Risky Business #785 – "Signal-gate is Actually as Bad as It Looks" Summary

Release Date: March 26, 2025
Host: Patrick Gray
Guest: H.D. Moore, Founder of Run Zero
Co-Host: Adam Boileau

1. Introduction

In this episode of Risky Business, Patrick Gray delves into a series of pressing information security incidents, with a primary focus on the controversial misuse of the Signal messaging app by U.S. government officials. Co-host Adam Boileau joins the discussion, followed by an insightful interview with H.D. Moore, founder of Run Zero, who discusses advancements in vulnerability scanning.

2. Major Story: Signal Group Chat Leak

[00:00 - 13:30]

The episode kicks off with a shocking revelation: senior U.S. government officials inadvertently used the Signal messaging app to plan military actions against the Houthi rebels in Yemen. In a critical misstep, they accidentally included Jeffrey Goldberg, the editor-in-chief of The Atlantic, in their group chat, leading to a significant security scandal.

Key Points:

• Accidental Inclusion: Jeffrey Goldberg received top-secret war plans via Signal when Defense Secretary Pete Hegseth mistakenly added him to the group chat. Adam Boileau highlights the gravity of the situation, stating, “How on earth did this happen? The Trump administration accidentally texted me its war plans” [01:25].

• Media Coverage: Major media outlets have focused not just on the accidental inclusion but also on the existence of such Signal groups, raising concerns about the prevalence of unauthorized Signal chats among government officials. Patrick Gray observes, “The coverage of this has basically been on the money from the major media outlets” [03:31].

• Security Implications: The misuse of Signal underscores the vulnerability of endpoints. Personal devices used in these communications are prime targets for adversaries, especially Iranian-backed groups like the Houthis. Patrick Gray notes, “Because America's adversaries would have already been targeting those devices” [04:35].

• Regulatory Concerns: The incident highlights the inadequacy of current government regulations regarding the use of messaging apps for sensitive communications. Patrick Gray suggests, “Government regulations around some of this stuff needs to change to just sort of better reflect reality” [04:35].

Notable Quotes:

• Adam Boileau: “I mean, what is there to even say? It's been, it's actually been really fun kind of watching this unfold because it's such an understandable story.” [02:14]

• Patrick Gray: “This would indicate that there's probably a lot of other Signal groups that we don't know about.” [03:31]

3. Implications of the Signal Incident

[06:11 - 13:30]

The discussion shifts to the broader implications of the Signal mishap, emphasizing the risks associated with using encrypted messaging apps for classified communications.

Key Points:

• Endpoint Security Risks: The use of personal devices for official communications increases the attack surface. John Ratcliffe, Director of the CIA, has even installed Signal on his work computer, extending the vulnerability beyond mobile devices [06:11].

• Operational Security (OPSEC): Adam Boileau emphasizes the importance of OPSEC, stating, “It's a good reminder for everybody about how OPSEC works and keep an eye on the group chat” [12:03].

• Government Response: President Trump acknowledged the severity of the incident, stating, “Terminate the lines. That's not appropriate,” while also attacking the journalist involved [07:13].

Notable Quotes:

• Patrick Gray: “People are going to think they're going to redouble their efforts” [04:35].

• Adam Boileau: “Even though Signal is best case, it's still just bad overall” [07:13].

• Patrick Gray: “Jeffrey Goldberg ... did the right thing to a T” [03:31].

4. Additional Security News

[13:30 - 40:00]

The episode covers a series of other significant security incidents, providing listeners with a comprehensive overview of the current threat landscape.

a. GitHub Actions Supply Chain Attack

[16:30 - 19:40]

A backdoored GitHub Action exploited build servers by scraping memory for tokens and sensitive data, encoding it in build logs accessible to attackers. The attack primarily targeted projects associated with Coinbase, indicating a possible crypto-theft motive.

• Impact: Approximately a few hundred projects were affected. The attack was part of a larger supply chain compromise targeting AI and blockchain integration tools [17:29].

Notable Quotes:

• Adam Boileau: “It was pretty smart” [18:31].

• Patrick Gray: “It's just something that got caught in time” [19:04].

b. Oracle Cloud Data Breach

[24:04 - 25:30]

Oracle confronted a data breach affecting six million records across 140,000 tenants. While Oracle initially denied the breach, researchers from CloudSec provided evidence linking compromised credentials to specific tenants.

Notable Quotes:

• Adam Boileau: “They couldn't say ... someone had a file read on the SSO system” [24:34].

c. Paige Thompson's Re-sentencing

[25:30 - 26:46]

Paige Thompson, known for the Capital One breach, faces re-sentencing after an appeals court overruled her lenient sentence of time served and probation. The outcome remains uncertain but could involve significant prison time.

Notable Quotes:

• Patrick Gray: “This is not a great time to be Paige Thompson” [26:13].

d. US Treasury Drops Sanctions on Tornado Cash

[26:46 - 28:24]

The Treasury Department reversed sanctions on Tornado Cash, a cryptocurrency mixing service, following a lawsuit that argued the sanctions exceeded legal authority. This decision potentially facilitates money laundering activities.

Notable Quotes:

• Adam Boileau: “It could be a great outcome, if You're a North Korean money launderer” [28:24].

e. Cloudflare in Russia

[28:24 - 30:23]

Cloudflare faces temporary blockage in Russia after failing to comply with local data retention laws. This move is seen as a warning to Russian customers to switch to domestic providers, although Cloudflare's resilience may mitigate widespread disruption.

Notable Quotes:

• Patrick Gray: “It'd be interesting to see if people actually do though” [30:23].

f. Binaly’s UEFI Keymat Leak

[31:19 - 33:13]

Research by Binaly uncovered that Clevo, a laptop chassis manufacturer, inadvertently included private key files in BIOS updates. This oversight exposes around 10 Gigabyte-branded laptops to potential security breaches, emphasizing the challenges of managing hardware trust in open ecosystems.

Notable Quotes:

• Adam Boileau: “It just underscores the complexity of managing hardware anchored trust routes” [31:19].

g. Citizen Lab Finds Paragon Spyware in Multiple Countries

[33:13 - 37:34]

Citizen Lab's research revealed the use of Paragon spyware in Australia, Canada, Cyprus, Denmark, Israel, and Singapore. The spyware is employed under heavy governmental oversight, but concerns remain about its potential misuse.

Notable Quotes:

• Patrick Gray: “As an Australian, I'm not particularly worried that Australia is a customer of Paragon” [34:26].

h. Ransomware Attack on Malaysian Airport

[37:04 - 38:45]

The Malaysian Prime Minister rejected ransomware demands following a cyberattack on a major airport. In response, airport staff resorted to manually managing operations using whiteboards, highlighting the severe disruption caused by such attacks.

Notable Quotes:

• Patrick Gray: “There's no way this country will be safe if its leaders and system allow us to bow to ultimatums by criminals” [38:22].

i. NYU Data Breach and Other Incidents

[38:45 - 40:00]

New York University experienced a significant data breach affecting millions of student records. Additionally, Notre Dame University in Perth faced its own security incident, causing turmoil among students and staff.

Notable Quotes:

• Patrick Gray: “It's just, it's, it's kind of nuts, right, that that store of data is just going to wind up who knows where” [40:00].

5. Sponsor Interview: H.D. Moore on Run Zero's Vulnerability Scanning

[40:00 - 58:35]

In an exclusive interview, H.D. Moore discusses the limitations of current vulnerability scanning tools and introduces Run Zero's innovative approach to vulnerability management.

Key Points:

• Market Gaps: Traditional vulnerability scanners often miss critical vulnerabilities, especially on IoT and unmanaged assets. H.D. Moore asserts, “The incumbents vulnerability scanning companies aren't really doing vulnerability scanning anymore” [00:00].

• Run Zero's Solution: By leveraging asset discovery and intelligent scanning, Run Zero identifies high-impact vulnerabilities that other scanners overlook. Jeffrey Goldberg explains, “Run Zero does the same discovery information, asset information inference ... bubbling that to the top without just filtering someone else's list of poorly chosen vulnerabilities” [44:20].

• Innovative Capabilities: Run Zero not only performs unauthenticated scans but also correlates internal and external data to uncover hidden vulnerabilities. This approach ensures comprehensive coverage and actionable insights.

• User Experience: Run Zero minimizes the overwhelming volume of vulnerability data by categorizing and prioritizing findings, enabling organizations to focus on the most critical issues without sifting through irrelevant information.

Notable Quotes:

• Jeffrey Goldberg: “We're trying to help you identify where that technology exists and get ahead of it as quick as you can” [46:03].

• H.D. Moore: “If you look at traditional CSPMs, what they care about is like enumerating all your stuff, trying to figure out what configuration problems you have” [54:05].

• Patrick Gray: “It's such a mature market ... but that's what they used to do” [45:15].

6. Conclusion

Patrick Gray wraps up the episode by thanking Adam Boileau for his insightful news rundown and H.D. Moore for the enlightening discussion on vulnerability scanning. He underscores the importance of staying vigilant in the ever-evolving landscape of information security.

[58:35]

Notable Quote:

• Patrick Gray: “It is time for this week's sponsor interview now with HD Moore ... thankfully, it wasn't one of them” [42:15].

Final Thoughts:

Risky Business #785 offers a comprehensive examination of critical security incidents, highlighting the intricate challenges of maintaining robust cybersecurity protocols. The episode serves as a crucial reminder of the vulnerabilities inherent in modern communication and infrastructure systems, while also showcasing innovative solutions like Run Zero's advanced vulnerability scanning capabilities.

For more details and access to the full episode, visit Risky Business.