Risky Business #776 -- Trump Will Flex American Cyber Muscles
Release Date: January 22, 2025
Host: Patrick Gray
Guests: Adam Boileau, Craig Rowland
Sponsor: Sandfly Security
Introduction and Welcome
Patrick Gray opens the 19th season of Risky Business, highlighting a four-week hiatus due to the holiday season. He introduces the episode's agenda, which includes a news segment with Adam Boileau and an interview with Craig Rowland, founder of Sandfly Security. Gray also mentions they're hiring for an audio/video editor with a cybersecurity interest.
Department of Homeland Security Shake-Up
[00:54] Adam Boileau shares that his break was a refreshing time away from computers, only to return to a "full of crazy" cybersecurity landscape. Patrick Gray segues into major news about significant personnel changes at the Department of Homeland Security (DHS).
Gray reports that all external committee members associated with the Cyber Safety Review Board (CSRB) have been dismissed, including notable figures like Rob Joyce, Chris Krebs, Dmitri Alperovitch, and Heather Adkins.
[02:39] Boileau underscores the importance of these advisors, stating, "the expertise of people, you know, like that list, you know, is pretty critical for that report to have the kind of depth as well as technical credibility outside of government circles."
Patrick Gray expresses concerns about the potential politicization of CSRB's work under Trump's administration, questioning whether the board will retain its focus on cybersecurity or become a political tool.
Salt Typhoon and Cyber Intrusions
The conversation shifts to the Salt Typhoon cyber campaign targeting U.S. telecommunications companies and to the separate Chinese intrusion at the U.S. Treasury. Gray references Catalin Cimpanu's reporting on the Treasury operation:
[06:36] Gray: "it looks like this was a Chinese operation targeting treasury to, you know, gather intelligence on things like sanctions and whatnot."
[07:37] Boileau adds, "They were in as well, the Office of Foreign Assets Control. So, yeah, that's a solid day's work."
The scope of the Salt Typhoon campaign is discussed, highlighting successful evictions by AT&T and Verizon. However, Gray points out uncertainty about the remaining affected telecommunications companies:
[09:09] Gray: "AT&T and Verizon have said they managed to evict Salt Typhoon, which is great news. Unsure about the other 100 odd telcos that have been impacted though."
Boileau emphasizes the difficulty in completely removing such sophisticated threats:
[09:58] Boileau: "They're not cured, they're perhaps in remission."
Biden's Executive Order on Cybersecurity
Patrick Gray discusses President Joe Biden's recent executive order aimed at enhancing cybersecurity across government agencies and contractors. The order includes mandates for phishing-resistant authentication and cryptographic signing of route advertisements via BGP.
[10:14] Boileau: "Things like the US Cyber Trust Mark, which is the scheme for like labeling IoT devices with like, you know, they've got some security at all..."
Gray notes the executive orders from the previous administration being rescinded, raising questions about the longevity of Biden's initiatives.
Sanctions on Chinese Cyber Entities
Gray touches on the U.S. sanctions against Integrity Technology Group, a Beijing-based firm linked to the Flax Typhoon campaign, which assembled a botnet out of compromised IoT and edge devices in the manner of earlier botnet operations.
[12:16] Boileau: "Flax Group is... a private sector firm that's been doing a bit of work."
The discussion highlights the ongoing cyber tension between the U.S. and China.
Defense Spending and Telco Security
Patrick Gray reviews the recently signed Defense Spending Bill, which allocates $3 billion to help telecommunications companies replace insecure Chinese equipment.
[14:18] Gray: "Federal funds going to help them replace stuff where their attitude otherwise is going to be, 'well, it ain't broken, so why fix it?'"
Boileau concurs, acknowledging the long-term nature of such infrastructure projects but emphasizes their importance in national security.
Trump's Cybersecurity Agenda
With Donald Trump resuming the presidency, Gray anticipates a more aggressive U.S. stance against cyber threats, especially from China. He references potential appointments favoring "China hawks" and the possibility of using cyber measures as political tools.
[17:17] Boileau: "You can't really have a sensible, grown up, norms based conversation about, you know, setting expectations and blah, blah, blah."
Gray raises concerns about the implications of a more confrontational cyber policy, including potential escalation and deviation from international norms.
TikTok Ban and Aftermath
Gray discusses the chaotic rollout of the TikTok ban and its partial reversal once Trump took office. Despite the law taking effect, TikTok came back online, with hosting providers such as Oracle continuing to keep the service running.
[22:17] Gray: "It's a wonderful platform."
He also notes the irony of Democrats facing backlash as American users flock to pro-China apps like RedNote in response to the TikTok saga.
Notable Legal Developments
- Ross Ulbricht's Pardon: Trump pardoned Ross Ulbricht, the founder of the notorious Silk Road marketplace.
- NSO Group Lawsuit: NSO lost a significant lawsuit filed by Meta over the use of Pegasus spyware via WhatsApp. Gray references an analysis by Asaf Lubin on Lawfare, suggesting the ruling may not set a strong legal precedent but signifies ongoing legal battles against spyware firms.
Recent Cyberattacks and Vulnerabilities
Chrome Extensions Compromise: A recent campaign compromised a number of Chrome extensions, including the one published by security vendor Cyberhaven. Rather than exploiting bugs in the extensions themselves, the attackers phished extension developers into granting OAuth access to their publisher accounts, then pushed malicious updates through the Chrome Web Store.
[28:18] Gray: "OAuth is complicated... it's the new black."
Fortinet and Ivanti Vulnerabilities: Patrick Gray and Adam Boileau discuss recent security flaws in Fortinet and Ivanti products, noting that the Ivanti bug belongs to a decades-old vulnerability class, the stack buffer overflow, and is being exploited in the wild.
[35:59] Boileau: "The bug is they use strncpy... the wrong length, which overwrites the destination buffer."
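The "wrong length" pattern Boileau describes is worth seeing in code. The following is an added example, not code from the episode or from Ivanti's products: a constructed field-copy routine that bounds strncpy by the attacker-controlled source length (so the call offers no protection at all), beside a hardened version that bounds by the destination size and rejects oversized input. The overflow is confined to guard bytes inside a region the program owns, so the demonstration is well-defined and observable; against a real stack frame the same bytes would land on saved registers and the return address. All names, sizes and inputs are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 16    /* declared size of the destination field */
#define REGION_SIZE 64   /* backing storage: the field plus guard bytes we can inspect */

/* Constructed inputs (assumptions, not captured data). The oversized one is
 * 40 bytes: longer than FIELD_SIZE but shorter than REGION_SIZE, so the
 * demonstration stays inside memory the program owns. */
static const char kOversizedInput[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
static const char kShortInput[] = "short";

/* Counts guard bytes beyond the declared field that a copy overwrote. */
static size_t guard_bytes_clobbered(const unsigned char *region) {
    size_t clobbered = 0;
    for (size_t i = FIELD_SIZE; i < REGION_SIZE; i++)
        if (region[i] != 'G')
            clobbered++;
    return clobbered;
}

/* Vulnerable pattern: the bound handed to strncpy is the SOURCE length,
 * which the attacker controls, so strncpy protects nothing. It also leaves
 * the field unterminated whenever the source is exactly that long. */
static void copy_field_vuln(char *field, const char *src) {
    strncpy(field, src, strlen(src));
}

/* Hardened pattern: bound by the DESTINATION size and reject anything that
 * will not fit together with its terminator, instead of silently truncating. */
static int copy_field_fixed(char *field, size_t field_size, const char *src) {
    size_t n = strlen(src);
    if (n >= field_size)
        return -1;
    memcpy(field, src, n + 1);   /* n + 1 copies the NUL as well */
    return 0;
}

/* Runs the vulnerable copy into a guarded region and reports how many
 * bytes past the declared field were overwritten. */
size_t vuln_overflow_bytes(const char *src) {
    unsigned char region[REGION_SIZE];
    memset(region, 'G', sizeof region);
    copy_field_vuln((char *)region, src);
    return guard_bytes_clobbered(region);
}

/* Same for the hardened copy; *rc receives its return code. */
size_t fixed_overflow_bytes(const char *src, int *rc) {
    unsigned char region[REGION_SIZE];
    memset(region, 'G', sizeof region);
    *rc = copy_field_fixed((char *)region, FIELD_SIZE, src);
    return guard_bytes_clobbered(region);
}

int main(void) {
    int rc;
    printf("vulnerable copy of %zu-byte input clobbered %zu guard bytes\n",
           strlen(kOversizedInput), vuln_overflow_bytes(kOversizedInput));
    printf("vulnerable copy of %zu-byte input clobbered %zu guard bytes\n",
           strlen(kShortInput), vuln_overflow_bytes(kShortInput));
    size_t n = fixed_overflow_bytes(kOversizedInput, &rc);
    printf("fixed copy of oversized input returned %d, clobbered %zu guard bytes\n", rc, n);
    n = fixed_overflow_bytes(kShortInput, &rc);
    printf("fixed copy of short input returned %d, clobbered %zu guard bytes\n", rc, n);
    return 0;
}
```

With the 40-byte input the vulnerable copy writes 24 bytes past the 16-byte field; the hardened copy refuses the input and touches nothing. The review check that catches this class of bug is mechanical: for every strncpy, memcpy or similar call, ask whether the length argument is derived from the destination's size or from the data being copied. If it is the latter, the bound is not a bound.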
Russia-Ukraine Cyber Conflict
The ongoing conflict between Russia and Ukraine extends into the cyber realm: Ukrainian hackers have compromised Russian ISPs, while Ukraine has been restoring its state registries after a Russian attack took them offline. However, both hosts note that the cyber dimension has not significantly altered the broader conflict's dynamics.
[45:49] Boileau: "The cyber domain has not been particularly effective other than, you know, the very, very early days of the conflict."
Sponsor Interview: Sandfly Security with Craig Rowland
Patrick Gray introduces the sponsor segment featuring Craig Rowland, founder of Sandfly Security. The discussion centers on the challenges of securing Linux environments in enterprises.
Key Points:
- Linux Malware Complexity: Craig explains that Linux malware is harder to scale because of the diversity of distributions and configurations and the lack of backward compatibility between them, which makes attacks more bespoke.
[50:48] Rowland: "Linux incidents aren't as splashy as things like ransomware because it's hard to create scalable malware across Linux variants."
- Security Tool Challenges: The difficulty of building Endpoint Detection and Response (EDR) tools for Linux is highlighted, with organizations often hesitant to update kernels for fear of breaking compatibility with existing EDR agents.
[52:12] Rowland: "Some industries are required by regulation to update if there's a certain kernel level attack... they just have to shut the EDR off."
- Custom Tooling vs. Standard Solutions: Many organizations resort to custom, often hacky, security tooling for Linux, which leads to inconsistent security postures. Sandfly Security pitches a more standardized approach: pushing lightweight binaries to hosts for monitoring without requiring deep Linux expertise from the customer.
[59:00] Rowland: "We've seen custom tooling happening, but we do it better, more thoroughly... most companies don't have it, so they need external vendors."
- Configuration Drift and Diverse Environments: He discusses the challenges of maintaining security across diverse Linux estates, especially in large organizations with multiple standard builds and ongoing configuration drift.
[61:18] Rowland: "Unmonitored Unix and Linux systems is just very, very bad news. You don't want people like me on those boxes for any length of time."
Patrick Gray emphasizes the neglect of Linux security in the enterprise, attributing Windows' improved security to ransomware pressures, a phenomenon not yet mirrored in Linux environments.
Conclusion
Patrick Gray wraps up the episode, thanking Adam Boileau for the news segment and Craig Rowland for the insightful interview with Sandfly Security. He reiterates gratitude to the sponsor and teases the next episode's in-person format.
[63:14] Gray: "That was Craig Rowland there with this week's sponsor interview with Sandfly Security... Cheers."
Adam Boileau closes with a nod to the next live episode.
Notable Quotes
- Adam Boileau [02:39]: "the expertise of people, you know, like that list, you know, is pretty critical for that report to have the kind of depth as well as technical credibility outside of government circles."
- Craig Rowland [50:48]: "Linux incidents aren't as splashy as things like ransomware because it's hard to create scalable malware across Linux variants."
- Patrick Gray [17:17]: "I think we're going to have some sort of... it's a very interesting four years. Speaking of..."
Key Takeaways
- DHS Restructuring: Significant personnel changes at DHS may impact cybersecurity oversight and the effectiveness of the CSRB.
- Salt Typhoon Campaign: Ongoing Chinese cyber operations continue to target U.S. infrastructure, with mixed success in eradication efforts.
- Policy Shifts: Biden's executive orders on cybersecurity face uncertainties amid Trump's reclaiming of the presidency and potential policy reversals.
- Linux Security Gaps: Enterprise Linux environments remain underprotected compared to Windows, a gap the sponsor, Sandfly Security, is positioning itself to fill.
- Cyber Escalation Risks: Increased rhetoric and potential policy shifts under Trump could escalate cyber conflicts, particularly with China.
- Legal Consequences: High-profile cases like NSO Group's lawsuit and Ross Ulbricht's pardon highlight the evolving legal landscape in cybersecurity.
Further Resources
- Sandfly Security: sandflysecurity.com
- Risky Bulletin: Catalin Cimpanu's reporting
- Legal Analysis by Asaf Lubin: Lawfare
- Dan Goodin's Piece on Passkeys: Available on Risky Business website
- Upcoming Episode: Live recording at Risky Biz HQ
Thank you for listening to Risky Business. Stay safe and informed in the ever-evolving landscape of information security.
