
Loading summary
Patrick Gray
Foreign and welcome to Risky Business. My name's Patrick Gray. We've obviously got a great show this week. Lots and lots to talk about. We'll get into that in just a minute. This week's show is brought to you by Run Zero. And Run Zero's founder, H.D. moore will be along in this week's sponsor interview to talk about why Run Zero is going to be doing volume scanning now. And basically, HD makes a compelling case that the incumbent vulnerability scanning companies aren't really doing vulnerability scanning anymore. They're doing authenticated scans and they're doing stuff on endpoints. But in terms of being able to point a scanner at like an IP range and get it to give you stuff to fix, like, it's not really what they're doing anymore. They're not very good at that anymore. And Run Zero is going to step in and fill that gap. So that is an interesting conversation, and it is coming up after this week's news, which starts now. And of course, we are going to be talking about Signal Gates. Unless you've been hiding under a rock, you would know that senior government officials in the United States planned a military action against Yemen, against the Houthi rebels in Yemen, over a Signal Group chat. And they accidentally invited an editor from the Atlantic to the chat. They accidentally added him, and it's turned into a big scandal. Here's a look at how major media outlets reported on this.
Adam Boileau
How on earth did this happen? The Trump administration accidentally texted me its war plans. That is how the journalist Jeffrey Goldberg summed it up. He is the editor in chief of the Atlantic magazine, and he's written at.
Patrick Gray
Length about what beggars belief.
Adam Boileau
He accidentally received top secret war plans from Defense Secretary Pete Hegseth.
Patrick Gray
It is just shocking in several different ways.
Adam Boileau
This all happened on an encrypted text.
H.D. Moore
Messaging service called Signal, which is not approved for shar classified information, details so.
Adam Boileau
Sensitive, the reporter who accidentally received it all opted not to publish them out of concern for national security.
Patrick Gray
So, Adam, let's bring you into this now. Let's talk about this. And I mean, what do you, what do you even say here?
Adam Boileau
I mean. Yeah, what, what is there to even say? It's been, it's actually been really fun kind of watching this unfold because it's such an understandable story. Like normally when we're discussing, you know, deep cyber, you know, wonkery, it's not really very inclusive for the general public. Whereas this one I think everyone gets. And there's just been such a great amount of, you know memes and hot takes and jokes, you know, way beyond just the regular, you know, cyber security world. So it's been, it's been a fun ride.
Patrick Gray
I mean, I managed to do a, do a really nerdy joke on this, which is why is everyone mad? They were using a skiff signal chat in phone spelled with an F. But you know, there's also new phone houthis, you know, like lots of. Yeah, the jokes, the memes have been terrific. But we should break down like the story here. I've got to say though, the coverage of this has basically been on the money from the major, major media outlets. They very quickly honed in on the fact that the, the story here isn't that a journalist was added to this group. The story here is that the group existed in the first place. One thing I haven't seen talked about that much is the fact that this would indicate that there's probably a lot of other signal groups that we don't know about. And I'm sort of surprised to not see the media seizing on that.
Adam Boileau
Yeah, I mean, clearly if they're doing it in one place and this is kind of normal practice, they're going to be doing it in all sorts of places and you can kind of see why. Right? I mean, it's super convenient. Everyone's got a phone in their pocket. Actually trekking down to the skiff, you know, is totally a pain. So you can see why. But yeah, it's the, you know, it makes you wonder how much this is being used and you know, clearly, you know, sharing information from, you know, it's one thing to be having conversations, but also they were like, you know, copy pasting stuff. And my question is, well, where were they copy pasting from?
Patrick Gray
Maybe, maybe. And we'll get into that in a bit. But you're quite right that politicians and public servants alike, they do use messaging apps like these and sometimes in ways that aren't in compliance with government regulations. And I personally think government regulations around some of this stuff needs to change to just sort of better reflect reality, which is that, you know, a signal conversation might be the modern day equivalent of, you know, having a chat with someone in the hallway. You know, it might not be something that needs to be subject to government record keeping requirements and whatever.
H.D. Moore
And that's.
Patrick Gray
There's the whole other aspect to this which is it's legally just iffy in the first place because of records keeping requirements. And you know, but if there is reform here, under no circumstances would a principles committee planning a military strike be be allowed to use Signal. Right. So breaking down the story, obviously the news here is that the Signal group existed in the first place. I think the journalist involved, Jeffrey Goldberg, did a very, did the right thing to a T which is wasn't quite sure what was happening, was added to this group and thought it might have been some attempt to trick him and make him look stupid by reporting on the data that was in there. And then once they got closer to military strikes, he like turned on his radio and could turn on his radio and I think checked social media and saw that there were reports of bombs falling exactly when this group said they were going to and at that point left the group. But like we should probably talk about why planning a military action over a Signal group chat is a bad idea and it's because the endpoints aren't secure. Right. Like unquestionably a lot of the participants in this group chat were using their personal devices. Now America's adversaries would have already been targeting those devices but now with a story like this in the open, knowing that they could access classified information and that government business is being handled over these sorts of chats, you're going to think they're going to redouble their efforts. And further to that, you got John Ratcliffe, you know, Director of the CIA talking about how Signal has been installed on his work computer. So they're not just using the mobile app, you know, it's spread out onto other endpoints as well. Work computers, maybe some computer, personal computers, we don't even know. And that's kind of a problem.
Adam Boileau
Yeah, exactly. Because I mean, you know, given the alternatives of like let's have this conversation on SMS text messaging, which apart from the fact that it's not really a group medium, clearly not desirable, you know, Facebook messenger, not great. I mean if you're going to use an app, Signal, you know, it's probably the right choice if this was a right choice at all, which clearly it wasn't. But then yes, the linking it to other computers because I mean, you know, an up to date iPhone pretty, you know, about as best as you're going.
Patrick Gray
To get in the not if you're.
H.D. Moore
The Secretary of Defense device, but not.
Patrick Gray
If you're the Secretary of Defense. Adam, come on.
Adam Boileau
Well, well, yeah, exactly. Like if, if the prices, you know, prices for Apple bugs clearly have gone up over the years but they're still achievable and people still sell them because they still exist. So yeah, it's not ideal. And pushing it out onto computers just increases the amount of attack surface that you've got there by such a lot as well. So yeah, I mean, the whole thing is, is kind of concerning, kind of a mess. And even though signal is best case, it's still just bad overall.
Patrick Gray
No, best case is a skiff. Right. Even Trump's come out and said that. But again, we'll get into that a little bit later on. But look, we've got government officials denying that classified information was leaked into this, into this conversation. You know, Jeffrey Goldberg has, has made some comments that make that seem really unlikely actually, because apparently you had things like, you know, up to the minute weather reports and information targets like the human identities of targets, which weapons were going to be used to target them and things, things like that. So almost certainly classified information was leaked into this chat. But then there is the question of the cut and paste. Right. Because the level of detail that Goldberg describes going into this, into this group chat kind of indicates that it's at least a possibility that there was some copying and pasting going on. And you would presume that that copying and pasting was taking place from a, from a document that should have been on the, on the air, gapped high side of the network. And that is an aspect of this, that if there were to be an inquiry, that is the part that's the first question you'd want to answer is like, was high side info being copy pasted into a signal group chat that was winding up on endpoints that you don't even control?
Adam Boileau
Yeah, and that's just, that's not a, even the possibility of that is not great. And you can just imagine how many people are grinding their gears at Fort Meade and through all sorts of security agencies, thinking about how many training sessions they've had to go to, to learn not to do this and all of the rules and rigor and things that they have to do in their everyday job, all the inconveniences of managing sensitive information and then seeing it just kind of yoloed like this, it must just be super aggravating.
Patrick Gray
Now keep in mind too, the Houthis are essentially in control of something. Last time I checked, which was a couple of months ago, they control something. The areas where approximately 85% of the population in Yemen actually live. Right. So they are kind of the de facto government there now. And they are an Iranian backed militia, they're an Iranian backed organisation. So while the Houthis might not have much of a cyber capability to go after like government computers to try to read signal messages and stuff, you know, the Iranians do. Right. So that's something to keep in mind. So it is really, really bad. What's been interesting is I heard Trump on the radio this morning and he seems actually somewhat annoyed by this and seemed to actually acknowledge that this is extremely not great. He talked about having been in the Situation Room previously where other people were dialing in externally and he just said, terminate the lines. You know, that's not appropriate. He said the best place to have these sort of conversations is in the Situation Room, you know, preferably in a room lined with lead is what he was saying. So he sort of, and it was funny because then he pivoted into an attack against the journalist, calling him a slime ball and, you know, all of this sort of stuff. Right. So he sort of oscillated between acknowledging that this was not great. Also said that they wouldn't be using signal as much in the future. So sort of seem to acknowledge that this was an issue while also going on the attack, which is, you know, very Donald Trump of him. Pete Hegseth interesting thing there was. He did a, you know, he did, he did some comments to camera where he tried to do the Trump thing of attacking the lying media and whatever. And it just, it just doesn't work when he does it, you know, like no one can quite carry that like, like Trump. But yeah, I mean, there's many layers to this. There's the record keeping requirement side of it. There's the general sort of fast and loose with classified info side of it. There's the, I mean, it's just, you know, it's a little bit different to similar scandals we've seen in the past with like Hillary Clinton's emails, which did not involve real time planning of military action. You know, we have seen politicians sort of get caught doing this. We had another instance where a German military figure was dialling in from an insecure line into some sort of, I think it was a zoom call, like a, you know, gov grade zoom call or whatever, but could only dial in and was discussing details, limited details about delivering Taurus missiles to Ukraine for them to use against Russians. And that call was intercepted. But again, it wasn't like, ok, they're going to be in these trucks on these roads at this time. This just seems really bad and absolutely not the sort of stuff you would want in a group chat. The fact that they accidentally included an editor at the Atlantic is just the cherry on top here.
Adam Boileau
It's such a beautiful thing. Oh boy. I wondered actually, when I read some of this, like, I wonder what moxie, Moxie marlinspike who did a whole bunch of the work on Signal and developing it originally. And it's kind of a hippie, like, kind of a punk. I wonder how he feels about Signal being used to call.
Patrick Gray
Well, he was on social media the other day posting a. Yesterday posting a guide to how to make sure you are not accidentally adding the wrong people to your Signal group chats, which was pretty funny. Hey, just a reminder, folks, here's a guide that we wrote.
Adam Boileau
Yeah. Dear, oh, dear. I don't know. Honestly, I think it's been a great story just because it's so accessible for everybody else outside our sphere. And I think that's, you know, this is good reminder for everybody about how OPSEC works and keep an eye on the group chat and thinking about where you're talking about these kinds of things. So, you know, I can't imagine we'll see much change beyond a little bit less use of signal in USGov, but, you know, it's been a fun ride.
Patrick Gray
Yeah, I mean, I think probably the one aspect to this that's been misreported, though, is people are sort of left with the impression that Signal's very secure and there's not much of a risk because everything's encrypted. And of course, some stories are even now updating, saying, well, while the messages are not likely to be, you know, intercepted in transit, obviously there is a problem if a hacker is able to gain access to one of the endpoints on those computers. So I think that that part has kind of been lost. But, yeah, this is. I think there's a lot of listeners, or some listeners, at least to this show, who would be wondering whether or not this is a big deal and whether or not this is as bad as it looks. And it actually is this one, actually.
Adam Boileau
Yeah, it totally is. And, you know, I guess the good thing is people will learn some lessons from it, I guess.
Patrick Gray
Yeah.
Adam Boileau
From the fallout.
Patrick Gray
So, yeah, I think even Trump said that his National Security Advisor had learned a lesson here. Right. So I just found it interesting seeing Donald Trump acknowledge that this was not ideal. Right. Because that's not his normal style.
Adam Boileau
No, no, you have to. You have to really screw up before. Before you get that out of him.
Patrick Gray
But again, you know, again, the issue here is that this isn't going to be the only group chat. You wonder what else they're doing and you wonder what the security of the endpoints where this stuff is winding up is, and they need to rein it in, they definitely need to rein it in. And then there's the record keeping stuff and yeah, just top to bottom, a bit of a cluster, as they say. And just, you know, in the same theme, we spoke previously about some of this DOGE stuff and how it was a data governance concern because we weren't sure if people were being careful and whatnot. And this sort of feeds into all of that, as does this next story. Lily Hay Newman has it for Wired. Apparently figures at the White House are like slapping starlink dishes on the roof to like boost the WI fi on the White House campus. And again, probably not ideal.
Adam Boileau
No, certainly not ideal from a, you know, kind of like it's just shadow it, right? And shadow it. Any workplace, workplace is going to cause you trouble. And doing this in the White House seems extra dumb, especially when, you know, the point of starlink is to service regions where you have not great coverage. And clearly, you know, both mobile and wired network coverage in the White House is probably pretty good. Like their WI fi might be crap, which, you know, we've seen a few people complain that that is the case. But like, I think one thing I thought was funny was it's not like the dishes are on the roof at the White House. They're at the White House data center. And then they run it over fiber to the actual White House.
Patrick Gray
Which this doesn't make any sense.
Adam Boileau
It doesn't make. It just smells like Elon and Trump going, yeah, let Elon do whatever the hell he wants. And now there's a, you know, Starlink terminal serving the White House. But yeah, it just seems a little bit bonkers. And again, there must be so many aggravated people that work so hard, you know, on doing these things like both procurement and technical installation and so on and so forth in the right way. And then you see this and it's just, you know, kind of an affront.
Patrick Gray
This one, this one, this one is like, it's not the end of the world, right? Because WI fi, it's all unclass, whatever, right? Like it's not ideal, but it's not the end of the world. And it's kind of weird. Whereas that previous story we're talking about is like, oh my God, what are you doing? This is, this is, you know, critically dumb. So yeah, just. But they both come from the same place, which is to sort of throw convention out the window and just do it the easy way and, you know, move fast and break things. Right? This is a move fast and break things government. And you know, that's what all of that looks like. All right, so we're going to move on to other news and we've got an update here about the GitHub action supply chain attack that we spoke about last week. So new stuff has come to light. Like, you know, you and I. Absolutely not GitHub experts, right? And we were sort of speculating a bit last week about like GitHub Actions and like what they can actually do. Since then I've had listeners write to me and say, look, they're just glorified bash scripts, right? If, if the attackers wanted to, they could have absolutely exfiltrated this information. They did not need to write it into build logs as they were. I've had other people write to me and say that we missed it because no one was going to notice this information in the, in the build logs in the first place. So it was pretty smart. I'd counter that by saying, well, obviously someone did notice, which is how we know about all of this, what there is to update here. For those who missed it, it just meant that someone backdoored essentially a popular GitHub action which when they used it would scrape the memory of their build server for tokens and sensitive stuff. They would base 64, encode it and crap it out into the build log, which would be public for public projects, so the attacker could come back and then obtain that secret material. So the update is that it looks like only a couple of hundred projects were affected because I think maybe only a couple of hundred ran that build log and it looks like this was part of a supply chain attack that previously was targeting coinbase, which is interesting. So it looks like maybe, maybe crypto thief type stuff here.
Adam Boileau
Yeah, yeah, it does feel that way. We've seen the thread kind of pulled as to how people got access to the action. So it looked like there was another upstream action that itself got compromised and then access token for that was used to write into the, the one that we were talking about last week. But yeah, the. Some of the changes early on in this process as once we've started to see the whole timeline did look like it was specifically targeting an integration toolkit for like AI and blockchain that coinbase work on. And that was what they were actually trying to achieve. And it looks like they did in fact get tokens out of that particular project, whether or not those tokens were useful. Most of the tokens apparently were like time limited ones used by the build process that stopped being valid after it finished. But yeah, it looks like smaller scale than we thought, but not 100% sure whether it then resulted in them getting towards the target that they were going for, which was this code base from Coinbase.
Patrick Gray
Yeah. So it looks like this is essentially something that got caught in time. Pretty clever stuff, though. And it just has to be repeated. That crypto, you know, cryptocurrencies have done a lot for the state of. Of attacks. Right. Of the type of attacks that we see in. In public, because, you know, they're always interesting, right. You've got supply chain attacks, you've got. I mean, the. What was it? The Bybit thing was just fascinating. Like. Yeah. I mean, can you imagine going up against adversaries who do this? Like they're really clever.
Adam Boileau
Yeah, yeah, absolutely. That's great motivation. And you know, there's also the aspect that we get to see more of these attacks because of the publicity of the blockchain. Right. When it finally gets to action on objectives of stealing crypto, we then get to pull the thread backwards to see how it worked, whereas in so many other attacks we don't really have a way to pull that thread and see, you know, what this tradecraft looked like and how the targeting worked. And so it's. Yeah, it's kind of, you know, of all of the dumb things that crypto has done for us, you know, the way that it has pushed both the state of the art of attacking and also unraveling attacks forward, I think is. It's good for us.
Patrick Gray
It certainly is. I mean, it's. Yeah, it's like I find myself most stimulated by reading the incident reports on this stuff. You know, it keeps life interesting. We've been doing this a long time, right. So we got to say, like, you know, keep it going, keep going.
Adam Boileau
I mean, LulzSec was more fun, but this is still good.
Patrick Gray
Yeah, yeah. Well, this is better hacking, right. LulzSec was SQL Map and Jake Davis writing. Funny. Yes.
Adam Boileau
Better comedy.
Patrick Gray
Better comedy. That's true. All right, so now we're going to talk about a bunch of CVEs, like a bug chain in something called Ingress NGINX controller for Kubernetes. And it's rare for us to, you know, although not so much lately. We've been talking about a few bugs lately in the, in the news segment. Quite close to the top because there have been some doozies, but this is a terrible bug chain with like near 10 out of 10 CVSS, which is going to impact thousands, thousands of Kubernetes clusters around the world that are attached to The Internet and vulnerable to this. Walk us through it, because this is bad.
Adam Boileau
It is, it is. So researchers from Wiz pulled together this bug chain. I don't think they've seen it in the wild. I think this was, was independent research. And so Kubernetes is a kind of a cloud orchestration system where you have a bunch of compute that you want to run jobs on. And then Kubernetes lets you orchestrate all of the involved computer, the network connections and the kind of plumbing in and out. And Kubernetes is a big jumble of components. And you can kind of pick and choose which components you use to build your particular instance of a cluster. One of the bits of functionality is kind of for setting up paths into the cluster from the outside. So if you want to expose a web server running inside your application, running inside your cluster to the outside, there's a way of kind of plumbing it through from the network edge into the middle of the virtual compute. And the nginx ingress controller is one piece of software that you can use to kind of do a part of that process. And it uses the NGINX reverse proxy to kind of implement this network plumbing. So what they found was that when you are deploying this configuration into your cluster, there is a process by which this nginx controller will kind of validate the configuration. The overall plumbing generates configuration files to be fed to nginx so that NGINX can implement the network plumbing it needs. And that process of testing configurations you could inject into that configuration file that's being built and leverage behavior of NGINX to do things that the attacker wants to do. And through all of this, what Wiz did was they basically found a way to write files to disk, like by starting a file upload and then not finishing it.
Patrick Gray
So hang on, is this all pre auth?
Adam Boileau
So in this case, yes, this is pre auth. So I don't know that it needs to be pre auth, but you could reach the ingress controller pre auth in the common configuration. So they would do a file upload and then they would submit a configuration for testing that would load an external module. So a shared object file on Unix, DLL and Windows, but in this case a shared object file that lets you run arbitrary code. So by the power of kind of a midway through file upload and then being able to inject into the configuration file, they leverage that upwards into arbitrary codexec. So this is in the wrap up CVSS 9.8 codexec in a privileged spot in your Kubernetes environment. And because of the privilege that these ingress controllers need, it's roughly equivalent to having full access to the cluster. You can steal enough tokens to go onwards to great victory. And so yeah, this is a good bug. The Wiz researchers do point out that you could probably exploit this via server side request forgery or any other mechanism you can use to kind of make a web request from inside the cluster. So the remote unauthor from the Internet avenue to do this is one, but also anywhere where you can kind of originate a web request inside the cluster, which, let's face it, is pretty damn common.
Patrick Gray
Yeah, yeah, yeah.
Adam Boileau
At that point you need more than just an edge network controller.
Patrick Gray
Well, no one's doing the right sort of filtering on those sort of requests, right, to stop them rattling around inside.
Adam Boileau
So no, it's just, you know, Kubernetes is so complicated, like all of those kind of cloud in a box sorts of things are really complicated and mapping the network flows inside them is complicated. And yeah, yeah.
Patrick Gray
Now it looks like there's been some sort of data breach at Oracle Cloud affecting something like 6 million records from 140,000 tenants. Oracle came out and said, no, this is all nonsense. And then the researchers at Cloud Sec who were talking about this brought some receipts.
Adam Boileau
Yeah, this is not great. It looks like someone had some kind of either codexec or file read on the SSO system for Oracle's cloud edge. I don't really know how Oracle is claiming that this wasn't a data breach of some sort. But the researchers at CloudSec correlated the data they had with some tenants with public records of those tenants URLs and indeed found some people who could confirm that those were the correct credentials. So the attackers appear to have got like Java Keystore files and other kind of credential material from the SSO system. And that's just not good because, you know, there's like thousands of customers and you know, I don't know how many, how many important things are on Oracle's cloud. I don't know if TikTok's there yet, LOL. But yeah, it's, it's just not good.
Patrick Gray
Yeah, I think that's a, that's a decent summary. Not good. And speaking of attacks targeted towards major cloud platforms, Paige Thompson, who was the Capital One hacker and the reason I mentioned this as a cloud thing is because she was abusing the AWS metadata service, right, like an old version to do this attack, you know, when she was sentenced to time served and Five years probation. We even said at the time that we were really surprised that that sentence was handed down. Right. That it was so lenient. And a Federals appeals court has now overruled that sentence and it looks like she's off for re sentencing. So, yeah, probably not a great time to be Paige Thompson.
Adam Boileau
Yeah, yeah, I mean, I imagine, you know, it probably isn't a great time any point in the last couple of years, because this has certainly been a mess. But, yeah, I mean, I mean, on the one hand, you know, you feel for being transgender in the US Full stop at the moment, let alone going through the courts and through the, you know, incarceration system like this. But at the same time, you know, she was kind of gloating about this and encouraging people to hack the customers and stuff. So I can kind of see, you know, you can kind of see both sides of the, of the decision here. So, yeah, we'll see what the recentencing looks like.
Patrick Gray
Yeah, the original judge in 2022 said the hack wasn't done in a malicious manner and that Thompson was tormented about her activities. You know, noted that she's transgender, autistic and had suffered trauma. So I think, you know, the judge, I think by the looks of things, just felt for her. But, yeah, it could be. This is. It's. I'm probably expecting some prison time there. Let's see. Yeah. Now this is an interesting one. U.S. treasury. U.S. treasury has dropped its sanctions on Tornado Cash. Now, Tornado Cash, of course, is a cryptocurrency mixing service which runs without. It runs on the blockchain. No one's really controlling it anymore, but it is subject to sanctions, so you're not allowed to interact with it. Basically, you will fall afoul of US Sanctions interacting with it. The people who actually created Tornado Cash and who receive profits from people putting money through it have all been charged with various money laundering offences. But it looks like what's happened is some people who use Tornado Cash filed a suit to challenge the sanctions and it was backed by. The lawsuit was backed by one of the cryptocurrency exchanges. I can't remember which one, but it looks like they succeeded. And the courts decided that treasury had overstepped its authority in sanctioning Tornado Cash because it's not actually being operated by a foreign hostile government. Right. So they said, no, you can't sanction it. Looks like treasury has looked at the ruling, done its own analysis, and maybe not going to appeal this because they've actually removed the sanctions. So good news, if You're a North Korean money launderer.
Adam Boileau
Yeah. I mean, you can kind of see why the technicalities of this are a little fiddly. But at the same time, the outcome, which is apparently it's fine to just use Tornado Cash to launder your crypto if you're DPRK or anyone else. I guess the DPRK entities are still sanctioned in many cases, but yeah, in general, the fact that you could just money launder with it doesn't seem like a great outcome.
Patrick Gray
Money laundering is okay now.
Adam Boileau
Yes.
Patrick Gray
The charges, though, against the people who started tornado cash, they have not been dropped. Right. And we'll see. I mean, I'm guessing their lawyers are going to be all over this and they're going to try to see if they can turn this into a break for their clients. But, yeah, I wouldn't hold my breath necessarily if I were them. Now, what's going on with Cloudflare in Russia? Because it looks like Cloudflare got temporarily blocked and that this may have been a warning shot from the Kremlin.
Adam Boileau
Yes. So they got added to a list of services that weren't complying with Russia's rules about, you know, local data retention and deception and then so on. And being added to that list doesn't necessarily mean that you're automatically blocked. But clearly someone at Roscomm, Nadz or whatever else decided that they were going to go implement it. There's quite a lot of Russian customers for Cloudflare, both international properties, but also domestic stuff. And some of the Russian Internet commentariat has been suggesting that this might be a warning shot to discourage local customers and to encourage them to use alternative Russian equivalent DDoS protection or, you know, front end services like Cloudflare. Obviously, Cloudflare is not going to comply with Russia's rules for storing data domestically and handing them over to the Russian government. So, you know, clearly if you are a Russian user of it, probably it is time that you got off that platform.
Patrick Gray
Yeah. It'd be interesting to see if people actually do though, right?
Adam Boileau
Well, yeah, I mean, because, you know, Cloudflare has, you know, they're quite a. They're quite good at what they do. And hiding in the morass of other Cloudflare customers is part of the, part of the point of that, you know.
Patrick Gray
You can strengthen numbers. Right. Like you can't down at all. You know, that's the whole point. Right. So I'll be, I'm just curious to see if the Russian government can make this happen. I would be actually kind of Surprised if they can get everyone off Cloudflare without having to cause major disruption and do perhaps a longer. A longer block. Now we've got a great one here, Great bit of research from Binally, I guess that's, you know, I guess you would pronounce it like binary binaly where they found a uefi like keymat leak basically. Walk us through this one.
Adam Boileau
Yes. So they identified on a forum somewhere that someone was posting about, hey guys, it looks like this private key material in this bios, can we use it to make a BIOS that loads coreboot which is like an open source alternative BIOS implementation. So by now we went and looked at it and it turns out that there's a vendor called Clevo or Clevo who make kind of bare bones laptops, I guess, so laptop chassis which are then reused by a whole bunch of other manufacturers to sell their laptop. So if you buy a like gigabyte branded laptop, what you're actually buying is a Clevo manufactured device that the actual model number and specs have been then added on by gigabyte. And so Klevo provide the underlying BIOS for these systems and it looks like when they zipped up this particular BIOS update, they just left the private key files in the zip. So that's not great. So Binali went and looked through their archive of biocs and various things and figured out which actual systems matched the public and private keys that were stored in those things and identified something like, you know, 15 firmware images corresponding to 10 laptops, mostly gigabyte devices that, you know, match the key material. So yay, that's good, I guess.
Patrick Gray
I mean, it's great for the SIGINT operators who are listening to this who want to get some real, real persistence on a gigabyte branded laptop.
Adam Boileau
I mean, well, exactly, yes, yeah. And the open source hippies who want to run their own BIOS and so on and so forth. But yeah, it just underscores the complexity of managing, you know, hardware anchored trust routes in the open ecosystem, that is PC hardware versus a closed environment like, you know, Apple or Cisco hardware or whatever else.
Patrick Gray
Yeah, yeah. Now we've got a report here from cyberscoop. This one's done the rounds at a whole bunch of outlets. I think it was, was it Citizen Lab who did this report? Yeah, it was Citizen Lab looked at, you know, Paragon spyware, right. To try to identify more countries that were actually using it. And it looks like they found it in Australia, Canada, Cyprus, Denmark, Israel and Singapore. I Actually got a message from an Australian journalist. Like a. Not cybersecurity journalist. Hi. If you're listening, I won't. I won't name you, but, yeah, they were asking me, like, oh, what do you think about Australia being a customer of Paragon? And I just thought, well, you got to get your spyware from somewhere, right? Like, this is a major player that seemed to respond well. When it was, you know, revealed that the Italians had been abusing it, they immediately ceased any contracts with Italy. I just sort of feel like, you know, it's great to have this sort of information on the record, but. But as an Australian, I'm not particularly worried that Australia is a customer of Paragon, given the way that this stuff is used in Australia. It's overseen pretty heavily. Like, the oversight is good, the court oversight is good, the government oversight is good. So I don't know that there's much to say here.
Adam Boileau
Yeah, I mean, I think I went and read the actual research out of Citizen's Lab, and the way they did this was by looking at trying to build fingerprints for some of the devices involved. And like many of these spyware systems, there's kind of a couple of keys, tiers of servers that handle the initial contact and then subsequent Spira installation. And so they kind of looked for SSL certificate fingerprints and other kind of fingerprinting aspects and pulled those threads combined with historical records over time to try and identify where these systems were and then tie that back to address ranges and customers. And one of the more concrete ones they found was links back to the Ontario Provisional Police in Canada, for example. But, you know, overall, this is still kind of suggestions rather than it being like direct links or direct evidence, but still, I mean, it's really solid research and the sort of thing that Citizen Lab is well equipped to do. But I mean, as you say, like, other than, you know, telling your Aussie journal mates that maybe the Australian government should buy local, you know, spyware instead of imported foreign stuff. But, yeah, I mean, you know, as you say, it's got to come from somewhere if they want to have that capability. And better they buy it off the shelf than spend way more money trying to develop this capability badly in house.
Patrick Gray
Yeah. And I think, you know, from everything that we've seen, we just don't have any sort of concerns around the abuse of this stuff here. Like, famously, when Gamma Group got hacked and all of their help desk tickets wound up being leaked, I think the funniest thing that happened there was, was the tickets from the Australian authorities Were all about like them getting mad with Gamma Group who made, what was it, Finfish or Fin Spy or whatever. It was getting mad at them because they couldn't do as granular filtering as they would like to exclude intercepting material from their targets, like talking to their lawyers and stuff like that. So that was the stuff that they were lodging tickets over was like, we need to better comply with the warrants that we've been given by the courts to do this action. Which was really reassuring seeing I think it was New South Wales Police actually lodging those tickets, saying, come on, you got to, you got to help us to do better exclusions here because we don't want to get in trouble with the court. And that's the way it should be. Yeah. Speaking of Citizen Lab, they've got a great Q and A with the founder Ron Deibert and it's, it really just does go into how they do a lot of this research and you know, what their day to day process is for trying to look at, you know, spyware samples and examine the infrastructure and do attributions and whatnot. It was, It's a really good Q.
Adam Boileau
And A. Yeah, no, it's a good, it's a good interview. I think Ron Deibert is out there promoting a book that he's written, released earlier on this year, talking about kind of, you know, how Citizen Lab came to be and the work that they do. And you know, it's kind of interesting because I hadn't really, you know, I'd never really thought about the history of Citizen Lab, like how they came to be where they are. And now the, the two kind of original guys work together to, to do what they're doing. So yeah, definitely. Good interview. I haven't read the book yet, but I've added it to my list of things to read.
Patrick Gray
There you go. And that one was done by Susan Smelley, Suzanne Smelley, I'm sorry, over at the Record. And yeah, nice work because that was a really good Q and A. Now we've got a report here, another one from the Record. John Greig has reported that the Malaysian Prime Minister had just rejected a ransom demand when there was a ransomware attack against the major airport in Malaysia. It's nice to see. I mean he had some pretty strong comments. Just saying what, there's no way this country will be safe if its leaders and system allow us to bow to ultimatums by criminals and traitors, be it from inside or outside the country. I think that's fair enough, but I also think there's situations where there's no other choice. Thankfully, it doesn't look like this was one of them, although looks like they were like, doing a lot of stuff at that airport on, like, whiteboards and whatnot, just to keep going.
Adam Boileau
Yeah, yeah. I mean, you know, there are alternatives, but that alternative is some guy who has to stand in front of a whiteboard constantly writing flight information all day long and his hand must be very sore at the end of the day. Catalan has actually has a picture of the whiteboard in question in today's Risky bulletin. So if you want to see it, you can click through and have a look at that because. Yeah, it's. I feel, I feel bad for that guy.
Patrick Gray
Yeah. We've also seen a major hack at NYU New York University. Someone obtained data on millions of students there and, you know, claimed to be posting the data to prove that NYU was doing admissions that favored black people and Hispanics last year in contravention of a Supreme Court ruling that essentially ended affirmative action in the United States. So the group has a racist name as well. So, yeah. Ew, yuck. And meanwhile in Perth too, I mean, it's a, it's a small university, I guess, in the grand scheme of things, but Notre Dame University in Perth has been going through an incident that is just causing like, all sorts of drama for the students and staff. So I've linked through to that one in the show notes. And finally, Adam, we're going to end on this story. A number of outlets are reporting on it, but we've linked through to the 404Media report on it by Jason Cobler, which is 23andMe has filed for bankruptcy protection and is, you know, selling itself, trying to find a buyer, a new home for the company, which means the DNA information of 15 million people is now up for grabs, which is a very 2025 dystopian, cyberpunk future sort of thing to wrap your head around.
Adam Boileau
Yeah, yeah, it really is. I mean, and like, you know, it's one thing to lose your privacy, one thing to lose your password, but losing your genetic information. Like, what are you supposed to do? Like, go, go change your genes at a gene editing clinic that's probably also going to get hacked. But yeah, a very cyberpunk, unfortunately. And I guess, yeah, if the advice that the California Attorney General was saying is, like, if you have used 23andMe and you still have your account credentials, log in and ask them to delete it now while you still can. Because once they've sold it, then who knows what it's going to be used for. And we have seen other companies that have collected genetic information that have subsequently sold the data and we've seen it being used for other things that were not intended.
H.D. Moore
Well, I mean, I think one of.
Patrick Gray
The points though here is that it doesn't matter if you've been a customer. I mean, anyone who's related to you and I, you know what I mean, if they've done it, I mean, that is a degree of exposure. I think it's very interesting to see that these services have been used for crime fighting as well. And, you know, really hard to blame the cops for taking DNA samples and just sending them in to 23andMe to see if they get any matches, which is what they've done previously. But yeah, it's, it's, it's kind of nuts, right, that that store of data is just going to wind up who knows where. Could be private equity. Can it be sold to a foreign party? I don't even know what the data regulations on that are, you know.
Adam Boileau
Yeah, I mean there was a, one of the other companies that previously got sold, got sold to the Dutch. I don't know if they were originally a Dutch company or where it came from. But yeah, like it's just deeply cyberpunk and, you know, past me wants to be here for the cyberpunk future because, you know, I read a lot of books as a kid, as a teenager about what that future would look like, but actually living it, I don't know that I'm that keen on it now.
Patrick Gray
Gotta watch the Dutch, mate. Got to watch the Dutch. All right, we're going to wrap it up there. Adam Boileau, thank you so much for joining me on the show to talk through all of that. Always a pleasure. And we'll do it all again next week.
Adam Boileau
Yeah, thanks very much, Pat. I will talk to you then.
Patrick Gray
That was Adam Boileau with a run through of the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now with HD Moore, who is a founder, one of the founders of Run Zero, which is an asset discovery platform, I guess you'd call it. You can throw it at an IP range and it will find your devices. It does it in a very intelligent way. It can even find stuff that you wouldn't expect it to because it's full of hd, more tricks. You can give it creds to your cloud environment and it can go and scan from the inside of your cloud environment and find, you know, take an Inventory basically of everything that you're running now. One thing that HD has been working on and Run Zero is pushing a new release which does this, is using Run Zero as a vulnerability scanner basically. And this kind of surprised me because vulnerability scanning, vulnerability management, it's such a mature market, it's one of the oldest sort of product types in cyber security. But as you're going to hear, HD thinks that the majors have kind of atrophied a bit, especially in that, you know, especially when it comes to the capability of being able to point a scanner at like an IP range or at an environment and getting it to bring back information. He says it's all gone to like, you know, crowdstrike, checking, you know, file hashes on an endpoint to figure out versions of software or doing authenticated scans or whatever, which is why nobody seems to know or find out when they have a vulnerable fortinet at the edge of their network. Right. So he's taken Run Zero and given it a vulnerability scanning capability which finds high impact stuff that people really need to deal with pronto. So here is hdmore talking about that now.
Jeffrey Goldberg
What we're seeing is all the legacy solutions out there are either reporting irrelevant vulnerabilities or not reporting the ones that are actually critical that'll get you out. So we're taking all the same discovery information, asset information inference we're doing on the fingerprinting side and using that to identify what is the most likely route of compromise in your organization and bubbling that to the top without just filtering someone else's list of poorly chosen vulnerabilities.
H.D. Moore
But I mean, isn't that what vuln scanners are supposed to do?
Jeffrey Goldberg
They're supposed to do that, but they haven't been doing it in a long time. I mean, the challenges are folks doing agent based vuln scanning are missing the entire network context and folks who are doing authenticated based vulnerability scanning are now missing all the vulnerabilities and exposure on their IoT and unmanaged assets. So either way you're really not getting the, you know, you're not really getting what you're paying for. And if you look at what vulnerabilities are being used to exploit, you know, in conference organizations more often, half the time these things don't even have CVEs or they don't have a CVE until three weeks afterwards.
Patrick Gray
Yeah, right.
H.D. Moore
So what, they're not even scanning for stuff unless it has a CVE or it's in NIST or whatever.
Jeffrey Goldberg
Yeah, there's some agent Based on scanning right now only reports software with CVEs, so by definition you're not going to get coverage for that until it's probably too late.
H.D. Moore
I mean, this is the way though, like what you're describing, Run Zero does. I mean this is the way vuln scanners used to work. You would essentially give them an IP range and say go. And I understand that, you know, IP ranges these days are less useful because we've got so much stuff in the cloud and so on and so on. But that's what they used to do.
Patrick Gray
They used to go out there and.
H.D. Moore
Actually find stuff, scan it, probe it and then figure out, you know, what vulnerable stuff was running. You're telling me now that it's all authenticated scans and endpoint stuff and no one's really doing that.
Jeffrey Goldberg
There's a tiny, tiny fraction of coverage that's being pushed out by all the main vendors that's unauthenticated to remote. And it's such a small portion, it's almost relevant to the number of checks overall. Also keep in mind there's something like 260, something,000 CVEs out there and even the best vulnerability scanners only cover about half of that. And if you look at the ones that cover exploitable software, they cover such a small portion of the exploit covered vulnerabilities. It's also kind of a crime. Like if you look at what's the coverage of nexpos versus Metasploit, for example, there's still not a perfect overlap. You still have vulnerabilities that there's an exploit for metasploit or there's no coverage in any major von scan.
H.D. Moore
How are people finding bugs in their palos and their fortinets and stuff right now? Like how is that process supposed to work when these scanners aren't really doing that job anymore?
Jeffrey Goldberg
That's a good question. I mean, what's happening now is you hear about in the news and you hope you get ahead of it before someone compromises your box. And then a week and a half later Palo Alto gives you a patch and you hope that over the weekend in between you weren't compromised and digging out Chinese IOCs. So it's kind of like the way of the world right now. We're seeing exploits moving so fast, by the time you hear about it, it's almost too late. So what we try to do at Run Zero is help you identify where that technology exists and get ahead of it as quick as you can. So it's not A question of, is my Palo Alto on patch? Of course it is. The bug just came out an hour ago. Where is your Palo Alto? Where is it exposed? Do you know where your backup appliances are? What mitigating controls do you have in place?
H.D. Moore
You know, we were talking before we got recording and I mentioned that, like in the early days of Risky Business, sort of, you know, 2007-20, 2010 timeframe, the way, the way that I ran this business is I would just have four sponsors every year, right? And I would sell 25% of the sponsorships to like, you know, four companies. And one of them was tenable. And this is when tenable, I think when they first sponsored, they had like 20 people and, you know, they would provide, you know, great content and whatever. And it was, yeah, all very wonderful. And then at some point, I think what they listed and then the founders left and it just turned into a very different type of business, right? It turned into a very sort of normal business, less of a, you know, people who care about security style of business. No offense to the, you know, I'm sure wonderful people who remain at tenable, but it seemed like the innovation kind of stopped there for a while. Do you think that, you know, the atrophy in capabilities in vuln scanning is, is sort of part of that mature product category syndrome? Is that kind of how we got.
Patrick Gray
Here, do you think?
Jeffrey Goldberg
A little bit. I mean, if you were being asked to grow, you know, 10 to 30% per year every year, after you've been around for 20 years, you need to go find another category and you go find something else to expand your business into. You don't want to make what you currently have better. What's happened though, instead is we've taken the eye off the ball for so long in mobile management that you have entire companies and even small industries coming out that all they do is filter the crap you get from one vendor and give you a smaller crap pile of crap to go address. And half the time they're starting off with the wrong set of vulnerabilities in the first place. So, example would be you've got to expose Mongo database on the network, no credentials. Your vuln scanner doesn't even report that. Your vuln scanner says, oh, I detected Mongo protocol, but that's it. And so you're filtering through all your vulnerabilities. You're only looking at ones that are high critical, that never pops the top at all because it's not something that's even on the radar as a higher Critical cve. And now at the same time, you now have your database open to the world and no one telling you about it. So our model of kind of doing authenticated coverage and software based vulnerability coverage and then passing through as many filters as we can to get the workload down has just resulted in us doing all the wrong things and missing the more important bones.
H.D. Moore
So when you run these types of scans against your customer base, what sort of stuff is falling out? And of that, what's the subset that people are being surprised by when they see it actually come out? They're like, oh my God.
Jeffrey Goldberg
Yeah, we do some crazy stuff. So we're trying not to add like a million different bone checks and hit 1000 URLs in every web server in your network, things like that. A lot of what we're doing today is taking the already amazing fingerprinting we have in run zero and then turning that into vulnerability inference. So we can say because you're running this version of this thing, therefore you've got these vulnerabilities and we can prove it because of these things as opposed to have to go through and do a secondary check to say, are you vulnerable to X, Y and Z? So we're able to go through and identify problems based on what we know about the asset. If it's an end of life asset, we know that it's got a bunch of vulnerabilities. And because there haven't been any patches of that asset since the firmware is last released, some of the ones we find that really interesting we've chatted about before on the show, which are our inside out tax, risk management. We can identify the unique cryptographic fingerprint of an internal remote desktop server and then scrape the entire Internet looking for anything that smells like it and say, hey, this device internally is actually, actually exposed over here on a cellular link and you had no idea it was out there. So you're able to do some really neat things by combining the outside in data with the inside out, scanning data through a unique correlation between those assets.
H.D. Moore
I mean, what's interesting here is like, you know, this is the modern twist on the old school approach, right? Where you know, I'm thinking back like a million years ago when if you wanted to look at a network, you know, first thing you do, you'd end map it, right? You might throw NESSUS at an IP range or whatever. If you found any web servers, you wouldn't even use nessus. Then you'd use something like nikto. Does NIKTO exist anymore? Probably not.
Patrick Gray
Right.
H.D. Moore
Surely not.
Jeffrey Goldberg
Nikto still does it actually. Still finds things. A lot of commercial phone scanners don't find things.
H.D. Moore
Amazing. Right. So, yeah, you'd throw Nikto at a web server and whatever, and you'd, you know, you'd sort of see what came, what comes back.
Patrick Gray
Yeah.
H.D. Moore
I'm just sort of surprised that the whole thing's atrophied at the. To the extent that it has. And I'm guessing it's because volume management is such a huge compliance issue that people just have to spend money on it and tick the box and, you know, I guess. I guess that's where we are. Right.
Jeffrey Goldberg
Arguably, the market stopped rewarding innovation. Right. The. The more vulnerability is your product found, the less your customers liked you because you made them look bad. Like, if you're succeeding at building a great vuln discovery platform, your customers will have a worse score every time you put an update out because you're finding more problems. Right. And customers hate that. So I was in that kind of predicament early on in my career where we were doing vulnerability checks specific to credit unions, and every time we found a new vulnerability in an online banking system, our customers would, you know, raise bloody murder. Because we gave them all critical risk scores and we're like, yes, go to Jack Henry, get your stuff fixed. But they didn't like the fact that made them look bad, even though it was accurate.
Patrick Gray
Yeah.
H.D. Moore
I remember once a friend of mine did a pen test on a online banking platform and found a bug, like the worst type of bug that would allow you to log in as anyone, transfer money around, whatever, and then, you know, had to give them the devastating news that it was a carryover bug and it affected their live environment as it was that day, because this was. They were testing the new platform before it was deployed, and the project manager was absolutely thrilled that it affected the existing platform because it did not affect their go live for the new one. So, you know, just a. Just an interesting story about incentives in security.
Patrick Gray
Now, you gave us a, you know.
H.D. Moore
A bit of a rundown of the sort of stuff it finds and, you know, how it finds them. But I'm guessing you've put this in beta for a little while now, and, you know, some of your customers have used it, like, what. What are the things they're finding that have surprised them?
Patrick Gray
Right?
H.D. Moore
Because I imagine a lot of it, they're like, yeah, okay, we expected to see that. But are there some categories that are.
Patrick Gray
Popping up where they're just like, oh.
H.D. Moore
My God, you know, they didn't expect that. Like, what are the unknown unknowns now?
Jeffrey Goldberg
The ones I think have surprised people are like, when we look at an asset and look at the vulnerabilities that are run zero, we're not just saying in this is this asset all by itself. We're looking at that asset in the context of all this neighbors and friends and connectivity, everything else like that. So one thing we look for is like shared crypto keys. If you've got a machine using the same remote desktop TLS cert as another one in the same network, or the same SH host key, or the same TLS cert and some other service, oftentimes that points to the machine being cloned and they're like, oh, I didn't realize we cloned our gold machines crypto key a thousand times and deployed it everywhere. Not only is that machine externally visible, but it's also across our internal system. So you find these kind of like weird, unexpected trust of things like shared crypto keys. And that's been a fun one. The other one we find a lot of are just unauthenticated services stuff just hanging on the wind, like ETCD Zookeeper. All these devopsy tools that are configuration databases are attached to all these new school virtual appliances shipped by vendors and exposed directly to the network and no one really scans them very well. The scanners don't cover them very well. No one's doing on device scanning because these things are better managed appliances and they leak your crypto keys, they leak your secrets, leak your API keys all over the place. So between the unexpected configuration databases and other sorts of like data stores being open to the world and vulnerabilities are only identifiable because they're present on more because there's an attribute that's shared across more than one host. Those tend to be the biggest source of surprises with our new capabilities.
H.D. Moore
Now, it's interesting too that you were talking about like authenticated scans as being kind of like the devil's work these days.
Patrick Gray
Right.
H.D. Moore
And to a degree I certainly agree with you. But you're kind of doing the same thing, but in cloud environments as well.
Patrick Gray
Right.
H.D. Moore
Like you are doing authenticated checks into cloud environments. How's your approach there different to the incumbents?
Patrick Gray
Right.
H.D. Moore
Because I'm guessing that you're not just sitting there trying to spin up scripts that check files.
Patrick Gray
Right.
H.D. Moore
Like, it's a bit of a different process.
Jeffrey Goldberg
Yeah. If you look at like traditional CSPMs, what they care about is like enumerating all your stuff, trying to figure out what configuration problems you have saying you've got this problem. We try to do it both ways. You try to both grab all your data from your cloud, backend your inventory, bring it all together and then actively go scan it and say what's actually reachable. We don't have to trust that your security groups actually look like what we think they look like. We'll actually go try to send it back and see if we can get to it. And that's kind of the big difference. It's like not just, oh, it looks.
H.D. Moore
Right, it's like, well, it is a big difference because if there's a misconfiguration that you're not checking for, it will manifest itself when you actually go, when the rubber hits the road and you actually try to reach something and you can, I mean, well, obviously something's wrong with the configuration.
Jeffrey Goldberg
Yeah, and we see wild stuff. A really common problem we see is companies will set up internal VPNs into an AWS VPC from the corporate network and they'll screw up the apples completely. And so you can have everybody in AWS now shelling into internal machines or vice versa. Right. So it depends on how it's configured, but we find a lot of misconfigurations of VPNs, especially from cloud to cloud and hyperscale.
H.D. Moore
Now look, one thing I wanted to get your thoughts on is, you know, I even work with a sponsor here, Nucleus Security, and I know that you plug into them as well. Right.
Patrick Gray
And what they do is they take.
H.D. Moore
The output of vulnerability scanners and you know, sort of normalize them and whatever so that you can get a bit, you know, a pretty sensible idea of what your vulnerability, of what the vulnerabilities in your environment actually look like. But you know, the issue is this is a company that would only. That only exists because the amount of data that comes out of these things is overwhelming. Like, are you a bit concerned that people are going to be like, well this is the last thing I need is like more vulnerability information. Like what have you done to sort of get around that?
Jeffrey Goldberg
Yeah, absolutely. There's two things we do. One is when we import data from, let's say like a Tenable or Qualys or another platform, we actually want to import the information level and the low level vulnerabilities. We don't necessarily like the high end critical. Those are great. But what a lot of folks do is they just ignore all the low end infos. But that's actually where all the best information is. If you're trying to Figure out, does the device run this service, is this protocol running, is this database installed? Those don't show up in critical vulnerabilities unless there's something even further wrong with it. We just want to know if they're there at all. So we parse all the information level vulnerabilities from those products to figure out whether there's something useful we can tell the customer. Second, when we report a vulnerability natively in the product, we don't just put it on one big phone list, say, here you go. Now we've actually done a new overlay on top of what we call findings. So we'll take a finding which is you've got misconfigured databases or you've got internal management services exposed to Internet. We put them all into one big category, put one big number on and say this is the thing to go fix as opposed to each individual sub issue behind that. So instead of getting a list of a thousand vulnerabilities with varying severities, you get a list of like five or ten. So you're trying to come up with a. Instead of starting off by just overwhelming the user with a flood of vulnerability alerts, we want to kind of like pre filter at the down into something that actually is relevant and matters to them, that is easy to action by, you know, per. Per exposure.
H.D. Moore
Yeah, makes sense. So final question. Are you finding that people who are wanting to buy this and use it, I'm guessing they're using it as a, as an additional component of their vul management program. Right. Like they're not throwing stuff out to get this like on the vul management side. I know they are on the asset discovery side and you've been having real success there. Actually taking market from some very large companies, which is awesome. I say that as an options holder in the company, but in terms of like the volume scanning side, I'm guessing that because there's not really much in the market that does this at the moment, it's just additive.
Jeffrey Goldberg
Yes and no. So what we're finding right now is a lot of customers have chosen to buy VUL management from their EDR vendor. So if you're a customer of an EDR vendor and you give them X dollars more per year per endpoint, they'll say here's a list of vulnerabilities. But the vulnerabilities are only based on installed software. They tell you nothing about the network exposure of that asset. So oftentimes you have a company where all their windows endpoints are being covered by let's say Tenable and CrowdStrike. And now they're trying to figure out, well, I'm doing authenticated scans with tenable and I've got a crowdstrike agent. Do I really need both? And we're saying, well, you're probably getting the same information for both of them at that point. So let's say if you stopped paying tenable and instead you pay a lot less per asset to Run zero, we're going to tell you what all the network exposure are of all those assets and you'll still get the software inventory based vulnerability feed from CrowdStrike. So we feel like there's a better together there. In a lot of cases, either with us plus an EDR or in some cases US plus Vulnerable management. We also find cases where vault management has only been deployed to half of the company, either because it's too expensive or because it crashes half the stuff in the network. And those are also cases where if you're already rolling out some kind of agent based vault detection on where you can, you're not losing a lot by missing the unauthenticated scans business products have fallen so far behind. That's where Run zero can often do it. Cheaper, better, faster.
H.D. Moore
Yeah, awesome. All right, H.D. moore, always great to see you, my friend. And yeah, we'll catch you in the next one.
Patrick Gray
Thanks.
H.D. Moore
Thanks again.
Jeffrey Goldberg
Thanks, Pat.
Patrick Gray
That was HD Moore from Runzero there and you can find them@runzero.com r u n z e r o.com and yes, Americans, I said Zed. It's Zed, but that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more news and analysis for you all. But until then I've been Patrick Gray, thanks for listening.
Risky Business #785 – "Signal-gate is Actually as Bad as It Looks" Summary
Release Date: March 26, 2025
Host: Patrick Gray
Guest: H.D. Moore, Founder of Run Zero
Co-Host: Adam Boileau
In this episode of Risky Business, Patrick Gray delves into a series of pressing information security incidents, with a primary focus on the controversial misuse of the Signal messaging app by U.S. government officials. Co-host Adam Boileau joins the discussion, followed by an insightful interview with H.D. Moore, founder of Run Zero, who discusses advancements in vulnerability scanning.
[00:00 - 13:30]
The episode kicks off with a shocking revelation: senior U.S. government officials inadvertently used the Signal messaging app to plan military actions against the Houthi rebels in Yemen. In a critical misstep, they accidentally included Jeffrey Goldberg, the editor-in-chief of The Atlantic, in their group chat, leading to a significant security scandal.
Key Points:
Accidental Inclusion: Jeffrey Goldberg received top-secret war plans via Signal when Defense Secretary Pete Hegseth mistakenly added him to the group chat. Adam Boileau highlights the gravity of the situation, stating, “How on earth did this happen? The Trump administration accidentally texted me its war plans” [01:25].
Media Coverage: Major media outlets have focused not just on the accidental inclusion but also on the existence of such Signal groups, raising concerns about the prevalence of unauthorized Signal chats among government officials. Patrick Gray observes, “The coverage of this has basically been on the money from the major media outlets” [03:31].
Security Implications: The misuse of Signal underscores the vulnerability of endpoints. Personal devices used in these communications are prime targets for adversaries, especially Iranian-backed groups like the Houthis. Patrick Gray notes, “Because America's adversaries would have already been targeting those devices” [04:35].
Regulatory Concerns: The incident highlights the inadequacy of current government regulations regarding the use of messaging apps for sensitive communications. Patrick Gray suggests, “Government regulations around some of this stuff needs to change to just sort of better reflect reality” [04:35].
Notable Quotes:
Adam Boileau: “I mean, what is there to even say? It's been, it's actually been really fun kind of watching this unfold because it's such an understandable story.” [02:14]
Patrick Gray: “This would indicate that there's probably a lot of other Signal groups that we don't know about.” [03:31]
[06:11 - 13:30]
The discussion shifts to the broader implications of the Signal mishap, emphasizing the risks associated with using encrypted messaging apps for classified communications.
Key Points:
Endpoint Security Risks: The use of personal devices for official communications increases the attack surface. John Ratcliffe, Director of the CIA, has even installed Signal on his work computer, extending the vulnerability beyond mobile devices [06:11].
Operational Security (OPSEC): Adam Boileau emphasizes the importance of OPSEC, stating, “It's a good reminder for everybody about how OPSEC works and keep an eye on the group chat” [12:03].
Government Response: President Trump acknowledged the severity of the incident, stating, “Terminate the lines. That's not appropriate,” while also attacking the journalist involved [07:13].
Notable Quotes:
Patrick Gray: “People are going to think they're going to redouble their efforts” [04:35].
Adam Boileau: “Even though Signal is best case, it's still just bad overall” [07:13].
Patrick Gray: “Jeffrey Goldberg ... did the right thing to a T” [03:31].
[13:30 - 40:00]
The episode covers a series of other significant security incidents, providing listeners with a comprehensive overview of the current threat landscape.
[16:30 - 19:40]
A backdoored GitHub Action exploited build servers by scraping memory for tokens and sensitive data, encoding it in build logs accessible to attackers. The attack primarily targeted projects associated with Coinbase, indicating a possible crypto-theft motive.
Notable Quotes:
Adam Boileau: “It was pretty smart” [18:31].
Patrick Gray: “It's just something that got caught in time” [19:04].
[24:04 - 25:30]
Oracle confronted a data breach affecting six million records across 140,000 tenants. While Oracle initially denied the breach, researchers from CloudSec provided evidence linking compromised credentials to specific tenants.
Notable Quotes:
[25:30 - 26:46]
Paige Thompson, known for the Capital One breach, faces re-sentencing after an appeals court overruled her lenient sentence of time served and probation. The outcome remains uncertain but could involve significant prison time.
Notable Quotes:
[26:46 - 28:24]
The Treasury Department reversed sanctions on Tornado Cash, a cryptocurrency mixing service, following a lawsuit that argued the sanctions exceeded legal authority. This decision potentially facilitates money laundering activities.
Notable Quotes:
[28:24 - 30:23]
Cloudflare faces temporary blockage in Russia after failing to comply with local data retention laws. This move is seen as a warning to Russian customers to switch to domestic providers, although Cloudflare's resilience may mitigate widespread disruption.
Notable Quotes:
[31:19 - 33:13]
Research by Binaly uncovered that Clevo, a laptop chassis manufacturer, inadvertently included private key files in BIOS updates. This oversight exposes around 10 Gigabyte-branded laptops to potential security breaches, emphasizing the challenges of managing hardware trust in open ecosystems.
Notable Quotes:
[33:13 - 37:34]
Citizen Lab's research revealed the use of Paragon spyware in Australia, Canada, Cyprus, Denmark, Israel, and Singapore. The spyware is employed under heavy governmental oversight, but concerns remain about its potential misuse.
Notable Quotes:
[37:04 - 38:45]
The Malaysian Prime Minister rejected ransomware demands following a cyberattack on a major airport. In response, airport staff resorted to manually managing operations using whiteboards, highlighting the severe disruption caused by such attacks.
Notable Quotes:
[38:45 - 40:00]
New York University experienced a significant data breach affecting millions of student records. Additionally, Notre Dame University in Perth faced its own security incident, causing turmoil among students and staff.
Notable Quotes:
[40:00 - 58:35]
In an exclusive interview, H.D. Moore discusses the limitations of current vulnerability scanning tools and introduces Run Zero's innovative approach to vulnerability management.
Key Points:
Market Gaps: Traditional vulnerability scanners often miss critical vulnerabilities, especially on IoT and unmanaged assets. H.D. Moore asserts, “The incumbents vulnerability scanning companies aren't really doing vulnerability scanning anymore” [00:00].
Run Zero's Solution: By leveraging asset discovery and intelligent scanning, Run Zero identifies high-impact vulnerabilities that other scanners overlook. Jeffrey Goldberg explains, “Run Zero does the same discovery information, asset information inference ... bubbling that to the top without just filtering someone else's list of poorly chosen vulnerabilities” [44:20].
Innovative Capabilities: Run Zero not only performs unauthenticated scans but also correlates internal and external data to uncover hidden vulnerabilities. This approach ensures comprehensive coverage and actionable insights.
User Experience: Run Zero minimizes the overwhelming volume of vulnerability data by categorizing and prioritizing findings, enabling organizations to focus on the most critical issues without sifting through irrelevant information.
Notable Quotes:
Jeffrey Goldberg: “We're trying to help you identify where that technology exists and get ahead of it as quick as you can” [46:03].
H.D. Moore: “If you look at traditional CSPMs, what they care about is like enumerating all your stuff, trying to figure out what configuration problems you have” [54:05].
Patrick Gray: “It's such a mature market ... but that's what they used to do” [45:15].
Patrick Gray wraps up the episode by thanking Adam Boileau for his insightful news rundown and H.D. Moore for the enlightening discussion on vulnerability scanning. He underscores the importance of staying vigilant in the ever-evolving landscape of information security.
[58:35]
Notable Quote:
Final Thoughts:
Risky Business #785 offers a comprehensive examination of critical security incidents, highlighting the intricate challenges of maintaining robust cybersecurity protocols. The episode serves as a crucial reminder of the vulnerabilities inherent in modern communication and infrastructure systems, while also showcasing innovative solutions like Run Zero's advanced vulnerability scanning capabilities.
For more details and access to the full episode, visit Risky Business.