Risky Business #774 -- Cleo file transfer appliances under widespread attack

Patrick Gray

Hi, everyone and welcome to another edition of the Risky Business Podcast. My name's Patrick Gray. This is our second last show for the year. We will be shutting down from around December 20th and everybody's taken a month off. So that is going to be pretty nice. But we've got a great show to get through today with my co host, Adam Boileau. And we'll be talking about the news in just a moment. This week's show is brought to you by THINKST Canary. And we are joined by Jacob Torrey from thinkst. And we're going to be talking about. About defending off the land. Like we like to talk about how attackers can live off the land, but how can you defend off the land? And you know, they've got, as usual, because it's things, they got some pretty good ideas. And we'll be talking through that with Jacob a little bit later on. But let's get into the news now, Adam. And to kick it off, I mean, here we go again with the file transfer appliances.

Adam Boileau

Yes, there are some bugs in the wild are being exploited in a product called by a company called Clio. And they have a number of files file transfer like products that they have sold. They had some kind of security issue with the product which they patched I think back in October. But it turns out the patch is incomplete and some people have found a variant of it that works and we're seeing it being used in the wild. Huntress have a write up of the bug itself, which basically is a unauth file upload that you can then leverage into command exec by uploading a particular kind of crafted file to a certain place that gets processed by the platform itself as like. I think it's like some kind of health check thing where basically you could run commands. So yeah, we've seen this being used. There is some scuttlebutt that perhaps blew yonder. The company, the supply chain company that got themselves ransomware a couple of weeks ago. Now they may have had an instance of this out on the Internet. We don't know whether that's the cause of it, but. Interesting. Interesting nevertheless.

Patrick Gray

Yes. And security scorecard or whatever didn't pick that up. Crazy. They didn't know about the oday in the thing, you know, but yeah, we're not really sure if. So it looks like Termite. You know, I'd mentioned it last week that I'd heard that it was Termite, the Termite ransomware crew. And it looks like they're a double extortion crew. They steal data and Extort it. And they also drop malware from, from what I can gather. So yeah, this, this all kind of tracks. So kind of not clear if you're going to use a bug like this as a point of entry to then onwards, deploy malware. But it sounds like they do both. So whatever, a bug is a bug for them. And as we know from all of the other clop style intrusions into file transfer appliances, this can be a pretty good business on its own. It's funny that the three products here are Clio Harmony, Clio Vltrader and Clio Lexicom, which are just odd names for file transfer appliance. Clio Harmony sounds like something you find in a pharmacy for women.

Adam Boileau

Yeah, yeah. I had never actually heard of this company before, but I believe they are. They're an American company that was in the like mainframe integration space for quite a long time and they built products that did, you know, gluing your mainframe to your other systems kind of thing. And some of the other file transfer products have come out of similar lineage. So you know, they've all, they all seem to have great bugs in them. So I don't know what it is about this particular product category that just lends itself to, you know, old fairly brittle ghetto engineering so well.

Patrick Gray

But I mean, you know, the mechanics of this bug, as you said, it's like, you know, it's because there's parsers everywhere and stuff like this, right. And they're not going to get the same level of QA as the actual parsers from the company that make the software. You know, like if it's parsing a PDF, it's not going to do like Adobe has a hard enough time doing that in a secure manner. Right. So you can't expect, you know, some library written by these guys to do it.

Adam Boileau

I mean I read all of Excelon's, you know, file rendering and parsing code and boy, oh boy, that was a trash heap. So.

Patrick Gray

Yeah, exactly, exactly. So yeah, so Termite off to the races with this. And I think what you had a look at Shodan and there's something like 1500 of these things out there. Is that right?

Adam Boileau

Yeah, kind of 1300 ish was the number that, you know, a fairly naive Shodan search turned up. But you know, that's, I don't know that there were that many, you know, go anywhere mfts on the Internet and that still turned into a pretty big deal. So yeah, I imagine it's a target rich environment enough.

Patrick Gray

Yeah. So move it Go anywhere. Mft. There was another one, I think, and now this one.

Adam Boileau

So yeah, Sellon ones, of course, they were the granddaddy of file transfer bugs. Yeah, there's the IBM product, whatever that was called. Yeah, name, name escapes me at the moment. But also big in financial industries. So yeah, a bunch of them.

Patrick Gray

Yeah. And this sort of signals that Termite has arrived as the new kid on the block of ransomware and data extortion. And I'm curious to see, you know, like I've mentioned this earlier, I'm curious to see how that's going to shake out because we haven't seen much action from like a big crew since the lockbit takedown. And I wonder if the five eyes agencies that are doing stuff about this are able to respond in a timely manner, let's just put it that way. And I, you know, you hear through the grapevine that they're having some success actually in their counter ransomware operations. So let's see what happens to said leak site. You know, I mean if they're going to move to disrupt, like now is a good time. Guess is what I'm going to.

Adam Boileau

Yeah. Best of luck to the Termite peeps because you're going to need it.

Patrick Gray

Yeah. And happy hunting to all our friends in windowless offices. Now look, staying on something kind of related, like we did see a massive amount of data theft out of Snowflake instances. What that was this year, wasn't it? With the Snowflake stuff? It was. And now it looks like Snowflake is just phasing out like non MFA auth into Snowflake tenants. This is interesting because there was so much detail missing from that whole Snowflake story. Right. Because it was an info stealer that grabbed by the looks of things, cred pairs. But I thought there was also discussion that it grabbed like you know, tokens as well. But I, yeah, I don't know. But I'm guessing if Snowflake is moving to block non MFA authentication that it probably was compromised usernames and passwords and people were actually just going straight in through a browser, which is, yeah, kind of nuts. Although I think there are command line tools as well that you can use username and pass. Either way, I'll stop prattling on. Snowflake is crushing like non MFA authentication by late 2025. That's a good thing.

Adam Boileau

Yeah, yeah, they're going to move away from password auth. They're going to keep a single factor where it's robust. So things like certificate pairs, you know, private Public private, key auth and also like federated auth. So if you've got, you know, a SAML or some other kind of SSO integration, then that will still keep working and assume that you've kind of done your own MFA at that point. But yeah, getting rid of password auth is the plan. And then they're going to provide, I guess, guidance and more robust mechanisms for non human authentication flows. Because that's the other hard bit of credential theft is we still need to have a non multifactor for non human use cases. So they seem to be settling on mechanisms for that.

Patrick Gray

Yeah, and that's why it got a bit muddy in my head and I'm sure someone pinned it down, but I was never entirely clear how these attackers were accessing this data, whether they were using command line tools, whether it was username and password or, you know, some token based off. But whatever, it's. They're moving on and that's good. We got some treasury sanctions to talk about this week. Obviously we have covered, you know, a few times the Sophos, you know, counter apt operation. That was pretty awesome. We had an interview with their CISO about all of that. So, yeah, I mean, for those who aren't familiar with the story, basically Sophos moved to drop implants basically on people who were doing vuln dev or exploit dev for their products in China. And they obtained an awful lot of very juicy intelligence and worked with authorities when they were doing that. And as a result of that, we're seeing indictments and sanctions targeting the Sichuan Silence Information Technology Co. Ltd. And one of its employees, which is Guan Tianfeng. So, yeah, that's where we are. And I think you pointed out though, that this company, Sichuan Silence Information Technology Company, offers some pretty dystopian products.

Adam Boileau

Yeah, they provide vulnerability development and exploit writing services. But the other treasury press release also says they provide, quote, public sentiment suppression products and services, which. That's. That's dystopian.

Patrick Gray

Yeah, yeah, that's sort of. That's one that makes the hairs on the back of the neck stand up a little bit somewhat. But it's good to see a result there and, you know, good. Way to go, Sophos. Yeah.

Adam Boileau

And I mean, I think that other vendors could, well, you know, they could model good behavior for other vendors, I think, which would be nice.

Patrick Gray

Yeah. Well, I think when I spoke to Ross, the CISO at Sophos, he'd already spoken to some of his sort of counterparts at other vendors and they were curious, they were Definitely curious about it. And I think, you know, whether or not they pull the trigger, I don't know. But they were like, oh, you did that? That's interesting.

Adam Boileau

You know, and they get big ups from people for doing it. So, you know, take that on board. Other vendors.

Patrick Gray

Food for thought. Food for thought. We got one here from James Reddick over at the Record, which is another one of these com kids has been arrested or you know, Scattered Spider or whatever you want to call them. Remington Ogletree, a 19 year old resident of Texas and Florida. He's the sixth one to get charged here. I one thing I found very funny reading this is the FBI apparently went to speak to him, I think back in February and he's like, yeah, no, I've got, you know, I know a lot of those Scattered Spider people and sort of talked about them as like how, you know, people that he, he knew. But obviously, you know, avoided implicating himself but then immediately went after the FBI visit to launder a bunch of cash. And the launderer he had chosen was actually like the FBI pretending to be a launderer by the looks of things. So you know, we asked them to mail him 75k in cash in exchan exchange for some cryptocurrency. And you know, they've got him now, so looks like he's in deep doo doo.

Adam Boileau

Indeed. And yeah, I mean he'd been doing it, I think since he was 12.

Patrick Gray

Yeah, I saw that. Yeah. Started sim swapping when he was 12 years old.

Adam Boileau

Yeah, I mean that's a. I mean kids, kids these days. Like I, you know, I'm sure I was not into that when I was 12, but you know.

Patrick Gray

Yeah, yeah, I mean, I think when all of the casino hacks and stuff went down, was that last year, I expected them to be arrested quickly and that turned out to be wrong. But it is all catching up with them.

Adam Boileau

It is finally. Yeah, it's taken, taken a while for the wheels to turn, but they're getting there.

Patrick Gray

Yeah. Another one from the record, this one by Darina Antonio. And we only included this one because there's, there's a funny detail here. Right. So a guy's been arrested in Germany for running like a, you know, drug and an online marketplace for stolen data, drugs and forged documents and like, what did he call it? Crime Network, which is the most German thing you can. Absolutely. You know, what do you call your underground crime, you know, crime website. You call it Crime Network because. Well, that's what it is. It's a network for crime yes, that.

Adam Boileau

Was an amusing detail when we were reading through the. The news, trying to prepare, but yeah, just very Germanic. Very matter of fact. And yeah, now he's off to jail.

Patrick Gray

Yeah. This site had been running since 2012, had 100,000 users and 100 sellers on the platform, and, you know, Bitcoin, Monero, the whole thing. So we've linked through to a write up on that. Now we've got a response from the FCCC to the salt typhoon stuff where the FCC is proposing tying some cybersecurity rules and regulations to Kalea, which is the wiretapping requirements. That's the Communications Assistance for Law Enforcement Act. So this is an interesting idea is they're saying as part of your CALIA compliance, you need to make your networks more secure against foreign adversaries. Well, any adversary being able to intrude upon your network and surveil your subscribers. I've had a look at the release from the FCC and it's all pretty weird generic stuff where it says that they, you know, carriers would need to secure their networks from unlawful access of interception of communications. That actually is accompanied by a proposal that would require communication service providers to submit an annual certification to the FCC attesting that they have created, updated and implemented a cybersecurity risk management plan which would strengthen communications from future cyber attacks. I mean, they're not doing this already.

Adam Boileau

Exactly right. Telcos already take access to that stuff pretty seriously, in my experience.

Patrick Gray

Well, but this isn't just talking about the KALIA gear. This is talking about the network writ large. Right. So, and that's why I find it interesting is they're tying broader requirements and regulations just to the KALIA authority.

Adam Boileau

Yeah, I mean, you know, I guess it makes sense, but surely it already says you have to do a reasonable job of not letting unauthorized people in. Like that's.

Patrick Gray

Well, I don't know that it does say that, Adam, but my point is, like, you would just think the people running the telcos would have a cyber security risk management plan, you know.

Adam Boileau

Exactly. So. And like the problems that telcos have, which we've talked about at length before, you know, one more line saying that they shouldn't be so bad is not going to really help. I mean, maybe in the. Maybe. Maybe overall the response to SALT type room will help telcos up the game a little bit, but it's a. There is a long tail of problems to solve in those environments.

Patrick Gray

Yeah, so that was my immediate thought, which is it's well and good to say, hey, you know, you think you can Work a little harder there. But I don't know that it's. I, and this isn't to say that they shouldn't do this, it's just I would be surprised if this yielded any sort of quick results, you know what I mean?

Adam Boileau

Yeah, yeah, exactly. And the CSRB obviously is going to do their review of, you know, of the salt typhoon situation and come up with a bunch of recognitions. And I'm sure something like this will be, you know, will be part of what they're recommending. But yeah, the problems run pretty deep. So, yeah, needs a bit more than just a couple of sentences of stern language.

Patrick Gray

Yeah, I think so too. And I think the, the. I think it's been, who is it, CISA and the FBI saying, hey, everybody should use over the top services. You know, I think maybe getting telcos to adopt things like rcs, you know, which is a sort of encrypted messaging standard that would replace sms. That's going to be a good thing to do. You know, I discussed this at great length with Chris Krebs when I was down in Sydney last week to record the last episode of Wide World of Cyber for the year. I'm not sure when I'm going to publish that. It might be, it might actually be in January. But big thanks too to all of the, to all of the listeners who came because that was, that was a lot of fun. But yeah, you just sort of think perhaps focusing on moving towards more secure services and away from relying on telcos to be secure. Like, I don't know, that seems a better path out of this than getting the FCC to demand that they come up with cybersecurity risk management plans.

Adam Boileau

Yeah. And I guess ironically, in the lawful intercept bit, which will be hampered by the use of those over the top services, you know, that sort of, you know, is, you know, making it robust so that people can't nick the awful intercept at the same time as telling people to not use communications that can be intercepted by those things. Or we may see overhaul of intercepts to deal with services.

Patrick Gray

I think it's important not to get tied up in the interception equipment bit because that wasn't the stuff that enabled the Salt Typhoon attackers to actually monitor communications. They did not do it through the Kalea stuff, which I think is an indication that perhaps they were scared they would get caught if they did do that.

Adam Boileau

Yeah, I wouldn't be surprised.

Patrick Gray

But yeah, it is still a bit funny directing people to services where interception cannot happen. So. Yeah, I agree. Now, let's talk about Cloudflare abuse. This next piece is about something that is not entirely new, but it seems to have become work a day now. For the last several years, I've been saying that I expected malware crews to start using, you know, TLS 1.3 encrypted client hello in their C2 as a way of avoiding detection. What we're seeing instead is something roughly equivalent but slightly different, which is everybody's using Cloudflare tunnels, which is a way to provision remote access to, like, you know, servers that might be inside your environment. You can create a Cloudflare tunnel and do your remote access that way. Attackers love to use these for C2, and we're seeing that the Russians are using this currently in a campaign targeting Ukraine.

Adam Boileau

Yeah, I think this was a crew based out of Crimea that's been using this. But as you say, anything where you can proxy your connections through a more trusted or more opaque kind of place is really helpful. I mean, Cloudflare in some respects, you know, is the biggest bulletproof hosting provider because you can hide your communications or hide your services or hide your endpoints behind their various services, and there's so much traffic to and from those that it's difficult to, you know, to spot or to block. And also, the impact of messing with stuff that goes to Cloudflare from an availability point of view is very high. So it's a challenging thing for people to respond to. And I know when Cloudflare started providing their tunneling services, you know, that I think we talked about it on the show at the time because there was already kind of signs of it being used for abuse. But, yeah, it makes sense that people would use it because, hey, it works. And domain fronting before it kind of got killed a little bit, and then empowered again with TLS 1.3 and the replacement to ESNI, whatever that's called.

Patrick Gray

Ech. Encrypted client hello?

Adam Boileau

Client hello. Maybe.

Patrick Gray

Yeah, yeah, yeah. So that's the one. So anyway, I just think that's interesting that it's become such a thing and Cloudflare, therefore, it's part of, like, well, you know, when someone reports one of these to us, we crush it. And I don't know, man. You talk to anyone who works in cti, they say Cloudflare is a bit of a pain to deal with and don't really act that much. And it's kind of not the point, is it? If you've got them, you know, waiting on people to report the C2 to you, to crush it. Like, I don't know.

Adam Boileau

Yeah, it's a bit late then.

Patrick Gray

Yes, it is a little bit late then. And that's not the only thing going on with Cloudflare because people are using attackers are using workers.dev and what's the other one? Pages.dev yeah. So they're using them to spin up phishing sites. And of course these are sort of trusted domains. Right. So there's an advantage doing that and that's rife as well. I got a post here from Fortra talking about that.

Adam Boileau

Yeah. And like pages.dev is sort of a general sort of hosting service where you can write content. Workers.dev lets you build out like client side JavaScript that's distributed via the CDNs. And in both cases it's behind Cloudflare, behind their TLS, behind their, you know, very best practice, modern TLS. 1.3 TLS. So, yeah, it's, you know, complicates things for defenders and of course attackers are going to use it.

Patrick Gray

Yeah, yeah. So links to all of that in the show notes. Now let's Talk again about TikTok, where TikTok took a big L in the US courts. They had challenged the law that was passed that, that would demand Tick Tock be divested from bytedance. Interesting thing, interesting detail in all of that is the divestment has to happen before January 19th and Donald Trump's inauguration is what, the 21st. Right. So it's very deliberately a date picked before he can be inaugurated. That said, I mean, Trump has gone back and forth on this before. Previously he wanted to ban it, now he's decided he really doesn't want to. But that's what he said and he might change his mind again, who knows? And even then, like, what can he do? Because this is actually a law. I think, you know, there would probably be a way for him as president to find a way that that law is not enforced or whatever. Like, like, who knows? I think, you know, his opinion on this is, is gonna really be quite pivotal here. But Tick Tock has now filed an emergency motion asking an appeals court to block the law as well. So that the legal fight is, you know, going into hyperdrive at the moment. But there's been another event which is quite relevant here, which is the Romanian elections. Right. So they had a multi, they have a multi round election for president. The first round, in the first round, which was held a couple of weeks ago, a very little known, far right Russia friendly candidate named Kalin Georgescu came out of nowhere to. I think he came into the second spot. Right. The odd thing about that is this guy was all over TikTok and no one could quite figure out why. So I've heard, you know, interviews with Romanians on BBC, like students just saying every second video on their for you page of TikTok was this guy, right, talking to our colleague Catalyn Kimpanu, who is Romanian. He's just like, man, there was. There was something deeply suspect about the extent to which this guy was just all over TikTok. It's like you could not open TikTok without seeing this guy. Well, it turns out that there was some money exchanged as part of this whole, you know, online advertising stuff that violated Romania's election laws. The Romanian Constitutional Court has actually annulled the results of the first round of the presidential election. They're going to rerun the campaign now, depending on who you talk to. You know, this is a terrible violation of the democratic process or entirely appropriate. Right. And it really depends, you know, who. Who you talk to about that. You know, the.

Adam Boileau

The.

Patrick Gray

The Constitutional Court has some ties, you know, is. There's former members of the ruling party, I think, are involved there and whatever. But. But either way, like, this is a very, very big deal. The EU has demanded that TikTok freeze and preserve data involving this because there is going to be an investigation. And meanwhile, we've got some work here from Check first that looks at the role Meta played in this as well, because there was just this absolute deluge of Georgescu content across online platforms. So I think it's interesting that we've got ByteDance in US courts trying to fight this law at the same time where a European country and NATO member has literally annulled its first round of election, you know, its first round of its presidential election, largely because there was a lot of manipulation on TikTok. And, you know, some of this was involving botnets and, you know, accounts that had been dormant for a long time, like lots and lots of accounts that were coming along and boosting this content. So, yeah, intrigue, craziness. You know, anyone who's suspicious might think TikTok dragged their heels on sorting this out. And, you know, does Russia have a hand in this because it's more allied with China? I don't know. But the fact that we're even asking these questions gives you an indication that control over TikTok is actually a big deal.

Adam Boileau

Yeah, I agree with you. This is a really interesting. I was going to say microcosm, and obviously it's not a microcosm. For like, it's not a small thing for Romania, but for the rest of the world, like looking on at this, because I know plenty of people who are on TikTok and for them, you know, they find the platform innocuous and fun, entertaining and kind of light by comparison to, you know, like Facebook is filled with old people and some of the other social networks.

Patrick Gray

Facebook is filled with content, farming, slop. Right. Like, it's just stacked with slop. TikTok is authentic, it's fun. I love TikTok, I am a huge TikTok fan. But if my, if my for you feed were to instantly transform into something where every second video was some fringe right wing lunatic who I'd never heard of being pumped for the Australian election, don't know how I'd feel about it then.

Adam Boileau

Yeah, yeah, yeah, exactly. And like, I guess it's just really interesting seeing a concrete example to point to and I'm the EU's investigation will be super interesting to see where that, where that goes and the situation in America. I mean, you know, on TikTok you already see people starting to prepare for where we're going to go, what's going to happen, what are we going to do on this platform without all the Americans there to make it fun? You know, it's, it is legitimately interesting to see. And one of the things I was thinking about this morning, which is slightly tangential I guess, is in the early days of, you know, really the beginnings of very heavy censorship of the Chinese Internet, one of the things that was interesting was all of the alternate language that cropped up to avoid censorship.

Patrick Gray

Yeah, we've talked about this before and now it's crept into the West. Right. And it's not just tick to the west though, it's not just TikTok because people will use the term unalived instead of murdered or killed, you know, because that like downranks you when they do the, you know, when they do the voice to text and you know, process it in their giant algorithms, they're like, oh, that's sad. We want people to have a good time on this platform, you know?

Adam Boileau

Yeah, yeah, exactly that. It's really interesting when I was thinking back to the, you know, the grass mud horse.

Patrick Gray

Yes.

Adam Boileau

Of early Chinese Internet fame. But yeah, it's interesting seeing that stuff spilling over into the west and now seeing it spill over into, you know, annulling an election in a major European country, like, that's, it's just really interesting and I don't know what's going to happen, like whether TikTok will survive, whether it will become Oracle talk, whether it will, you know, you know, threads or whatever else, whatever the. What's the meta short video thing called? I forget now, there's reels.

Patrick Gray

But that's YouTube. No, no, it's real YouTuber shorts.

Adam Boileau

Oh, yeah. I don't know. I don't know where people are gonna.

Patrick Gray

Go, but they all suck. That's the thing. Like Tick Tock is awesome. It's so funny. Like I love to share ship. Like my Tick Tock faves are like my friends covet my Tick Tock faves because, you know, you can bust them out, send them over because I've got my algo tuned so well, for me, it's, it's very, very funny. But yeah, like the whole.

Adam Boileau

Thanks, China.

Patrick Gray

I mean, this just goes to show, like this stuff is important, you know, and it doesn't even matter if there were shenanigans. The fact that there could have been shenanigans that, you know, the fact that it's entirely plausible that CCP officials leant on TikTok to allow this to happen as a favor to Vladimir Putin. Now, do I think that's what happened? Probably not. Is that a plausible theory? Absolutely. And that underscores the need for this band.

Adam Boileau

Yes. Yeah, I agree completely. Right. It's probably just, you know, kind of regular manipulation as opposed to government directed. But as you say, it absolutely could be.

Patrick Gray

Yeah, yeah, that's right. And meanwhile, there has been. Alexander Martin, for the record, has reported that there's been an attack, a cyber attack on a electricity distributor in Romania. You know, and of course, there's the usual suspicion that this is somehow connected to a broader sort of influence or, you know, influence campaign, or this is the Russians getting, getting one back because they've annulled that election. But there's no evidence there at all. Is this, this is a ransomware one, isn't it?

Adam Boileau

Yeah, this is ransomware. Yeah. So it could absolutely be just regular Covent Garden ransomware. It could be state directed, it could be, you know, patriots, it could be anything. The world is. The world is mad.

Patrick Gray

Yes, it's a mad, mad, mad, mad, mad, mad world. Now look, we sort of went back and forth on whether or not to talk about this one. In this week's show, it's a report from Dan Gooden about a backdoor in a code library that resulted in a crypto theft. Pretty small beer, to be honest, of $155,000. Although I would not complain if someone dropped 155k on me right now. But the reason I wanted to talk about this one is it's just such a great illustration of what supply chain attacks against code libraries look like in this year of our Lord 2024.

Adam Boileau

Yeah, so this was an attack on some like JavaScript plumbing used by the Solana blockchain. So if you wanted to build smart contracts, this was one of the libraries that you would use to do this. And somebody got access to an account that had code commit rights to their repo, shipped a backdoor in it that basically just made a web request out with the private key material that you were using. And this was live for like five hours before it was snapped. And because that ecosystem is so rebuilding everything from source the whole time, very dynamic, very modern, very hip, very DevOps means that you can get supply chain attacks like this into use very, very quickly. And the fact that like, I mean, I looked at the headline, 105k, kind of not exciting by comparison to most crypto attacks, but as you say, 155k in five hours is pretty good return on investment. So, you know, kind of a, you know, there's so many things wrong with cryptocurrency as a, as a, as a thing, but the fact that you can do this and still make such good money so quickly, I mean, it's pretty amazing.

Patrick Gray

Yeah, but I mean, this is just one class of attacker that rolls with this sort of, you know, these sort of ttps. Right. At the moment, we see it mostly targeting crypto theft. It ain't going to stay that way, you know, and I feel like this is a bit of a canary in the coal mine situation.

Adam Boileau

Yeah, I mean, the fact that crypto moves so quickly I think means that you can go from access to code exec pretty quick. Right. Whereas, you know, more traditional software dev environments are a bit slower. You might end up with code exec in a dev environment somewhere. You might get it inside a developer's laptop, but it would take a while for it to get to a place where you could steal the good keys. But in the crypto world, everything moves so quick and the rest of it is also moving in that direction. So as you say, it's a bit of a warning for our over reliance on distributed code infrastructure.

Patrick Gray

Yeah, we got another one here from Dan Gooden at ours, which is looking at a way to subvert AMD's truck trusted execution environment. Talk us through exactly what the researchers did here.

Adam Boileau

Yeah, so this is some research that I think it's out of European academics It's been given the name bad ram, which, you know, of course we have to have names these days. But this is ultimately a really quite cunning attack that's probably not super practical. It's in AMD's. They call it the secure encrypted virtualization, Secure nested paging. And this is the security controls that AMD put in the CPUs to allow encrypted virtual machines to run on hardware that you might not necessarily trust. This is to protect cloud users from cloud operators, which in this case the point of the control is exactly this, right? The people who have physical access to the equipment, equipment shouldn't necessarily be able to immediately, by design, compromise the virtual machines running on their equipment. And that's what this attack allows. So some of the takes we've seen on social media have been like, well, requires physical access. This is dumb. But the whole point of this control.

Patrick Gray

Was to protect you against the people who do have physical access.

Adam Boileau

Right? Right. By encrypting the memory of your virtual machine so that they can't read it from the hypervisor and then to have hardware support to prevent the hypervisor from being able to get access to that memory unencrypted or write to it or whatever else. And this was a bug in the kind of attestation process that you would use to detect it. And the actual mechanism by which they do it is super clever.

Patrick Gray

It is. It's sneaky and cool and simple and I like it.

Adam Boileau

Yeah. So essentially what you do is you modify the RAM chips to over report their size. So they report that they are double the size of what they actually are, that there is an extra address line for the amount of memory on these chips. And then what that means is you've now got two separate addresses that, as far as the memory itself is concerned, are the same thing because it ignores the extra bit in the actual memory chips because they're not connected. So there is a way to have two addresses that refer to the same bit of memory and then you can remap these so that the host cpu, the hypervisor which is untrusted, can use the second copy of the address, which is different, to read and write memory of the guest, thus circumventing the control. And they actually implemented this in the hardware. And they argue that in some cases the memory controllers are kind of software patchable firmware patchable, so that you could do this even without hardware modification. But it's just a really quite clever attack and it doesn't work on Intel's equivalent, but I think in the past might have and then no one's quite sure about ARM yet. So it's actually legitimately interesting research, even if probably not super practical. But it's nowhere near as dumb as people have been making out on infosec socials.

Patrick Gray

Yeah. Now let's talk about some research out of Positive technology. Of course the famous Russian security research firm, they've done some stuff that's like. They've done some research that's a bit like some old research you did. Of course, for those who don't know, Adam developed Windlock pwn which was a DMA based attack against Windows. Right. So you could plug something into some, you know, a peripheral in to get direct memory access through like a FireWire port. People actually later discovered that you could just plug in like a PCIe card that was a FireWire card and Windows would auto install the drivers and you could do it that way as well. And the idea was you could manipulate memory through direct memory access, overwrite where a password was in memory and just you know, hit enter and you know, get into, get into a computer system. Obviously there's a lot more controls against people doing that sort of thing these days, but Positive has done some research in this area and it's quite interesting.

Adam Boileau

Yeah, I mean, I guess, you know, the overall thing is if you will put a bus that can do DMA on the outside of your computer, you're going to have a bad time and it's up to individuals to implement that bad time. So we've either with FireWire, Snare, did it with, with Thunderbolt, other people have done it with Card bus and pcmca. In this case Positive have done it with SD cards. And I did not know this, but it turns out that the most recent SD card like memory card interface actually has support for bus mastering. So it extends a PCIe bus out the side of the machine. The traditional SD cards used an interface called like sdio which was a way to move data in and out, but. But ultimately it was pretty slow.

Patrick Gray

Yeah, I was going to say like this has to be speed, right, for the next generation of like super fast SD cards.

Adam Boileau

Yeah, I mean this is so that you can record, you know like 4K video or 8K video or whatever else onto these cards and your cameras, transfer it onto your computers, those kinds of things. And so yeah, the very latest standard has support for PCIe bus mastering. And yeah, Positive did the hard work of building the hardware to actually do this and they made a really cute little board that looks like a train going into the side of your SD card slot and then you can talk to it and do, and do bus mastering Memory reads and writes, which is pretty cool. Some modern systems and mostly Apple stuff does remap this kind of these devices into a separate address space with the memory controller, which makes it so you're not getting to system ram. That's not necessarily the case on non Apple hardware. But yeah, I mean this is entirely predictable. Put the bus on the outside and find out is pretty much what's going on. So, I mean, good job. Positive, it's real. You know, this is hard work to turn this into a working thing.

Patrick Gray

So yeah, no one doubts their skills. No one doubts their skills, that's for sure. We just doubt who they serve. Telegram, I mean, it's a new platform since Pavel Durov was arrested in France. They have a real commitment to improving the safety of their platform and they've just launched an initiative to tidy up, or do their best to tidy up CSAM on the Telegram platform, which is rife. And it looks like, yeah, they're working with some sort of foundation to try to deal with that now, which is a good thing. I mean it's, it's incredible how Pavel Durov gets arrested and then all of a sudden some of these like, you know, channels full of, you know, militant neo Nazis that people start getting arrested and there's all these great new initiatives and you know, I think he's terrified of prison and that's what this is about. But hey, I'll take it. Yeah.

Adam Boileau

I mean in the end, like if, if it works then then great, and appears like at least on this one particular topic, you know, scanning for known child sex abuse material and so on and cooperating with the entities that kind of coordinate that where traditionally Telegram just completely ignored this stuff. So the fact that they're now starting to cooperate, providing access, that's great. And you know, if it turned out that all it took was arresting a few CEOs and threatening them, then let's arrest them all.

Patrick Gray

Let's arrest them all. And look, you know, this isn't government, this next one that we're going to talk about, and that's why I find it actually very interesting. But Apple is being sued for $1.2 billion after it killed its proposal to do client side scanning for CSAM that was going to then go into like encrypted icloud. Right. So the idea was to make encrypted icloud safe is they push out the CSAM Scanning to the edge onto people's devices and people lost their minds. So Apple wound up pulling the feature. Now a group of victims, so thousands of victims of CSAM are now launching a lawsuit against Apple over its abandonment of this feature. Which is very interesting because it's a case where it's not regulators, it's not the government, it is happening in civil court. And I'm going to be watching this one real closely because you get the impression this isn't people trying to get a payday, this is people trying to get a result. So I don't think this one, I doubt this one will be settled quickly. It's probably going to go to court.

Adam Boileau

Yeah, it is, it is interesting and unique for that aspect of it. And yeah, I don't know how this is going to go down because they're not the sort of people that are likely to just, you know, settle for some money. And obviously, you know, Apple's got a heap of money, they can settle these things if they want to. But that is probably not what they, you know, the people behind this class action are after. And it is interesting that private company implementing controls on its devices and in this case not like being having a lawsuit about not doing a thing. It's not like they did a bad thing, they didn't do a good thing. It's really interesting. So I don't know how this is going to turn out for them.

Patrick Gray

Well, I think the interesting thing here is that they had a proposal, they had a feature that they then abandoned. Right. So it's not like they didn't do a thing, it's that they changed course on a thing which I don't know if that makes it legally more sticky for Apple, but I'm sure we're going to find out. I mean, you never know the way these things would go because obviously we're not lawyers. It might make it a couple of days and then get tossed or it might turn into a multi year thing, we just don't know. But it is interesting. It is definitely interesting. All right, so there's a bit of research here you wanted to talk about from Flat Security, which is on Open wrt. So yeah, I'm not fully across this one. Take it away, Adam.

Adam Boileau

So Open WRT is a set of open firmware for lots of varieties of wireless access points and other kind of small embedded network devices that people use for routers and switches and so on. And this is a piece of research that ultimately resulted in the ability to kind of trojan other people's firmware. Images and it's useless in the sense that no one is ever going to get hacked by this. And they fixed it in a matter of, you know, like hours after it was reported. And they went through the logs. And despite there not being a lot of logs, they have no evidence that everyone's ever used it. But it was just really interesting research. So this person, I think a Japanese security researcher that goes by Ryo Takei, was looking into there's like a cloud based mechanism for building open WRT firmware images because making a build environment for compiling a firmware is kind of a pain. And so OpenWRT provides a mechanism for people to run and they also themselves run a cloud service for building stuff. And you submit your build request to it, it builds you a firmware, it signs it with some key material from OpenWRT if you're using their official one, and then you can install it on your device. This researcher figured out a way to control that build process because you can provide what list of packages you want compiled in your firmware, other settings. So they turned that into code exec, which, not that surprising, but it runs in a container. And then in the process of trying to escape from that container, they figured out a bug where you could basically cause a hash collision with the result of your build process, which essentially means you could have your firmware that you control the contents of return to other people as a result of their build, thus providing custom firmware for them which might include your backdoors, et cetera, etc. Etc. And this involved having to brute force like part of a SHA hash that was used in the file name, but it got truncated down to a lesser number of bits. And the researcher built some, you know, hashcat config to brute force it and then do command inject. And it was just, you know, a great research story and well written up and I think anyone who's into, you know, hacking embedded devices, it's just a fun read. So yeah, have a look.

Patrick Gray

So it's flat security with two T's and I love at the end they put in a shameless plug. To celebrate the update of our brand new English web pages, you can currently receive a month long investigation by our elite engineers for just $40,000. So they're branching out into the English speaking market. Flat security. Welcome to the sock. So last thing we're going to talk about today is that Firefox has abandoned the do not track feature. And look, it was always kind of silly, right, to introduce an optional do not track feature that Nobody had to agree to. But I think there would have been maybe an expectation when they launched this feature, God knows how many years ago now that perhaps it was a bit of a indication to policymakers that, hey, there are these options here where browsers can set these flags and if you happen to come up with a regulation that says people have to respect them, maybe that would be good. And of course, that's just not how things worked out. So without legislative or regulatory support for a feature like this, it was never going to do anything. And this blog post announcing the abandonment of the feature points out that do not track actually in some instances makes it easier to track you. Right. So they have now killed it off.

Adam Boileau

Yeah, I mean, yeah, I think you're right in your assessment. It was a nice idea. And as a user, like turning on do not track. It felt like at least you had a very small amount of agency. You were saying to the world, I actually don't want to participate in this tracking based ecosystem that sells everything I do and sells me advertising and blah, blah, blah, blah. The reality is that is the world that we live in, suck it up and turning it on and off. No one really cared. Everyone ignored it. And it was a nice idea back in the day when Mozilla had ideals as opposed to turning into an AI, you know, crypto junk company or whatever the hell they are now.

Patrick Gray

I haven't seen that. So that's all news to me.

Adam Boileau

I don't know, the Mozilla foundation has its, has its ups and downs and it feels like it's on a down at the moment, but.

Patrick Gray

Well, Chrome won the browser wars. I mean, come on, like, you know, even Edge is Chrome.

Adam Boileau

Yeah, I mean it did Chrome Chromium and Chrome won. And you know, it was really important that we have another browser stack. But Firefox's code base is so old and Mozilla is not doing a great job of stewarding it into the future. But how can they?

Patrick Gray

Right, like that's, I think the question I've got a bit of sympathy there for, you know, for someone making a critical piece of technology that's quite complicated and expensive to maintain and you know, no obvious sort of business model there.

Adam Boileau

And you know, other than being funded by Google, which, you know, here have.

Patrick Gray

Some irony, you know.

Adam Boileau

Exactly, exactly.

Patrick Gray

Yeah.

Adam Boileau

So rip DO NOT track.

Patrick Gray

Yeah, well, we're going to wrap it up there and yeah, second last show for the year and you know what an end to the, to the year we've had the, you know, Bashar Al Assad has fallen in Syria, which is, you know, terrific news. I mean, who knows what's going to happen there? But for now, let's just celebrate that. And, you know, we've had CEOs getting gunned down in New York by Jim Bros with weird politics. And, like, it just feels like, you know, it feels like 2024 is, is going out with a bang. Just one parting thought on the, on the Syria thing, which is, I wonder what's going to happen to the Syrian Electronic army people.

Adam Boileau

That's, that's a, that's a good question.

Patrick Gray

You do wonder, you do Wonder if some HTs affiliated nerd with a bone to pick is going to say, no, no. Here's a list. We've got to get these guys.

Adam Boileau

Yeah, that's. Might be time to go somewhere else for a little bit.

Patrick Gray

Yeah, that's. Just go hang out in Moscow with Bashar. All right, well, that is it for this week's show. Great as always, Adam. Wonderful to chat to you. And we'll do it all again next week.

Adam Boileau

Yeah, we certainly will, Pat. I will talk to you then.

Patrick Gray

That was Adam Boileau with this week's news segment. Big thanks to him for that. And yeah, just a reminder, as of after next week's show, we're going to shut the whole thing down for about a month. Everybody's taking a break. It's going to be wonderful. But there will be no risky biz for about a month. It is time for this week's sponsor interview now with Jacob Torrey. From thinks to Canary and, you know, things to make honey pots and run alerting infrastructure for Canary tokens and do all sorts of really cool stuff. And they did some interesting work on a sensitive command token a while back where you could set Windows machines to alert if an attacker tried to run, like, who am I? For example? Really cool thinking. And they've since expanded this a little bit away from just a single feature or a single token. And they're really talking about this concept they're calling defending off the land. We've all heard of living off the land, but now they're talking about defending off the land. And I gotta say, it's really compelling stuff. So here's Jacob Torrey to fill us in on exactly what thinks mean when they talk about defending off the land. Enjoy.

Jacob Torrey

So a lot of this came about from our sensitive command token that we released, I don't know, a year and a half ago, two years ago, where we kind of were able to kind of harden the Windows environment by making it where certain commands that attackers typically run but kind of good guys don't as much. And being able to kind of put this down as a configuration change, it now starts alerting on that behavior change. And so as that evolved, we saw that that was kind of one instantiation on this spectrum of potential capabilities. And so we spent a lot of time over the last year or so looking at what are the primitives available on Windows that allow you to do hardening, improve visibility or defending. And now we're kind of releasing almost a dozen different capabilities in various stages of. This is a product new Canary Token. These are some cool ideas and here are some kind of basic scripts to start playing with it. Or here are some primitives that we think you might be able to tailor into your environment, but it's not a kind of off the shelf capability like some of our other ones. And so we're putting all those together and kind of showcasing how much there is out there for defenders built into our modern operating systems.

Patrick Gray

Why don't we just quickly recap the sensitive command token just for people who might not remember what that.

Jacob Torrey

Sure, sure. So basically it sets up a hook to whenever a certain process is run, whatever the sensitive command is. So if you read defer reports, you see that they run things like Whoami or KLIST to get the Kerberos tickets from the domain or NL test which does some kind of networking authentication checks. And those are run very rarely, kind of by the blue team and very often early on when someone lands on a network trying to figure out where they are and orient themselves. And so by essentially setting this up to run a debug process, when that process begins, we can then create an alert on that. And so this is essentially a canary token that allows you to put these traps down for attackers who land on a legitimate box and other event trying to orient themselves and move throughout an environment. And that was using all existing built in Windows debugging capabilities. So we ship you a registry file, you install it and then if someone runs that application or that command, you know, yeah, 100%.

Patrick Gray

So that was really popular. I remember when you guys first started talking about that, everyone was like, hey, that's a great idea. So you know, it makes sense to extend that. So you've said, you know, I've read the synopsis for your Black Hat talk and you're going to present on nine of these techniques. I don't think we're going to have time for all nine. And in fact you've told me before we started recording that You've got a lot more than nine, it's just you have to whittle them down for the talk. But why don't you walk us through, you know, your favorite few of these defending off the land techniques?

Adam Boileau

Sure.

Jacob Torrey

So one of the ones I really like is using a primitive that you can then kind of repeat across different capabilities that where if you create a certificate that is configured as the server. So if your endpoint is hosting RDP, it can be an RDP server or a WinRM server, you can create that certificate with certain properties. So we found that the AIA property, which is kind of a pointer to a URL for kind of the parent certificate to when it's going and verifying the certificate. If you do that, the client will gladly go out and go to that URL, even if that's a canary tokens URL. And so you can configure your system to essentially serve this certificate that anytime someone connects and does a handshake and tries to RDP into your system or winrm into your system, they've now made a request from the attacker side server to our canary tokens system. We've got their client IP address and then we can tweak some of the permissions to actually deny actual logins or sessions being granted over those services. So if you're not using those services, you kind of enable it, but then deny all access and then you serve this kind of token certificate and now anyone using that, you know, kind of gives you some visibility when people are trying to WinRM or WMI or PS remoting into your system.

Patrick Gray

So this is for what, RDP systems, RDP services that people aren't using. I mean, how do you disambiguate between people who are legitimately using that RDP server, for example?

Jacob Torrey

Yeah, so for rdp, you know, if you're not using RDP like on your work laptop, you could enable this, or your personal laptop, you can enable this. You know, we find that, you know, obviously with this whole defending off the lan, we're not trying to replace edr, kind of a professional, you know, agent solution. It's more about there are those systems that are third party or they're not allowed to be touched. You can't install something on there, you can't really mess with them. These are ways where you can start to just make small configuration changes where maybe you don't RDP into that system. But ussa, you could enable that with the rdp.

Patrick Gray

So it's not the case where it's like oh, this is the RDP that everyone uses because then you're going to just be drowned in alerts. I'm more clear now on.

Jacob Torrey

Yeah, so one cute trick is you can essentially set up privileged access workstation where if you install the certificate into the client, the one that it would be looking up, it sees that it knows that fingerprint and it won't go to the canary token server. So you could, if you said, okay, I'm only going to RDP in from these five workstations, sure.

Patrick Gray

Or you could, yeah, you could put some network logic around that as well obviously. So you know, anyone from out of the country trying to do that, you can get an alert, but we've seen that backfire before. What else have you got? Like give us some other techniques here because I love these sort of tricks.

Jacob Torrey

Yeah. So another one is projected file system. So essentially it's a built in fuse type user LAN file system in Windows and so you can create file systems out of thin air. So we have a PowerShell script that essentially creates a fake file system and then if someone is accessing it, either it's on a server somewhere and they go in there and you can get an alert when someone's accessing it. You can do things like Tarpit where you're actually sitting in that filter driver level, but you're running as a unprivileged user space application. So you can do fun things like say, oh, I'm only going to give you one byte of this file at a time or I'm only going to enumerate one of the million files that I say is in this directory at a time. Come back to me later and you can take these red team tools that are going and trying to, you know, grab as much stuff as there or ransomware and you can really bog them down and get, you know, early alerting in that respective. You can also create a share from these and that's a nice way to see if someone is sniffing around for a share that doesn't actually exist. And that's a fun one.

Patrick Gray

The world's most frustrating. Happy to see the world's most frustrating Windows share drive basically.

Jacob Torrey

Yes.

Patrick Gray

All right, cool. Give us a couple more and then I got some different questions.

Jacob Torrey

Sure, sure. So another one that's a little bit taking it differently I guess, you know, with the push for Azure and kind of this, you know, hybrid entra ID world looking at things, where can you start building oauth applications or IDP applications that you know, you know that you're not running Salesforce in your Entra ID or your M365 dashboard. But there's an app there that says Salesforce or GitHub. And if you click on that. So say you steal a session and you're trying to look around, see what you get in that native M365 or Okta environment. These are what appear to be real SSO SAML applications, but they're actually token applications that you can get and see. Okay, Steve just got his credentials compromised.

Patrick Gray

And because Steve is trying to access the Privilege Manipulator app, Right?

Jacob Torrey

Exactly.

Patrick Gray

Privilege controller. We use it for controlling privilege. Like everybody going to try to do something with that, right?

Jacob Torrey

Yeah, it's kind of a similar vein of make something juicy that shows up in an app list. We had our Android app or the web, kind of the very progressive web app that we released over the summer that was very popular, where you could put Chase banking on your phone. And you know that that's not really chase banking, but if someone gets on your phone and they try to go and see your bank information, it alerts. When that opens, it says something kind of similar, but moving that more into the kind of M365 Okta IDP realm.

Patrick Gray

All right, so here's the other line of questioning now, right, Is when I think about what you've done with Canary Tokens. Similar sort of idea, right? Which is these really simple ideas that people never really did much of, because who wants to spin up all of the alerting infrastructure, make that reliable, like, it's actually a lot of work, right? So. So for those who don't know, thingstoperatescanarytokens.org, it's all free, so you can go and spin up Canary Tokens and do all of that. And you know, so many people use it and it's. And it's great. But, you know, without canarytokens.org or something similar, doing that is really hard. And again, like with these sort of techniques, they're great. But you are talking about at the moment, like manually going out and configuring these sort of trap doors for people, these sort of tripwires, if you will. So, like, how would you begin to sort of approach this sort of thing at scale? Are you planning on releasing some tools that might help people introduce some of these things into, say, Windows networks where, you know, they are centrally instrumented. Right. So I'd imagine you could produce some tooling here. Or is this more just for the moment, an academic exercise, I guess is the question.

Jacob Torrey

It hits across the spectrum. So this is us doing research in area. And some of these turn into products. So some of them will be live on canarytokens.org and these are things where kind of like the sensitive command token, it's a registry file that when that gets pushed out, you can push that out en masse. It includes the computer name that was, you know, being used and the username of who was running that command. So we can encode all of that kind of dynamically. And so all you do is you get one registry file, you push it out through GPO or SCCM or whatever tools you use. And so some of these capabilities are very much going to be from the dropdown list on canarytokens.org others of them are more academic kind of research figuring out. But there have enough caveats, I guess, of what your environment looks like. Is it really. We can do a good job of making that a very seamless, easy to scale, easy to deploy. So for example, the RDP one we've already brought up, that it really depends are you trying to use rdp? Do you know which clients are supposed to access it? And so that's one that I think is we've built a really simple script which you can deploy and say, okay, for these servers, hit this canary token with all the information and then you start to get that information. You can use the canary tokens infrastructure as an alerting mechanism, but it's going to be a little bit more kind of, all right, do I want to disable logins for this server or not? And then which one? So it's definitely not to the level of making, you know, it to the product level. And I think that's, you know, with labs, you know, our research group is we do find that we have a lot of things that we spend a bunch of time in and maybe the mindset of making it super quick to deploy and forget about isn't the mindset you want to be doing when you have these more kind of of nuanced or environment specific decisions. And so for those ones, we're going to be releasing it kind of as a bunch of open source scripts and tools and capabilities for people to play with. Maybe you end up using them, maybe you end up tweaking them. But I think that's kind of what we're trying to show is the primitives that you can build off of. And then some of them, of course will become actual canary tokens and products you can use.

Patrick Gray

Yeah, I mean, I get it. I just would have thought some of these are really useful, but they require a little bit of sort of tracking, if that makes sense. So you've got all of the alerting side with canarytokens.org but at some point, you know, if you want to really go to town with this stuff, you might need something to manage all of this. Any plans there? Because, you know, someone sets up a whole bunch of Canary. Look, it's one thing to put Canary tokens into, like, documents and whatever, but, like, if you're doing this sort of stuff, really getting advanced with it, and the person who set them all up, like, resigns, moves on, you know, like, it all starts to get a little bit lost in, you know, lost in the cracks. So I just wonder if you've ever going to introduce something that, you know, formalizes managing and tracking the, you know, the rollout of these sort of detections, you know, because I think. I think. I think people would love it.

Jacob Torrey

Yeah, I mean, it's definitely something we're thinking about. You know, some of our tokens are kind of of simple in the sense that for our id.

Patrick Gray

Right. Which is why I'm thinking about that.

Jacob Torrey

Yeah, yeah. Some of them kind of it's one set and forget for your organization. Others, yeah, there's going to be management. And, you know, we launched the beta credit card token a year and a half ago, and that was our first token that naturally expired.

Adam Boileau

Right.

Jacob Torrey

Credit cards don't last forever. And, you know, we pulled that back down and we're re releasing it again now, kind of the production mode. But there are kind of questions of. Yeah, I mean, people are spending time and they're maybe doing this, and there's a lot of kind of human knowledge that how do we help people do that in a much easier way?

Patrick Gray

Yeah. And you want them everywhere, Right. Like a taco truck on every corner, a canary on every box, multiple canaries on every box. Jacob Torrey, thank you so much for walking us through all of that. A pleasure to see you again and chat to you again. Cheers.

Jacob Torrey

Thanks for having me.

Patrick Gray

That was Jacob Torrey from Finks Canary there. You can find them at Canary Tools. And yeah, I love the concept. I think we're going to see some cool products and tools out of things to do all of this, and I think they're going to be really popular. So that is it for this week's show. I do hope you enjoyed it. We'll be back next week with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.

Jacob Torrey

Sa.