Loading summary
Patrick Gray
Foreign and welcome back to risky business for 2025, our 19th season of this podcast. My name is Patrick Gray. We've obviously got a lot to talk about this week because we've had a four week break. So, yeah, we're going to get into the news in just a moment with Adam Boileau and then we'll be hearing from this week's sponsor, Sand Fly Security, and Craig Rowland, who is the founder of Sand Fly. He's going to be along to talk about a couple of things. First of all, why people don't tend to pay as much attention to their Linux fleets as they do their Windows fleets when it comes to monitoring. And also just talk about the general state of monitoring and Linux security in enterprise environments. It is a very interesting conversation and it is coming up after this week's news with Adam Boileau, which starts now. First of all, Adam, how was your break?
Adam Boileau
It was really nice. I didn't think about computers for several weeks, which, you know, it's kind of a, it's been a long time since I've had that much of a break and that's really, it's really nice. Although of course we're back into it and it's just full of crazy, as you would expect.
Patrick Gray
It's chaos. Indeed. And yeah, it was good. It was a longer break than usual, your idea, which is like, come on man, let's everybody take a good break. So, yeah, we're all back. We're all feeling very refreshed after, after a month off. So, yeah, happy days. One thing before we get going too, I should mention we are hiring. We are looking for someone who can take on audio and video editing for all of our podcasts. And we want this person to be able to do some of the social media management stuff. So we should have a presence on some of these short form video platforms as well as like LinkedIn and whatever. And you know, we would obviously like it if the applicant has an interest in or some experience in cybersecurity. So you can send it a resume or an introduction to editorialrisky biz if that is a job that you are interested in doing. But let's get into the news now, Adam. And I suppose, look, you know, there's going to be some Trump stuff in this week's show. It's kind of unavoidable. And we're beginning with the news that there's been some sweeping changes at the Department of Homeland Security in which all committee members, you know, external to the government have been sort of fired essentially, which means that all of the external advisors to the Cyber Safety Review Board, at least for now, they're gone. So that means Rob Joyce, Chris Krebs, Dmitri Alperovich, Heather Adkins. Yeah, all gone. Which I'm guessing would make the review they're in the middle of a little bit difficult to complete.
Adam Boileau
Yeah, that's, you know, that review is pretty important. That's the one into salt Typhoon, right? That's the right typhoon.
Patrick Gray
That's the right typhoon.
Adam Boileau
Which typhoon is which? Which is like the widespread intrusions into American telcos, which is undoubtedly important. And yeah, having the expertise of people, you know, like that list, you know, is pretty critical for that report to have the kind of depth as well as technical credibility outside of government circles. Right. The private sector likes to see its input in those things, to take it seriously. So, I mean, we're going to see so much Trump crazy over the next little while, so I guess we should get used to it. But this one just, you know, makes me a little bit sad because we really enjoy their reports and they're all, you know, good, smart people doing great work.
Patrick Gray
Well, I mean, I don't think we could, we should, you know, declare CSRB dead just yet. Also, it's a little bit unclear whether or not the government members have also been suspended from all committees. It's like, it's a little bit unclear exactly what's happened here, but either way, you know, CSRB is essentially benched at the moment, I would expect. And I do wonder, you know, given that Trump has surrounded himself with China hawks, I'd kind of be surprised if it didn't come back in one form or another. I guess my concern is that it comes back and the White House gets to determine what it looks into and it be, you know, it winds up being used as a political tool. So they're going to have to go back and look at, you know, cyber attacks and election fraud, targeting the 2020 election, you know, things like that. So that's one concern I have. But, you know, I'm more than happy to be surprised to the upside here, you know, so I think we have to wait and see.
Adam Boileau
Yeah, yeah. I mean, it is still very, very early days and obviously there's just a whole bunch of, you know, kind of churn in the US Government at the moment as they figure out what this all means. And, you know, the cynic in me says that the CSRB was probably just collateral damage here. Right. Because the dhs, Homeland Security has, you know, so many facets. And I imagine that there's probably, you know, dozens and dozens of other things like the CSRB and other disciplines, other fields that are also being gutted with no real clear idea of why or thoughts about what it means. Big picture and, you know, where it actually legitimately helps with their interests. So, you know, I guess I don't buy, you know, incompetence seems more likely than malice to me. But maybe that's just, you know.
Patrick Gray
Well, no, I mean, I think it's just, you know, it very much connects to, you know, Trump's philosophy, which is they were appointed by the previous people, so clear the decks, you know, and then start again. So, I don't know, let's not prejudge it. Let's just wait and see what happens. Meanwhile, Risky Business News, which has been renamed, by the way, it's called Risky Bulletin these days. That's the work done by our colleague, Catalyst Kimpanu. He reported on this Beyond Trust incident last year, where their remote, like admin management, you know, support product, they detected some sort of intrusion targeting a client. We've since discovered that customer was the US Treasury. And, yeah, it looks like this was a Chinese operation targeting treasury to, you know, gather intelligence on things like sanctions and whatnot. And we've seen a lot of action in. In sanctions. We've catl the battery maker had some sort of designation put on it recently. So obviously, and they, you know, the biggest EV battery manufacturer in the world, and they're Chinese. So, you know, obviously this is an area where Chinese intelligence would be interested in focusing, but looks like a tremendously successful operation here. And God knows how long they were rattling around inside treasury, including a presence on the computer of the Treasury Secretary, Janet Yellen. And I will admit that this job is somewhat of a disease because when I read that during my break, I thought, nice.
Adam Boileau
Well, yeah, it's hard to argue with those results. And, you know, one assumes they popped enough domain admin or whatever to show up on those desktops. So, you know, in which case, like, that's a solid day's work, because they were in as well, the Office of Foreign Assets in Control.
Patrick Gray
Well, that's a Treasury, so, yeah, so.
Adam Boileau
That'S part of the Treasury. Also the CFIUS, the Committee for Foreign Investment in the U.S. so, like, all the sorts of bits of treasury that are very relevant to this kind of ongoing economic conflict between China and the U.S. so, yeah, that's a solid day's work, whoever that was.
Patrick Gray
Absolutely. In China, I think you were saying that CISA had said, so far, they're the Only identified victim of this Beyond Trust supply chain thing. I mean, do you even.
Adam Boileau
Yeah, so originally Beyond, I think Beyond Trust said there was only one victim. And then later they've come out and said there were a few more, but I think Treasure is the only one we've seen actually confirmed so far. Yeah, but I think Beyond Trust said like, I think it was like less than 10. That wasn't very many other customers, but yeah, clearly some.
Patrick Gray
Meanwhile, Jen Easterly, who was the. I mean, I'm guessing she's gone now. She was the head of CISA. She's published a blog post over@cisa.gov that says that Salt Typhoon, which of course, as you mentioned earlier, is the campaign targeting US telcos, that the same actors were actually rattling around in federal systems as well for a little while. CISA had detected it and given them another name and whatnot. And it looks like when, you know, the Salt Typhoon detections and evictions kicked off in earnest, that turned out to be useful information. Seems like the blog post is kind of trying to take a little bit of credit for detection here, but they're being a little bit slippery with the words that they're using, which makes me think that probably Sys's detection of this crew in FedGov isn't what led to the rest of the campaign being unpicked. But they kind of are trying to imply that a bit. So God knows how it all came together. We'll find out one day. But it is interesting that this group that we've pretty much exclusively associated with attacks against telcos was also targeting federal systems.
Adam Boileau
Yeah, I mean, it kind of makes sense that they had tasking before this and they will have tasking after this as well. But yeah, kind of joining those TDPs together or following the leads around the place. I mean, that's kind of what the cooperation between private sector threat intel and threat hunters and government, CISO and et cetera, is kind of meant to be able to do. So it's kind of, you know, I guess for them putting up a. Like here is a win that we had, might be a useful thing at the moment. I don't know.
Patrick Gray
Yeah, yeah. And meanwhile AT and T and Verizon have said that they have finally managed to evict this. This report is by Matt Kapko over at CyberSecurity Dive, published January 7, says that, you know, AT&T and Verizon have said they' managed to evict Salt Typhoon, which is great news. Unsure about the other 100 odd telcos that have been impacted though, right?
Adam Boileau
Yeah, I mean, I wouldn't want to be the person that has to put their name to a statement that says, actually, yeah, we totally threw these guys out because, like, they're pretty sneaky. And we've seen, I mean, some really cunning long term persistence mechanisms. You know, things like building control systems or UPS system firmware or whatever else, you know, plus all of the, you know, early boot malware and things like throwing people out these days is legitimately hard, especially when they're well resourced and motivated and properly sneaky.
Patrick Gray
So we would say they're not cured, they're perhaps in remission.
Adam Boileau
Yeah, maybe. And I think the Anne Neuberger said, look, basically like that's great and all, but they also need to secure their network so they don't just come back in another way. Which, yeah, legit.
Patrick Gray
Yeah, indeed. Now, Joe Biden signed a executive order pertaining to cybersecurity on his way out the door. Some good stuff in it. I mean, it puts new obligations on government agencies and departments and also their contractors, right, where you've got to use phishing resistant, you know, authentication controls and blah, blah, blah, blah, blah. There's a lot of stuff in here. You wonder if this one, because, you know, one of the first thing that first things that Trump has done when he took office this week is to rescind a whole bunch of executive orders that Biden put in place. You kind of get the feeling because this is last minute they didn't have time to prepare its removal. You sort of wonder if maybe it'll stick. But hard to know it is, and.
Adam Boileau
It'S a pity because it's full of pretty sensible stuff. Things like let's use our PKI for cryptographically signing route advertisements via BGP and as you said, multifactor auth and mail crypto and all sorts of things like that that you wouldn't think were at all contentious. But, you know, just throwing out executive orders because they got Biden's signature on them is a thing that could totally happen. One of the things that was on this was so the US Cyber Trust mark, which is the scheme for like labeling IoT devices with like, you know, they've got some security at all, they can get firmware updates. That kind of thing was going to be mandated for government purchases after I think it was 2027 or something like that. And that's the kind of thing that really helps along initiatives like that. And it'd be a pity to see that also gutted early on. But we'll wait and see. As you say. We don't know yet what's going to happen.
Patrick Gray
We just don't know. And we've linked to a separate. We've linked to our piece by Catalan on the eo and we've also linked to A Reuter's story about the IoT labelling stuff. We've also seen the US sanction a Chinese cyber company for its role in another campaign that Microsoft calls Flax Typhoon. What's Flax Typhoon? Because we've got our salts and our vaults and now our flexes.
Adam Boileau
Yeah. So this was. So Typhoon, obviously is just like China in general. Flax Group is. I think this was the crew that was building like a orb network out of owned IoT devices and perimeter devices a while back that the FBI rounded up like late last year. I want to say that one Flax Typhoon, I don't know which bit of the, you know, which bit of MSS or, you know, Chinese military or whoever it happens to be that's behind it, but there's a private sector firm that's been doing a bit of work that's.
Patrick Gray
Got themselves some sanctions Integrity Technology Group based in Beijing.
Adam Boileau
That's the one. Yes.
Patrick Gray
Sucks to be them. Although, I don't know.
Adam Boileau
A client of and competitor with isoon. I think I mentioned in the leaks.
Patrick Gray
Yeah, yeah, yeah, exactly. Now, we probably should have mentioned this earlier, but the fcc, the annual defence spending bill was signed by Biden on Monday evening. And you know how they do it, like they bundle up a bunch of other stuff into the, into the defence authorization bill to get, you know, the spending that they need. It's $895 billion spending blueprint. So it's referred to here. This is a Martin Matoshak piece from the record, but there's 3 billion in there to help telcos rip and replace insecure equipment and sort of Chinese equipment from telcos. You know, this is, this is helpful, I think. You know, I think, I think federal funds going to help them replace stuff where their attitude otherwise is going to be, well, it ain't broken, so why fix it? You know, I think this is probably a good use of government money when it comes to, you know, $3 billion in the context of national security. I mean, it's not all that much. I do wonder how much it will genuinely help, though. Like just updating equipment does not give you a great security program. Right. But I don't know, I think it's probably on balance a positive thing. What do you think?
Adam Boileau
Yeah, I agree, like the, all the talkers I've ever worked with, you know, even when they understand that, for example, having a Huawei mobile network is not great, you know, now when they built it, well, when they installed it, they probably didn't understand that. Now they do, they're still not going to rip it out until it's end of life. And they've got, you know, the program for replacing that stuff's going to take years. And you know, that's a long term project that's probably already underway. Someone's showing up with some money to move it along will change things. And it's, you know, it's not ideal that the taxpayer subsidizes private businesses technology choices. But you know, the outcome that you want, which is less Huawei in the middle of your network, you know, if you want to spend some money to get that outcome sooner, then yeah, I think it's a good, it's a good idea. Otherwise it will just live forever.
Patrick Gray
Yeah. So it is mostly targeted on Chinese equipment. Initially this program was created in 2020 and they spent 1.9 billion with everyone saying it needed another 3 billion to make it like to get it to the finish line. And that's what's been authorized now. Interesting thing about it being created in 2020 is that was obviously during the last Trump presidency. Right. So I think this one, you know, is kind of a bipartisan thing. So that's good. Now look, just a couple of quick notes on the incoming. The return of Donald Trump. I think we can expect to see much more aggressive operations against China in particular. So we've got the CIA nominee telling the Senate and this is a story from Tim Starks at cyberscoop that, you know, he wants to get much more aggressive, develop more tools, blah, blah, blah. We've also seen some names floated, some possible names floated for like White House, you know, security coordinator, which would be a dual hat role, also, you know, sitting on the, on the National Security Council. And you know, you look at the people who are possibles for that position and they're very hawkish and they're big believers in flexing America's cyber muscles. Right. Previously our colleague Tom Yuren has written about Trump's propensity to use state power and to embrace the use of state power. So what I'm thinking here is the murmurs coming out of the sort of MAGA camp are look at what China's doing to us and we're clearly not deterring it. It's time for us to do the same thing to them, which would be a radical departure from norms. But you also at the same time think, well, what we have been doing hasn't been working. China's not adhering to norms. Fight fire with fire. I don't know if this leads us to a crazy path of escalation and the abandonment of good behaviour by states on the Internet, but it's going to be interesting to talk about and that's our job. So, you know, yay. What do you make of all of this rhetoric coming from the incoming administration and its possible appointees?
Adam Boileau
I mean, it's hard to argue with the view that relying on a Normans based global order has not worked particularly well, especially when it comes to China and deterring their cybering. Right. I mean China to this day just says, hey, we didn't, we don't cyber. What are you talking about? Yeah, right, that's just the, and in the face of that, you can't really have a sensible, grown up, norms based conversation about, you know, setting expectations and blah, blah, blah. And you know, we've advocated for hound release for a long time. Hounds get released these days. Clearly there are a lot more things you could do and you know, there's a lot of crazy stuff that comes out of the MAGA camp.
Patrick Gray
But is this, is this that? Because that's the thing.
Adam Boileau
I mean this one is, you know, giving China a bit of a, you know, a bit of a bloody nose in the cyber world.
Patrick Gray
But what does that look like? That's the thing that gets me, right, because you've got sort of international law which I know is, you know, not everybody, what is that these days. But you know, targeting civilian infrastructure and whatnot, I mean that is problematic. But at the same time, when that's what your adversary is doing, I just, I sort of wonder what the alternative is. You know, if they're doing large scale preparing the battlefield sort of stuff targeting, you know, U.S. interests, why should the U.S. then not punch back? I think it was possible to make an argument against that previously, but with what we've seen, particularly over the last 12 months, you know, it's insane. It's absolutely insane. And I kind of understand the instinct to hit back. I just wonder, A if it'll actually deter anyone, you know, B, will it escalate things? C, what do you even actually really achieve? I don't know. So I'm, you know, you just can't accuse the MAGA camp of not thinking outside the box, I guess is what I'm saying. Right. I mean, in some, in some ways it's Like, I think I've described. I described Trump in a recent conversation as like the stochastic president. Right. Because they tend to just generate an awful lot of random ideas, and they're not all bad.
Adam Boileau
Yeah, I mean, yeah, yeah. I mean, that's it. And at the very least, as you say, it will be very interesting for the commentariat and just sit here and. And watch what goes down. And, you know, I mean, we, you know, I've been inside enough, you know, instant response reports and things that are, you know, don't end up getting public or whatever, where you just look at what China does and you think, my God, if people knew how bad it is and what kind of stuff they pull, you know, we would be having different conversations. And, you know, I. If they decide, if the US Decided to, you know, as you. I don't know what flexing your cyber muscles looks like, but if they decide to do it, I mean, I'm kind of curious.
Patrick Gray
Yeah, I mean, I think if they go hand to hand with China, I think they're in there with a shot. Right. So it's not like they don't have a decent capability. Then again, China's come a long way too. So.
Adam Boileau
Yeah. I mean, and we just get to sit here on the edges of two superpowers going at it and hope it, you know, stays in the cyber realm.
Patrick Gray
That's right. I mean, funny thing, though, is you look at you, you look at me. We are unlikely hawks when you think about it, but here we are. Right. And I should also, too, before you send me an email, I'm not a fan of Donald Trump. Right. So I would hope that no one thinks that I'm endorsing him by saying that, you know, occasionally, stochastically, they. They generate good ideas. But it's, you know, obviously a touchy subject because he's a very polarizing figure. And as I said, he's not my cup of tea. But, you know, he clearly won the election, you know, by a narrow margin, but he won the popular vote. He won the Electoral College. He is the American president as chosen by its people. So going to be an interesting four years. Speaking of, you know, I think I signed off last year's show by pointing out that the whole TikTok ban and everything and the. And the inauguration was going to be happening the week we got back, and, you know, that got messy. Right. So you had TikTok shut down its servers in or, you know, display a message to users briefly saying, TikTok has been shut down due to the. Due to the laws. And then it came back even before the inauguration, which was very interesting because the companies that were still hosting TikTok at that point were breaking the law. Okay. So they could be, in theory, fined, you know, or punished by a future administration for doing that. Not that I think that would be particularly productive. But it was interesting that they were prepared to skirt the ban. You know, Apple, Google didn't remove TikTok from app stores, as far as I'm aware. Oracle continued to host their content, as far as I'm aware. So that was one interesting facet of this. And then, of course, Trump is sworn in. He can't just overturn the ban. It's law. But what he can do is sign an EO giving them, you know, 75 days to. To kind of prepare a sale. You know, it'll be interesting to see if he can make a deal here. You know, he's. He's the. He's the deal maker. Can he get this forced divestment across the line? I guess we'll find out in 75 days.
Adam Boileau
Yeah. Yeah, I guess so. And, you know, kind of watching the end of TikTok in the days leading up to it was kind of interesting in a way. There was a lot of people posting kind of farewell videos and talking about what they'd achieved on the platform. And, you know, a lot of it was really quite heartwarming. Yeah. And then there was also.
Patrick Gray
It's a wonderful platform.
Adam Boileau
Yeah. There's a few kind of, you know, creators who were posting videos saying, hey, actually, look, I never really made those meals that I prepped for the, you know, for the work week that I'd be talking about. It was all just for the clicks. And then the other platform's back after 14 hours offline. It's a bit orcs for them. So anyway, it was just. It was an interesting period on the Internet. And, yeah, we're just gonna have to see what 75 days brings.
Patrick Gray
Yeah. And meanwhile, a bunch of Americans were signing up to all these other China. China apps like RedNote and whatever, and, like, posting really pro Chinese st. I mean, you know, it's probably worth reiterating that you can't access American social media in China. You know, it's not like. It's just. I don't know why this has been so hard. And I'll also point out that it's an absolute political disaster for the Democrats. Right. Because they announced this thing, which was initially Donald Trump's idea, mind you, pushed the law through, and then now they just, you know, 100 million Americans plus use tick tock. And now it looks like Trump is the, is the savior here. So they just like, they can't help but shoot themselves in the, you know what? The Democrats in America, they did such.
Adam Boileau
A poor job of explaining, you know, explaining why like, I mean, they can't, I guess they can't come out and say, look, we are in an existential crisis in which we are competing with China in a new war. They are the enemy. Yeah, you can't use the enemy's app. Right, but they can't, I guess they can't say that out loud. But you know, there are so many people missing the point, like thinking that it's about individual privacy or thinking it's.
Patrick Gray
About, yeah, about data theft or whatever. We've spoken about it a million times on the show. But when you've got 100 million Americans using it for an hour a day, you know, that is your number one media asset in a country. And there are already quite strong laws about, about foreign media ownership. So yes, you know, if China wanted to come in by the Washington Post, the New York Times, you know, forget it. Right? They want to buy cnn, forget it. It's not going to happen. So yeah, crazy stuff. But I did find it funny people, you know, rushing over to sign up to apps and to agree to terms of service that said that they would respect Chinese cultural values and be good socialists.
Adam Boileau
It's a crazy world.
Patrick Gray
Now, as promised, Ross Ulbricht, the founder of this Silk Road drug and all sorts of bad stuff marketplace, he's been pardoned by Donald Trump. I mean, he was convicted in 2015 for distributing narcotics, distributing narcotics by means of the Internet, conspiring to distribute narcotics, engaging in a criminal enterprise. That one carries a sentence of life and a mandatory 20 year sentence. One count of conspiring to commit computer hacking, conspiring to traffic and false identity documents and conspiring to commit money laundering and yeah, free as a bird. Meanwhile, other news, and this one just happened like the day after we went on break. But NSO lost its big lawsuit in the United States where they were being sued by Meta over, you know, the installation of Pegasus on their customers devices via WhatsApp. Pretty interesting. I've posted also a link to a legal analysis on Lawfare by a guy called Asaf Lubin. And yeah, it's really interesting because what this guy says is that the judge was able to sidestep the most critical questions so as to avoid creating problematic, you know, precedents or whatever. One of the reasons WhatsApp got in, sorry, one of the reasons NSO got into so much trouble here is because they just refused to produce evidence that the court asked for. So that was kind of, that worked really not in their favor. And it reminded me of, you know, 20 years ago when I was sitting in the Australian Federal court, you know, attending the Kazaa lawsuit, which was the peer to peer file sharing app, and the judge did something similar, which was to really base their judgment less on the technology and more on the actions of the, of the company. So it doesn't look like this is going to have huge ramifications for the broader sort of and well behaved spyware industry, particularly considering the better behaved actors don't tend to do operations themselves like they provide tools to government agencies who then use the tools. Whereas here, you know, NSO actually going out and doing the shell popping and intelligence extraction, you know, you can wave goodbye to any sort of sovereign defense on that. But yeah, what did you make of this? I mean, I'll admit to being a little bit surprised that the court found in Meta's favor here.
Adam Boileau
Yeah, I mean I, I was surprised and then when I read through the, the law fair bit about kind of like how it actually ended up being ruled in, in WhatsApp's favorite, kind of made more sense. It also means, I think that it doesn't really make much the way of precedent and there were some questions about like what kind of punishment are they going to get? Like are we going to see like big damages? And if they are big damages, to what extent are they even kind of are they enforceable or are they a thing that you can collect?
Patrick Gray
NSO is dead. Long live nsp.
Adam Boileau
Yes, exactly. OSM Group or whatever else. So I mean, it is interesting, you can kind of see why Apple threw in the towel a while ago because, you know, kind of winning, you know, a spiritual but not particularly effective victory like WhatsApp has done here, you know, maybe is a waste of time. And then, you know, we've still got appeals that could happen. It could take another however many years, who knows. And by then, you know, probably NSO Group won't even matter anymore. It'll be something new entirely. So.
Patrick Gray
Yeah, well, I mean, they've already quite diminished. They are somewhat attenuated between the sanctions and the, you know, all of the drama. So meanwhile, now this is an interesting one that was reported. The reports on this was sort of surfacing late December, early January. There was a interesting attack against the publishers of Chrome Extensions. And it Looks like what brought this one undone is they successfully compromised a cybersecurity company's extension. And this thing was designed to prevent you from accidentally disclosing important information into a, you know, web form or whatever, like a phishing protection or whatever. They're called Cyberhaven. And they did, you know, they did actually wind up shipping a bad, bad extension as a result of this campaign. But it looks like they detected it quickly, and that's what brought this whole thing down. So bad on you for getting owned, but good on you for being the ones who brought it to the public's attention. But if you look at how this phishing attack against the publishers worked, I mean, you know, it's impossible, I would think, to prevent this from being successful in a big enough team, right. Like someone is going to click on it, walk us through the actual way this worked. Because reading this, I was just like, man, that is solid phishing.
Adam Boileau
Yeah. So the phish pretext is initial email which says, hi, we're from the Google Chrome Web Store. Your extension has violated some obscure Google policy that you didn't know about. Click here to read the stupid policy that you didn't know about. And then that leads you through to sign in with Google OAuth grant flow to authorize a malicious application called, in this case the Privacy Policy extension, to get access to your account. And then once they've done that, they've got permissions to upload new versions of the extension to the App Store. And if you've ever used any of the kind of modern cloud world where with lots of OAuth flows and wherever. I was playing with Google Cloud stuff just yesterday, right? And I ended up having to click through all sorts of crazy OAuth grants that I didn't really understand because I'm using a new technology thing. I don't really know what all the words are. It's hard to tell which is Google Internal, because in some cases, you know, like the Google API Explorer, for example, is a Google app, but you have to authorize it to access your stuff as well. And it's all, you know, I can totally see why you would fall for this. And it's just. Yeah, I mean, it's a hard one to fix. And especially, you know, OAuth is complicated. Modern cloud apps are complicated. You know, in the old days where we kind of, you know, when we had Windows apps and Windows boxes, you know, you kind of understood the framework in which you were working in, whereas now everything's crazy. Web SaaS. Who even knows how to work.
Patrick Gray
It's not uniform. I mean, we're not actually talking about it this week, but Dan Gooden has a great piece up talking about the problem with passkeys. And one of the issues is like the UI different everywhere. You know, it's like, it's not a uniform experience. And when you look at things like Oauth grants and whatever. Yeah. You don't know what they're doing. You don't know how they interact really with your account. You don't know quite who the publisher is. Or maybe you might, depending on the ui. So.
Adam Boileau
And what are you even granting? And like, it says, hey, we're only going to do this. But, like, how do I know that? Like, where's the thing that says that? How do I check?
Patrick Gray
Well, I think quite often in the ui it will tell you.
Adam Boileau
Yeah, but like, do I trust that ui? Like, is that the UI or is it the screenshot? Is it a fake of the real ui? Like, how am I supposed to tell when it's all in a browser? You know, I live in fear of hitting a fake password prompt because it just looks like the real thing. And in the old days you could like drag the auth window off the side of your browser and it's like, it's a, it's an operating system window. Okay, fine.
Patrick Gray
Yeah.
Adam Boileau
But, you know, when the browser's the operating system, who even knows anymore?
Patrick Gray
Yeah, yeah, I mean, it's. Yeah, it's interesting, right? So it looked like this, the malicious code added to these extensions did things like harvest like Facebook session tokens and stuff. So it doesn't look, you know, it looks more like, you know, fraud at scale, you know, stealing Facebook accounts. Right? Like, nothing, nothing fancy, but you can do an awful lot with a compromised extension.
Adam Boileau
You sure can.
Patrick Gray
You sure can. And you know, it's funny, right? Like the airlock digital people who do allow listing, I remember like years ago saying to them, like, it's not happening now, but it's coming, right? There's going to be people targeting extensions. And I really think, you know, and they're like, yeah, we'll get to it, we'll get to it. And they did have it on their roadmap, but I was like, they're just going put it further up on your robot. They actually shipped it, I think it was last year. And they, they told me in Slack, they're like, this will make you really happy, Pat. We've shipped the extension allow listing. And it was funny because that was my pet, my pet request from the Airlock people. But you know, and even then, like I'm not sure about their implementation. I think it would actually handle this okay. Where you've got updated code. Because I don't think they did it through the Google. I'd have to check with them, but I don't think they did it through like Google APIs or whatever. I think they actually did it like on disk. So if the code changes like it will, it will disallow it. But you know, even if you're doing it with some sort of Google ui, what does that mean in terms of updates? Does it block them? Does it allow them? Like, I don't even know. I think more and more we're going to see security tools doing cool stuff in the browser. You know, we've got custom browsers like island, which is the big, you know, enterprise browser play. But then there's others like I'm, I'm doing a lot of work with a company called Push Security based out of England who do like identity security in the browser and they do some very, very interesting stuff there. So, you know, more and more I think we're going to see identity based attacks targeting things like OAuth grants and you know, various tokens and whatever. It's just. Yeah, it's the, it's the new black. Right, Absolutely.
Adam Boileau
Yeah. That has only go where, you know, the data is where the creds are, you know, with whatever works.
Patrick Gray
Yeah, yeah, well, and an OAUTH grant is the new code execution. That's kind of the way I look at it. Right. That's the new running malware. And I used to hate it when people would, you know, everyone comes up with a, with a, with a buzzword when things change. And one that I really didn't like and I do now is like identity is the new perimeter. Because I think that is, you know, we're far off, far along. Far enough along for that to actually seem kind of.
Adam Boileau
Yeah, true. Yeah, right, agreed.
Patrick Gray
When you look at M365 and what that gets you in terms of like other access even into physical environments and whatever. Anyway, sorry, I'm ranting, I'm ranting. It's good to be back. It's good to be back now 2025, same as 2024 in some regards. So we've got all this new identity as the new perimeter. But sometimes your old perimeter is still, you know, crappy old stuff like fortigate firewalls which apparently Adam, have more comedy bugs in them that are being, oh.
Adam Boileau
My God, this fortinet bug all Right. So in the Fortinet web interface for the firewall, the main firewall product and also their 40 proxy, you can access the command line console interface of the device through the web interface. There's like a window that pops up and gives you the command line. And the way that, that works behind the scenes is there's kind of a websocket to some kind of endpoint, you know, on the web server of the device that exposes the command line interface. Turns out that didn't have effective auth, and you can show up and just send commands to the device to run.
Patrick Gray
Now, hang on, you said it didn't have effective auth, but it didn't have any auth. Right.
Adam Boileau
Well, this is the funny bit. So part of Fortinet's advice and also their.
Patrick Gray
I'm remembering this as you're saying about.
Adam Boileau
The CVSS score, is that you do have to know the admin username. And if your admin username was a secret, then the attacker can't get in. And Fortnite, like, actually for serious in their advisory saying, well, hey, you could just change the admin username.
Patrick Gray
Is it a default, though?
Adam Boileau
I mean, it's fault like admin, but I mean, if you want to change it to, you know, Cheese whiz.
Patrick Gray
Yeah.
Adam Boileau
Then, you know, you are secure. And I'm making, I'm making scare quotes for the people watching the, you know, listening to the audio version.
Patrick Gray
Well, I own some shares in Knock Knock and I'm on their board and I'm feeling very good about that. So.
Adam Boileau
Yeah. Yeah, because littens up. Yeah. Web interface on the Internet. Fortnite's having a bad time. People are out there using this in the wild. Like, it's just, it's everything you expect if you have a Fortnite on your perimeter. I'm afraid.
Patrick Gray
Yeah. And As I said, 2025, New Year, same as old year. Ivanti stuff is, you know, there's still Avanti drama. Like, how do these companies, like, maintain their value, their position, their revenue? Like, it's just.
Adam Boileau
I have no idea.
Patrick Gray
You know, it's one of those things where you just sort of rage against it in an impotent way. You know, you wish you could be global overlord for a day and just smite the wicked, starting with Avanti and Fortinet.
Adam Boileau
That would be a beautiful thing, this Avanti bug too. Actually, I have a bee in my bonnet about this one because this is a stack buffer overflow in their, like, web vpn. So in the web server that provides Their TLS vpn. So like core functionality of the product and it has a stack overflow. And I went and dug up the exploit because I wanted to see. Because I mean, stack overflows are a bug class that have been dead effectively for, you know, in a sensible platform for a very long time.
Patrick Gray
Like this is real proper time warp stuff here, right? I mean, look, they've been known about and exploited, you know, I mean that was like early 2000s, it was, you know, stack overflows everywhere. But they were pretty easy to find in a code base and code out. Right.
Adam Boileau
Easy to grip for, easy to fuzz for easy to fix with stack cookies and various other compile time controls. But the thing that's most beautiful. So I went and dug up the exploit. I think Watts Tower has done a really good write up of it. The bug is they use STR copy. They don't use strccopy, they use STR N copy, the safe version of STR copy where you specify the length of the buffer so that it doesn't run over the buffer and corrupt memory. Except that to strip in copy you have to pass the length the destination buffer and they pass the length of the source buffer, I. E. The attacker provided buffer. So of course it overwrites the destination buffer because they use the wrong length, which.
Patrick Gray
And then there you are, security product, you're smashing the stack.
Adam Boileau
Yeah.
Patrick Gray
Listening to the Chili Peppers like while it's 1999.
Adam Boileau
Yep, yep, that's exactly. Yeah, that's. And then Dan Gooden over at Ars has a write up of so this is being actively exploited. But the people who are doing it have a pretty nice set of post intrusion tools, including one that when you try and update your Avanti, it gives you like a fake update screen that makes you think you're being updated. Like it has a bunch of like sleep statements in it to make it look like it's patching itself. It also has tools to circumvent Avanti's integrity checker, because when an attacker has root on the box, the way you can fix it is by deploying a thing that checks the hashes of files on the device. And that's somehow fine. No, they just switch out the hashes of the bad components with good ones during the checker and the checker says everything's fine. Because instead of fixing their goddamn stack overflow, they wrote a whole like, let's try and hash the components and make it fine. So thank you for the enemy event.
Patrick Gray
Yeah, I think we need a collective om.
Adam Boileau
We do we do, we do.
Patrick Gray
Just quickly we'll mention this one. We spoke about that Apache struts 2 bug last year. We got a report here from David Jones which kind of oversells the article. The headline oversells the article. It says, researchers warn of active exploitation of critical Apache Struts two floor. But it turns out like it hit a honeypot somewhere, someone was messing around trying to get it to trigger. I mean, you know, that doesn't seem like a campaign. That seems like someone who's like maybe a bug bounty person is trying to get this exploit to work and couldn't be bothered spinning up a Struts 2 based application in a test network, so they just went and found one on the net. That's what it feels like.
Adam Boileau
Let's face it, we've all done that.
Patrick Gray
Well, I mean, you know, that's a crime technically, Adam, so I wouldn't say we've all done it, but, you know, you know, that's what it feels like, doesn't it? Like, what is a pen tester who just, yeah, trying to get something to work. Can't be bothered spinning up test environment. Was that your immediate take on this as well?
Adam Boileau
I mean, that is kind of what it feels like. I had a quick look in Gray Noise and there was like two expert attempts in the last couple of months against this bug, which seems a bit sus. And I don't understand why, because like this proof of concept code, which looks believable to me and you know, the bug doesn't seem that complicated, doesn't seem that many prerequisites. So I don't know why it's not going nuts like it seems like it should be, but it, it doesn't seem to be. So there must be some other wrinkle or complexity or nuance that we don't understand.
Patrick Gray
I mean, you think about log 4J. I mean, it was the slow burn. It didn't turn into a disaster, remember? Because attackers hate Java.
Adam Boileau
But then Java is gross and no one wants to have to deal with it except, you know, a few desperate sickos.
Patrick Gray
Well, and I think Struts too is kind of the same, right? And we're not going to see incredible volumes of exploitation, but it'll be a perma bug that's just going to trickle along, you know, people. I mean, I guess where log4j really turned up was in VMware stuff when people had pox for that. And I think it'll be the same for the Struts 2 stuff where there's going to be some enterprise stuff that uses it and someone literally, in the.
Adam Boileau
Case of VMware, there's all struts to author VMware stuff as well, so.
Patrick Gray
Great.
Adam Boileau
But I think everyone's already got all of the VMware shells, so they probably don't need this bug. Maybe that's what, maybe that's what's going on. Everything that was bumped to this is already shelled by someone, so you don't have to bother.
Patrick Gray
Well, but I mean, you see what I'm saying, right? Like I can imagine someone finds a bug, you know, finds out how to use this bug, targeting some VMware stuff or whatever, proof of concept hits and then people will just use it. But you know, it's got limitless potential if you put in the effort to target like bespoke apps or whatever.
Adam Boileau
Yeah, yeah, I agree completely. And you know, I like targeting bespoke Java apps, so, you know, good times.
Patrick Gray
The U.S. department of justice managed to vape Plug X, which is a piece of malware favoured by Chinese apt crews. They managed to vape that off 4200 US computers. This is a story from John Greig. Shame they only stuck to the U.S. you know, why not just nuke it everywhere? But I guess, you know, they've got to scope these things, don't they? And you know, interesting, interesting story here. It's always good when you see the DOJ has figured out a way to safely uninstall bugs.
Adam Boileau
Yeah, it's nice when you think like, how, how much hand wringing there has been about this kind of thing over the years. I mean, now we're at the point where we can just kind of do it like, yes, you go have to do it to jump through a few hoops, but, you know, we can just go do it. Uninstall a couple of thousand, you know, Plug X deployments. And I think this one was in cooperation with, was it Sequoia, the French firm?
Patrick Gray
Yeah, and the French government, I think.
Adam Boileau
And French government, I think that there's been a bunch of. The French seem pretty forward thinking at building the tools to do this and then sharing them with other people, you know, so that they can.
Patrick Gray
Well, I mean, the Dutch, the Dutch were doing this 20 years ago and at the time, I think it was controversial then. And you're right, it's not controversial now. Which somewhat connects to the earlier conversation we had about the incoming, you know, Trump administration in the United States, where they're going to just ditch some norms. I mean, I think we're Always trying to find the line. Right. You've got to move the line and find it. But, you know, this is one of those instances that you correctly point out. You know, it used to be massively controversial to do these sorts of things, which is to, like, execute a command on someone's computer when it's been impacted by malware. But now it's just like. Well, you know, that's just how it be.
Adam Boileau
Yeah, I mean, it's kind of pragmatic and, you know, there were some. There's some value to pragmatism, you know.
Patrick Gray
Yeah. Now we're going to wrap it up here, more or less wrap it up here with a quick discussion on the ongoing, you know, conflict between Russia and Ukraine. The cyber dimension of this ongoing conflict looks like, according to this story by Darina Antoniuk, a Russian ISP got vaped by Ukrainian hackers. This is the second time we've seen them do something like that. This isp, I think, is called Nodex. And, yeah, bad times being had by them. But then we've got, you know, Ukraine restoring its state registries. I think that happened last year, like in December last year, some of their state registries were vaped by the Russians. And then the Ukrainians have, you know, breached various Russian state registries, like their land records and property records registry, and vaped that. So, you know, it's fun to write about, I guess it's fun to talk about, but I don't think it really changes much, you know, and I think that's. That's just consistent with the theme over the last few years now when talking about, you know, cyber actions in this war, is that they haven't really done all that much.
Adam Boileau
No, they've certainly made a lot of trouble for people who work in those fields or work in those companies or customers or users or whatever else. But, you know, compared to having drones fly through your apartment window and blow up your house or, you know, all of the other terrible things that are happening, you know, in both Russia and Ukraine because of this conflict. Yeah. The cyber domain has not been particularly effective other than, you know, the very, very early days of the conflict. And I know, you know, seriously risky businesses. So between two nerds has talked a bunch around, you know, the extent to which cyber just has not been effective and it kind of continues to be that way.
Patrick Gray
Yeah, that's right. Although I would probably call you out on saying horrible things happening both in Russia and Ukraine because it is so asymmetrical.
Adam Boileau
Yes, that's true.
Patrick Gray
You know, I don't think, you know, people in Russia are not suffering nearly to the same extent.
Adam Boileau
Yeah, I mean, I guess I was thinking like the sysadmins at the.
Patrick Gray
Well, yeah, if you're a CIS admin. Fighting.
Adam Boileau
I know what I meant. Right. Yeah.
Patrick Gray
Fighting in the cyber trenches. Sure, I get what you mean. Now, look, we're going to end with a attaboy for Mr. Brian Krebs, who last year did some Krebs ing of this guy who was involved in the campaign targeting Snowflake instances. You know, a couple of guys have been arrested. He's like, well, there's another one. And I'm pretty sure he works at this military base. And, you know, he did his unpicking and doxing and, yeah, this guy got arrested at that military base, so bad times ahead for him.
Adam Boileau
Yes, Cameron, John Wagnius. I think it was Kyber Phantom. So, yeah, he's going to face some criminal charges. And, yeah, it's, you know, Krebs does solid work, I think Brian was saying as well. Like 15 years of Krebs on Security, the blog. So, you know, solid work, Brian. And, you know, Gratz on. I don't know how he gets. Does it every morning, like, gets up, you know, walks into his Pepe de Silva office and, you know, sits down and starts putting those little red pieces of string on the wall. I mean, good on you, buddy. Good on you.
Patrick Gray
That's right. That's right. All right, man. That's actually it for the first episode. Back for 2025. Great to see you. Great to talk to you. It's good to be back. It is good to be back. And we'll do it all again next week.
Adam Boileau
We certainly will. I think next. Next week I'm gonna be. We'll do it in person, aren't we?
Patrick Gray
That's right. That is absolutely right. You're going to be here at Risky Biz hq. So we'll do it in the flash. That'll be fun. I don't know how we're going to video that, but we'll figure that out.
Adam Boileau
We'll figure it out.
Patrick Gray
We'll figure it out. We'll do it live.
Adam Boileau
We'll do live.
Patrick Gray
That was Adam Boileau there with a check of the news that we missed while we were on break. Big thanks to him for that. It is time for this week's sponsor interview now with Craig Rowland, who is the founder of Sand Fly Security. Really interesting company that makes a Linux security product where instead of it being an agent, it essentially goes in, logs into all of Your Linux stuff deploys like tiny little binaries written and go that go and collect bits of information and can detect things like configuration drift, incidents, intrusions, whatever. It's a really novel approach to Linux security. Rob Joyce Former NSA he's an advisor to Sandfly and yeah, they're really cool. So I wanted to talk to Craig though about how there doesn't really seem to be a uniform approach to looking after the security and like monitoring of Linux systems. A lot of companies seem to develop their own tools or they might use edr, but it's not uniform across their Linux fleet. And I wanted to talk to him about why that is. And I guess we started this conversation by talking about how Linux incidents aren't as splashy as things like ransomware. And there's a good reason for that chiefly being that it's difficult to create malware that works across a lot of Linux variants. So you tend to see a lower volume of more sort of handcrafted attacks hitting Linux systems. So here's Craig Rowland to kick off that interview.
Craig Rowland
What you see with the Linux malware is generally it's a lot harder to get it to run across multiple Linux systems. They tend to be incompatible with each other or they tend to have different configurations. So what we find is that the Linux side just doesn't get a lot of attention because it's not had this highly targeted splashy, like I said, in particular ransomware in particular. But we definitely do know about it being targeted by more advanced groups that are looking to do some serious damage, financial damage, looking to steal information, looking to get inside the critical infrastructure. So it is there. I just don't think it's received the press of again, having a massive encryption happening across all your Windows shares, for instance, shutting down a company. We haven't seen analytics, but that does not mean people aren't operating there. They are operating on those boxes. We just haven't seen the ransomware groups really go after them directly as much.
Patrick Gray
No, you make a really interesting point, which is malicious activity against Windows is easier to scale. It's easier to turn that into an industry, into an illicit industry because you know, it's a target rich environment and there's a lot of compatibility across the different windows and that's just where the knowledge base kind of is. And if you want to go after Linux, you know, as an attacker, you kind of need to know Linux, right? And it's going to be, every single environment is going to be different. It's almost like you're doing bespoke Attacks in every different environment you're trying to enter.
Craig Rowland
Yeah, that's exactly right. I mean, if you think about it even from your own experience running a Linux box, I mean each system is going to be slightly different. So we might run into customers who are running standardized images, but it's standardized to them, right? It doesn't necessarily mean it's what everyone else is going to see. And they'll have different configuration and different hardening or sometimes often no hardening at all. So at that point the attackers do need to approach each system a little bit differently. Custom exploits and things like that. Again, it's like people bash on Windows, but the one thing Windows is really good at is backwards compatibility. You could take an exe from 20 some years ago, it'll still run. Linux just doesn't have it. And in a way, kind of, it's a bit of a saving grace in a way, but it also means advanced attackers could hide. And that different configuration also means it's hard for security teams to find them because again, they need to know about all these different ways people could get on a box or remain there. And it gets quite difficult and complicated very quickly.
Patrick Gray
Yeah, I mean, I think another issue you've got there is that the security tooling, like writing security tooling like EDR for Linux is fraught. I mean, we were just talking before we got recording and you were saying that, you know, you speak to customers where they're like, we can't do a kernel update because we think it's going to break our edr. And as a result, I mean that's not good. Like right there, that's not good. And as a result of that, you know, you might even have people who are just don't want complete EDR coverage because they're worried about how brittle it makes their deployments.
Craig Rowland
It does. We run into that. There's actually a interesting case. Certain industries are required by regulation to update if there's a certain kernel level attack over certain CVE severity. Right. So they're faced with a situation where they have to update the kernel but they've not had the ability to get the EDR agent updated or they haven't been able to test it. So what they do is they just have to shut the EDR off because they're required by these regulations to do the kernel update. So basically the systems are, yeah, they're patched but now there's no monitoring going on and there won't be monitoring going on until that EDR agent is able to go through the Configuration testing necessary to make sure it's not going to crash the system. So it does create a weird situation.
Patrick Gray
It's interesting too because you mentioned that some organizations have a standard sort of Linux build that they use, but I'm guessing that's only going to be in pockets of the business. Right. So you have this team has this standard build, this other team has that standard build. Like I imagine it's extremely rare that you go into an environment and it's one standard build everywhere.
Craig Rowland
Yeah, it would be pretty rare. I think we've seen it a couple times but even then once we kind of got into it, it wasn't really true. Right. You know what I mean?
Patrick Gray
Well, you're going to get some configuration drift and people who need to change because they just need to do the thing and the standard build doesn't support it, you're going to get all sorts of drift.
Craig Rowland
Sure. And you know, and these major global companies might have that level of sophistication, like you might look at a Google or Facebook or something like. But for a lot of other organizations it's just not that easy to keep everything. And a lot of companies grow by acquiring other companies. So you're rolling in this different type of diverse infrastructure, you know, stapling it all together and it eventually just becomes kind of a big mass of various Linux all over the place.
Patrick Gray
Man, my head, I'm rubbing my temples, right? Like just even having this conversation and that's not even to mention. And it's something you and I spoke about in our Snake Oiler slot last year. But like Linux based appliances, right? And what's interesting too is your product, you can get into some of them. Like if you can get an SSH shell and reasonable level of privilege, like it doesn't matter that it's an appliance, you can still do some stuff there, you can pull down artifacts, you can inspect the machine and that's great, but you can't get on every platform. Right. Like I think you were saying, like you'd love to get Shell on Ivanti so that you could take a poke around those boxes, but you just can't.
Craig Rowland
Yeah, that's right. Avanti, Fortnite. We'd love to get on those systems but you know, we just can't. There's no easy Shel this. And yeah, we, we could do some things to access the shell through various technical mechanisms that people post online but at that point, you know, you're, that's.
Patrick Gray
An, that's an unsupported access and it's it's, it's, you know, they can patch that out too so that you get, you just lose it.
Craig Rowland
Yeah, we, we, we just don't want the risk it. Look, they clearly don't want us on the boxes and we're happy to stay off until they decide to kind of come to their senses.
Patrick Gray
Yeah. Do you think they will? I mean, do you, do you sometimes talk to some of these pizza box makers and say, look, you know, getting some shell access to be able to do this sort of inspection would be really useful. I mean, I imagine they just tell you to pound sand, right?
Craig Rowland
Yeah, we've never gotten good response to that yet. We would definitely like to take a look now. There are other companies that are far more open, you know, like, like Synology, Ubiquiti. Those systems are fairly easy to get access to. Quite a few IP cameras are the same way. You could get onto these systems and there our product works perfectly fine. We could go in to sweep those systems as any Linux box. But there are other ones. Yeah, they just don't want you getting access to it. Cisco's the same way. Some of the newer Cisco gear is basically Linux under the covers, but to get a shell on it they'd have to go through different configurations to enable it and they just don't want us on the box.
Patrick Gray
So just going back to what you said earlier about how Linux teams tend to be quite small, kind of overworked and often even lacking some deep expertise there, I imagine that that would have had some implications for the way that you even develop your software, right? Because you almost need to make it something that people can use if they don't have deep, deep, deep Linux expertise. And it is really knowing Linux is an entire career in itself, right? Like it's not like you can just bone up on it and get good at Linux real quick, you know, and be able to walk into any environment and be dialed in. So like how do you make a security product for Linux that's easy enough for someone who's knowledgeable but not a specialist to use, but without dumbing it down to the point that it's useless to the specialists? Right? Like has that been a bit of a thing for you? I imagine that would have been a thing for you.
Craig Rowland
It is. So basically the answer is we do both, right? We provide a very high level explanation of kind of plain English about what's going on with MITRE tact tags. And then under the covers you could always get to the raw forensic data which has really extensive raw information so if you get usually in the SoC, you're going to get different tiers of people operating. You're going to get the people who are stuck at the graveyard shift, right? And then you're going to get the really senior people that things get kicked up to. So we provide information for both sides. So we want to get the attention of the junior people to say we don't want you to ignore this alert and we want you to bump it up to someone who needs to pay attention to it. But we do provide the information with it as well. And in a way even the people who are very good at Linux, sometimes we see stuff they hadn't really considered. So we still need that basic explanation just to let them know kind of why this is a problem. And essentially we just want to automate having like a really pedantic 247 forensic investigator just walking on your network constantly. And that's really what we do. So essentially we can alleviate a lot of the headaches with monitoring these Linux systems that these teams frequently don't have the expertise themselves. So we tried do it for them.
Patrick Gray
Now just one last thing I want to talk about. Am I right in assuming that the companies that have the more secure Linux environments, it's because they do have that deep expertise and they're kind of rolling their own security tooling through a combination of like scripts and orchestration and like they're the ones who do well. And you know, also the mega companies who. That would be their approach like your metas and your whatever like you mentioned before. But everyone else is kind of cooked because that's kind of what it feels like because there hasn't really been a mutually agreed upon sort of tooling approach to doing this. So you've either got to do it yourself or you don't do it. Is that kind of the state of things?
Craig Rowland
Yeah, we do see custom tooling happening. We've seen that at some companies, some of them are quite advanced, some of them not as advanced. Sometimes we've seen products, internal tools that kind of do what we do, but we just end up doing it better so they end up using us instead. But you do get this customer.
Patrick Gray
That is a sales path for so many vendors I've spoken to over the years where like people have been doing it some hacky way and it's work right to maintain it. They've, they've wound up essentially running a software product just for their own use. And then someone comes along who's just like, you know, because they've got multiple customers like it just works better and yeah, it is. Switch to that. Right.
Craig Rowland
That's what it is. We just, we just do it better, more thoroughly. But even the advanced organizations, they still need, I think sometimes they still want to have an external set of eyes. So there are some that definitely suffer from not invented here syndrome, but there are definitely others that are like, yeah, we have our own internal toolings but we want to have another way to look at the same problem to make sure we're not missing things. But you, even with large orgs, that doesn't necessarily mean they're going to have a good internal development team. There's certain companies that absolutely do have great internal development teams but most, most people can't afford. That's a very elite level, you know, reverse engineering on staff and all sorts of stuff. Most companies don't have it. They need to go to external vendors in order to get that monitoring done.
Patrick Gray
Yeah, right. So I mean, look, I think what we're describing right now is a mess, to be frank, which is just the general state of Linux at scale in the enterprise. And I'm not surprised, I don't think that's hysterical to say that it's just been neglected. I mean, I think, you know, we talked about ransomware earlier and I think ransomware has done us a lot of favors in that it's forced companies to properly configure and roll out EDR everywhere. And like Windows networks these days are pretty good largely thanks to ransomware. Right. But we haven't had that in Linux yet. So it's just been, it's now at the back of the pack I guess is what I'm getting at.
Craig Rowland
Yeah, I've joked about that in the past, that if you get Crypto Miner on your system, the first thing you should do is get the address of the person who got out of your box and send them a little bit of bitcoin to thank them for the free audit. Because I mean they've done you a service. So like it's very obvious they've been there. So you know you've got a problem because there's definitely some more serious people that are not going to let themselves be known and it's just, it's just a reality of it.
Patrick Gray
I mean at this stage, you know, as we record, we don't quite know what happened with Salt Typhoon, but I'm guessing there was some Linux hacking involved there. Right. That might change the conversation a bit.
Craig Rowland
It could. Telco's run a lot of Linux. A lot, A lot of switching Equipments Linux based and there's just a lot of places to hide. You know I used to do red team, that's where I started off years ago. One of the first places we red team was a hospital. One of the first systems I broke into was a box at an uptime of four years and that always left an impression on me because I knew we were not going to be found. And that really left an impression that unmonitored Unix and Linux systems is just very, very bad news. You don't want people like me on those boxes for any length of time. And unfortunately today they could exist on these systems for a long time.
Patrick Gray
Just real quick on the telco switch thing, right? How do you go getting on them? Because quite often they are Linux based but then you get companies like Cisco who put like a weird iOS, you know, command line interpreter on top of that. So you can't actually interact with the Linux unless you've got some sort of, you know, privesque that drops you into a real Linux shell. Like how do you go about doing that?
Craig Rowland
Well, I'd go would probably depend on the vendor and again you're going to run into the whole service contract thing so would it count as an unauthorized modification that you're modifying it? Telcos though, even outside the switches, telcos run a lot of other Linux outside of just a pure switching equipment just to keep the networks going and those we could generally access pretty much straight away because they're not under a particular vendor's control. So there's just a lot of Linux running the infrastructure. I mean when you pick up your mobile phone you should just, just bow down and thank the gods that it actually works. There's a lot of fragile components involved with keeping it running.
Patrick Gray
Yeah, yeah there sure is. All right, Craig Rowland, thank you so much for joining me for that conversation all about, you know, how wonderful the state of Linux security at scale is at the moment. A disturbing conversation, but an interesting one. Cheers.
Craig Rowland
Yeah, great, thank you.
Patrick Gray
That was Craig Rowland there with this week's sponsor interview with Sandfly Security. Big thanks to them for making this week's show possible. And you can find them@sandfly security.com and as I say, I think it's a really cool concept. I think it's a, you know, it's, it's a cool idea. But that is it for this week's show. I do hope you enjoyed it. I'll be back next week with more security news and analysis but until then I've been. Patrick Gray. Thanks for listening.
Adam Boileau
Sa.
Risky Business #776 -- Trump Will Flex American Cyber Muscles
Release Date: January 22, 2025
Host: Patrick Gray
Guests: Adam Boileau, Craig Rowland
Sponsor: Sandfly Security
Patrick Gray opens the 19th season of Risky Business, highlighting a four-week hiatus due to the holiday season. He introduces the episode's agenda, which includes a news segment with Adam Boileau and an interview with Craig Rowland, founder of Sandfly Security. Gray also mentions they're hiring for an audio/video editor with a cybersecurity interest.
[00:54] Adam Boileau shares that his break was a refreshing time away from computers, only to return to a "full of crazy" cybersecurity landscape. Patrick Gray segues into major news about significant personnel changes at the Department of Homeland Security (DHS).
Gray reports that all external committee members associated with the Cyber Safety Review Board (CSRB) have been dismissed, including notable figures like Rob Joyce, Chris Krebs, Dmitri Alperovich, and Heather Adkins.
[02:39] Boileau underscores the importance of these advisors, stating, "the expertise of people, you know, like that list, you know, is pretty critical for that report to have the kind of depth as well as technical credibility outside of government circles."
Patrick Gray expresses concerns about the potential politicization of CSRB's work under Trump's administration, questioning whether the board will retain its focus on cybersecurity or become a political tool.
The conversation shifts to the Salt Typhoon cyber campaign targeting U.S. telecommunications companies and the U.S. Treasury. Gray references a report by Catalyst Kimpanu about a Chinese operation infiltrating the Treasury:
[06:36] Gray: "it looks like this was a Chinese operation targeting treasury to, you know, gather intelligence on things like sanctions and whatnot."
[07:37] Boileau adds, "They were in as well, the Office of Foreign Assets in Control. So, yeah, that's a solid day's work."
The scope of the Salt Typhoon campaign is discussed, highlighting successful evictions by AT&T and Verizon. However, Gray points out uncertainty about the remaining affected telecommunications companies:
[09:09] Gray: "AT&T and Verizon have said they managed to evict Salt Typhoon, which is great news. Unsure about the other 100 odd telcos that have been impacted though."
Boileau emphasizes the difficulty in completely removing such sophisticated threats:
[09:58] Boileau: "They're not cured, they're perhaps in remission."
Patrick Gray discusses President Joe Biden's recent executive order aimed at enhancing cybersecurity across government agencies and contractors. The order includes mandates for phishing-resistant authentication and cryptographic signing of route advertisements via BGP.
[10:14] Boileau: "Things like the US Cyber Trust mark, which is the scheme for like labeling IoT devices with like, you know, they've got some security at all..."
Gray notes the executive orders from the previous administration being rescinded, raising questions about the longevity of Biden's initiatives.
Gray touches on the U.S. sanctions against Integrity Technology Group, a Beijing-based firm linked to the Flax Typhoon campaign. This operation involved building an IoT botnet, similar to prior cyber threats.
[12:16] Boileau: "Flax Group is... a private sector firm that's been doing a bit of work."
The discussion highlights the ongoing cyber tension between the U.S. and China.
Patrick Gray reviews the recently signed Defense Spending Bill, which allocates $3 billion to help telecommunications companies replace insecure Chinese equipment.
[14:18] Gray: "Federal funds going to help them replace stuff where their attitude otherwise is going to be, 'well, it ain't broken, so why fix it?'"
Boileau concurs, acknowledging the long-term nature of such infrastructure projects but emphasizes their importance in national security.
With Donald Trump resuming the presidency, Gray anticipates a more aggressive U.S. stance against cyber threats, especially from China. He references potential appointments favoring "China hawks" and the possibility of using cyber measures as political tools.
[17:17] Boileau: "You can't really have a sensible, grown up, norms based conversation about, you know, setting expectations and blah, blah, blah."
Gray raises concerns about the implications of a more confrontational cyber policy, including potential escalation and deviation from international norms.
Gray discusses the chaotic implementation and subsequent partial reversal of the TikTok ban initiated by Trump. Despite the ban, app stores and hosting services like Oracle continued to support TikTok, undermining the administration's efforts.
[22:17] Gray: "It's a wonderful platform."
He also notes the irony of Democrats facing backlash as American users flock to pro-China apps like RedNote in response to the TikTok saga.
Ross Ulbricht's Pardon: Trump pardoned Ross Ulbricht, the founder of the notorious Silk Road marketplace.
NSO Group Lawsuit: NSO lost a significant lawsuit filed by Meta over the use of Pegasus spyware via WhatsApp. Gray references an analysis by Asaf Lubin on Lawfare, suggesting the ruling may not set a strong legal precedent but signifies ongoing legal battles against spyware firms.
Chrome Extensions Compromise: A recent cyberattack exploited vulnerabilities in Chrome extensions, particularly targeting cybersecurity tools like Cyberhaven. The attackers used phishing techniques to gain access and distribute malicious updates.
[28:18] Gray: "OAuth is complicated... it's the new black."
Fortinet and Avanti Vulnerabilities: Patrick Gray and Adam Boileau discuss recent security flaws in Fortinet and Avanti products, highlighting outdated vulnerabilities like stack buffer overflows and their exploitation by attackers.
[35:59] Boileau: "The bug is they use STR copy... the wrong length, which overwrites the destination buffer."
The ongoing conflict between Russia and Ukraine extends into the cyber realm, with Ukrainian hackers successfully compromising Russian ISPs and restoring state registries. However, both hosts note that the cyber dimension has not significantly altered the broader conflict's dynamics.
[45:49] Boileau: "The cyber domain has not been particularly effective other than, you know, the very, very early days of the conflict."
Patrick Gray introduces the sponsor segment featuring Craig Rowland, founder of Sandfly Security. The discussion centers on the challenges of securing Linux environments in enterprises.
Key Points:
Linux Malware Complexity: Craig explains that Linux malware is harder to scale due to diverse configurations and lack of backward compatibility, making attacks more bespoke.
[50:48] Rowland: "Linux incidents aren't as splashy as things like ransomware because it's hard to create scalable malware across Linux variants."
Security Tool Challenges: The difficulty in developing Effective Detection and Response (EDR) tools for Linux is highlighted, with organizations often hesitant to update kernels due to compatibility fears with existing EDR agents.
[52:12] Rowland: "Some industries are required by regulation to update if there's a certain kernel level attack... they just have to shut the EDR off."
Custom Tooling vs. Standard Solutions: Many organizations resort to custom, often hacky, security solutions for Linux, leading to inconsistent security postures. Sandfly Security offers a more standardized approach by deploying lightweight binaries for comprehensive monitoring without the need for deep Linux expertise.
[59:00] Rowland: "We've seen custom tooling happening, but we do it better, more thoroughly... most companies don't have it, so they need external vendors."
Configuration Drift and Diverse Environments: He discusses the challenges of maintaining security across diverse Linux environments, especially in large organizations with multiple standard builds and ongoing configuration drift.
[61:18] Rowland: "Unmonitored Unix and Linux systems is just very, very bad news. You don't want people like me on those boxes for any length of time."
Patrick Gray emphasizes the neglect of Linux security in the enterprise, attributing Windows' improved security to ransomware pressures, a phenomenon not yet mirrored in Linux environments.
Patrick Gray wraps up the episode, thanking Adam Boileau for the news segment and Craig Rowland for the insightful interview with Sandfly Security. He reiterates gratitude to the sponsor and teases the next episode's in-person format.
[63:14] Gray: "That was Craig Rowland there with this week's sponsor interview with Sandfly Security... Cheers."
Adam Boileau closes with a nod to the next live episode.
[63:43] Boileau: "Sa."
Adam Boileau [02:39]: "the expertise of people, you know, like that list, you know, is pretty critical for that report to have the kind of depth as well as technical credibility outside of government circles."
Craig Rowland [50:48]: "Linux incidents aren't as splashy as things like ransomware because it's hard to create scalable malware across Linux variants."
Patrick Gray [17:17]: "I think we're going to have some sort of... it's a very interesting four years. Speaking of..."
Thank you for listening to Risky Business. Stay safe and informed in the ever-evolving landscape of information security.