Patrick Gray
Hi, everyone, and welcome to Risky Business. My name's Patrick Gray. We've got a great week of news to get through with Adam Boileau in just a moment. And then we'll be hearing from this week's sponsor. And this week's show is brought to you by Zero Networks, who make a really cool micro segmentation product. And those words don't normally belong together, which is a really cool micro segmentation product, but Zero basically automates a lot of micro segmenting your network. And joining us this week, instead of someone from Zero Networks, they actually had me speak with a customer, Aaron Steinke from Latrobe Financial in Melbourne. And yeah, he talked through why they rolled out Zero and what that experience was like. The upshot is Aaron says it actually does what's on the tin, which even surprised him. That was actually a really fun interview, so do stick around for that one. But it is time to get into the news now with Mr. Adam Boileau and mate. We're going to start off with a story that we actually were the first media outlet to break, which is this supply chain attack that targeted a GitHub action. And it is starting to pick up now in other media reports, but this looks actually quite bad.
Adam Boileau
Yeah, yeah, this is an interesting hack. We don't know who pulled this off, but what happened is there was a GitHub action that people were using called changed files that you would use when you're kind of assembling a workflow pipeline for building your software in GitHub, you can pull in kind of third party bits of tooling and this was one that would figure out which files are changed in your repository. So like a pretty widely used utility function, somebody gained access to some kind of access token for one of the maintainers of this changed files utility, and then they backdoored it to rummage around in the memory of the server that's running the build. So in this case, this is going to be a server at GitHub, but presumably in a virtual machine and rummage through the memory and find credentials. So secrets, passwords, credentials, tokens, keys, whatever in memory and then write them out to the build log of this build process in GitHub. So this is running in kind of your GitHub account, but those build and those build logs are yours as well. But in the case of public projects, those logs are also public.
Patrick Gray
Yeah.
Adam Boileau
So the net result of all of this is that anyone who was using this utility had the memory of their build system scraped for credentials and then those credentials logged in a place that probably the attacker or indeed other people can get to, which is bad. And we're talking like 20,000, 23,000 repositories used this and you know, triaging what this means for each individual project is pretty difficult. But suffice to say, if you've been using this thing, then yeah, you probably are going to be rolling all of the credentials ever. Because this thing used an existing tool for scraping creds that appears to be pretty good at it. So. Yeah, smooth. Really.
Patrick Gray
I mean, it is smooth, but it's kind of a bit of an interesting approach. Right. Which is to just crap out like private material into a build log because people are going to notice that. Right. So I, you know, I, I'm not quite sure I understand the thinking here. I mean, getting, you know, getting it to connect back to an attacker and dump stuff. I mean, well, you know, could you even do. I don't know, I just, I've got, I don't know what my feelings are about this one. I don't know if it's really smart or really stupid. Basically.
Adam Boileau
Yeah, I mean, if you were connecting, like if they had it kind of connecting back out to you or putting in these things in a format that only the attacker could get them because like, for example, you could public key crypto them before you dump them in the logs so that only you can get them.
Patrick Gray
Yeah, that was one thing I thought about. But also like the reason they're probably not doing a connect back is because you couldn't do that with a GitHub action.
Adam Boileau
Yeah, I'm not sure what constraints are on that environment. Like it may not, it may be limited in what kind of outbound connections it can make. But yeah, you could have done this in a way that meant that only you got the creds. But on the other hand, there is some kind of safety in numbers where if everybody's got access to the creds, then no one's going to know that it was you that then used them. And if you knew this was going to happen and there was a couple of specific things you were targeting. Like if you were a North Korean, for example, and you were going after a very specific thing, this might be a good way to sort of, you know, hide in the noise. Not that North Koreans care. So that's a bad example. But you know, like there might be some smart as a fox thinking here or it might just be dumb and we can't tell anymore.
Patrick Gray
Yeah, that's right. Like can't tell if smart or stupid but exactly. I mean, what we can say is it's high impact and there's going to be a lot of people out there who are affected by this and who don't know because they might have run a build with this script and there's a whole bunch of their creds sitting around in a public build log and they don't know. And that's, that's the bit that's bad here. And I mean I imagine that the team at GitHub who have proven themselves to be really smart over the years, you've got to wonder what they're doing here, whether or not they're like trying to figure out how to scale TruffleHog to like, you know, go through every build log that was done over a certain period of time, but it's a mess.
Adam Boileau
Yes, yeah. And I think they are communicating with repository owners and things because obviously the, if you aren't a public project then the exposure is kind of different. Like if you're a project where there are less trusted contributors, they can see the logs kind of thing, then maybe there's some impact there. So yeah, it's a, you know, a lot of repository owners are going to have to go, you know, read the advice from GitHub and then try and figure out what it means for them. So yeah, messy.
Patrick Gray
Yeah, definitely messy. And yeah, not the sort of thing that you enjoy as a public project maintainer. Something like that is happening. Let's move on now. And some interesting developments in China. The Chinese government, its, its Ministry of State Security has done some public attribution, looking at some Taiwanese military fellas here who apparently are, yeah, know, behind this APT group that targets, you know, various systems in China. I mean we've seen the United States do this to China and a bunch of other countries previously. You get the impression China would love to do this to NSA, but can't really because NSA is pretty good at opsec. You know, if they could, they would, you know, so there's that angle to it. But I think the thing that makes this most interesting and it was our colleague Tom Uren, who's our policy and intelligence editor here, you know, his, his thinking around this is that it's quite threatening because there is always the possibility that in the medium term future Taiwan will be invaded and annexed by China. And that would make, you know, these guys positions pretty precarious. Right. So there is that threat side to this which I think, I don't think we've seen before.
Adam Boileau
Yeah, there's kind of also a deterrent aspect, you know, in terms of recruiting new people. You know, you might think twice about going to work for Taiwanese security services if you were worried about a, you know, mainland China invasion future, which I'm sure they are worried about. So, yeah, it's an interesting kind of. I mean, the actual kind of attribution part of it, like China is kind of clumsy with it, and the press release from the Chinese Ministry of Defense is kind of comedic in that, you know, Iraqi Information Minister kind of way where they're all on about, you know, abandoning the fantasy of Taiwanese independence and so on and so forth. Yeah, so that's kind of worth the read just for the comedy aspect. But yeah, it's an interesting. You know, I, I would be a little concerned if I was in Taiwan for lots of reasons. And yeah, if I was working in the cybers, that would definitely be one of them too.
Patrick Gray
Yeah, Communists always do the best press releases though, on stuff like that, because it's always so. Although I got to say, you know, the Trump admins getting there, they do some pretty florid writing. But I remember during Trump term one, some of the releases out of North Korea, when the whole Rocket Man thing was happening, they were just so funny. What else have we got here? We've got a crypto exchange named OKX shutting down a decentralized exchange that they operate because some of the Bybit funds were being rinsed through it, apparently. And, you know, this exchange in particular appears to be really on the ropes because everybody's yelling at them for, you know, kind of, you know, allegedly allowing this sort of thing to happen previously. And meanwhile they're denying it and saying we do have everything that's required of us by law to, you know, stop these sorts of things from happening. But, you know, to me, this is just one more example of the crypto ecosystem kind of speed running like regulations and, you know, compliance. Excellent write up from John Greig, by the way, over at the Record. Well done, John. And we've linked through to that in the show notes. But what was your take here?
Adam Boileau
I suppose the interesting aspect here, to the extent that anything cryptocurrency is interesting, is that this company is a front end to other exchange platforms. So instead of being an exchange themselves, they are a distributed exchange front end. So they aggregate other exchanges' trade offers, and they provide a unified API for you to use it or split your transfers across multiple exchanges. So like, it's kind of a money launderer's delight and the fact that if their platform that makes money laundering or using other people's platforms to make exchange, you know, to exchange currencies and stuff. Like the fact that then, that then gets used for money laundering seems to surprise absolutely no one.
Patrick Gray
I mean it's a bit, It's a bit Dr. Strangeloveian. Right, like this is the war room. You can't fight in here. Like, how dare you use our money laundering machine to launder money.
Adam Boileau
Yeah, exactly. Anyway, so they have said that, yeah, we've, you know, everything the EU is asking us to do, we're doing and they've shut down their distributed exchange platform for a little bit whilst they think about what they've done. But you know, this is just the nature of the crypto ecosystem, you know, being what it be.
Patrick Gray
Yeah, yeah. And staying with North Korean crypto hacks, apparently a bunch of malicious NPM packages have popped up as well, you know, attributed to Lazarus Group. Which one of them though? Pretty funny. Talk us through it.
Adam Boileau
Yes. So this, this was based on a report from Socket Security. I think we've had on the show as a, like a snake oiler, maybe at some point.
Patrick Gray
They've been a sponsor.
Adam Boileau
Yeah, they've been a real sponsor for us.
Patrick Gray
For us and Booker dj.
Adam Boileau
Yeah, yes, for us. It's been on for. Anyway, so they wrote up this particular campaign but it's a little personal because one of the NPM packages that the North Koreans are typo squatting here was one that Feross wrote himself back before Socket started. But you know, kind of a bit, a bit personal for him. So yeah, I don't know whether that's a case of, you know, the North Koreans doing it specifically because Socket keeps a track of North Korean supply chain attacks or whether it's just coincidence that Feross wrote a popular package. But either way that was a funny nuance in it I thought.
Patrick Gray
Yeah, so what, this is just plain old typo squatting. Is it plain?
Adam Boileau
It's just plain old typo squatting, yes.
Patrick Gray
Yeah, yeah, yeah. Oh, and just to follow up on last week, like we were talking about how the Bybit developer downloaded and ran a Trojan Docker container and I was wondering if that was like supply chain. Since then I've heard from, you know, and been pointed to a bunch of information about the likely threat actor in this case. And they always do social eng. So it's very unlikely to have been a supply chain thing. What they normally do is they put out some, you know, made up job where people can apply and there's like a coding challenge and they'll pay you to do the coding challenge, even if you're not going to take the job. Right. So they'll give you 500 bucks to do this coding challenge. Just download this Docker container and off you go. And it looks like that's probably more like what happened here. Which, again, I mean, nice.
Adam Boileau
Yeah. I mean, and exactly. Really. And I mean, clearly you would hope that an employee at a company like Safe Wallet wouldn't be running their future job application Docker images, you know, the thing, they're going to like some work that they're looking for on their corporate machine. But hey, everyone's working from home. Everything's, you know, everyone's just, you know, winging it on their developer Macs. And, you know, North Koreans know how to work that game, so.
Patrick Gray
They sure do. They sure do. And look, I know they're not a VM, right? But like VMs, much like VMs, trying to put security controls around things like Docker containers, that's hard.
Adam Boileau
Well, I mean, and if, like the normal out of the box Docker experience, there really isn't any actual isolation. Right. You have to go out of your way to make it even slightly isolated from your host OS. And a lot of people don't really join those dots. They think of it like a traditional VM when it's kind of not unless you push the right buttons and have the right config and so on.
Patrick Gray
But I guess my point is more that visibility is a problem with both. Not so much that there's separation, you know, like there's no. You're right, there's no separation like there is with a VM, but there's like, it's a bit of a black hole in terms of, like, security tools being able to see inside what's happening in them.
Adam Boileau
Oh, yeah, yeah, yeah, absolutely. Yes. Yeah. Certainly if you have like EDR or something on the desktop. Right. Yeah. You're pretty blind as to what's going on inside a container image.
Patrick Gray
Yeah. Now, moving on to another story, and this is another one from John Greig over at the Record here, and he's written this story about state based actors abusing LNK files to do various things, which your first thought is like, what year is this? But then you look at the actual nature of the bug that's being used here, which Microsoft kind of reasonably argues isn't actually a bug. It's not really a vulnerability. And the piece sort of goes on from there. But walk us through exactly what the feature abuse is or the UI abuse is here, Adam, because it's actually kind of funny.
Adam Boileau
Yeah. So Windows LNK files lets you kind of shortcut files I guess is what they also get called. They let you kind of wrap up a file or a command line in one kind of convenient blob. And if you are, you know, if you see a shortcut file, I have a little arrow, you know, kind of overlay on them. You right click on them, you can see the command they're actually going to run or the file they're associated with. And the trick here is that you make an LNK file with an innocuous looking name and an innocuous looking icon that links to command.com or powershell.exe and then hides what it's doing by putting a whole bunch of white space in the command field. So when you right click and inspect it, you probably will see either nothing in the command or something that is designed to confuse you because I've used a bunch of white space characters, line feeds or tab characters or whatever else to push it off the side of the text box. And Microsoft kind of rightly says that that's not really a security issue, but.
Patrick Gray
Well, it's not a vulnerability, but it is a security issue because it's an absence of security like thought, right, where maybe you should have some sort of format checking on these things to make sure it doesn't happen. But that's not an easy, that's not an easy thing to do because we're talking about this before we got recording. It's like, well, you know, you could just prevent multiple spaces from being in there. And it's like, oh, well then you've got tabs and then you got this and the Unicode and you know, so you would actually need to introduce some sort of, you know, format checking and parsing and like, it would be, it would actually be kind of hard to fix.
Adam Boileau
Yeah, I mean like it's, it's fiddlier than it first appears. Although clearly within Microsoft's, you know, ability to do something about. There is actually a CWE, the Common Weakness Enumeration, like designation for this kind of flaw. It's called like a, like misrepresentation of critical information, user interface misrepresentation of critical information, which, you know, is what this is. And clearly the fact that a bunch of APT groups, I think the Record piece says like 11 different APT groups have been seen using this. So clearly it works for them.
Patrick Gray
Well, herein lies the argument for Microsoft to do something about it, right? Which is that like you can say, oh, it's not a problem. But if you know every APT group under the sun from here to Timbuktu is using it, well, you know, maybe, maybe you want to get on that and put, put a few people on it, you know.
Adam Boileau
Yeah. I mean in the end there are, there's plenty of other places in like a decent set of lag controls that would stop this being a problem. But the fact that they are using it says that, yeah, it's useful for something.
Patrick Gray
Yeah, exactly. Now let's look at ransomware stuff. Yet one more from John Greig today. And there's this Mora_001 ransom gang which looks like it might have spun out of the remains of LockBit. They are exploiting the Fortinet bugs that CISA was warning about in January and just going off and you know, ransomware because of that, like, I mean it's just. God, rinse and repeat, same headline over and over. Right?
Adam Boileau
Yeah, well, well, exactly. You know, and clearly the fact that your security appliance gets you compromised by ransomware, like, it's just deeply ironic and funny in the kind of tragic way. But yeah, like how many times have we seen this headline and how many times are Fortinet customers going to get rinsed, you know, as a result of their fine security products?
Patrick Gray
Yeah, yeah. And in the next piece we got today, which is from Cybersecurity Dive, Rob Wright has written about some work out of, I think it was EclecticIQ who took a look at the Black Basta chat logs and discovered that they have their own in house bruting like brute force tool, which they've been using to go after the same sort of devices at the edge, like VPN devices and whatever. Just brute forcing their way in and dropping ransomware and you just, you know, it's depressing. These last two stories are depressing.
Adam Boileau
Yeah, it is kind of depressing. And the brute force tool itself was written in PHP, which is like, that's kind of hard mode, like respect to the Black Basta developer that did that because.
Patrick Gray
Like coded in PHP for efficiency, it.
Adam Boileau
Just would be so much easier to write it in literally any other language because PHP is such a pain to write stuff in. The thing I thought was actually amusing about this was the Black Basta leaks where this, you know, revelation came out of the details about this tool were in. There was also some analysis which suggested that these logs were the result of infighting because this particular brute forcing tool had been used against a Russian bank.
Patrick Gray
Well, we saw that at the time. We did have a bit of an idea that the infighting was because someone had used the tools to hit, to hit targets in Russia. And that's, you know, that's dangerous if you're a Russian threat actor.
Adam Boileau
Yeah.
Patrick Gray
To have your tools associated with, you know. And then, you know, my fun little bit of speculation about that was, well, you know, if I'm Cyber Command or ASD, you know, I'm grabbing their tools and throwing it against Russian targets to get them in trouble like that, you know, because you're not really, look, brute forcing a shell at a Russian bank makes a lot of noise. You're not gonna have to do any damage to cause them trouble. You know what I mean? So I'd imagine if there's something that's gonna actually pass the legal checks that would be required to do an operation like that, I reckon with the right lawyers on your side, you could probably build a case that that one's okay.
Adam Boileau
That is how I feel as well. So like if it was some, some friendly five eyes spooks or their associates, then good job and hats off to you and your lawyers.
Patrick Gray
Now staying with ransomware and an alleged developer of the LockBit ransomware has been extradited to the United States from Israel. He's a Russian Israeli national, 51 year old Rostislav Panev. He was arrested back in August 2024 and off he goes. He's in a world of hurt. Like you do not want to be extradited to the United States for doing LockBit stuff. He's going to do time.
Adam Boileau
Yeah, like it's not, not going to go super well for him. And he was one of the developers of a bunch of the kind of tooling and plumbing and he was getting. So they've got like chat logs of him communicating with LockBitSupp and he was making, you know, a couple of hundred thousand dollars a year writing tooling for them. So yeah, like he's, I don't think, going to have a good time with the US legal system.
Patrick Gray
No, I mean if you're him, you have to flip as quickly and as violently as possible. Right. And just because really 200 grand a year, like, oh my God, what are you thinking? All right, so now let's have a bit of a chat about what's going on in the American government. And we've got a few pieces to get through here because we've seen a bunch of people fired, a bunch of probationary staff fired from CISA and that might be people who've just been put in new roles or whatever. I'm not even clear on what probationary means in the context of United States, you know, government HR systems. But, you know, you know, who else is not clear is DOGE. Right. Who's been instrumenting these. These. These firings. It looks like a court has ordered. Has ordered that CISA rehire the probationary people who were fired, but they come back and they go on administrative leave, which I guess means they're all getting a free holiday, which just screams government efficiency. So, well done, DOGE.
Adam Boileau
It's so farcical. Oh, God.
Patrick Gray
And then we've got also the White House telling US Federal government agencies not to fire cybersecurity staff because it, like, falls under the umbrella of, like, national security work. So stop firing cybersecurity people. You sort of wonder how many have been fired already. A little bit difficult to get insight there. And then we've got a story from Wired, written by Eric Geller, which talks about, you know, the vibes inside CISA at the moment, which are really extremely not great. And then to bookend it all, we got another story from Tom Brewster over at Forbes, which says that people inside CISA, you know, broadly, you know, happy about Sean Plankey being, you know, nominated as the new head of CISA. So a bit of a mixed bag here, and I think, really, like, the reason we don't try to cover this too much is because I don't think anyone really has a complete picture of what's going on, because it is very chaotic at the moment.
Adam Boileau
Yeah, I think that definitely is the overriding feeling you get here, is there's just a whole bunch of chaos happening. And I'm sure there are a great many people, you know, still at CISA and perhaps, you know, on. On administrative leave right now who really just want to do their jobs, do good work, you know, look after securing America's stuff, and then, you know, all of this is happening around them. And it must be a very trying time to be someone, you know, that cares about their work and, you know, their country trying to work through this madness and, you know, kind of hope they get it over and done with sooner rather than later. But that's, you know, we've got the whole rest of the Trump administration to go, so who knows? But, yeah, we. I think. I think it's fair to say we feel for all the people that work at CISA, because there are many listeners there and.
Patrick Gray
Yeah, well, in Fed Gov, generally, Right. Like, it is not a great time to be working for the. For the government in the United States. And obviously, there's a lot of people downstream from all of that who are affected. I've spoken to founders just in the last couple of weeks and you know, government projects are just stalling out. I mean there should be no surprise there, but it's just like dead for, for a lot of stuff. It's just, you know, stuff is no longer moving forward. You do wonder about the, you know, the knock on effects to economic growth in the United States too as all of this stuff happens. But we're also seeing a bit of pushback finally against, you know, Musk just randomly flipping switches and firing people inside the government. And you sort of wonder if things are going to start to settle down because you definitely get the impression that it can't continue like this. But yeah, woof. Not, not a great time.
Adam Boileau
Yeah, we had some actually reporting in today's Risky Bulletin about, you know, a call amongst European, you know, tech leadership to start working on a European cloud stack and a European technology stack because they can't rely on the Americans and the American tech stack anymore because of all of the uncertainty. And you know, so much of America's economic success is because of, you know, being a world leader in this stuff and developing all these things and encouraging people to come from other parts of the world to work there. And you've got to look at it and think like what's, what's this going to do to that pipeline, you know, and all of that leadership?
Patrick Gray
I mean, I think if you want to, if you want to play crystal ball with how that's going to unfold, I think that's going to be a heavy lift if I'm honest. I think it's going to be very difficult for Europe to have like oh yeah, yeah, its own Amazon or something like that. But if you want to see what that looks like when it really picks up steam. I mean just look at what's happening with defense tech and spending in Europe. We've already seen Portugal back out of the idea of buying F-35s. Canada obviously not so interested in the F-35 program anymore. We're going to see massive investment in things like, you know, air defense, R and D and manufacturing in, in Europe. We're seeing former Volkswagen factories being considered as new sites to build defense materiel. You know, huge amounts of capital being committed. So I do think that there's about to be a big shift in defence spending when it comes to broader enterprise tech though, like the, the R and D lift that would be required there is just mind boggling. So I'm not too, you know, I think they'll use local where they can, but, you know, what are you going to wind up with, like, you know, EU Linux? Like, like a Red Star Linux equivalent? Like, I just don't think that's realistic. Did you sort of see where I'm coming from?
Adam Boileau
Yeah, I mean, you know, obviously Linux kind of came out of Finland in the first place, but yeah, it's obviously global open source, you know.
Patrick Gray
Well, I'm saying, that's the one that I'm saying they can have, but they can't have, you know, Windows, like an.
Adam Boileau
Azure or, you know, or an Amazon. Yeah, like, there's a long way to go there. So. But you know, it's just the, it's so mad, right? I mean, the, the, he just, you know, you want to throw your hands in the air.
Patrick Gray
Well, and there's going to be a lot of work, I think, from the major technology providers. They're going to have to spend a bit of time working out how to soothe the Europeans. Right. Whether that's through restructuring their businesses somehow, licensing deals, you know, you know, different processes for distributing updates. I don't know how that's all going to work out. But yeah, I mean, it's, it's an uncertain time, that's for sure. Now we've got a really intriguing story here from Daryna Antoniuk over at the Record, which is about the Ukrainians saying, hey, Signal is no longer cooperating with us. They're no longer cooperating with Ukrainian law enforcement regarding Russian cyber threats. And what makes this intriguing is a statement from Meredith Whittaker, who is the, I think, what is she, the president of the Signal Foundation or whatnot. You know, she came out and said, oh, well, we don't have formal, you know, cooperation agreements with anyone or official cooperation agreements. And it just seemed like a pretty carefully worded statement, which didn't exclude the possibility that Signal was assisting Ukraine in the first place. So it's a little bit hard to know exactly what happened here, but yeah, we've done a bit of speculating around the office. You know, why don't you tell people where we landed?
Adam Boileau
Yeah, and I guess the, you know, I guess data point I want is you wouldn't expect the Ukrainians to be feeling like they had lost something and saying it out loud if they hadn't, in fact lost something, you know, they hadn't got some benefit. Now, whether it's, you know, some individuals inside Signal, you know, who have sympathy for Ukraine's plight and are happy to help them out you know, have been sharing information, answering their queries or whatever else, you know, because Signal doesn't have a whole bunch of information to share, but presumably whatever they do have, you know, they may have been sharing in some capacity. But, yeah, it's. It was a little. Yeah, it was just kind of a strange one because, you know, that wording of we don't have any official cooperation.
Patrick Gray
Well, I'll read the quote, which is, we don't officially work with any government, Ukraine or otherwise. And we never stopped. We're not sure where this came from or why. So why isn't it. We don't work with any government. Why did you need the qualifier that it's official? You know, like, that's the bit where. Where I'm a little bit like, well, what's. What's, you know, what's going on here? That's a bit strange.
Adam Boileau
Yeah, you got to think, like, you know, what could they possibly be providing? I mean, things like IP addresses that are accessing a particular account, you know, because we've seen reports of devices being seized in the battlefield and then used for, like, QR code account linking phishing and stuff into Signal groups. So there may be some cases where, like, you know.
Patrick Gray
Well, that would be very useful information. IP. IP address information would be extremely useful. Yeah, but, I mean, this is coming from the Ukrainian. Yeah, this is coming from the Ukrainian police, I think, Ukrainian law enforcement. So, I mean, they're not even talking about it in terms of, like, military intelligence, which is where you expect this to come from. I don't know. My point is that this whole story is just a bit strange.
Adam Boileau
Yeah, yeah, it is a little bit strange. And, you know, it's. It's hard to know without having better sourcing. But, yeah, I guess we just wanted to flag it for everybody because it's kind of interesting, you know.
Patrick Gray
Yeah, yeah. On a similar topic, Pavel Durov, the founder of Telegram, Founder and CEO of Telegram. He has been allowed to travel home to Dubai from France. He was arrested there last year, you know, because of all of the bad stuff that happens on Telegram and his absolute failure to do anything about it. You know, obviously, since then, Telegram's taken some, you know, small but significant steps toward actually improving moderation on its platform. It's committed to doing something about the CSAM all over its platform, which is a, you know, in my view, a positive thing. And now he's managed to negotiate going home and has, you know, put out a statement talking about how, you know, Telegram's great at doing moderation. Cooperation and fighting crime for years and years and years. So he's, you know, he's put out a statement just saying, yeah, yay, law enforcement. I'm very happy. And he's. And he's gone back to Dubai.
Adam Boileau
I mean, I guess anything that moves the needle is good. And, you know, it's hard not to look at this as a model for, like, regardless of how successful it is in. Specifically in the Telegram case, they did manage to get some leverage through this approach. And you have to think, like, if you were the, you know, the owner of another social media network and you were traveling around the place and you didn't want to be, you know, and you.
Patrick Gray
You want to be able to go to Paris for it when you want.
Adam Boileau
To be able to go to Paris or wherever else, then maybe that would be a thing to consider that, you know, this might be a model they could apply to other people.
Patrick Gray
Yeah, yeah, exactly. And we'll see if that cooperation ceases the second. The second he sets foot, you know, off the plane in Dubai. Another one from the Record, another one from John Greig, which is a report about Joe Sullivan, who was the former Uber, you know, chief security officer. And, of course, he was convicted of, like, a bunch of stuff, including, like, misprision of a felony for failing to report to the FTC that there had been a data breach, which, you know, the FTC's contention is that he covered it up because he tracked down the people who actually did this breach, got them to sign a bunch of documents and agree to delete data, which, you know, Sullivan kind of argued, well, that meant that it wasn't illegal and we didn't have to report it and everything's cool now. And I remember years ago when all of this happened, I had some sources inside Uber, and I got a pretty good idea of what had happened. And even then I said what they had done with these guys in terms of tracking them down, paying them a bounty and getting them to sign documents was fine. Where they messed up was failing to report it, and, you know, ultimately the courts found that to be the case. He was convicted of a bunch of crimes. He didn't have to do any prison time. You know, he copped a fine and. And whatnot. And he's appealed it, and, you know, his appeal has been overturned now. Through the whole Joe Sullivan thing, you know, regular listeners would know that I thought it was a. I thought it was a bit off base that people. CISOs, other CISOs, were really worried about, like, DOJ going after CISOs for doing normal CISO stuff. Because when you looked into the details of this case, he was not doing normal CISO stuff. I mean, I saw him as recently as like RSA last year. He turned up to a thing I was at and did a talk about it. And, you know, it's still his line that this is terrible precedent, whatever. It's like, bro, you know, two courts now have found that you broke the law. 
Like, time to just accept it and move on. And I think it's time for people to stop worrying about this. Like, until you've read the details of the case and what he's alleged to have done, stop worrying that the FBI are about to come and arrest you. Like it ain't happening.
Adam Boileau
Yeah, I mean, in the end, it's the cover-up that gets you. You know, in, in this particular case. Right. They could have been more forthright with what they were doing. I mean, yes, kind of retroactively claiming something was a bug bounty is a little bit weaselly, but in terms of the data that went out and then, you know, preventing it from going further and causing more harm, you know, but.
Patrick Gray
They were in the middle of an FTC investigation. Like there were requirements there for him to report exactly this sort of thing happening. And, you know, anyway, look, he argues and it's fair enough that the DOJ were using charges against him to try to get him to flip on the, on Travis Kalanick, the CEO of Uber. And look, that might be the case, but that's what happens when you commit crimes around other people that the DOJ are looking into. They. They're going to use that leverage and the decision is yours whether or not you want to wear the charges or flip. And he chose to wear the charges. I just wish he'd stop complaining about it. I mean, I've got a bunch of friends in common with Joe Sullivan. I can't say I've met him before, but only briefly. I can't say I know him. He seems like a decent guy, but he's just got to let this go.
Adam Boileau
Yeah, yeah, that's dragged on for long enough. And yeah, time to. Time to get on with life.
Patrick Gray
Yeah. Now, in some business news, My God, Wiz, which was founded in 2020, has just been sold or just been acquired by Google for $32 billion. I mean, that's not a bad payday for five years. That's incredible.
Adam Boileau
That's wild. You know what, 30, 32 Instagrams. Is that the metric?
Patrick Gray
Yeah.
Adam Boileau
Which, you know, that's. That's pretty funny. And of course they rebuffed the Google offer. Was it last year for something like.
Patrick Gray
I think it was like 23, you know, and like how they've managed to add like what, $9 billion in enterprise value in that amount of time? Like how, how did they, like, what are they, did they hypnotize?
Adam Boileau
I guess clouds, you know, the cloud is a big deal these days and securing your cloud is also a big deal. But like this is the. I think it's the biggest security acquisition ever, right?
Patrick Gray
Like, yeah, I mean we were trying to think of a bigger one and Splunk was like 28 billion.
Adam Boileau
Yeah, like Cisco and Splunk seemed pretty.
Patrick Gray
Big, but I just think the thing that spins me out about it is like how quickly they built a $32 billion company. And to be honest though, like everyone you ask about Wiz, they're like, oh yeah, Wiz is great. Like, you know, talk about satisfied customers, everybody sort of loves it for its core, you know, for its core stuff. It just kind of works and does a bunch of good stuff. And I think the only thing we ever had to do with Wiz is we had, we had them into a snake oiler slot once just to promo one of their new product lines or whatever. And you know, it's a company that does kind of ooze competence. Right. So it is nice to see, you know, just such a success story for founders. Like, oh my God.
Adam Boileau
Yeah, I mean it's certainly, you know, congratulations to Wiz. And then, you know, I guess we will see what Google does with it because you know, we've seen sort of.
Patrick Gray
Google acquisitions because they're so good at enterprise sales, right?
Adam Boileau
Well, yeah, right. And you know, you've also got to wonder if you're a customer that's relying on Wiz for services on other platforms than Google. Like if you're using it in your Amazon environment, using it in your Azure environment.
Patrick Gray
I'm less worried about that. I mean, you know, Google have got their sort of cloud scene product and that's not just tied to, you know, the Google platform or whatever. I think, you know, they're trying to build a product portfolio that's not just relevant to GCP because that would be really dumb, you know, and they're not, they might not be great at enterprise sales, but they're not that dumb. So I'm less concerned about, about that now. Just before we wrap it up, we've actually got a little bit of sort of Risky Business related news to talk about, which is that I have a new gig.
Adam Boileau
A New gig, you say?
Patrick Gray
So, yeah. So I am, I've taken a role with Decibel Partners, which is a US based venture capital firm, as a founder advisor. And I'll just sort of explain a bit of the backstory of how we got here. Right. So for many years I've been working with companies that have been founded by this fund. Right. Like not through any sort of arrangement. They just tend to invest in the sort of startups that I find interesting. Right. So like Run Zero is a great example of, of that. Right. And HD Moore over there and they're a cool, fun, they do like early stage stuff. And I got to know John Sakoda, who's the, the head honcho over there over the last couple of years. And at the same time, you know, I started sort of thinking about the future of this company. Right. Because we are, you know, a small media company in a niche. You know, what's the future for a company like that that I've been running for almost 20 years? And you know, around the same time there were some discussions with major vendors about potentially acquiring Risky Business, which. Why don't we get you in here to explain why you found that deeply traumatizing?
Adam Boileau
I mean, I guess there's a couple of aspects, Rick. One is I've also recently been through the process of, you know, selling off 15 years worth of work in a big acquisition. And you know, that, you know, that has upsides and downsides. And you know, really for me, you know, I've been doing Risky Biz for almost as long as you. Right. I've been here what, 16 out of those 20 years?
Patrick Gray
Something like that.
Adam Boileau
Like that. 16, 17, whatever it is. And so I'm pretty invested in Risky Biz being a thing and I am concerned about anything that kind of really changes what it is we're trying to do here. Ultimately, I like learning about interesting new stuff happening in Infosec and talking about it and anything that kind of changes that is concerning to me and being bought by a vendor may come with constraints.
Patrick Gray
Well, yeah, I mean, ultimately you're going to wind up at, you know, after a few years you're going to wind up working for a CMO who's interested in pushing their underperforming product line and they're like, get on your microphone, monkey dance. Right. And that, that was going to be the issue. And yeah, so Risky Business has always had a very different model. Right. You would notice, like, I'm guessing a lot of the people listening to this, they listen to other podcasts and their fingers are sore from hitting the 30 seconds forward button every time someone breaks from their programming to read a script for BetterHelp or NordVPN. Right. So we've never really wanted to have that model for as long as we've been around. We've kind of worked with sponsors and people are like, well, but does that give you conflicts and. Not really. It's not really the way that it's turned out because we put a lot of effort into picking who we put on this platform to begin with. And now we're just kind of moving that a little bit earlier. Right, where I'm going to be working to try to start startups with founders, you know, practitioners who might have ideas, you know, by all means, get into my inbox and tell me what your ideas are. We'll see if it's something that we can develop and that's going to be exciting. And then, of course, once they're. They're ready for that, we might start floating their ideas in the show. They can, they can sponsor the show and, you know, I can work with them on refining their message and all that good stuff. And this was John's idea, right? John Sakoda, who runs Decibel, you know, he really came to me with an alternative to selling Risky Business to some vendor and then making, you know, destroying, you know, what I think has sort of become a bit of an institution. Right. So this is a new business arrangement we can come to that keeps Risky Business doing what Risky Business does.
Adam Boileau
That. That's certainly my. You know, the thing that made this appealing to me was their incentives are very much aligned with ours. Right. We want to do what we do and not really change what we do. And, you know, their interest is for.
Patrick Gray
Us to keep doing what we're doing. Right.
Aaron Steinke
For us to keep doing.
Adam Boileau
Because clearly we have similar taste in, you know, in tech firms because there's such a lot of overlap between our sponsors and their, you know, stable.
Patrick Gray
Yeah, that's right. And, you know, I've already helped one company raise money through Decibel. That's Knocknoc, which everybody would know. I'm a huge fan of that. I'm on the board of Knocknoc now. So they got a little seed round through Decibel, which was just announced today. And I'm working in an advisory capacity with about like five or six of their companies. Like Push Security is one, like Run Zero, Authentik, Prowler, which is super cool. Speaking of Wiz selling for 32 billion, you know, and Prowler's got like an open source platform that does some of the stuff that that Wiz does, but it's very good for like, you know, cloud security checks and stuff and even remediations like. But you see what I'm, what's happening here is I'm already, you know, just, just motor mouthing about it because I'm actually into this stuff and you know, so what it means is that I've been appointed to this new gig. Decibel has invested in Risky Business, which means that we can grow, hire some more staff, but we're not going to mess with it. And that's the thing that I really want people to understand is any changes we make here, we're going to think about them carefully because we respect our audience. As you can probably tell from this conversation, we think being transparent is really important. But that's basically it. Like this deal, this change, you know, more than anything just sort of seals, you know, the future of Risky Business being Risky Business. And that's why we did it. And you know, I think that's about it, isn't it?
Adam Boileau
Yeah, yeah. I mean, having a way to fund us continuing to do what we've been doing for so long without it being your personal sacrifice for 20 years, you know, and turning it into a thing that, you know, has a path forward that, as you say, doesn't involve shilling. NordVPN.
Patrick Gray
Yeah, no BetterHelp scripted reads and no working for a single product vendor who's just going to get us to push stuff. Like it's just, you know, obviously at some point something has to happen with the business after 20 years. And I'm just really glad it's this. And I am. The interesting thing for me is like, it took a long time to get this thing over the line and the thing that has made me happiest about it is like now I get to start doing the work with the founders. I'm actually very excited about that. I am not just saying that. I enjoy that sort of work and I'm looking forward to trying to develop some new companies and new ideas and whatnot. So as I say, if you've got an idea for a startup, you know, let me know. I'm, I'm all ears at this point. That is my job in addition to hosting this podcast. But mate, we're going to wrap it up there. That is it for this week's news segment. Thanks a bunch for joining me. We'll do it all again next week.
Adam Boileau
Yeah, thanks very much, Pat. I will look forward to it. And I'll see you then.
Patrick Gray
That was Adam Boileau there with the check of the week's security news. And big thanks to Adam for everything that he's done for this podcast over the last at least a decade and a half. It's time for this week's sponsor segment now and this week's show is brought to you by Zero Networks, who make a really, really cool micro segmentation product which orchestrates existing gear within your network to deliver micro segmentation. And the way it deploys is actually pretty cool because you, you throw it out there and it learns which machines talk to which machines and then you can sort of put it in an enforcement mode and bang, you have micro segmentation. Now, a lot of products have promised to do this sort of thing over the years and they don't really, like, the experience doesn't live up to the marketing claims. So this week, instead of having someone from Zero Networks actually on the show to talk, talk about their product, instead, they suggested I speak with one of their users. Aaron Steinke works for La Trobe Financial, which is a financial services firm based in Melbourne, Australia. And yeah, he rolled out Zero Networks and is a very happy customer. Obviously a vendor is not going to give you one of their unhappy customers, but I will say I spoke with Aaron, I don't know, for a good half an hour after we recorded this interview. You know, this is a guy who knows his stuff, absolutely 100% knows his stuff. And, you know, I find I found this interview interesting because he really does mount a compelling case that what Zero claims it can do is actually what it can do, which is more than you can say about a bunch of vendors. Anyway, here's Aaron Steinke from La Trobe Financial in Melbourne talking about his experience in installing and spinning up Zero Networks' network micro segmentation product. Enjoy.
Aaron Steinke
We're a financial institution. We are very paranoid. That's the nature of working in finance. And getting those controls over lateral movement in our network is really essential and it's a hard thing to do and we knew it was a hard thing to do before we committed to it. But like all the most effective controls, there's a fair bit of work to get it done. We have actually found that with Zero's product there's actually a lot less hard work than there is with some of the alternatives that we have played with in the past. This isn't our first rodeo and it's been a. There's been a few failed attempts in the past to get to a proper segmented and micro segmented network with. With varying degrees of success.
Patrick Gray
Yeah. So that's the interesting part.
Adam Boileau
Right.
Patrick Gray
And I think that's one of the reasons it's not, you know, a commonly done thing as yet. Right. Is it is hard to do. It's. It's been hard traditionally to do it. Well, like what were the sticking points with other attempts that you'd had had at this with different tooling?
Aaron Steinke
With some of the other tools you've got a huge complex rule base that you end up having to maintain manually. There's a lot of work and a lot of feeding and watering. And even when it goes to new product rollout where the documentation is never what it should be, you're putting in a system created by someone else and there's some weird little port that only gets used once a month that pops up. The tooling with Zero has really made that whole automated learning process work really well. Which. It's another one of those features that everyone promises and it.
Patrick Gray
I was actually about to say. So like what you're saying is that this time it's not all lies. Right. Because everybody's like, you just drop it and it automatically does everything and you know. Yep.
Aaron Steinke
And that's where the rubber hits the road. It really has done what it said on the sticker.
Patrick Gray
Yeah. Well that's good. I mean, so look, I mean it can't have all been 100% smooth sailing. Right. I'm guessing there's still a few corners to round off. Like you know, if someone's thinking about doing this, like what should they prepare themselves for?
Aaron Steinke
There's a little bit of trial and error in it, as you would expect. We also. So here at La Trobe we have a network that has been chugging away and evolving for. Since the 80s. There's some weird little hollows of legacy horror shows in there like there are.
Patrick Gray
Yeah.
Aaron Steinke
In most places. A few of the headaches we had were things where people had in the past tried some odd little tricks with group policies. And I think this is where Zero really shines. Is that a lot of those problematic bits and pieces that we have tried in the past that were really complex became a lot simpler, and things that require agents is where we've had a long struggle in the past. And I got to admit to that. I was a little bit cynical when we first started talking to Peter about how the whole product runs on WinRM, which has also been a bit of a horror show for those of us who have been around for a while. I was cynical that it could actually perform and do its job in a timely manner. And they've clearly done a fair bit of work in the background and got that working and got that working quite reliably and it's scaling pretty well. We haven't had any issues with latency, at least not yet.
Patrick Gray
And it's funny what you were talking about, the nature of your network is like what came across was like yeah, there were a few sticky parts but that was our fault, not theirs kind of thing.
Adam Boileau
And it is.
Aaron Steinke
And that's actually a problem that I've seen in the past too with other microsec products. They work great if you're in a cloud native environment. If everything is modern and shiny and new. And we down here in the real world, where you and Adam like to rubbish us a bit, we have to deal with some pretty horrible old school protocols that don't play nice, that aren't predictable, and it means things like the zero trust approach to a lot of our software has been really difficult. With Zero Networks, the way that it is identity aware at the point where you're making your network connection has let us retrofit a lot of those smarts to products that really haven't lent themselves to it, that would have needed an inordinate amount of development time in their authentication mechanisms to get us to that sort of continuous identity.
Patrick Gray
Yeah. So we're talking like essentially bolting on at least some sort of identity aware access control onto like on prem legacy crap horror show awful stuff that you can't do it any other way. Yep.
Aaron Steinke
I mean you can always do it another way but it's not necessarily cost effective. And bear in mind too that some of these products are things we have already already have an axe hanging over their head. But it's a multi year process and hundreds of thousands if not millions of dollars to get rid of them. We have to do something to get us over that gap and it's been a real godsend.
Patrick Gray
Well yeah, and I'd imagine too. So I work with a company that does something similar but for external resources, not so much internal resources. One thing that's really interesting that we keep hearing from people around that one and I imagine it's the same for the internal use case is the user attribution you get on who's doing what on the network like actually tied down to a user who actually exists in a directory somewhere who you can identify. I imagine that's something you're probably doing something with that. Yep.
Aaron Steinke
Our security guys love it. The feed that's going into Splunk is making their eyes water in a good way.
Patrick Gray
Yes, they are tearing up misty tears of joy.
Aaron Steinke
We've even had a bit of a tinker with those high risk protocols. The SSH into boxes, RDPs into things. It's also letting us put in an MFA step before the firewall even gets opened, which is really nice. That's historically been incredibly hard. We've had a few shots at that with other products that don't necessarily work in that sort of segmentation model, but where they intercept the authentication mechanism, they tend to add latency, cause bugs, cause errors, cause headaches. Because this is happening before it triggers, where you're finding it's a lot more successful and less intrusive.
Patrick Gray
Yeah. So, you know, like, have you racked up any, you know, any tangible wins since you've started doing this? Like, is there something you can point to and say, well, that saved our bacon.
Aaron Steinke
One of our biggest wins is a common audit question. Every time the auditors come through, which is every five and a half minutes in a financial institution, we're getting asked why we're not doing MFA on certain products and protocols. And it's given us a way of implementing that. That's probably the biggest. The use case we didn't really expect to be solving that. It's really got us a nice little green tick for.
Patrick Gray
Yeah, it's funny actually Benny, who's the, you know, the founder of Zero, when I've had him on the show previously and asked him like, what's driving growth? Because I know they're growing and he's like, man, the amount of compliance stuff that people are just like, oh my God, I can just get this in and it solves that problem. Like they, you know, the security benefits, like a nice benefit to the compliance side, which is like, not the way it should be. But hey, I don't know, maybe it's a good news story about compliance.
Aaron Steinke
I think it is. And the other thing it has solved for us is, you know, we don't have a huge team here. We are, we are not, you know, we're not NAB or CommBank. We need something that's reasonably easy and straightforward to manage so that we can get the best out of our, out of our people, and it really is quite straightforward to add exceptions where we need them, to respond to. Do all those things. I like to think of it as doing a bit for our network segmentation what the likes of Airlock do on.
Patrick Gray
Yeah, yeah, yeah. For files. Right? Yeah, it's similar thinking. It's similar thinking, right, which is default deny and open up only where you need to. So yeah, now we were chatting before we got recording and I actually asked like, did you hear of Zero Networks from the podcast? Because you are apparently a long term listener who's listened since I used to put music at the end of the shows and whatnot. And you said, yeah. You remember us talking about their remote access product, right? So this is for people who aren't familiar. They've got their micro segmentation thing, but they, Zero developed a remote access solution for people who are wanting to throw away their horrible VPNs and get something in place that was less risky. What they've done is they've got a VPN where all ports are closed until you MFA, until you go through your IdP, it opens up the port and then you can go through and it's sort of IP restricted and just a lot safer. You know, this is good thinking, but you, that's where you actually started with them. Right? And what's funny is I know from talking to people at Zero that like that product has been like way more successful than I think they realized it would be. Which in retrospect I guess kind of makes sense. But you wanted to talk about that too because you're, you're a big proponent of it.
Aaron Steinke
I'm a big proponent. Not just because the whole ecosystem of VPN solutions sucks, but also because when we look at more modern approaches to VPNs, the zero trust network access, the SASE solutions, the enterprise browsers, they're pretty useless to us. We have a whole lot of legacy protocols and legacy applications and things where we have users who directly interact with SSH, thick clients that use RPC all over the place. Those sorts of things which the more modern approaches don't really work that well with. We've tried enough of them to have zero confidence in them actually being a fit for purpose solution. So we've sort of stuck with a more traditional VPN type of approach. And what we had been going down the road of was sort of segmenting our users as they VPN in so that we could get some sort of classification and firewalling there and again we're.
Patrick Gray
Back to a really deep well, yeah, that gets complicated real quick.
Aaron Steinke
And even trying to get the sort of same class of service when you are on prem versus remote has been a real nightmare. Whereas once you put the two together, the Connect and the Segment product, you end up with that the user gets the same user experience whether they are remote or in the office and we get that same level of security. Whereas historically we found that you often end up in a scenario where people have more network access when they're on the VPN because you can't categorize them and classify them well enough. So that's really, I think, hugely improved with a, you know, with a typical workforce that we have where people are regularly working remotely these days, which they weren't pre-COVID. It's given us a much more robust solution to how we treat those remote workers without having to completely throw out our entire stack, which, as I said earlier, is not a cost effective solution, at least not to happen in three months' time.
Patrick Gray
All right, well, Aaron Steinke, thank you so much for joining us on Risky Business to sing the praises of one of our sponsors, which is Zero Networks, which is, yeah, certainly a company we think makes cool stuff. Great to meet you and fantastic to chat to you. Cheers.
Aaron Steinke
Thank you.
Patrick Gray
That was Aaron Steinke there talking about his experience of being a Zero Networks user. And again, you know, Zero Networks being one of those companies that's taken an old concept and actually made it workable, much like Airlock Digital. I did find it funny actually in that interview when Aaron made an Airlock reference because that implies that he's an Airlock user. And I can just imagine being a very sad pen tester if you landed on a network that is running Zero Networks and Airlock Digital at the same time. That's a, that's a bad day at the office. But, yeah, that is it for this week's show. I do hope you enjoyed it. I'll be back tomorrow in Seriously Risky Business. But until then I've been Patrick Gray, thanks for listening.
Release Date: March 19, 2025
Host: Patrick Gray
Guest: Adam Boileau
The episode kicks off with host Patrick Gray introducing Adam Boileau, who delves into a significant security breach affecting GitHub users. This supply chain attack targeted a widely-used GitHub Action called "changed files," which assists developers in identifying modified files within their repositories.
Key Details:
Notable Quote:
Adam Boileau [02:29]: "Anyone who was using this utility had the memory of their build system scraped for credentials and then those credentials logged in a place that probably the attacker or indeed other people can get to, which is bad."
Patrick and Adam discuss recent activities by China's Ministry of State Security, which publicly attributed cyber-attacks to Taiwanese military personnel linked to an advanced persistent threat (APT) group targeting systems within China.
Key Points:
Notable Quote:
Patrick Gray [06:57]: "It's quite threatening because there is always the possibility that in the medium term future Taiwan will be invaded and annexed by China."
The podcast covers the shutdown of OKX, a decentralized cryptocurrency exchange accused of facilitating money laundering by allowing funds from other platforms like Bybit to flow through it.
Key Insights:
Notable Quote:
Adam Boileau [09:38]: "The fact that the platform makes money laundering seem to surprise absolutely no one."
A report from Socket Security reveals that North Korean actors, attributed to the Lazarus Group, have been deploying malicious NPM packages via typo squatting. One such package imitated one previously developed by host Adam Boileau himself.
Discussion Points:
Notable Quote:
Patrick Gray [10:26]: "It's just plain old typo squatting."
The conversation shifts to the abuse of brute force tools by threat actors, specifically referencing the Black Basta leaks. These tools, written in PHP, have been used to target VPN devices and deploy ransomware.
Key Takeaways:
Notable Quote:
Adam Boileau [17:57]: "The brute force tool itself was written in PHP, which is like, that's kind of hard mode."
John Greig from The Record reports on the Mora_001 ransomware gang exploiting Fortinet vulnerabilities that CISA had warned about in January. That the same bugs are being exploited again highlights ongoing security lapses despite prior alerts.
Notable Quote:
Patrick Gray [16:40]: "It's just deeply ironic and funny in the kind of tragic way."
The episode touches on internal turmoil within the US Cybersecurity and Infrastructure Security Agency (CISA), where numerous probationary staff members have been fired. A court has mandated their rehiring, but they have since been placed on administrative leave, contributing to organizational chaos.
Notable Quote:
Patrick Gray [21:28]: "It's so farcical. Oh, God."
European tech leaders are advocating for the development of a European cloud stack to reduce reliance on American technology, driven by geopolitical uncertainties and regulatory challenges.
Notable Quote:
Adam Boileau [23:58]: "We've seen a call amongst European tech leadership to start working on a European cloud stack [...] it's going to be a heavy lift."
Ukrainian law enforcement has expressed dissatisfaction with Signal's cooperation concerning Russian cyber threats. Signal's leadership clarified that it has no formal cooperation agreements with any government, leading to speculation about the nature of its assistance.
Notable Quote:
Patrick Gray [27:23]: "We don't officially work with any government, Ukraine or otherwise. And we never stopped."
Pavel Durov, the founder and CEO of Telegram, has been extradited from Israel to the United States. His arrest was linked to Telegram's alleged failure to address illicit activities on its platform. Since his release, Telegram has made strides in improving content moderation, particularly concerning Child Sexual Abuse Material (CSAM).
Notable Quote:
Patrick Gray [30:10]: "He's put out a statement just saying, yeah, yay, law enforcement. I'm very happy."
Joe Sullivan, former Chief Security Officer at Uber, has been convicted for failing to report a data breach to the Federal Trade Commission (FTC). Despite arguing that handling the breach internally was sufficient, courts ruled against him, emphasizing the legal obligations of CISOs.
Notable Quote:
Patrick Gray [32:51]: "It's time for people to stop worrying about this. Like, until you've read the details of the case and what he's alleged to have done, stop worrying that the FBI are about to come and arrest you."
In a landmark deal, Google has acquired Wiz, a cloud security firm founded in 2020, for a staggering $32 billion. This acquisition marks the largest security-related purchase to date and reflects the escalating importance of cloud security in the tech industry.
Notable Quote:
Patrick Gray [34:22]: "How did they manage to add like $9 billion in enterprise value in that amount of time? Like how did they, like, what are they, did they hypnotize?"
The episode transitions to a sponsored segment featuring Aaron Steinke from La Trobe Financial in Melbourne, Australia, discussing his experience with Zero Networks' micro-segmentation product.
Notable Quotes:
Aaron Steinke [45:07]: "With Zero Networks, there's actually a lot less hard work than there is with some of the alternatives that we have played with in the past."
Patrick Gray [46:52]: "It's funny what you were talking about, the nature of your network is like what came across was like yeah, there were a few sticky parts but that was our fault, not theirs kind of thing."
Risky Business #784 provides a comprehensive dive into pressing information security issues, ranging from significant supply chain attacks and geopolitical cyber tensions to groundbreaking industry acquisitions. The episode also highlights effective security solutions through its sponsor segment, offering listeners actionable insights and perspectives from insiders like Aaron Steinke.
For those navigating the complexities of information security, this episode serves as a valuable resource, encapsulating the multifaceted challenges and innovations shaping the industry today.