Patrick Gray
And welcome to Risky Business. My name is Patrick Gray. We'll be getting into the news in just a moment with Adam Boileau. And then it'll be time for this week's sponsor interview. And this week's show is brought to you by Trail of Bits, which is a security engineering firm based mostly in the United States. And we're talking to Jaden Hess from Trail of Bits this week. He works on their cryptography team. Trail of Bits does a lot of work with cryptocurrency exchanges. And we're going to be having a bit of a chat about what went wrong at Bybit, whether or not the sorts of practices they were engaging in are common. And you know, what exchanges really need to be doing to avoid having $1.5 billion stolen out of their wallets, which is, you know, I still can't believe I get to say that out loud, but yeah. Let's get into the news now with Mr. Adam Boileau and mate. Let's talk about the lying liars at Oracle. Oracle is having a really bad time because it looks like they've had two breaches which are completely distinct and disconnected from each other. Although I'm not quite, quite sure, you're the one who's done the research on this. And they are spinning hard on this one and kind of, you know, it's veering from sort of spin into outright porky pie lies. So why don't you walk us through what's happened with Oracle, starting off with the Oracle Health breach.
Adam Boileau
Yes. So Oracle has a health data subsidiary which was previously called Cerner before it was acquired a couple of years ago. Now they spent, you know, quite some billions of dollars acquiring a very big, you know, health technology firm. And some of that environment has been integrated into, you know, Oracle's Oracle Cloud and into their modern world. But it looks like some kind of legacy, you know, some bits and pieces of the original Cerner Health was still kicking around the Internet. Somebody has busted into it and helped themselves to a whole bunch of electronic health record data. One of the main products for Cerner is tools for building health data management platforms. And then the person who is doing it, who broke in there, appears to be kind of trying to ransom that data back both to hospitals and medical companies themselves, as well as Oracle. The person behind it doesn't appear to have any affiliation with a known ransomware gang, but they do say that their name is Andrew. So that's.
Patrick Gray
That'll narrow it down.
Adam Boileau
So Oracle has been kind of quiet about this. They have, like, much like the other breach we'll talk about in a second, they haven't been saying a whole bunch publicly, but they have been reaching out to their health industry customers. And the word on the street is that those customers are being sent letters on, like, plain paper, no Oracle letterhead, signed by some, you know, Oracle exec basically saying, look, we've lost a whole bunch of your data. It's kind of a you problem. So you should figure out whether the data that we lost, you know, is violating, you know, HIPAA or whatever other regulations you may be subject to. And off you go, let your customers know. Oracle has very generously offered to pay for some form of, you know, like credit monitoring or, you know, the usual sorts of things you do when you have a data breach. But otherwise they are leaving their health customers out to dry. And, you know, people are not particularly happy, I think it's fair to say.
Patrick Gray
And apparently the customers are being instructed to only sort of talk about this with Oracle's CISO over the phone and not via email. And their communications have said, you know, the data may contain patient data, but all the customers know that it does because I'm guessing they've been sent samples. So not a good look. And this comes hot on the heels of one that I think we spoke about last week, which is a bigger breach at Oracle, where they owned some sort of auth box and just got an absolute ton of info out of it. So we did briefly touch on it last week, but now we've looked into it a little bit more. This is a breach that Oracle denied happened. They said, oh, this totally was not a breach of Oracle's production environment. Like, why don't you walk us through exactly what it is that the attackers apparently did here, what they obtained and then why Oracle's response is a liar's lie.
Adam Boileau
Yes. So some person who goes by, like, rose87168 on some underground forums is flogging off some data that they have stolen, that they claim is from a login portal, an auth portal in Oracle Cloud. And they claim to have shelled one of the Oracle Cloud login boxes using a known flaw in a particular CVE, which I think is a deserialization flaw in Oracle's identity and access management product, which is part of the wider kind of Fusion Applications, Fusion Middleware Oracle suite. That bug is a couple of years old now, I think it's a 2021 bug, and it's a little fiddly to exploit, but that is what the attacker says that they used. And then they claim to have got something like 6 million records' worth of, like, customer login information. And this varies between LDAP, kind of auth passwords, a bunch of certificates and other bits and pieces. And they have provided some of this data as evidence of their access on the forums and then to a couple of researchers. They also posted a text file on Oracle's login server with their email address in it so they could verify to, I think, one of the outlets that they were talking to that it was in fact them. So they pasted it into a text file, x.txt, with their ProtonMail email address in it. And then a few people who've got hold of this data have cross-referenced it with a few customers that are listed, and those customers say yes, this looks like our information. Oracle has flat out said this didn't happen. It's a load of bunkum. And I can imagine that Oracle wants to believe it didn't happen, but it certainly looks like it did. So I had a good rummage around yesterday into kind of what the data looked like, where it came from, and what some of the similar systems in Oracle's cloud environment look like.
Patrick Gray
Now. This is, this is where it starts getting tasty.
Adam Boileau
So the 11g release of Oracle's Fusion Middleware and associates, like that whole kind of stack, is a thing that I have some personal experience of shelling. So like I, you know, when I first read this I'm like, yes, I 100% believe the hacker and I 0% believe Oracle. But then I went and had a rummage round and there is quite a lot of 11g-era bits and pieces of plumbing in Oracle Cloud, and the kind of login server that this person claims to have hacked, the headers suggest that it's running the 11g release, which is from, I want to say, like 2009 or something. Importantly, that release is no longer supported by Oracle. They wouldn't support it for their customers. Although the funny thing is that Oracle's definition of end of life is not, they don't call it end of life, they call it sustaining support, which is available indefinitely. And that sustaining support means you get access to the patches they've already made. You don't get any access to any new patches because they're not making new patches, but you can have access to the things that you already had forever if you so wish, which is very generous.
Patrick Gray
Geez, helpful. Thanks Oracle.
Adam Boileau
But that's corpo doublespeak there. But yeah, like there is a lot of very shonky, old-looking Oracle gubbins lying around in Oracle Cloud. And most of this, like some of the bits that I was pasting in our internal Slack yesterday for your amusement, have certificate names like cloud admin, you know, cloudadmin.us9.oraclecloud.com or *.usgov.oraclecloud.com, which doesn't feel particularly good.
Patrick Gray
Yeah, I mean to be clear, what you did is you hit up Censys, you're looking within the IP range of Oracle's cloud and you're finding ancient, out of end of life boxes there with interesting certificate names. And this is while Oracle is claiming, oh, this never happened. So you have a theory about what actually went down here and I think it's a plausible one.
Adam Boileau
Yeah, my vibe is probably they have updated these things, they've built new ones or they forked them or copied the virtual machine or whatever it is, and there are modern versions of these things on more modern Oracle software stacks and they just haven't turned off the old ones. And when Oracle sees this, when they see someone mails in and says, hey, I breached your stuff, give me millions of dollars' worth of crypto, they're going to go, we already updated that, without stopping to think, actually, the old stuff's still around. And I went and had a look when I was rummaging through Censys, I checked that a few of those boxes are in fact still live and answering requests. They're still there. Went and looked at the login prompt and it sure looks like an ancient Oracle login prompt. So yeah, I think that they are, like, they are going, well, this is legacy old stuff so it doesn't matter, so therefore we can say our production Oracle Cloud didn't get hacked.
Patrick Gray
But yeah, I mean, but that's, that's crossing the line. That's, you know, Microsoft is amazing at putting out press responses where they're obfuscating and they're using doublespeak, but they're not going this far. Like this feels like an outright lie. And you know, having been, you know, a cybersecurity journalist now for nearly 25 years, I can tell you that Oracle are, like, pretty much the worst offender when it comes to this sort of stuff. Like Microsoft used to be worse. They were quite good for a while, they're sort of back to being not so great. But I have a feeling that's changing because they keep getting in trouble with the US government, and yeah, but I mean Oracle just don't really have great practices. They tend to scapegoat researchers as well. I mean, who could forget Mary Ann Davidson's blog post a while ago where, you know, she was essentially threatening. She's the CISO at Oracle and has been basically since the Jurassic era and was basically threatening legal action against people for reversing their products because it's against the terms of service. Like Oracle is a company that does not get it. It has a weird culture, it's a closed ecosystem, sort of like, you know, very cult-like company and they don't really appear to know what they're doing. And you know, this is the sort of stuff that happens when you are running a large company with a weird insular culture that doesn't listen to anyone else, when you also don't really quite know what you're doing. You know, this is, this is what.
Adam Boileau
It looks like, this is what it looks like. And I feel like, you know, in the depths of Oracle there are plenty of smart people who work there who understand that they got themselves wrecked. But somewhere in the 47 levels of management, upwards from them, that message gets massaged into something that just looks to me like straight up bollocks.
Patrick Gray
Yeah, I mean when I say that they don't know what they're doing, I am talking about management, in case there's anyone rage listening at Oracle who actually, because of course they're going to have good people there, but they're clearly not getting listened to. If you can pull up Censys and find this stuff in their IP space like, you know, in a minute.
Adam Boileau
Yes, yeah, yeah, it's, it's, it's nasty. Like I haven't seen some of those old Sun, you know, kind of old, very, very old. You know, I wouldn't say Sun style. It's not, this is, you know, obviously Oracle software, not Sun software, although some of it is begat from the Sun acquisition, which does kind of put an age on some of this stuff because it's, it's just like it has a particular look that if you've been a UNIX hacker for a long time, you just know what that stuff is when you see it, it smells like old. You know, it's got that sort of, you know, I mean I've always vibe.
Patrick Gray
I've worked with a bunch of, you know, asset discovery startups, right? So Assetnote was one and then HD Moore over at runZero as well. And I've, I've had a front row seat when some of these tools have been thrown at extremely large clouds, right? And I'm talking, you know, name brand big clouds, to find stuff like this. And they have come up really with very little, with, with, you know, running these sorts of scans against some of the very big cloud operators. Right. So the fact that you were able to find this in Censys boggles my mind. You're telling me there's no one whose job it is at Oracle to flag something like that and maybe get something done? Because that's just, that's, that ain't good enough.
Adam Boileau
No, I mean, it's really not. But I mean, unfortunately that's kind of the Oracle jam. Right? That's just what they do. I mean, I've seen, I don't know, I guess I can probably tell this story now, but like at some point we looked at some systems that were like old Solaris stuff that was being lifted and shifted into Oracle Cloud for a big customer. And the Oracle engineers did, the Oracle consultancy team brought in people to do that lift and shift, and they picked up these boxes, moved them into Oracle's cloud, put them on the Internet as they were, as you would expect, like that's what they asked for. We want a like-for-like migration, blah, blah, blah, blah. But that included leaving the, like, internal Telnet interfaces that previously were in the middle of a bank on 10, yada yada, now they're on the Internet with, you know, terrible passwords, like the normal kind of configuration that those boxes would have, but they just lifted and shifted and dumped it right on the Internet without even a word to the customer.
Patrick Gray
You may have let that one slip over a beer once upon a time, many, many years ago, but yes, Oracle, putting your Telnets on, on the Internet.
Adam Boileau
Yeah. And especially when this, you know, we had that, like, Telnet -f bin bug where you could just log in with no creds, which.
Patrick Gray
Yeah, I mean, I think, I think we have, you know, I think some questions need to be asked about the state of Oracle's cloud with all of this in mind, and of course the state of their security culture. Look, everybody has incidents. Having two in such a short period of time is, you know, unlucky for them, but hopefully it'll actually put some attention on them, because you can't imagine, like, having a look at the Azure IP space and finding a bunch of, like, NT4 boxes. It sort of feels a bit like that.
Adam Boileau
I mean, you'd want to believe that wouldn't happen and probably there wouldn't be any critical NT4 in Azure anymore. But yeah, Oracle, that's just not how they roll.
Patrick Gray
No, no it's not. And yeah, I mean again, the problem when it comes to these mega vendors is like, what's the recourse? Right. And the recourse is for the buyers of this sort of stuff to push back. But we see in the case of, like, government contracts and stuff, these are negotiated at such a high level that they're not really asking detailed questions about, well, have you run discovery tools to look for old versions and decommission stuff that hasn't been decommissioned? Like, it just doesn't. It doesn't really line up with the questionnaires, you know?
Adam Boileau
No, no, it really doesn't. And you can't just turn around and ask Oracle salespeople, so explain to me why you don't suck in the year 2025. And of course they're going to say, because AI, because best of breed or whatever. Well, Unbreakable. Famous Unbreakable, famously.
Patrick Gray
What was that? Like, 20 years ago, they had Oracle Linux that they called Unbreakable and they called their products unbreakable. It was a whole campaign and at one point they said things were unhackable. And that's what led to the birth of an industry legend, which is David Litchfield, who I believe is now at Apple, when he was sitting in a presentation watching them describe this thing as unhackable, and he just started shaking their products and I think he dropped 42 0-days the next day. So that's Oracle. Oracle have always sucked. The idea that somehow they magically don't suck anymore was always a fantasy and we just, I guess it's a good week to remind everybody of that.
Adam Boileau
Yes, yeah, yeah, exactly. Try not to put your Oracle stuff on the Internet. If you've got the database, keep it in the middle of your network, it's probably all right. But all of their application stack, just don't. It's, I know as a pen tester, when you saw it on the edge of the network, you rubbed your hands together. You know it's going to be a bad day at the office because you had to interact with their software and all of the nastiness, but you knew you were going to get shells.
Patrick Gray
Well, funnily enough, MSSQL, one of the reasons it's, you know, it really succeeded and became so widely used is because of these security concerns around Oracle's database product back in the day. So that is one of the rare cases where someone managed to squeeze a win out of a competitor's, you know, pretty awful lump security practices, I will say, too. Lawrence Abrams over at Bleeping Computer has been doing a lot of work on this and he's been doing a great job. We've linked through to one of his reports. Also kudos to Becker's Health IT, who've done some excellent reporting on this, and I love it when you get these industry journalists who are, who are doing some of the best coverage. I remember the, the attack against, was it like JB Meats or JBS or something? They got ransomware and like the best coverage was coming from, like, a beef industry journalist, which kind of put the rest of the tech media to shame. So we've got a bunch of stuff linked through in this week's show notes that people can take a look at. Now unfortunately we have to do some follow-up reporting on Signalgate. Since we recorded last week we had the question of, like, well, was Pete Hegseth copying and pasting stuff into Signal from a high side document? It doesn't look like that was the case. The journalist Jeffrey Goldberg released the full Signal messages. It was interesting actually because if you look back at the conversation, most people were actually being pretty restrained and controlled and there were references to, like, you know, go check things in your high side mailbox and whatever. And it was Hegseth who just started dumping, like, specifics into the chat, and the vice president, J.D. Vance, you know, trash talking Europeans and stuff. Still not good to use Signal for this purpose. But, but they were the ones who really, you know, were the most indiscreet in this conversation. 
Now since then of course we've seen, we've seen, unbelievably, the US administration starting to smear Signal itself. Like there's even been this allegation that Katherine Maher, who's on the board of Signal, is, I think she's the NPR CEO as well, and she's, like, got links to the Atlantic Council. Atlantic magazine, Atlantic Council. Put it together, sheeple. She probably lives in New York, mate. And you know where that is, that's next to the Atlantic Ocean. But you know, we're seeing some of these, some of these theories, like, being reposted by Donald Trump himself, which, I mean, you know, this is a typical sort of Trump strategy. I don't think for a second that he believes that Signal was involved in a conspiracy to add a journalist from the Atlantic into a Signal group chat. We're starting to see some political fallout. Mike Waltz, the, the national security adviser in the United States, his job is safe for now, but apparently he's lost sway with Trump and he's, he's pretty toxic. He's pretty on the nose at the White House. It turns out also that he was running multiple other Signal groups. And we obviously mentioned this last week, that we expected that to be the case, including Signal groups involving discussions about brokering a peace between Russia and Ukraine. Now, when I've spoken to, you know, former intelligence community types about, well, what do you think the likelihood is that at least one of the endpoints involved in these Signal message chains was compromised? They've all said, look, more likely than not. Verging on undoubtedly. Right. So you have to imagine that these conversations are happening in full view of a foreign intelligence service. We've also seen some reporting that Waltz, you know, often uses his Gmail account to discuss government business. You know, no allegation that there was anything classified there. But we've got a bit of a theme to talk about this week, right. 
Which is just, like, why the civilian Internet and civilian applications aren't really the appropriate way to conduct these sorts of, you know, discussions. And, you know, Der Spiegel has this excellent reporting where they've just gone out and looked up the contact details and passwords out of dumps for a whole bunch of prominent US national security figures, including Pete Hegseth, Tulsi Gabbard and, and Mike Waltz. So, I mean, there's been some good reporting here that just sort of shows, like, you can't really mix this sort of business with the civilian Internet and app ecosystem.
Adam Boileau
Yeah, absolutely. And I get it's probably difficult, especially if you're coming from outside of traditional government circles, which, you know, if you're a Hegseth. I guess where he came from, Fox. Right.
Patrick Gray
I think he's got a military background, but he was working as a Fox commentator as well. And with hair like that, I will say he's a very handsome man with terrific hair. I'm very jealous. Those of you watching on YouTube would understand why. I wish I had Pete Hegseth's hair. I suspect that's also a part of why he got, why he got the job. But yeah, he's also got, like, a master's, I think, from Princeton in, in public administration and stuff. Like, I think it's, it's, you know, people are very. He clearly doesn't have the typical sort of work profile of someone in that job. But, you know, he is a well educated man with at least some, you know, some experience in the military. And terrific hair.
Adam Boileau
Yeah. I guess what I was going to say was, like, it must be a bit of an adjustment coming from outside of very regimental communication circles, you know, regimented circles where you have to control how you communicate and where you communicate, you know, that aren't civilian. Like, it's a bit of a shock and must take a bit of adjustment. But, you know, if anybody, if any government in the world is equipped to brief these people on the threats and what they have to do and provide them with alternatives, like, it's the US Government. They have been working on this stuff, you know, for a very, very long time. And so it is pretty inexcusable for them to be falling into these traps. But, you know, as the civilian Internet becomes so pervasive and we know, we see things like, you know, having to have an Apple ID to, you know, use Apple products, having to have Microsoft accounts to use Microsoft products, the sort of, the extent to which you have to interact, it's not just you get software and use it and you can use it away from the rest of the infrastructure. And as auth gets integrated and identity gets integrated. And that's really where the criticisms of Signal's interface in this whole malarkey have been, that it is very difficult to determine exactly who you're talking to and navigate the avatar. What does the avatar look like, how do nicknames work? How do phone numbers tie into this? You know, identifying who you're talking to and who you're adding and getting that through Signal's interface is kind of fiddly, and that's fiddly, you know, for everybody, because it's civilian tech.
Patrick Gray
Well, and that explains why Goldberg, you know, was added to that chain, because the Signal interface is absolute junk. I remember when they moved to the nickname thing, like, it's real hard when someone's using a nickname to understand who they are. And like, the interface is absolutely terrible. And for a security-first app, I've, you know, always thought, geez, what, what on earth are they doing? But, you know, funnily enough, this whole thing has made Signal downloads soar to record highs as well. Right. So it's been fantastic advertising.
Adam Boileau
Yeah, it's the classic there's no such thing as bad publicity. Right. Because, yeah, they appear to be really cranking. And mostly in the U.S., you know, it's just, you know, if it's good enough for the national security apparatus, then clearly it's good enough for everybody else's group chats. Although, like, I, I don't know about you, but basically every group chat I am in is posting, you know, war plan jokes. You know, at least at some point in the last week, there's been a war plan joke in every single one of them because it's just really, you know, I think tickled the fancy of so many people seeing, you know, the technology that they use being, being used in this way. And yeah, the jokes just, the jokes write themselves. I mean, watching even the pop culture stuff, Saturday Night Live or, you know, all of the late night talk shows, it's just, it's been such good comedy and a good reminder for everybody about this kind of opsec, about the importance of identifying who's in your chats. And you know, it underscores the fact that ultimately crypto is a solvable, easy enough problem, but identity, that's hard.
Patrick Gray
Yeah, it is, it is. I think my favorite one was, like, bomb Yemen tonight. Bomb, bomb Yemen tonight. Queen. That was a, that was a good one. I would also just like to tie all of this off by saying the idea that these people didn't know that this was a risk seems pretty unrealistic to me. Like, when I've had conversations, I might be going for a beer with, like, a senior official who is, like, publicly identifiable, right? Like, so adversaries know, will know that this person holds valuable information, you know, so, you know, I'll be going for a beer with someone like that. The phones get locked in the car during that beer because they treat these phones like they are Chinese listening devices. That is actually the way high enough profile government officials treat these devices. They are like, that is not my phone, that is a Chinese listening device. We're going to leave it in the car so that we can at least have a somewhat, you know, relaxed conversation. And you know, that is the briefing. That's the standard advice that they get, which is your phone could very well be a Chinese or a Russian listening device, you know, leave it in the car. So yeah, again, not a good look. I don't think ordinary people quite understand just how, just how sort of reckless all of this has been. One thing that's worth noting too is that there are commercial alternatives that solve some of these problems. Like a lot of people would remember Wickr, which was, like, a Signal-style app. The free version is no longer available because the whole thing got acquired by Amazon. So it's owned by AWS and that allows for at least, you know, semi-secure chats. I'm guessing you could probably put this onto government devices and whatever, semi-secure chats that, that at least uphold, like, record keeping requirements and whatever. But again, you know, you wouldn't even use something like Wickr on a personal device to talk about peace negotiations between Russia and Ukraine. 
Like that's just, that's just mad. Now, look, in a similar vein, when we're talking about communication security, Brian Krebs has a great piece here about some tactics that the Russian government is using, well, presumably the Russian government is using, to unmask people within Russia who are trying to contact organizations that are anti-Russia. So this could be, you know, domestic organizations that are opposed to Putin or the Central Intelligence Agency and whatever. So what they do is they spin up lookalike websites for these things and then SEO them in local search engines so people will, you know, hit a site where they think they can give the CIA a tip, enter their personal information, that lands in the, in the inbox, in someone's inbox at the FSB, and the next thing you know, they get vanned. This is a sensible, you know, well, you know, it's not nice, but it is a sensible sort of strategy for a country at war, I think, to, you know, figure out who's trying to undermine them. It's hard to say that this is a bad strategy.
Adam Boileau
Yeah. Some of the sites that are being spoofed here, you mentioned the CIA, which, you know, clearly if you do want to give tips to the CIA, going to yandex.ru and typing CIA into the search box, probably not the right way to get there. But, yeah, some of these other sites are things like Ukrainian organizations that are doing outreach to Russians that want to, you know, contribute to Ukrainian causes, as well as, you know, kind of like militias and, you know, other armed factions and things. But most of these are, you know, very low ranked outside of Russia on search engines, but inside Russia on things like Yandex are way up the top. And it does kind of feel like, you know, this is probably Russian kind of domestic counterintelligence, I guess, or whatever you would call it. And, you know, I suppose if you are, you know, wanting to sign up for one of these things inside Russia, you're probably going to need to be a little bit more careful than just pointy-clicking your way through the regular Internet and ending up on a Google, on a Google form that's going to dob you in to Russian authorities.
Patrick Gray
Yeah, but I mean, the average person looking to do this sort of stuff probably isn't going to understand the risks here. Right. Which is why it is, it is a smart way to start building a list of, like, domestic enemies. Right. Not that I am, not that I think it's great that Russia is able, you know, I would fully support enemies of Putin within Russia. But, yeah. Anyway, moving on. And it looks like the North Korean fake worker, you know, fake IT worker scams are kicking off in Europe, and I think this is an interesting development because they've had some setbacks in the United States, particularly around the FBI being able to identify these, you know, laptop farms where people can, you know, the North Koreans can sort of access a local machine in the US and then they appear to be coming from the US. And those things are pretty easy to identify and pick apart, as we see here in this Google threat intelligence report. So perhaps they're moving to Europe because they've had setbacks in the United States, which makes this a good news story. Unfortunately, it's going to mean some more work for the European authorities who are going to have to, you know, I guess copy the template of the FBI and start going after these laptop farms.
Adam Boileau
Yeah, I mean, I guess, you know, it makes sense to go and leverage the scam elsewhere. It's clearly worked for them in the US, both in terms of, you know, just bringing in revenue from the jobs and also access to organizations and information. And I guess if you've got the people able to pull it off in the U.S., you know, at least in the English speaking, you know, in Europe, English is pretty widely used. So like they've got the language skills for doing it, kind of makes sense. Google's, this is out of the Mandiant bit of Google, they found at least evidence of at least one laptop farm operating out of London. And they said that there was one case they found where a laptop for a job, you know, a work laptop for a person who was nominally in New York had then showed up in the laptop farm in London. So there was some kind of coordination across, across these things. And it's kind of like, it's funny because some of the feedback you get is that actually these North Korean workers are pretty good because they actually have a whole team of people delivering the work. And so, you know, for your money you're getting, you know, more than one person's worth of expertise and they'll bring in the right person for the job. So the quality of the work is quite. But the risks, you know, clearly a problem.
Patrick Gray
The risks kind of outweigh the benefits on this one guy, I gotta say.
Adam Boileau
You know, exactly. But it is good news in that it shows that, you know, focusing on these laptop farm operators, like, is a great way that, you know, you can have some leverage locally. Google did specifically call out the challenges of organizations that use BYOD, where you bring your own device and then just, you know, make it secure. And I'm, you know, making eyebrows here in the YouTube video. Make it secure by just running a virtual machine. And somehow that makes it fine to run, you know, a corporate, you know, SOE desktop inside a VM on an untrusted piece of hardware. And they are kind of prioritizing companies that do that because it removes that point of dependence on a laptop farm. So, yeah, anyone who thinks that's a good idea, you might want to consider that aspect too.
Patrick Gray
Yeah, indeed. And we got a good news story here out of 404 Media. Joseph Cox wrote this one up and he's looked at how the FBI was able to freeze much of the ransom that Caesars Entertainment paid to, I think that was like Scattered Spider in conjunction with Russian ransomware actors or whatever that was. That was their, you know, joint operation. And yeah, they managed to track down a. Seize millions of dollars' worth of cryptocurrency. I think most of it. I can't remember. You tell me.
Adam Boileau
Yeah, yeah. So there was something like $15 million worth of ransom that got paid. And the FBI were able to track one cryptocurrency transfer into a bridge where they were trying to move it from whatever cryptocurrency was in, I guess, bitcoin onwards into something else. And they managed to freeze like. Was it like almost 300 bitcoin? So that's like 11ish million dollars.
Patrick Gray
They got 11.8 million back out of the 15.
Adam Boileau
So, yeah, which is pretty good. And then there was also another kind of a bit under 5ish million that they got from another cryptocurrency exchange. So they're doing pretty well on tracking down those funds and like, clearly being able to do that fast enough to catch it whilst it's still in a cooperative environment of a, you know, of a bridge somewhere in a reputable place, you know, or a place that at least will cooperate with U.S. law enforcement. You know, that's. That's pretty good work.
Patrick Gray
Yeah. And if you're wondering why those numbers don't add up, where we said 15 was paid and then 12 was recovered and then 5. Because, I don't know, cryptocurrency movements, I guess.
Adam Boileau
Yeah, yeah, everyone's hodling and it's. Yeah, it's kind of, you know, whenever we report about cryptocurrency numbers, it's always kind of approximate point in time.
Patrick Gray
Yeah. Sometimes it doesn't balance at all. We got one from James Reddick now over at the Record. A defense contractor called Morse Corp has, is going to pay $4.6 million in penalties because it apparently violated the False Claims Act. We've seen the US Government go after companies for violating that act before where they sort of basically are promising that they're in compliance with things that they're not. In this case it looks like they were using like unaccredited third party email provider. And then when they looked into it more deeply, they weren't, you know, they weren't complying with all of the NIST standards they were supposed to. And yeah, they got in trouble. They got, they got in big trouble for that.
Adam Boileau
They did, they did a self assessment. They were required to do, did an assessment as part of their kind of like supplier onboarding with the US gov. They rated themselves 104 on a scale that goes from minus 210 to positive 110. So very, very close to the top. They subsequently got a third party to assess them and that third party scored them at minus 142.
Patrick Gray
That would be the false claim part of this.
Adam Boileau
And then they did not update the US Gov with this new information. They decided to, you know, presumably just quietly try and solve some of this stuff. And yes, that has ended poorly for them.
Patrick Gray
Yeah, it sure has. And speaking about something that's probably going to end poorly for everybody involved, we've got a blog post here out of GreyNoise. And they have observed this massive surge in people scanning for Palo Alto Networks devices and, you know, GreyNoise's take on that, which I think is a reasonable one, is this is like someone's got an exploit and they're trying to find where to throw it, basically. So they are thinking, they are thinking that in the next few weeks there's going to be a pretty big campaign hitting Palo Alto Networks devices. It's hard to disagree.
Adam Boileau
Yeah, like when you look at the graphs they have of, like, number of machines scanning. So GreyNoise runs a honeypot network and they've got data which shows, I think, 23,000 IP addresses in a coordinated manner scanning for Palo Alto devices. And they can look at, like, they fingerprint how the tools, you know, the thing that's doing the scanning, makes the initial connections. And so they can kind of say, like, there are three bits of software doing this behind this 20,000 IP pool. Most of them are coming from one particular, as you know, mostly in Finland, the Netherlands and Russia, and mostly towards the US. So they've got a pretty reasonable feel for this. Feels coordinated. It feels like one actor doing it behind maybe a bunch of proxies or, you know, some kind of pool of machines, and yeah, probably precursor to someone dropping some sweet, sweet Palo GlobalProtect VPN bugs.
Patrick Gray
Yeah. Hooray. And speaking of, there's some new malware apparently targeting some sort of Ivanti 0-day as well. CISA is talking about this one.
Adam Boileau
Yeah. So this is. It's not actually. Well, it's not actually a 0-day. It was patched earlier this year, but as you quite rightly pointed out, you know, patched in January, for the sort of people that run Ivanti products on the edge of the network, it may as well be zero day at that point.
Patrick Gray
Yeah, that was when we were talking about whether to include this one. And you're like, it was patched in January. I'm like, it's an Ivanti; that may as well have been 10 seconds ago. Like, no one's. No one's got time to do that. But yeah, you're quite right, it's not a 0-day. I was misled by the headline. I mean, maybe it was a zero day when it was dropped or something. I don't know. People misuse that word all the time.
Adam Boileau
And also, like, this is. There was a while back when we talked about it at the time, it's a stack buffer overflow. Yeah, it's the year 2025, and a security product on the outside of your network has a stack buffer overflow. I mean, okay, yes, you have to ROP a little bit to get it back to code exec, but there's proof of concept code out there. I think watchTowr Labs did a really good write up of the bug, as they usually do. And yeah, someone has bodged this together into a wider piece of malware. I think this was. I think this is one of the Chinese ones maybe, which feels kind of like ORB hunting to me.
Patrick Gray
So there's. Yeah, there's not really a lot you can do if you're running these sorts of devices. Oh, in. Apart from patch them and, you know, buckle batten down for the next bug that's coming.
Adam Boileau
But God forbid you should patch them. Yeah.
Patrick Gray
I mean, there's one idea that was put to me by HD Moore, which is a reasonable one, is you can pull an IP list out of CrowdStrike. If you've got CrowdStrike on, you know, every endpoint that's coming through your VPNs, you should be able to get a list of the IPs that people are coming in from to these VPNs and you can add them to an allow list on these devices. That might get you something. Obviously if you wanted to do that dynamically, there's other solutions there. But I, I spend way too much time promoting that company so I won't say their name, but, you know, just looking at some basic network controls around this stuff to try to stem the bleeding, not such a bad idea. Now we've got some news here about this guy, Aubrey Cottle, 37. He was arrested on Wednesday in Canada. He's facing charges there, he's facing charges in the United States. This is like an Anonymous adjacent person who's, you know, we first spoke about this guy hacking the Epik web host, which used to host a lot of, you know, horrible websites and whatever. And also I think the Texas Republican Party. Yeah, like, things are catching up with this guy, basically, is the story here. One of these indictments has been unsealed and yeah, he's in big trouble.
Adam Boileau
Yeah, yeah, he's not particularly shy about it. Like, he posts on his TikTok and on his Insta, you know, talking about his hacking exploits and stuff. So it's kind of not really surprising that he's been, you know, rolled up for this. But there's already, you know, I saw a hashtag free Kirtaner, which is his name, floating around somewhere. So, you know, it's kind of normal Anonymous sort of stuff. But, you know, if you're going to shell things and then gloat about it on, you know, on public social media, I kind of don't know what else you expect.
Patrick Gray
I mean, this guy strikes me as one of those sort of committed hacktivist types. Right. Who's actually prepared to walk the walk. And I mean this is the result of that. It's not a good time. But hey, at least you've got the courage of your convictions there guy, right?
Adam Boileau
Well, yeah, yeah, exactly. Yeah, yeah. I think he's very fair.
Patrick Gray
I think he's specifically in trouble for stealing data from the Texas Republican Party, which is, yeah, what the charges are centered on. And we're going to end this week with a fun one kind of, I mean not, not for the person involved. Alexander Martin has this report for the record. This guy, Hassan Arshad, who's 25 years old, he was doing an internship at GCHQ and decided in 2022 and just decided to copy a bunch of stuff, top secret data onto his, what is it, laptop or a portable drive or something and walk out with it. And of course got caught.
Adam Boileau
Yes. Not, not really the best plan. I think the story goes that this guy was an intern and he had like a year university placement at GCHQ. Done some previous work for them, you know, under an earlier program in his tertiary education, he got a year placement there and he was working as a developer or something on some tool. And he had come to the end of the year of his placement and then he copied the code and, reading between the lines, it's probably he copied like a git repository or something because it said there were like names and source code, names of staff and source code. But it sounds like he probably wanted to keep working on it and he had aspirations to later get another, go back to working there, and he may not have thought it through. Although, on the other hand, the prosecution in this particular case, I think, said there were also examples of him talking about getting bug bounties for information leaks, which maybe is another possible motivation. Either way, taking your phone in, plugging it into your GCHQ box. And he had clearance and stuff, so he must have been through all the relevant trainings and then just copying stuff off and walking it out. Like, someone's got to look at that.
Patrick Gray
Someone's got to look at those logs eventually. Right?
Adam Boileau
Like, you know, well, especially in a place like that, you know, so, yeah, not. Not the sharpest. Not the sharpest move.
Patrick Gray
Yeah. I'm guessing there's probably like a log audit every now and then, akin to a stock take at a retail store, which is. Right, that's it. We got to do the. The annual check to see who we need to yell at. Yeah. So that's actually it for the week's news. Adam Boileau, thank you so much for your time, and we'll do it all again next week.
Adam Boileau
Yeah, thanks very much, Pat. I look forward to it. I will talk to you then.
Patrick Gray
That was Adam Boileau there with a check of the week's security news. It is time for this week's sponsor interview now with Trail of Bits, and we are speaking to Jaden Hess, who works on the cryptography team at Trail of Bits. They do all manner of sort of consulting and engineering work and have done a lot of work with cryptocurrency exchanges and people in that space. People and companies in that space. So I thought this week it was a great opportunity to ask them what they think about the whole Bybit attack in which, you know, $1.5 billion worth of cryptocurrency was stolen by the North Koreans. So I started off by asking Jaden, you know, for a quick assessment, I guess, of Bybit's procedures. And here's what he had to say.
Jaden Hess
For one thing, if you're going to have a cold wallet, it has to be offline. The kind of root cause of this is that they're connected to an Internet wallet provider that North Korea hacked the server for and now you've got malicious code running in your cold environment. So you gotta keep your cold wallet offline. You can have a warm or hot wallet that maybe it is more featureful, but there needs to be a tight separation and bounded losses there.
Patrick Gray
Okay, so a hardware wallet is not a cold wallet. Right. I think that's kind of what you're getting at there. And you say it needs to be completely offline, but if it's completely offline, how are you actually able to do any sort of manipulation of the blockchain? I mean, obviously at some point data's got to come in, data's got to go out. You know, they were using a hardware wallet for that. You're saying that's not enough and that the computers that are doing these operations need to be disconnected, you know, completely from the Internet. But in that case, like how do you use them?
Jaden Hess
Yeah, so the data that's being transferred is relatively small. So in many cases you can just use something like a QR code or we've seen people use CDs where you burn a read only CD on the outside of the room, you bring it in, burn it on the inside of the room, bring it out, and that kind of gives you a nice isolated way to transfer relatively small amounts of data in and out.
Patrick Gray
Now, just because this thing is offline, it wouldn't mean that you wouldn't need fairly robust procedures here. Because I'm imagining that if you can get control of the computer that is generating the QR code or writing to that CD, there's going to be subtle ways, aren't there, of doing similar sorts of things? Because in the case of this Bybit transaction that was multisig authorized by a bunch of people, the one thing that would have given it away was a single value changed in a very long string of hex. Wouldn't you be facing similar challenges under this scenario? How much of a solution is it, I guess, is what I'm asking.
Jaden Hess
Yeah, so whatever you do, you need to have a user interface on the inside that presents all the relevant data. And there's sort of two features that went wrong with the Bybit incident. One was that the sort of scope of transactions that could be sent using the normal signing flow included transactions which could totally overwrite any sort of policy that could be put in place on that wallet. So if you restrict the sort of variety of transactions that can be signed during the normal signing flow so that none of them can bypass your sort of hard stop transaction flow values, then you have less risk if something were to go wrong. And then secondly, your wallet needs to be rich enough to display intuitively all of the different effects of a transaction. And so the Safe wallet, if it had been operating properly, would have put all sorts of red flags up if it was trying to sign a transaction similar to one that was deployed. So in that case that would have worked. Okay, but still there's a lot of nuanced things that that smart contract wallet could do. And for, like, a real cold signing solution, you probably want fewer types of transactions, you know, less contract interactions, simpler guarantees on value per day, for example.
Patrick Gray
Yeah, I mean earlier you were talking about sort of restricting the ability of people to be able to sort of change the contracts. Right. I mean, there's a reason though, isn't there, that people have this sort of flexibility in the contract. And some of those reasons are related to sort of anti fraud security and safety, which is that, hey, if you've got a problem with your smart contract, you need to be able to fix it, to be able to patch it. You need that flexibility, otherwise you're stuck with a vulnerable contract. You know, isn't this a case of a little bit of you're damned if you do and you're damned if you don't?
Jaden Hess
A little bit. But there's things that you can do, right? So, so for example, for emergency upgrades that allow you to bypass signing limits, for example, you should need some sort of break glass key. Right. You shouldn't be able to do this in doing the normal signing flow, such that people might be confused into accidentally doing it. Someone should have to go to a bank, go to a safe deposit box and get out a paper key. No, I mean, so that's basically it, right? Is that the normal signing flow has some level of privilege and in order to surpass that level of privilege, you need another actor, another piece of authentication which never comes out except in emergency cases.
Patrick Gray
Yeah, I mean, so really what you're describing is actually for them to have done some engineering work and put some thought into it.
Jaden Hess
Yeah. So that also threat modeling, right?
Patrick Gray
Yeah.
Jaden Hess
You should have an actual document which goes through all of the different potential attack vectors and the consequences if they were to be exploited. If they had done that, they would have seen someone pops the Bybit web server, all of our money is gone, right?
Patrick Gray
Yeah, yeah, yeah. So look, when we, when we look at. And you're much more likely to have an answer to this question than most people, which is when you look out there at the way most exchanges are operating, you know, would you say that Bybit were about par, like, were they doing it about how most exchanges and, you know, crypto orgs are doing it? Like, are they that blasé or were they being a little bit more lax than most in your experience?
Jaden Hess
No, I think they were being more lax than most. From seeing sort of US based organizations handling large amounts of cryptocurrency, they seem to have much more thorough threat modeling procedures, operational guidelines. I mean, of course we've never sort of audited Bybit specifically, so I can't say what their internal, you know, documentation and threat modeling and procedures look like, but clearly they're relying on a website for cold signing transactions out of a $1.5 billion wallet. So I'd say that's not normal.
Patrick Gray
Yeah. What is normal? Like, I was actually surprised when I saw that this Safe Wallet service actually existed because I'm like, hang on, you know, you've got a hardware signing wallet and whatnot and this is all going out to a cloud service that runs, you know, JS in your browser. And I'm like, I'm already thinking like this could go like wrong that way.
Jaden Hess
Yeah.
Patrick Gray
So I mean, I just, I, you know, we scratch our heads a little bit over here often when we look at the crypto world. Like what is that service actually for?
Jaden Hess
Yeah, so normally you would need something like this for your sort of hot or warm wallets. Right. You need some way to, in the day to day operations, propose, approve and sign transactions out of some wallet. And it's nice to have a rich, featureful wallet that can have various sorts of policies and authentication flows and different targets and all that. And that's just part of normal operations. I'd say that what broke down here is that there should be another layer of value isolation. You shouldn't be using your normal warm wallet signing, you know, featureful system to do signing out of your full cold wallet. So in other institutions they'll have a similar sort of web based transaction proposal.
Adam Boileau
Right.
Jaden Hess
You have employees who need to make trades or send money from account A to account B. And you don't want those people to have to go into a cold room and move CDs around. But you should only be holding, I don't know, $10 million in that wallet. Or, or something that you're sort of willing to potentially lose in case of a major breach.
Patrick Gray
So I guess, you know, I guess really what you're saying is, you know, it takes a bit of work to sit down, work out your threat model, you know, come up with some compensating controls, procedures, you know, just the usual boring stuff that we do. I mean, it boggles my mind that often this isn't done. And this is why the North Koreans are having such a big party time. It's almost like we often make the joke on the show that, you know, the cryptocurrency world is speed running, the need for a lot of these financial regulations that apply to the banking sector. You know, it does feel like that sometimes, doesn't it?
Jaden Hess
Yeah, I mean, there's sort of a very short time between, you know, up and find out. Right. And it actually is kind of nice because it shows you exactly what not to do very quickly if you're someone observing it, on the other hand, could go very badly for anyone at any time. So trade offs.
Patrick Gray
Do you also find yourself, you know, looking at incident reports from, you know, North Korean hacks and just thinking, wow, okay, that's nice. Or even further, wow, I didn't think that someone would think to do that. You know, like, how much have you been able to learn from the way they do this stuff?
Jaden Hess
Yeah, they're very impressive, right. I mean, there's few countries which have sort of that much dedicated offensive capability willing to do things in the public. Right. That's the thing about North Korea is I think everyone has cyber offensive teams, but rarely are they going around stealing a billion dollars in plain sight. Right. And so it's very impressive. We know that they can do advanced social engineering attacks, but on the other hand, a lot of these things are actually not that complex. It's just a matter of having a lot of eyes on a lot of different protocols. Right. So I mean, even in this case, this was an impressive attack, but ultimately it was, you know, some malware on someone's computer. It was nothing that required, you know, a huge amount of time.
Patrick Gray
That wasn't the bit that we found impressive. The bit that we found impressive is poisoning the JS just for one organization and manipulating the transaction so that it looked really legitimate. They understood the smart contract, they understood the workflows, they understood the multi signing. Like, that's the bit that we find. Yeah, and that's the bit that we find impressive is, you know, the degree to which they understand these processes internally with the, you know, like, ah, chef's kiss.
Jaden Hess
Yeah. And I mean, of course.
Patrick Gray
But I guess, I guess what you're saying, I mean, the question was like, are you learning stuff from these attackers and thinking of new things to think about? And I mean, your answer seems to be not really.
Jaden Hess
I mean, yeah, to some extent.
Patrick Gray
Right.
Jaden Hess
But often it's, you know, the sort of thing that we would find if we did a review. Right. So, like I would say, in this case, yeah, like we said, like basic threat modeling. You know, it's a website. You're pulling it every time you do a signature. That's going to be a threat vector.
Patrick Gray
Yeah. Now, Trail of Bits has been offering services to the sort of cryptocurrency world actually for quite a long time. You know, what are the security services that are most popular? I'm guessing they're more on the smart contract audit side. I know that's a big thing for you. Are you coming in, though, and doing this sort of consulting around these transaction signing flows and all of that, or is it mostly just on the smart contract side?
Jaden Hess
Yeah, so actually I'm on the cryptography team, so I do less of the smart contract auditing, but we do a lot of sort of HSM signing consulting, key ceremonies, the sort of combination of, like, operational concerns and how to use cryptographic tools appropriately. So we have, we've done several engagements that involve some sort of sort of review of signing procedures, key generation ceremonies, that sort of thing.
Patrick Gray
All right, so it's top to bottom. It's, you know, look at the smart contracts, look at the signing procedures, do.
Jaden Hess
The consulting, build the systems, sometimes literally.
Adam Boileau
Yeah.
Patrick Gray
All right, Jaden Hess, thank you so much for joining us on Risky Business to walk through, yeah, what Bybit could have done differently and what should have been done differently. And the answer is, I guess, to both of those questions: well, quite a lot. Great to chat to you and we'll do it again one day. Cheers.
Jaden Hess
Yeah, cheers.
Patrick Gray
That was Jaden Hess there from Trail of Bits. A big thanks to Trail of Bits for being this week's Risky Business sponsor. You can find them at trailofbits.com, but that is it for this week's show. I do hope you enjoyed it. We'll be back real soon with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
Risky Business Podcast Summary
Episode: #786 – Oracle is lying
Host/Author: Patrick Gray
Release Date: April 2, 2025
In this episode of Risky Business, host Patrick Gray delves into significant security breaches affecting Oracle, evaluates Oracle's questionable security practices, and discusses broader cybersecurity news. The episode features insightful commentary from guest Adam Boileau and concludes with a sponsored interview with Jaden Hess from Trail of Bits, focusing on the infamous Bybit cryptocurrency exchange attack.
The episode opens with Patrick Gray addressing two distinct and severe security breaches at Oracle, with Adam Boileau providing an in-depth analysis.
Notable Quote:
Patrick Gray [00:00-03:36]:
“Oracle is having a really bad time because it looks like they've had two breaches... they're spinning hard on this one and kind of veering into outright porky pie lies.”
Following the health breach, another significant incident involves Oracle’s cloud authentication portal.
Notable Quotes:
Adam Boileau [04:28-06:35]:
“They have provided some of this data as evidence of their access... Oracle has flat out said this didn't happen. It's a load of bunkum.”
Patrick Gray [06:35-09:42]:
“Oracle has been having such a bad time... you can't imagine like having a look at the Azure IP space and finding a bunch of like NT4 boxes.”
Patrick and Adam critique Oracle's handling of security, highlighting outdated systems and poor management responses.
Notable Quote:
Patrick Gray [09:35-16:08]:
“Oracle just don't really have great practices. They tend to scapegoat researchers as well... Oracle is a company that does not get it.”
The episode revisits last week’s topic on Signal Gate, exploring the misuse of Signal by high-profile individuals and the resulting security implications.
Notable Quote:
Patrick Gray [19:00-24:33]:
“It's not a good look. I don't think ordinary people quite understand just how, just how sort of reckless all of this has been.”
Coverage of the FBI’s successful efforts to recover a significant portion of ransom paid by Caesar's Entertainment in a ransomware attack.
Notable Quote:
Adam Boileau [31:46-33:23]:
“They managed to track down, seize almost 300 bitcoin... which is like 11ish million dollars.”
The defense contractor Morse Corp faces a $4.6 million penalty for violating the False Claims Act by misrepresenting compliance with security standards.
Notable Quote:
Patrick Gray [34:14-34:39]:
“That would be the false claim part of this.”
GreyNoise reports a significant increase in scans targeting Palo Alto Networks devices, suggesting imminent exploitation campaigns.
Notable Quote:
Adam Boileau [35:24-36:21]:
“Probably precursor to someone dropping some sweet, sweet Palo GlobalProtect VPN bugs.”
Emerging malware exploits a previously patched vulnerability in Ivanti systems, effectively treating it as a zero-day due to its exploitability timeline.
Notable Quote:
Patrick Gray [36:32-37:43]:
“So there was a while back when we talked about it... and it sounds like he probably wanted to keep working on it.”
Aubrey Cottle, aged 37, is arrested in Canada on charges related to hacking activities, including targeting the Texas Republican Party.
Notable Quote:
Adam Boileau [39:05-39:50]:
“...if you're going to shell things and then gloat about it on public social media, I kind of don't know what else you expect.”
Hassan Arshad, a 25-year-old intern at GCHQ, is charged with stealing top-secret data, highlighting insider threats in high-security environments.
Notable Quote:
Adam Boileau [40:25-41:49]:
“...running a large company with a weird insular culture that doesn't listen to anyone else when you also don't really quite know what you're doing.”
The episode features an interview with Jaden Hess from Trail of Bits, focusing on the catastrophic Bybit cryptocurrency exchange breach where $1.5 billion was stolen by North Korean actors.
Notable Quote:
Jaden Hess [43:04-44:03]:
“For one thing, if you're going to have a cold wallet, it has to be offline... someone has connected their cold wallet to an Internet wallet provider.”
Notable Quote:
Jaden Hess [45:06-46:24]:
“...restrict the sort of variety of transactions that can be signed... the wallet needs to be rich enough to display intuitively all of the different effects of a transaction.”
Notable Quote:
Jaden Hess [48:25-51:27]:
“...the typical thing that we would find if we did a review... a lot of these things are actually not that complex.”
Notable Quote:
Jaden Hess [51:45-53:31]:
“...they understand these processes internally with the... the degree to which they understand these processes...”
Patrick Gray wraps up the episode by reiterating the critical takeaways from Oracle’s security failures and the broader implications for cybersecurity practices across industries. The episode underscores the importance of rigorous threat modeling, maintaining updated systems, and fostering a security-first culture to prevent significant breaches.
Final Remarks:
Patrick Gray [54:44-54:44]:
“...thanks for listening.”
For more detailed discussions and security insights, listen to the full episode of Risky Business #786 – "Oracle is lying."