation is what actually runs. But like, I didn't have to figure out how to write that Python, the AI did it for me. Right. And I can validate that the outputs are what I expect. And so that's a use case that we just see getting, you know, pretty massive traction across the board, you know, because, yeah, data transformation, moving stuff from one system into another, everyone has to do it and it's everyone's least favorite task.
Patrick Gray
Well, and it's time consuming too, because it's just, it's a pain, it's a pain in the. You know what.
Matt Muller
Exactly, exactly. We also have a more traditional just prompt the LLM and see what output it provides. And one of the use cases that I think it's been pretty applicable for is around understanding the intent of everything from I need help from the security team and maybe you have that being routed to one of five different parts of your security organization and people can ask questions in very slightly different ways. The LLMs are really good at interpreting that nuance and rules based. Click this dropdown to get this exact help from the security team. Not so useful processing and categorizing phishing emails. So where it comes to just this, hey, interpret this data for me and help route it to something based on your classification of it. Super prominent LLM use case for us.
Patrick Gray
So when Gartner talks about the death of Saw, what are they saying is actually dead here? Because, you know, we've already established they're not saying that orchestration and automation are dead. Are they just saying that the existing solutions that don't use, you know, LLMs and whatever, that that's the thing that's dead. And if so, why have those solutions not succeeded? Because I think it's actually fair to say that as a category, it didn't quite go where people hoped it would, particularly the people who own those companies. Right. It didn't it didn't quite take over the world in the way that per people thought it would. But what did they mean really?
Matt Muller
Yeah, I mean, I think that's a fair take. And you know, if you look at some of the things that, you know, next Gen Soar has learned from, you know, what I would sort of classify as legacy Soar, which, which might be the actual thing that Gartner is declaring dead. You know, I think the number one thing that we've all learned is that people want to automate use cases that are far and beyond whatever you as a vendor can imagine. And so if your Soar platform is, you know, tightly coupled to a SIM or is only using pre built integrations, you're going to have a really hard time being successful automating with that.
Patrick Gray
That's okay. They usually come with an integrations builder that you only would need to study for four years to get it to do anything useful. Right. Just here, learn this or learn this scripting language.
Matt Muller
I think the other mistake that they made was focusing only on the society. And like, don't get me wrong, the SOC team is probably one of the most overworked parts of any security organization. Alert fatigue and analyst burnout and all those sorts of things. But one of the things that we've learned is that there's a huge appetite for automation beyond just the SOC team and that the SOC team actually benefits when say the IT organization is using the same platform as they are because it has to deal with resetting passwords. Right. And provisioning and deprovisioning user accounts. You don't have to build that automation yourself.
Adam Boileau
Right.
Matt Muller
You can leverage, you know, IT built the password reset flow because people forget passwords. Awesome. I can also use that in my incident response workflow if I see a compromised user. Right. There's actually network benefits from getting more and more teams using the same automation platform, which again, I think it involves, you know, being a little bit more neutral about, you know, where, where and when you integrate into all these other platforms.
Patrick Gray
Yeah, I mean, I think the difference is, right, like Saw previously was like we build a platform that does the thing. And I think this newer approach is we build an engine that tells the stuff you've already got what to do. Right. I think that's probably one of the core differences.
Matt Muller
Yeah, absolutely. And I think at the end of the day where I see this as an evolution is one thing still holds true. If you have a bad process and you automate it, that doesn't make the process better. Right. It just means you Get a bad outcome more frequently. And so I think people that are looking, whether it's traditional soar next gen, soar, whatever you want to call it, if you just sort of go in saying, well, we bought the platform, therefore our problems are solved again, I think you're going to be a little bit disappointed.
Patrick Gray
So look, you've described some of the run of the mill use cases here, like transforming data from one format to another, getting stuff to put into a nice tidy JSON blob that can be ingested over here and, and whatnot. What is. And phishing is a huge one. I was expecting you to say that one first actually. But what are some of the. I'm sure there would have been a couple of exotic use cases that have popped up by now. I'm just curious what they've been and stuff that like maybe one or two customers have done where you thought, geez, everyone should be doing this. Can you think of any of them off the top of your head?
Matt Muller
I mean, I think in general, you know, tying things maybe back a little bit to workbench here is, you know, the way we've seen people using LLMs is as a tool for iteration, right. And like having that workbench conversation. We actually recently added the capability of turning a workbench conversation into an actual deterministic workflow. And you know, I think some of the use cases that we've seen coming out of that, right. Like hey, I don't. I literally, you know, I honestly think that some of the boring use cases that come out of this end up being the most fascinating. Because when a tool is boring, it means it's actually useful for your day to day job. Right?
Patrick Gray
It means it's boring for the robots, not for us.
Matt Muller
Exactly, exactly.
Patrick Gray
Let the machines do it.
Matt Muller
Yeah. And so the ability to empower people that again, have maybe never interacted with the AWS command line before are now able to do incident response in aws. Right? Because the AI is helping them generate those commands and then you can turn that into a workflow, right, that your senior analysts can validate for you, that it's doing what you actually expect it's going to do and we'll do it every time. So I think to me, just seeing the ability to unlock that ability to go from like, hey, I have an automation idea to I actually have something that is like validated, tested and in production without sort of like background, deep background knowledge of that system, that to me is the coolest thing. And we just see it applied across so many different tools.
Patrick Gray
All right, Matt Muller, thank you so much for joining us for that conversation. All really interesting, interesting stuff. And yeah, I can't wait for the the, you know, tines all singing, all dancing, robot army to take over the boring work. That sounds great.
Matt Muller
Likewise. Thanks so much, Patrick.
Patrick Gray
That was Matt Muller there from Tynes, and they do all sorts of awesome automation stuff and they're plugging AI into their tools in a not insane way, which is really cool. And you can find them at times. T I n e s.com and that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more Risky Business for you all. But until then, I've been Patrick Gray. Thanks for listening.
Risky Business Podcast #772: Salt Typhoon is Truly a National Security Disaster
Release Date: November 27, 2024
Host: Patrick Gray
Guest: Adam Boileau
In the latest episode of Risky Business, host Patrick Gray and guest Adam Boileau delve into a week’s worth of critical information security news. They kick off the discussion by addressing a correction regarding Jen Easterly's departure from SISA, highlighting the complexities of U.S. political appointments and resignations.
The episode quickly shifts focus to a significant ransomware attack targeting Blue Yonder, a multinational company providing supply chain and HR management services. Patrick admits, “...what do we have here? A major, significant ransomware attack which is affecting a company called Blue Yonder” (02:48). Adam elaborates on the severity, noting the lack of detailed information but emphasizing the widespread impact: “It sounds like, yeah, they have been wrecked... it’s probably bad, we don’t know much” (03:43).
Patrick highlights the operational disruptions faced by Blue Yonder’s clients, such as Starbucks reverting to manual processes for timesheets. The vague updates from Blue Yonder, including phrases like “steady progress” and the absence of a restoration timeline, suggest ongoing negotiations with attackers.
Adam introduces a report from Andy Greenberg at Wired about APT28's innovative use of Wi-Fi to transition between networks, targeting U.S. entities. Patrick finds the incident intriguing, noting its resemblance to known Red Team engagement strategies: “...it’s not something that you see often in public sort of incident reports” (09:11). Adam concurs, pointing out the sophisticated nature of such attacks and their implications for national security.
The core of the episode centers on the Salt Typhoon incident, described as a national security disaster. Multiple reports from credible sources like The New York Times and The Washington Post indicate that Chinese attackers targeted FBI surveillance data, risking the exposure of sensitive sources. Patrick raises concerns about the antiquated and insecure networking equipment used by telcos, which facilitated the breach: “...these networks are just ancient and they’re not properly secured” (11:38).
Adam shares his extensive experience with telco networks, emphasizing their vulnerability due to outdated infrastructure: “Telco networks are a wonderland for attackers because there is so much super old gear” (13:50). The discussion underscores the urgent need for policymakers to address the security shortcomings of critical infrastructure.
Patrick discusses a Wired story about Chinese surveillance employees selling access to sensitive data brokers. He reflects on the implications for Western intelligence agencies: “It’s a huge national security issue for China and it’s a vulnerability that the west would do well to take advantage of” (22:31). Adam adds that economic disparities within Chinese intelligence operations make such insider threats particularly exploitable: “...economic disparity of the Chinese surveillance apparatus is a thing that the west could probably take advantage of” (24:03).
The podcast touches on the sentencing of Ping Lee, a former Verizon employee, for sharing cyber secrets with the Chinese government. Patrick critiques the relatively light sentence, “...four years. Gee, you got off pretty light there, guy” (25:24). The conversation highlights the broader issue of insider threats in intelligence and corporate sectors.
Patrick narrates Operation Ironside, an investigation involving the FBI and Australian Federal Police distributing fake crime phones. Legal battles ensue over the methods used to intercept communications, leading to the Australian Parliament passing the Surveillance Legislation Confirmation of Application Bill 2024. Adam remarks on Australia’s swift legislative response, “It’s, it seems strange to have a government that is so nimble and responsive” (28:30), showcasing a unique aspect of Australian law enforcement.
Joe Cox from 404 Media discusses how Mexican drug cartels utilize Tether, a stablecoin, for money laundering. Patrick explains the process: “...they can have a store of it and then move it along into some launderer who might pay... some of these Mexican money changers will buy tether at a discount” (31:36). Adam is critical of cryptocurrency exchanges' responses, sarcastically noting their claims of blockchain transparency: “...your customers are voting with their illicit dollars right there, buddy” (32:21).
A concerning development involves Palo Alto Networks, a leading cybersecurity firm, being compromised. Shadowserver identified thousands of affected devices, though Palo Alto disputes these findings. Patrick expresses frustration: “They’re laughing all the way to the bank. When will the wicked be punished?” (34:35). Adam echoes the sentiment, criticizing Palo Alto’s handling of the breach and their public relations stance: “...Shadow Server is absolutely working in the best interests of the Internet” (35:43).
Patrick and Adam take a moment to commend the security researchers at Qualys for their exemplary Linux security research. Adam appreciates the acknowledgment: “Well, I’m glad that they have heard the nice things we’ve had to say...” (38:41), highlighting the importance of collaborative efforts in cybersecurity.
The podcast addresses a situation where Reporters Without Borders cited Risky Business for an alleged content takedown related to a Reuters article on an Indian spyware firm. Patrick clarifies the circumstances, explaining that legal pressures from a court order led to the removal of their analysis: “...we thought we’d take it down... we just thought we’d take it down” (28:30). The discussion underscores challenges faced by media outlets in reporting under legal constraints.
Patrick shares his experience transitioning to BlueSky, praising it for a more positive community compared to X (formerly Twitter). Adam provides his perspective, having moved to Mastodon but cautiously optimistic about BlueSky's environment: “It’s just like old Twitter and, you know, old Twitter had its moments” (44:01). Both hosts express relief at escaping the toxicity prevalent on mainstream platforms.
Concluding the episode, Patrick interviews Matt Muller from Tynes about Gartner’s provocative statement declaring that SOAR (Security Orchestration, Automation, and Response) is dead. Matt refutes this, arguing that automation is evolving rather than obsolete: “AI isn’t necessarily displacing traditional automation, it’s supplementing it” (47:04). They discuss how Tynes integrates AI and Large Language Models (LLMs) to enhance automation capabilities, emphasizing the synergy between deterministic processes and probabilistic AI decision-making.
Matt highlights innovative use cases such as automatic data transformation and intent understanding for routing security requests, demonstrating the practical advancements in security automation: “We actually recently added the capability of turning a workbench conversation into an actual deterministic workflow” (59:24).
Patrick appreciates Tynes' approach, envisioning a future where AI-driven automation handles mundane tasks, allowing security professionals to focus on more critical issues: “...the awesome part is seeing the ability to go from like, hey, I have an automation idea to I actually have something that is like validated, tested and in production” (60:05).
Patrick Gray wraps up the episode by reiterating the importance of embracing evolving automation technologies in cybersecurity, while critiquing Gartner's misinterpretation of SOAR's relevance. The discussion offers valuable insights into contemporary security challenges, ranging from ransomware and espionage to the ethical implications of automation in the industry.
Notable Quotes:
Patrick Gray: “We're talking about a major, significant ransomware attack which is affecting a company called Blue Yonder” (02:48).
Adam Boileau: “Telco networks are a wonderland for attackers because there is so much super old gear” (13:50).
Patrick Gray: “They’re laughing all the way to the bank. When will the wicked be punished?” (34:35).
Matt Muller (Tynes): “AI isn’t necessarily displacing traditional automation, it’s supplementing it” (47:04).
Matt Muller (Tynes): “We actually recently added the capability of turning a workbench conversation into an actual deterministic workflow” (59:24).
This comprehensive summary captures the essence of Risky Business episode #772, providing listeners with an in-depth overview of critical security issues discussed by Patrick Gray and Adam Boileau.