Risky Business #777: It's SonicWall's Turn
Released on January 29, 2025
Host: Patrick Gray
Guest: Adam Boileau
Sponsor: Push Security
1. Introduction and Corrections ([00:03] - [02:40])
Patrick Gray opens the episode with a correction regarding the availability of the TikTok app in the Apple and Android stores, clarifying misinformation from the previous week. He also shares feedback from a listener about potential cyber escalations between the United States and China, emphasizing the unpreparedness for such events.
2. SonicWall Vulnerability ([02:40] - [04:43])
The hosts delve into a critical security issue involving SonicWall devices. A CVSS 9.8 vulnerability has been disclosed that allows unauthorized code execution across various SonicWall versions. Patrick suspects a Chinese APT group is exploiting this flaw, likening the activity to building out a network of ORBs (operational relay boxes).
Adam Boileau ([02:50]): "This is, yeah, straight-up unauthorized code execution, which is not really what you want in a security appliance..."
Patrick and Adam discuss how improbable a vulnerability of this severity is in modern systems, citing how resistant today's software has become to deserialization attacks.
3. MasterCard DNS Misconfiguration ([04:43] - [08:35])
A significant DNS typo by MasterCard leads to one of their name servers pointing to an unregistered domain in Nigeria. This misconfiguration allows interception of traffic, potentially enabling hijacking of sensitive information.
Patrick Gray ([06:14]): "They got shafted on the bug bounty here too... Mastercard said that this wasn't a risk to their systems, which I don't know what they're smoking, to be honest."
The discussion highlights the critical nature of DNS configurations and the broader implications of such vulnerabilities in large organizations.
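The check a zone owner would want after hearing this segment is a delegation audit: every NS hostname in the zone should belong to a DNS provider the organisation actually uses, and anything one character off from an approved provider domain is almost certainly a typo that may point at a domain someone else can register. The script below is an added example, not code from the episode or from MasterCard or its DNS provider; the provider domains and NS records are constructed, and it assumes provider domains consist of exactly two labels.

```python
"""Added example (not from the episode, MasterCard, or any DNS provider):
audit the nameserver hostnames a zone delegates to against the set of DNS
provider domains the organisation has contracts with, and flag delegations
that look like one-character typos of an approved provider domain.
The NS records and provider list below are constructed."""
import difflib

# Constructed: the only DNS provider domains that should ever appear in this
# zone's NS records.
APPROVED_PROVIDER_DOMAINS = {"dnsprovider.example", "backupdns.example"}

# Constructed NS records for the zone. The third one drops the last letter of
# the provider domain, the same shape of mistake the segment discusses.
NS_RECORDS = [
    "ns1.dnsprovider.example.",
    "ns2.dnsprovider.example.",
    "ns3.dnsprovider.exampl.",   # typo: should be dnsprovider.example
    "ns1.backupdns.example.",
]


def provider_domain(ns_host: str) -> str:
    """Return the domain an NS hostname belongs to, i.e. its last two labels.
    Assumption for this example: provider domains have exactly two labels."""
    labels = ns_host.rstrip(".").split(".")
    return ".".join(labels[-2:]).lower()


def check_delegation(ns_records, approved=APPROVED_PROVIDER_DOMAINS):
    """Return a list of (ns_host, problem) for every NS record whose provider
    domain is not approved. When the unapproved domain closely resembles an
    approved one, the finding names the likely intended domain."""
    findings = []
    for ns in ns_records:
        dom = provider_domain(ns)
        if dom in approved:
            continue
        # difflib similarity of 0.8 or better catches single-character slips
        # (dropped, added or swapped letter) without matching unrelated names.
        close = difflib.get_close_matches(dom, approved, n=1, cutoff=0.8)
        if close:
            findings.append((ns, f"not approved; looks like a typo of {close[0]}"))
        else:
            findings.append((ns, "not approved: delegation to an unknown provider"))
    return findings


if __name__ == "__main__":
    for host, problem in check_delegation(NS_RECORDS):
        print(f"{host}: {problem}")
```

In practice the record list would come from the zone file or an NS query against the parent, and the audit would run on every change to the zone as well as on a schedule, since a typo like the one above looks like a valid hostname to the registrar and to the DNS software and only a comparison against the expected provider set makes it visible.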
4. Data Consolidation and PowerSchool Breach ([08:35] - [13:28])
Patrick shifts focus to the alarming data breach at PowerSchool, a widely used school management software. With 60 million records compromised, the breach underscores the risks of centralized data repositories, especially in sensitive sectors like education and healthcare.
Adam Boileau ([12:26]): "Disciplinary notes... that's going to be in there. And then data leaked..."
The conversation extends to the challenges of securing specialized cloud services and the potential fallout from such extensive data breaches.
5. DeepSeek AI Model and Nvidia Impact ([13:28] - [15:02])
The hosts discuss the release of DeepSeek, an open-source AI model from a Chinese group. Its efficiency and low development costs have caused market disruptions, including a 17% collapse in Nvidia's share price. The surge in signups led to abuse of the service, prompting it to restrict new signups to Chinese users.
Patrick Gray ([14:43]): "It's amazing academic work. But on the other hand, I don't know that I'm super worried about it."
6. False Flag Threats: GamaCopy ([15:02] - [17:27])
A report covered by Daryna Antoniuk suggests the existence of a group falsely flagging its activities as Gamaredon, dubbed GamaCopy. The hosts debate the credibility of these allegations, with Adam leaning towards the view that it is more about trolling than actual false-flagging.
Adam Boileau ([17:07]): "It feels less false flag and more like, why not just use Russian TTPs... feels like trolling."
7. Undersea Cables and Potential Attacks ([17:27] - [21:20])
Alexander Martin's reports on multiple undersea cable cuts raise concerns about potential state-sponsored attacks. The hosts compare this to the uncertain narratives surrounding the Havana syndrome, stressing the need for organizations to develop contingencies for such disruptions.
Patrick Gray ([20:05]): "Threat intelligence, we are not maritime experts."
They discuss the complexity and high cost of protecting undersea infrastructure, especially for island nations like Australia and New Zealand.
8. Side Channel Attacks on Apple Chips ([21:20] - [31:28])
Academic research from the University of Georgia reveals side channel vulnerabilities in Apple's M and A series CPUs. These flaws allow memory leakage between browser tabs in Safari and Chrome, posing significant privacy risks.
Adam Boileau ([27:04]): "They are able to leak memory from other browser tabs."
While acknowledging the ingenuity of the research, the hosts express skepticism about the immediate practical exploitation of these vulnerabilities in the wild.
9. Phemex Crypto Theft ([31:28] - [25:27])
A startling incident involves the theft of $69 million from the crypto platform Phemex. Comparing it to previous high-value crypto breaches, Adam notes the continuing trend of significant financial losses in the cryptocurrency space.
Patrick Gray ([24:30]): "It’s just amazing, man. It’s been like, what, two or three years of just one of these."
10. Legal News: BreachForums Admin Sentence ([25:27] - [27:04])
The sentencing of BreachForums admin Conor Fitzpatrick received attention. Despite the severity of his actions, he was sentenced to 17 days' time served, which the hosts find perplexing and indicative of potential judicial leniency.
Patrick Gray ([25:40]): "It's rare to see judges accept that their colleagues have erred."
11. API Security Research: McDonald's India API Vulnerability ([27:04] - [34:06])
EatonWorks uncovers several vulnerabilities in McDonald's API in India, allowing malicious actors to manipulate orders and access sensitive customer data. The research is praised for its thoroughness and engaging presentation, emphasizing the importance of robust API security.
Adam Boileau ([33:20]): "The bugs are legit too... it's just a fun read."
12. Reverting to C in Programming ([34:06] - [35:16])
In a surprising turn, the White House removes its memo advocating for memory-safe languages, leading to a resurgence of the C programming language. The hosts humorously debate the implications of this shift.
Patrick Gray ([34:22]): "The White House has deleted its memo on using memory safe languages because we don't want any of that Woke Rust stuff in our code."
13. Sponsor Interview: Push Security on Cross IDP Impersonation ([35:16] - [47:37])
In an exclusive interview with Luke Jennings from Push Security, the discussion focuses on cross-Identity Provider (IDP) impersonation attacks. Employees inadvertently register personal Google accounts using their corporate emails, enabling unauthorized access to SaaS applications.
Luke Jennings ([42:12]): "It's like a certain percentage of your users have all registered personal Google accounts with their corporate emails and they're using those to log into other downstream SaaS apps."
Patrick and Adam explore mitigation strategies, including domain claiming on IDPs and configuring SaaS applications to restrict authentication methods. The conversation underscores the complexity and necessity of securing federated authentication systems.
Patrick Gray ([45:10]): "The main thing though, the takeaway from this conversation is that because most of this OAuth is Apple, Google, Microsoft, like it doesn't take a whole bunch to seal this off as a viable attack path for people out there."
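The detection side of this segment is straightforward to state: a SaaS application's login events should show corporate addresses arriving only through the identity provider the company has sanctioned, so any successful login for a corporate address via a consumer Google, Apple or Microsoft account, or via a local password, is a candidate cross-IDP impersonation or an unsanctioned account. The script below is an added example, not code from the episode, from Push Security, or from any IdP or SaaS vendor; the log format, the sanctioned IdP name and the events themselves are constructed.

```python
"""Added example (not from the episode, Push Security, or any vendor): scan
SaaS audit-log login events and flag successful logins where a user on the
corporate email domain authenticated through something other than the
sanctioned identity provider. Log format, IdP names and events are all
constructed for this example."""
import json

# Constructed policy: the single IdP that may assert identities for this
# domain. Consumer Google/Apple/Microsoft accounts registered with a corporate
# address, and local passwords, are not on this list by design.
CORP_DOMAIN = "corp.example"
SANCTIONED_IDPS = {"okta"}

# Constructed audit-log lines from a hypothetical SaaS application.
LOG_LINES = """
{"ts": "2025-01-29T09:01:10Z", "user": "alice@corp.example", "idp": "okta", "method": "saml", "result": "success"}
{"ts": "2025-01-29T09:03:42Z", "user": "bob@corp.example", "idp": "google", "method": "oidc", "result": "success"}
{"ts": "2025-01-29T09:05:01Z", "user": "partner@other.example", "idp": "google", "method": "oidc", "result": "success"}
{"ts": "2025-01-29T09:06:30Z", "user": "carol@corp.example", "idp": "password", "method": "password", "result": "success"}
{"ts": "2025-01-29T09:07:15Z", "user": "dave@corp.example", "idp": "apple", "method": "oidc", "result": "failure"}
""".strip().splitlines()


def email_domain(addr: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def is_unsanctioned_login(event, corp_domain=CORP_DOMAIN, sanctioned=SANCTIONED_IDPS):
    """True when a successful login for a corporate address came through an
    IdP (or a local password) the company does not sanction for that domain.
    Non-corporate addresses (guests, partners) are out of scope for this rule."""
    if event.get("result") != "success":
        return False
    if email_domain(event["user"]) != corp_domain:
        return False
    return event.get("idp", "").lower() not in sanctioned


def find_unsanctioned_logins(lines):
    """Parse JSON-lines events and return (user, idp, ts) for each hit."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_unsanctioned_login(event):
            findings.append((event["user"], event["idp"], event["ts"]))
    return findings


if __name__ == "__main__":
    for user, idp, ts in find_unsanctioned_logins(LOG_LINES):
        print(f"{ts} {user} logged in via unsanctioned IdP '{idp}'")
```

The rule deliberately ignores failed attempts so that the output is a list of accounts to act on (claim the domain on the consumer IdP, restrict the SaaS app to the sanctioned SSO method, contact the user) rather than noise; a separate, lower-priority view of failed non-sanctioned attempts is still useful for spotting someone probing which login paths a SaaS app accepts.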
14. Closing Remarks ([47:37] - [51:11])
Patrick wraps up the episode by mentioning job opportunities with Trail of Bits and Push Security. He also thanks Luke Jennings for his insights into cross IDP impersonation.
Patrick Gray ([50:28]): "Luke Jennings, thank you so much for joining me to talk about cross IDP impersonation. Very interesting stuff, my friend."
The hosts hint at upcoming segments and collaborations, ensuring listeners stay tuned for future episodes of Risky Business.
Notable Quotes:
- Patrick Gray ([06:14]): "They got shafted on the bug bounty here too... Mastercard said that this wasn't a risk to their systems, which I don't know what they're smoking, to be honest."
- Adam Boileau ([27:04]): "They are able to leak memory from other browser tabs."
- Luke Jennings ([42:12]): "It's like a certain percentage of your users have all registered personal Google accounts with their corporate emails and they're using those to log into other downstream SaaS apps."
- Patrick Gray ([34:22]): "The White House has deleted its memo on using memory safe languages because we don't want any of that Woke Rust stuff in our code."
This episode of Risky Business offers a comprehensive dive into current cybersecurity threats, vulnerabilities, and the evolving landscape of data security. From critical device exploits and massive data breaches to innovative security research and authentication challenges, Patrick Gray and Adam Boileau provide invaluable insights for information security professionals.
