Patrick Gray
And welcome to another edition of the Risky Business podcast. My name's Patrick Gray. We're going to talk about all of the week's cybersecurity news in just a moment with our co-host, Mr. Adam Boileau. And then it'll be time for this week's sponsor interview. And this week's show is brought to you by Yubico, which makes, obviously, the YubiKey. And we are joined by Derek Hanson this week, who works at Yubico. We're going to be talking about all things passkeys, right? Because, I mean, you would have heard Adam and I talking about how passkeys are a little bit confusing to users at the moment, and now they've become this syncable thing that goes into people's keychains instead of into, like, secure enclaves on devices. It's all got a little bit confusing. We're going to talk to Derek all about that after this week's news, which starts now. And Adam, last week's show headline was "Oracle is lying." Guess what? Turns out we were right.
Adam Boileau
Yes. Which is probably good given Oracle's 80% lawyers by volume. But yes, Oracle. Last week we were talking about how Oracle got their cloud, Oracle Cloud, breached. At the time, they were kind of denying it. They've now kind of confirmed that they had a breach. But don't worry, it wasn't in Oracle Cloud. It was in a thing that looks very like Oracle Cloud but is totally not, because it's old.
Patrick Gray
No, I mean, what they said is, don't worry everybody, because a hacker did access and publish usernames from two obsolete servers. So these would be the ones in your cloud you didn't decommission? Is that what you're telling us? But don't worry, because they're obsolete. I mean, this whole thing has been a shemozzle. Yes.
Adam Boileau
Yeah, it has been a total mess. Along with claiming that they didn't get breached because those servers were not really in the main cloud, they also said that the hacker did not expose usable passwords because the passwords that they did get were encrypted and/or hashed.
Patrick Gray
That's my favorite bit. Don't worry, everybody. We hashed passwords, so it's fine. Right. And just for the avoidance of any doubt when we're talking about this, you know, you get into an older, like, legacy machine there, you're probably going to recover some passwords or certificates that you could use on current machines, because it's not like they're going to rotate through absolutely everything during a migration. And you might also find that the box you're on has multiple interfaces and is attached to multiple networks. And there's all sorts of opportunities for a real good time once you're on there. And of course, we're hearing rumors about, you know, pretty current data being passed around. I'm hearing these rumors from, you know, you're seeing them on social media and hearing them from various CTI folks, that, you know, this ain't old data. So I think this story still has a little bit to run, but just wanted to update everyone that Oracle is privately confirming that there has been a breach of an obsolete box in the Oracle cloud that totally is not Oracle Cloud, so hope that clears it up.
Adam Boileau
Oracle Classic is what they say it is. It's the classic one, not the current Oracle Cloud. It looks nothing like it. It just happens to have domain names that sure look like it. But no, it's a totally different thing. And we did not just slap a fresh coat of paint on this very old Sun, you know, old Solaris box and totally pretend that it's not part of the cloud.
Patrick Gray
We got some feedback. I can't remember if it was an email or a YouTube comment, or someone who was very upset that you were, you know, that you were making fun of Sun Microsystems. And I'm like, 'cause Sun was so good back in the day. And it's like, yeah, well, it ain't back in the day anymore, is it? You know, and they're not wrong.
Adam Boileau
Sun was great. It's just. Yeah, it's not 1997 AD anymore.
Patrick Gray
It's not 19 diggity do. So, yeah. Now moving on, other big news that happened over the last week is the Trump administration has fired Timothy Haugh, pronounced Haw or Hogg depending on who you listen to. They fired him as head of NSA. And also the deputy director of NSA, Wendy Noble. So there's the, what's been described to me as the quote-unquote Fox News explanation, which is that the leadership at NSA were reluctant to start targeting Mexican drug cartels. I'm told that's not true and that really, this is just because they are not MAGA. Basically, they got moved on for not being MAGA. Did an interesting interview with Chris Krebs and Alex Stamos yesterday, which I hope to publish this week. That's for the Wide World of Cyber podcast. Chris is of the opinion that, you know, this is a leadership reset. And what they're planning to do is split the role of NSA director and, you know, Cyber Command, the head of Cyber Command. So that's an interesting thought there, but, you know, like, it's just more chaos, isn't it?
Adam Boileau
Yeah, like it has just been all over the place and there's just so much uncertainty about, you know, who's going to be running these organizations. We've seen all the uncertainty around CISA and, you know, the whole thing is just kind of a real mess, and it's hard to judge, you know, how it's all going to shake out. And we just, we just got to ride this, you know, this roller coaster and see where we end up, which.
Patrick Gray
I mean, it's not a great place.
Adam Boileau
To be, especially if you work there.
Patrick Gray
I mean, one of the craziest things about this is apparently Trump did this at the urging of Laura Loomer, who is, you know, a very far-right-wing activist. This is the same woman who sewed a Star of David onto her clothes and chained herself to the front door of Twitter something like a decade ago. So this was apparently her thing. And I read her post about why these people needed to go and it was really the scribblings of a deranged idiot because, oh, they were connected to this person who served on the board of, you know, it was real Pepe Silvia, you know, string on a corkboard sort of stuff. Right.
Adam Boileau
Reminded me of your Atlantic Ocean. Atlantic magazine. Atlantic. Whatever it was.
Patrick Gray
Atlantic Council.
Adam Boileau
Yeah, Atlantic Council. Yes.
Patrick Gray
Dear, oh dear.
Adam Boileau
It's just, it's so dumb. It's just so dumb and I don't know, I'm sorry, Americans, I don't know what you're doing.
Patrick Gray
Well, there's been a couple of names floated that I'm hearing. One is Trae Stephens, who's a co-founder of Anduril, the defence contractor. We're also hearing that Ezra Cohen, who's been kicking around in natsec circles in the US government for quite a while, you know, he's another name who's been suggested. They're, you know, definitely MAGA, so we'll just have to see what happens there. I don't even know what the confirmation process is going to look like once they split these roles. It's all, you know, a little bit confusing. But, you know, again, Project 2025 did outline the splitting of these roles and we're seeing a lot of stuff, you know, materialise out of that policy roadmap. So, you know, I just don't understand why they had to let the leadership go. And you do wonder, yeah, you do wonder what the future direction of NSA will look like under very, you know, hyper-partisan leadership. Let's just put it like that. There's also been a clean-out at the National Security Council. A bunch of staff let go, again, I believe, at the urging of Laura Loomer.
Adam Boileau
It's pretty nutty stuff, you know, kind of having someone with, as you say, like, deranged rantings, deranged ramblings, whatever it was, kind of changing up such important parts of the leadership structure. Like, yeah, I don't know where we're going to head with that. Like, it's just nutty.
Patrick Gray
Yeah, I mean, look, there's plenty of people in the United States who don't feel free to express their feelings about the government there at the moment, which is a very strange place to be. I mean, people in industry are scared that if they speak up against a lot of the things that the administration is doing, that all of a sudden their government contracts will go away, they might get audited by the IRS, and also have mobs of, you know, modern-day brownshirts, you know, sicced onto them. And this is a thing that's happening. Believe me, this is a thing that's happening. People don't feel free to speak. But I think we can say from the safety of, you know, here in Australia that, you know, this is not good and is not well thought through, and things over there just seem to be spinning out a little bit, especially with all of this trade stuff. But look, staying on, you know, intelligence community and sort of cybersecurity-related cuts and changes. Trump is apparently going to cut something like 1300 jobs at CISA. There is some reporting that this is going to affect the threat hunt mission at CISA. I think that's a poor place to cut, if I'm honest. People might think NSA does this sort of stuff, but they only do that on government, on defence networks and on defence industrial base networks. They don't do this sort of work for the civilian government. That is CISA's remit. And do you want to lose visibility there? That doesn't seem great.
Adam Boileau
Yeah, it really doesn't seem to make much sense. And I mean, the numbers that we've been hearing are going to be like half of CISA's workforce, right?
Patrick Gray
Between like a third and a half. Somewhere like that.
Adam Boileau
Yeah, it's a significant whack. And then of course, there's a bunch of external, you know, contractors and people that help them out as well. And it's just really important work that they do. And I, you know, of all of the points in history to cut the ability to find adversaries in your environment, it just seems like a poor choice, you know.
Patrick Gray
Yeah, I mean, look, that said, there's obviously always going to be places you can cut from a government agency which aren't going to result in disaster. I mean, CISA has tried various public-private partnerships and sharing things and stuff that we've seen haven't really worked. Right. So obviously there's, there's. And you know, that's not to cast aspersions on anyone involved in some of those programs. You know, some of them just haven't worked. But you know, if the reporting that I've seen, that this is going to affect threat hunting, you know, is accurate, that is bad. And you know, right on cue we've got this piece from Bloomberg here which is talking about another intrusion at US Treasury which apparently happened in 2023, but has just been identified. This was the, what is it, the Silk Typhoon or whatever, a Chinese group had got into, what is it, the Office of the Comptroller of the Currency at Treasury and observed the email, you know, spied on the email of about 100 staff.
Adam Boileau
Yeah, this is exactly the sort of thing that, you know, CISA is there to cope with and deal with. And I don't know that their threat hunting teams were involved, but it's kind of the sort of thing you would imagine that they would be, in this particular campaign. So we saw the other two intrusions into bits of Treasury, the, what was it, the CFIUS part and the OFAC, the sanctions part. It does seem like this is probably the same bit of, you know, of China's capacity doing this, and this one may have predated some of those based on the timeline that we've seen. So either way, kind of seems like if China is interested in being in there, that the US ought to be interested in keeping them out.
Patrick Gray
Well, yeah, that's how it normally works.
Adam Boileau
But anyway, we are not in normal times.
Patrick Gray
We are not.
Adam Boileau
We are not.
Patrick Gray
We got a little bit of follow-up reporting on Signalgate here too. We're not going to talk about this for very long, but it's just so funny, the mystery as to how Jeffrey Goldberg, who is the editor in chief or whatever his title is at the Atlantic, how he wound up in that Signal group. The Guardian thinks they figured it out and it is absolutely as hilarious as you would think it would be. I mean, the assumption was that someone just added the wrong Jeff. Right. And Goldberg was in one of these people's, you know, address books. Turns out that's not actually how it happened and the real way is just, it's so much funnier.
Adam Boileau
So apparently Goldberg had at some point emailed the Trump admin to ask for comment about some particular story. That request got forwarded around by some staffers and eventually ended up in Mike Waltz's chat by virtue of a block of text being copy-pasted out of Goldberg's email into a text message or something. It sounds like it's the, you know, when you send messages around with iMessage and sometimes it would be like, hey, do you want to update the contact? Because it's got a new picture or a new whatever else. It seems like maybe he got trapped by that, because they copy-pasted the signature block and then it was like, do you want to update it? And he just smashed yes, presumably. And it ended up putting Goldberg's phone number into the address book entry for this, you know, kind of other staffer that had forwarded the message, which, I mean, I can kind of imagine falling for that. Like, it's not.
Patrick Gray
But again, let's just go back to our mantra on this, which is that this is why you don't use civilian systems for these sorts of things, because things like this happening, you know, is a little bit too easy and you just don't want, you know, you can't accidentally add someone to a conversation in a SCIF who's not, you know, also.
Adam Boileau
Yeah, exactly. Ultimately, this is convenience for civilian use, right? This is not for war plan group chat.
Patrick Gray
No, no, I go and have a steak once a week with everybody, my mates around here, just to keep my iron levels healthy and, you know, get out of the house and, you know, everyone's changing their group chat names. I think ours is Houthi PC Steak Chat now, Steak Group. So, yeah, lots of fun. Anyway, moving on, because we've all talked about Signalgate to death. Big news in Australia. Like this was such a big story here, which is that some scammers were targeting our superannuation funds, right? So for Americans, like, our superannuation is like a cross between a 401k and Social Security. So employers pay into essentially like a mandatory 401k and we call it superannuation. It's a pension fund. So everybody has one, right? Everybody has an account, and someone, it looks like they were just using stolen creds from various, you know, data breaches and whatever to, you know, do mass logons and whatnot into these super funds and try to get money out. Now I think the saving grace here is it looks like maybe half a million went missing, which is why I'm surprised it turned into such a big story, because it was everywhere. And I think it's because everybody has one. All of a sudden everybody's worried about their money and, you know, that's what made it such a big news story. But I think the saving grace here is that really, until you turn 60 and you're actually drawing this money out, like, there's not really a lot you can do in most super accounts when you log into them. Like, you can have a look at a couple of statements and whatever, but if you want to do something like transfer to another fund, like, with most of them it's like, you know, you're going to need to fill in a form and that form needs to be processed and whatever. And it's like a pretty clunky administrative process. But that said, you know, I don't expect that it's always going to be that way. And these funds operate on paper-thin margins. Right. 
Because it's a very competitive space, and sometimes, you know, sometimes it's good for something like this to happen so that regulators can really take a look at what their security controls are like and whether they need to be adjusted, regulation-wise.
Adam Boileau
Yeah, it did seem, I was kind of surprised at the numbers being so low as well, given how much, you know, coverage and traction it was getting, because we saw some numbers that said something like 20,000 accounts were targeted. Like, there's a bunch of different providers for this kind of superannuation scheme. And so we got different degrees of information from different providers. Like one provider, AustralianSuper, said 600 accounts were compromised through stolen passwords. But we've seen numbers that are more like 20,000. But as you say, the fact that we only saw half a million dollars actually managed to be moved out suggests that there isn't a great path to rapidly monetizing this, because, as you said, of the, you know, the kind of friction involved in doing something with this money. But it does seem like the superannuation industry in Australia, you know, we've seen some industry bodies and stuff come out and, you know, remind all their member companies to, you know, kind of improve the quality of controls. So I think maybe this is a pretty good wake-up call, and hopefully the, you know, four or five people or whatever that had actual significant money taken, you know, will get reimbursed by the funds or they'll find some way to claw it back. But yeah, it's just that, you know, it's a good reminder, because a service that you don't use very often or access very frequently, plus potentially an older user base, are a pretty ripe target.
Patrick Gray
Yeah, I mean, just to put things into context here, you know, the total amount of funds in Australian superannuation schemes is 4.2 trillion Australian dollars, which is what, I don't know, about US$2.5 trillion. Right. It is a lot of money. It is an incredible target. Everybody's got one. And I think that's probably why this made such big news. And also we saw, you know, a similar story, I guess, here, this one's covered by James Reddick at the Record, which is that the Australian corporate regulator has deregistered 95 companies that were spun up, by the looks of things, to make various scams like pig butchering scams look legit. So, you know, it sort of concerns me when we're starting to see sort of organized crime attempts to start, you know, playing around with our financial system a little bit. You know, like we've seen it happen to the IRS. We see this sort of stuff hit other countries and I just hope this isn't the start of something here, you know.
Adam Boileau
Yeah, well, I mean, hopefully the Australian government's, you know, kind of move towards a little hound release on occasion just to remind people that Australia is not such a soft and easy target.
Patrick Gray
No.
Adam Boileau
Maybe there's some deterrence factor in that. I don't know.
Patrick Gray
When Anthony Albanese, our Prime Minister, was asked about this, he said he'd been informed about the attack and said: "We will respond in time. We're considering what has occurred. But bear in mind the context here. There is a cyber attack in Australia about every six minutes. This is a regular issue. We have beefed up funding for the Australian Signals Directorate. We will have a considered response to it, but the agencies of course will work very strongly on it." So, you know, there you have an example of the leader of a country saying, well, you know, we're going to kick this to ASD and figure out what they want to do. Right. Which is just, you know, this is such a positive development in policy in the last sort of five years. Right. Because this was unthinkable 10 years ago. That ASD or NSA or, you know, Cyber Command or GCHQ or GCSB and the Canadian one. That's always my joke. The Canadian one that I always forget. CSE? Yeah. So the idea that they would be sort of emboldened to, you know, empowered, I'm sorry, to do anything about cybercrime like that was unthinkable 10 years ago. And now, yeah, the Prime Minister comes out and the first thing they say is, well, I guess we'll respond to this with ASD.
Adam Boileau
Yeah, I mean, and I guess that's a. You know, what other options have you got? Because we tried a bunch of other stuff. We tried multilateral, you know, kind of law enforcement. We tried all sorts of international consensus and norms and whatever else. And where did that get us? Not particularly far.
Patrick Gray
But they're having a lot of fun with the rm -rf shark, as we've discovered through various bits of reporting. Now, speaking of drama in the criminal underground, man, there's a series of stories this week like all hell is breaking loose among ransomware crews. There's this group called, what are they called? Dark Something. What are they called? Yeah, DragonForce. DragonForce have owned and defaced, like, RansomHub, Mamona and BlackLock. Now we're seeing the Everest ransomware group's darknet site is offline and has been defaced. Alexander Martin has that report. I'm not entirely sure if that's DragonForce as well. And then we've seen the threat actor behind the Black Basta leaks take down Media Land, which is a major bulletproof hosting provider, and they have just laid out all of that data. So there's all the customer records, all of the data they were hosting, just bang, dump it on the Internet. The CTI people I know, they're wetting their little pants over this because it is the most exciting data drop they've had in ages. And they, you know, I mean, they spend a lot of time just figuring out who's who, and this is a gold mine. So, I mean, obviously it looks like some of this is, you know, red on red, but you got to wonder about some of it, too. I don't know what's happening here. I don't have any information to suggest that there's, you know, any intelligence action here, but I really hope there is, especially on the bulletproof host getting.
Adam Boileau
Yeah, yeah. Because we did see that Australian government takedown of another bulletproof hosting provider in Siberia, wherever it was. We covered that a few weeks ago, and, like, just dumping all of the business records and, you know, who's paying for what, with what cryptocurrency, with, you know, what other payment mechanisms. Like, that's all super useful data for clustering together, you know, some of these actors and their activity. And then also, you know, correlating bulletproof hosted services with who was paying for them, how they're being used. All those, like, it's just a wonderful goldmine and I'm very sure that all the CTI people are super excited about it. And you know, even if it is just infighting, like normal kind of organic infighting as opposed to being, you know, provoked or whatever else, like, we love to see it. Yeah, the Everest ransomware group one that you mentioned. So that one wasn't DragonForce, but the people who defaced their site defaced it with "don't do crime. Crime is bad. Hugs and kisses from Prague," which.
Patrick Gray
Oh, there was a conference happening at the same time, wasn't there? There was a security event happening at the same time.
Adam Boileau
Maybe there was. Yeah. I don't know. It's kind of hard to keep track of, because, like, all this is also, you know, dark websites, and, you know, understanding the authenticity of these things requires a whole bunch of other, you know, like, am I looking at the real one? Was this the one last week? Is it the same one? Is it like. Yeah, this is why threat intel people, you know, are such a crazy bunch when you have to go out and have a beer with them and they're all, like, you know, crazy-eyed, and this is their life, tracking all this kind of underground madness. But you know, it just feels like IRC scene wars from the 90s, which I know is an analogy we've used a lot of times, and, you know, we just love to see it. Like, chaos in these communities is just good.
Patrick Gray
Yeah. Now, I'm not exactly sure precisely what data, like what hosted data. I think I saw some reporting somewhere that hosted data was also exposed, but I'm not sure how that was exposed. I know there was a Telegram channel and, according to this post on X I'm looking at, the leak was published exposing Media Land's backend system. So maybe that's how people were able to access data that was being hosted by their customers. So you would think if it is exposing things like data stolen from companies around the world, you know, exposing that sort of information, I don't think, is something that an intelligence agency, you know, a Western intelligence agency or a Five Eyes agency would do. So, you know, your options here are: it's a CTI person just going rogue and having a good time.
Adam Boileau
Hats off to you, sir.
Patrick Gray
Yes, exactly. It's crime on crime or possibly it's, you know, some operator in a government building with no windows.
Adam Boileau
Yeah, I mean, look. Or, you know, second-order effects from any of those things, like, you know, law enforcement or intel, you know, dumping creds and then somebody else jumping on and, you know, kind of pulling the thread and turning it into a bigger thing. Like, there's just so many ways this can go down and they're all ultimately bad for the underground crime group. So, yeah, I'm here for it.
Patrick Gray
Yeah, it's fun. Now look, last week we actually cut this from the run sheet, which is there were reports of exploitation in a piece of software called CrushFTP. And you know, CrushFTP has been around since what, the Jurassic era? And you just sort of think, well, who cares? But it turns out that CrushFTP is what has sort of evolved. Like, what was the other one? I can't even remember. There was another one with FTP in the name. It was an old FTP which is now like a fully fledged file transfer appliance. And now CISA is warning about this because apparently people do use this CrushFTP file transfer appliance or file transfer software. I had a look at their website. They support a zillion different protocols. Right. You can do, like, SMB over this thing, which is like, oh great, you know. So, yeah, this one looks pretty bad. We've also had a group actually claim credit for this and it looks like they're doing, you know, the same sort of thing that happens with all of these file transfer, you know, server campaigns, which is they grab the data and then ransom it. This one's been claimed by a group called Kill Security.
Adam Boileau
Yeah, this one has been quite funny because of some disclosure drama as well. So the bug in CrushFTP was actually, which is like a, it's like a race condition in the auth process, where basically they have pluggable auth where you can, like, use your Amazon session tokens or whatever to auth into this thing for easy integration. And it was basically a race where you could show up and say, hi, my username is admin and I'm totally going to authenticate to you with this Amazon method. And oh, by the way, sorry, I didn't provide you with that, can you just log me in? Anyway, that's the kind of gist of the bug. A research firm, Outpost24, found the bug, reported it to CrushFTP. CrushFTP asked for, like, a 90-day, you know, kind of pause on disclosure, public disclosure, so they could patch it, notify the customers or whatever. They released a patch without a CVE. So it was, it got allocated the CVE early on, but they kept it quiet because they were trying to, you know, keep the bug quiet for a bit. Somebody reversed the patch, figured out the bug, started exploiting it. Somebody else then applied for another, different CVE because they had seen it in the wild and/or reversed it off the patch or whatever it was. And then there was lots of angry back and forth about that, and it's now turned into a bug that has two different CVE identifiers and is being, you know, used in the wild, and everyone's kind of, you know, a bit confused and upset, I think. So, yeah, a little bit of good old-fashioned disclosure drama.
Patrick Gray
Yeah, we'd love to see it, actually, like, if we're completely honest. Now look, speaking of CVEs, you know, this is something we've talked about a few times over the last year or so, which is, you know, the National Vulnerability Database maintained by NIST. The, you know. Yeah, like, it's been an absolute clown show over there. They fell behind on enriching the data. It got so bad that they had to pause it. Then I think new funding was allocated and they're trying to catch up with this new contractor, and they've basically just given up. They're saying any bug that dates back to, like, before the 1st of January 2018, they're just not going to enrich it, because they've just realized they're not going to catch up. So I mean, yay. What do you even say about that? And you know, this is an important database. Like, it's just, it is, it's such.
Adam Boileau
A, you know, it may seem like a simple thing having consistent naming, but for those of us that remember what this was like before CVE numbers existed, like, back when it was just random posts on Full-Disclosure and random posts on Bugtraq and everybody had their own little tracking numbers and names and whatever else. Like, having a taxonomy for this actually was really useful. And it's kind of, you know, it's a pity how much of a mess it's turned into. And you know, honestly, I'm amazed that NIST still exists at all given, you know, the amount of government efficiency going on. So, you know, I guess the fact that they're still here putting out announcements about giving up on enriching their bugs, I guess means there's still some people there. So that's good news, everybody.
Patrick Gray
We'll take the win. It is funny. You just, like, gave me flashbacks to Bugtraq and Full-Disclosure. And it was funny, right? Because Full-Disclosure was basically unmoderated. These were email lists, for people who aren't old like us. Bugtraq was pretty, like, controlled and, like, low volume, and you would get, you know, details of bugs flowing through it pretty regularly. And full-disc was interesting because it was, like, trolls pretending they had 0day and just, like, doing these really elaborate posts that would, like, take you a while to figure out were wrong. And, you know, posting PoCs which would just rm -rf people's boxes and. Exactly. Backdoored PoCs. And it was fun, right? Like, full-disc was fun, but it got, like, it just got crazy after a while and then just sort of went away, because, you know, if only we had something that was in the middle.
Adam Boileau
Yeah. Something with just. Just enough, you know, drama and trolling to be fun, but not so much that it's completely useless. Like just the middle ground.
Patrick Gray
Exactly.
Adam Boileau
That's what we don't. That's what we want.
Patrick Gray
Now Microsoft has patched a 0day that's being used by ransomware crews. And look, okay, it's a privesc, but it's in the Common Log File System guts of Windows and it is such a cool bug. They have just patched it. Adam, walk us through it.
Adam Boileau
Yes. So they patched this bug, which I would like to note was one of 126 bugs they patched this Patch Tuesday. This one is being exploited in the wild. The Common Log File System plumbing has had so many bugs in it over the last, I don't know, I want to say, like, two or three years. It just seems like every Patch Tuesday has featured a bug in this thing. Anyway, this is a use-after-free memory corruption bug in this log parsing system that people have been using to privesc, which, you know, like, if you're a logging system, you would hope that handling log data and handling the data in a safe way would be a pretty kind of core thing, core requirement. But maybe I'm.
Patrick Gray
It's not like they're doing this anywhere important. Like in a, you know, kernel driver.
Adam Boileau
Yes. Up in very, very privileged context.
Patrick Gray
So they are doing it in a kernel driver. For anyone listening who didn't understand that joke.
Adam Boileau
Yeah, the whole thing is kind of messy. And like, I know not everything can be as simple as like Unix syslog and I understand why Windows logging subsystem is a little bit crazier, but like it's a log system. How could you screw it up, this pet bug?
Patrick Gray
Well, thankfully, thankfully Adam, Microsoft has written a pretty decent write-up on this bug and it's not like single fire super easy to exploit. I mean you got to give the ransomware people credit for researching this one and actually finding it.
Adam Boileau
Yeah, I mean this is legit. Good work all around. Like I appreciate Microsoft actually doing a decent write-up. Like the regular advisory, as usual, has essentially nothing. There's like one line that describes the bug, but they have written up kind of a blog post. The Threat Intel, Microsoft Threat Intelligence team have.
Patrick Gray
Yeah. What's the actual process for exploiting this? It's not like you could just get an application to write to the logging system and you get this. This is not.
Adam Boileau
Like Log4Shell or something. It's not that kind of level of just log a bad string. Like this is a more nuanced memory corruption that you would use for privilege escalation. Like a Windows log-to-shell, Log4Shell. That would be a wonderful thing. Unfortunately this is not it, but maybe one day we'll see one. That would be fun.
Patrick Gray
Yeah, well, you'd hope not, right? Like you'd hope not.
Adam Boileau
Do you, do you.
Patrick Gray
You live in. You live in hope.
Adam Boileau
I know I'm a bad person, Pat. I must confess.
Patrick Gray
I mean, a little, just a little, you have some redeeming qualities. It's fine. Now we're going to talk about a bug that we've already mentioned on the show, which is CVE-2025-22457. And yeah, it's been a bug heavy, bug heavy show this week. But there's a really funny write-up from watchTowr Labs about this bug. So this is the Ivanti. What's the Ivanti Connect Secure, which I think was Pulse Secure before being acquired by Ivanti. I don't even, I can't even keep track. But this was like the straight up, like buffer overflow, like stack overflow bug. And it's interesting, it's got an interesting history though because like the other bug you were talking about a couple of items ago, I don't think anyone was exploiting this until they patched it and someone diffed the patch, found the bug and then hoo boy, it just started going everywhere. But Ivanti talked about this being very sophisticated and that's why watchTowr Labs have written it up. The headline of their write-up of this bug is "Is the sophistication in the room with us?"
Adam Boileau
This bug was good. So this is a stack buffer overflow in parsing the X-Forwarded-For header, which is an HTTP header that you use to record when requests are going through proxies. And they have a thing that parses the IP addresses, the numbers, out of that X-Forwarded-For header. Now, originally, when Ivanti found and fixed this bug, they put out a security update that said this was very unlikely to be exploited. And part of the rationale for that was filtering in the parsing meant that you only had like 0 through 9 and dot, so like valid IPv4 characters, and that they did not think anyone was going to be able to exploit it with that. So they rated it quite lowly, you know, quite, quite a low. Gave it a low rating, shipped the thing and then, yeah, somebody figured it out, presumably reversed the patch or they had it in the wild and found some way to exploit it. And we haven't seen, I have not yet seen an example of what that exploit looks like, but everyone agrees that this is being exploited in the wild and some attackers figured out how to turn this into an actual usable bug primitive despite those restrictions. So that's always a great time. And now Ivanti have to admit that actually this is a straight up pre-auth remote code exec. So maybe not so much of the very low, very low impact variety that they originally reported it as. So that's great fun. I'm looking forward to someone catching the exploit string and reversing it and figuring out, like, how this bug actually worked. I had a quick look in GreyNoise to see if they'd added, you know, caught it in the honeypots yet or anything. Not yet. So I'm hanging out. If any listeners have seen an exploit for this on the wire, I would certainly be keen to have a chuckle.
Patrick Gray
Now we are going to end this week's show, Adam, with something funny that happened to me, which is I was recently targeted by a crypto scammer, right? And it was interesting because this person was obviously English, right? So English accent. They first called me a couple weeks ago. I think I'd had a, like a bit of a barbecue slash party at my place and I was like, packing up. It was the evening they actually rang me and asked for one of my colleagues and I'm like, okay, that's weird. But just by the tone of voice, just by them being a little bit pushy, I kind of. I just got a scammy sense. And of course, after a full day of, you know, celebrating, you know, I wasn't totally locked in on this call. And anyway, I think I just hung up on them. They did call me back though, and it was a two stage scam thing. So there's a, there's a crypto exchange here in Australia called CoinSpot and they did have an incident that leaked a bunch of data a few years ago. One of my colleagues, one of our colleagues had an account there, but for some reason they matched like that account with my phone number. So I'm guessing they were like pulling together different data sources and because we work at the same place, like somehow my number wound up, you know, connected to this colleague's account. So the first call they ring up and the pretext is, you know, your CoinSpot account has been, you know, breached or whatever and there's all this money going to start flying out of it and whatever. So we're just going to send you an SMS where you can enroll in multi-factor authentication. Of course I was already lying saying, oh, not my CoinSpot account, you know, that sort of thing to string this guy along. And then they say, oh, we're going to send you out, we're going to send you an SMS message. It'll have everything in there that you need. So I thought, okay, yep, no worries, see you later, bye. SMS never comes.
Then they ring back for a follow through call and they're like, oh, we've detected that your mobile phone has malware on it. Do you know what malware is? And I'm like, yeah, I've heard of it, you know, sort of thing. And meanwhile I'm in my studio, so I'm recording the guy and I just want to see where the scam's going. And eventually, of course, he spells out a URL that was like, you know, 773256-Coinspot.com or whatever, right? So it's going to take me to a phishing site. So I enter it in. I'm not really worried that they're going to have malware for, you know, fully patched Chrome. That's, that's going to do me. Like, this is clearly a cred phish, right? So I type in the URL and unfortunately it doesn't actually bring up a page because their phishing page had already been squashed. And that's when I decided to tell the guy that I was going to make him famous. So here's a clip of that audio now. No, nothing's loading. So I'm going to stop you and just tell you something funny, which is my, my job is I'm the host of one of the world's most popular cybersecurity podcasts. Is it? Yeah. So I've been recording you the whole time. Looks like this domain's already been flagged, so that's why it's not loading. Which is pretty quick. Yes, there's no. I don't believe you. So the podcast is called Risky Business. Yeah. And you probably got about two viewers, is that correct? No, actually probably about 23,000 a week.
Adam Boileau
And what's it called?
Patrick Gray
It's called Risky Business. Risky Business is that podcast. That's a podcast. So we do cover crypto theft, these sort of scams as well. It's unusual to hear a perfect English accent with someone doing one of them. I'm just lucky last time you called me, I wasn't in my studio. Oh, what a shame.
Adam Boileau
Oh, dear.
Patrick Gray
I mean, just hilarious. I think my favorite part of that is that he's like, doesn't believe me. Trash talks. My podcast says it has two viewers. And then when I tell him it's got like 23,000, which is about the number of downloads that a Risky Business weekly episode gets in its first week, you know, he's like. And what's it called? Like, that's the first time you hear him start to be a little bit nervous. So that was most enjoyable. But there you go. I mean, some of these scammers now, I mean, they, they do not sound like they're coming from a contact center in Burma, I guess is why I wanted to play that for people.
Adam Boileau
Yeah, yeah. I mean, that was a pretty good, pretty believable sounding English accent.
Patrick Gray
So, I mean, well, I mean, it's an authentic accent.
Adam Boileau
Clearly it sounded. Yeah, certainly sounded it. So, yeah, it was just that little pause. You know, you can just see him kind of googling and going, oh, well, it's time for the hang up button.
Patrick Gray
Yes, exactly. And stays on the line a few seconds and you can hear the wheels spinning. I think the only time he sounds nervous is like, like. And what's it called? Just too good. But, mate, we are gonna wrap it up there. That's actually it for this week's show. Thanks a lot for joining me as always. And we'll do it all again next week.
Adam Boileau
Yeah, thanks very much, Pat. I'll talk to you then.
Patrick Gray
That was Adam Boileau there with a look at the week's security news. It is time for this week's sponsor interview now. And this week's show is brought to you by Yubico, which makes the YubiKey. We use them here at Risky Biz, they are a phishing resistant, you know, authentication hardware token. They're fantastic and I think everybody should have one. And we're going to be chatting with Derek Hanson, who is the vice president of solutions, architecture and alliances at Yubico. And we spoke to him about passkeys. You know, you would have heard Adam and I talking about how passkeys, the user experience can be a little bit confusing. And you know, Derek joined me to talk a little bit about that and also about how this sync fabric, like where the YubiKeys. Sorry, not where the YubiKeys, where the passkeys actually live. Are they in secure elements? Are they just in your keychain? Like how are they synced and whatever and how that, that sort of control has been taken away from users a little bit. He makes some really good points in this interview. So I'll drop you in here now where he's sort of explaining the scope of the, of the passkey problem, I guess. Here's Derek Hanson.
Derek Hanson
Ultimately, what people know and what is reality, unfortunately, are not necessarily aligned right now because the way the FIDO ecosystem has developed, we've changed the rules a couple of times. When you used to create a passkey, it lived on your device and it was bound to that device. But now in this new world where you have synchronized passkeys, you're creating a passkey that is actually anchored more to a keychain that is synchronized with your account and your profile. Most passkeys by default right now are getting created in and stored in a password manager, whether it's the iCloud Keychain, you know, in the password solution there, or it's, you know, a third party password manager. Google and Apple are promoting a user experience for consumers that is saying, hey, we need you to store your keychain, your passkeys in our password manager so that you can find them and we can synchronize them for you. And the problem is the users are really struggling to understand, both the technical and the non-technical users. Where did that key go? Where can I access it from and how do I sign in? Because that user experience is very focused on ease of use, single ecosystem.
Patrick Gray
Yeah, ease of use, transportability. But you're right, the rules have changed because I was very excited about passkeys. Like, like I have a reasonable degree of trust in my iPhone and the, you know, secure elements, secure enclave. What do you want? Whatever you want to call it, probably some crypto person is going to write me an email talking about the differences between those two things in a, you know, 2,000 word screed. But anyway, yeah, I mean, my expectation was that that key wouldn't leave that device. And even based on what you've just said, I'm not even sure if that is synchronizing like that. That control seems to have been taken out of the user's hands. Right?
Derek Hanson
Yeah. The user has a lot less visibility as to what choice they're making. I think that is from a Yubico perspective and this is going to sound vendorish, but the reality is we believe users should always have choice as to what they're doing with their keys. If you want to create one on a security key, you should be able to plug a YubiKey in and create it. And that experience should be very low friction as well. And I think where we've gotten into a place is that users are creating keys and I see this actually quite a bit in like the passkey subreddit or you see it with just social interactions with people that find out you're working on passkeys and all of a sudden they've got their latest thing that, you know, I registered a key here, but it doesn't work there because they don't realize that, you know, the Apple, the Google, the Microsoft ecosystems may not play the way that they think they should. We've got a state where users are responsible for managing their passkeys right now. And there is a lot of effort going on to make that ecosystem easier for users, but we've got to quickly make some changes so that we don't start to lose credibility with users in being able to protect the credentials that they're enrolling. Just because if a password ever becomes easier, even if it's a bad security habit, we've lost the war. And so we need to make sure that the passkey is the best user experience, the most secure and the simplest to use, and that the users are placing trust in something that's very real for them that they understand.
Patrick Gray
My concern with these portable passkeys is the malware risk. Like, the whole reason I liked the idea of passkeys on a phone using a secure element and whatever is because, yeah, they're getting stashed, right? Like that key material is stashed, where if there were malware to wind up on my device, that malware cannot get that key, it cannot be extracted. Now when that thing is synchronizing somehow across to my like macOS box, malware on that macOS box could theoretically take control of that keymat. Right. Like that's my issue here. And I don't think people quite realize like what a big difference that is when you start exposing keymat to the OS.
Derek Hanson
Well, it is a big difference. And I will say, you know, because I'm not here to disparage the work that they've done to protect those synchronizing mechanisms because they've done a lot of work to protect them. But the thing that unlocks all of those synchronizing mechanisms becomes your user account that is used as these keys migrate from system to system. And so if you've got your keys that you're trusting that are synced on one device and can now sync down to another transparently to you as a user, that's all secured by however you log into your account. So if your Apple account you've only protected with very basic authentication mechanisms, that now becomes the attack vector to get all of your synchronized keys to your.
Patrick Gray
I will say though, Apple has done more than any other major company, has done an incredible job of protecting iCloud accounts at scale. Like, it is really amazing the sort of work they've done in the background to make sure that if something funny is going on, they'll just lock that account for 30 days. Right. Like, it's amazing. And I can imagine too, like I've got like a modern Mac now, just recently upgraded from an Intel like Xeon, you know, iMac Pro sort of thing, which didn't have like these, this sort of, you know, secure co-processors kind of thing. I'm now on Apple silicon. So I'd imagine that like in their sync fabric they should be able to do some crypto magic to zap a passkey from my phone into a secure element in that computer. But that's, you know, I'm, I'm pure Apple ecosystem, right. And I trust that they're working on the engineering solutions around that right now. They may or may not be there already, but then I'm also a Chrome user and other people use Windows and then the Windows, like Windows runs on a really fragmented hardware ecosystem. And I can't imagine that most passkeys are going to be created, are going to have Apple's team of incredible brainiac engineers working out how to solve this problem because it can't really be approached in the same way. So yeah, this whole idea of syncable passkeys, I think it's a matter of time before we see sort of perhaps keymat being obtained by malware, most likely in the Windows ecosystem.
Derek Hanson
Yeah, we work very closely with a lot of the organizations you just talked about and all of them have brilliant people working on these problems. But it's the cross ecosystem challenges that are going to create user experience issues. And as we try to make user experience better, that's where I think we're going to potentially run into scenarios where synchronized passkeys, those ones that are copied from device to device, are going to be trusted at a different level from the ones that are created in a device that never leave a device. And so I think you'll even see that in some of the guidance that like US NIST has put out around synchronized passkeys, where the idea of passkeys is, yeah, you'll prevent phishing. But now the entire conversation gets focused on what are you doing to manage that private key material.
Patrick Gray
Yeah, if it's copying. I mean, here's the thing, right. I trust the secure processor on my iPhone more than I trust Windows DPAPI. Right. Like that's really what it comes down to.
Derek Hanson
Exactly. And I think organizations need to be able to make that trust decision. And that is to me, that is the big thing that's going on right now is how do I get the right signal to make a trust decision on exactly that. Maybe that's how you feel about it and somebody else feels differently. We need to be able to allow organizations to throw the levers of how their systems work based on where those private keys live. And that is, that's the crux of the issue. If you replace a shared secret with a private key, everything comes down to where does that private key live and the controls around accessing it.
Patrick Gray
Yeah, I mean, look, we should point out too that we're not taking a dump on passkeys because passkeys are leading us to a better place. I mean, Adam Boileau and I have some concerns around the user experience and whatnot, but you know, it's a good thing. I also can't imagine that it's bad for Yubico. Right. Because even though it's like technically a competing sort of technology or a competing approach to solving the same problem, I'm guessing that with like a lot of enterprises looking at passkeys because there's sort of this passkey revolution right now, they might start looking at that for internal authentication or start thinking about getting rid of username, password based auth and code generator auth and whatnot. So they might be looking at that and then saying, oh, maybe we want to go with a hardware key instead, just so we don't have to deal with some of these issues. Is that kind of the experience right now for Yubico as a company? Is all of this actually working out well for you?
Derek Hanson
I actually think, to go back to that foundational point, I actually am not intending to just shred what's going on in the synchronized passkey world because I think it's addressing an availability thing that is a very big concern in a lot of environments. I want to make sure my passkeys are always available. But to the organizations that are looking at, I need to modernize my MFA, I've got a lot of legacy systems that I have not actually pushed into this new phishing resistant world, they are looking at where are those private keys going to live? And we are talking to a lot of organizations that are very concerned about the threats of phishing. Can I trick you into giving access to my synchronized passkeys? That's a whole nother risk that is starting to be evaluated. When you have a key on a device that never leaves, whether it was the secure enclave or a YubiKey or somewhere else, there's a security framework that you can build around that because you have assurances about certain properties. And so yeah, I think we are seeing an adoption of passkeys for the enterprise and a focus on how do I do something bigger than just passwordless. It's like I can get rid of phishing as a problem for my organization, for all of my users and they're going to pick and choose whether it is a passkey in an app or it's a passkey on hardware. And that's going to come down to the app that they're accessing, the data that they're accessing and whatever the user group.
Patrick Gray
Right. As well, which is like this group of users, they're probably okay with a software based passkey. This group of users, not so much.
Derek Hanson
Correct. And I think even, well, even if it's user based, it's also going to be how do I get access to that software based passkey the first time? Because that is a chicken and egg problem. If I get all my passkeys stored somewhere and I go to a new device or I'm trying to register my authenticator for the first time, how do I sign in? A lot of our story for users, sorry, for enterprises, has been that user life cycle is all about how do I trust a device the first time, how do I enable my passkeys to sync to that device. Moving passkeys around is a new identity security event that we are all going to have to start looking at. Just like registering a device to my account is a security event.
Patrick Gray
Yeah. So I guess, I mean, my question was, though, has this movement, I guess, to passkeys, which don't necessarily involve using a YubiKey, has that actually resulted in increased interest in hardware keys? I'm guessing from what you've said, yes, absolutely.
Derek Hanson
Yes. There is a lot of increased interest because people are trying to figure out exactly how do they change their business and where YubiKeys fit in that. And passkeys are becoming a significant component of people's strategies for zero trust or passwordless or these other initiatives that have been going on for a while in their organizations.
Patrick Gray
All right, Derek Hanson, great to talk to you, man. That was really interesting stuff. Pleasure to meet you and we'll chat again soon.
Derek Hanson
Sounds great. Thank you. Patrick.
Patrick Gray
That was Derek Hanson from Yubico there. Big thanks to them for that. And big thanks to Yubico for being a sponsor of the Risky Business podcast. But that is it for this week's show. I do hope you enjoyed it. We're going to be publishing two podcasts tomorrow, Seriously Risky Business with Tom Uren in the Risky Bulletin podcast feed, and also an episode of Wide World of Cyber featuring Alex Stamos and Chris Krebs. But until then, I've been Patrick Gray. Thanks for listening.
Risky Business Podcast Summary – Episode #787: "Trump Fires NSA Director, CISA Cuts Inbound"
Release Date: April 9, 2025
Hosts:
Sponsored by Yubico
[00:00] Patrick Gray opens the episode by welcoming listeners to another edition of Risky Business, introducing himself and co-host Adam Boileau. He briefly mentions the upcoming sponsor interview with Derek Hanson from Yubico, focusing on the complexities surrounding passkeys.
[01:00] Adam Boileau revisits last week's headline about Oracle allegedly lying about a cloud breach, confirming that their analysis was correct.
[01:28] Patrick Gray critiques Oracle's statement, highlighting the risk associated with breaches in obsolete servers, questioning the company's mitigation measures:
"Don't worry everybody. We hashed passwords, so it's fine." ([02:05])
Adam explains that Oracle distinguishes between their "Classic" cloud and the current cloud, emphasizing that the breach occurred in outdated infrastructure.
[03:01] Adam Boileau adds:
"We did not just slap a fresh coat of paint on this very old Solaris box and totally pretend that it's not part of the cloud." ([03:21])
[03:44] Patrick Gray shifts focus to major administrative changes:
[04:49] Adam Boileau comments on the resulting chaos and uncertainty within the leadership of cybersecurity agencies:
"We've seen all the uncertainty around CISA and, you know, the whole thing is just kind of a real mess." ([04:49])
Patrick further discusses the broader implications, including potential leadership replacements like Trey Stevens and Ezra Cohen, hinting at heightened partisanship:
"Project 2025 did outline the splitting of these roles and we're seeing a lot of stuff materialize out of that policy roadmap." ([06:09])
[07:12] Adam Boileau echoes the sentiment, describing the leadership changes as "nutty" and expressing concern over the stability of these agencies.
Patrick Gray highlights a Bloomberg report about a newly identified intrusion into the U.S. Treasury's Office of the Comptroller of the Currency, linking it to Chinese threat actors:
"This is exactly the sort of thing that CISA is there to cope with and deal with." ([10:21])
Adam agrees, noting the significance of maintaining visibility and defense against such sophisticated attacks:
"This is exactly the sort of thing that… CISA is there to cope with." ([11:02])
Patrick Gray and Adam Boileau discuss the accidental inclusion of Jeffrey Goldberg in a Signal group, attributing it to a mishap with contact synchronization. They emphasize the importance of using secure communication channels for sensitive information.
[14:00] Patrick Gray discusses a major scam targeting Australian superannuation funds, likening them to a combination of 401(k)s and Social Security:
"Employers pay into essentially like a mandatory 401k and we call it superannuation." ([15:08])
Adam Boileau analyzes the impact, noting that while the financial loss was relatively low (around AUD 500,000), the incident serves as a wake-up call for enhancing security measures:
"It's a very competitive space and you sometimes, you know, sometimes it's good to have something like this to happen so that regulators can really take a look at what their security controls are like." ([16:32])
Patrick Gray reports on internal conflicts within ransomware groups, mentioning incidents like:
He also covers the Media Land leak orchestrated by the Blackbasta group, which exposed customer records and hosting data, causing significant interest within the Cyber Threat Intelligence (CTI) community:
"They have just laid out all of that data... it's a gold mine." ([20:33])
Adam Boileau adds context by referencing an earlier takedown of a Siberian bulletproof hosting provider, suggesting these internal conflicts disrupt the operations and data handling within cybercrime networks:
"They are super excited about it, and even if it is just infighting, like normal kind of organic infighting as opposed to being provoked or whatever else." ([21:37])
Patrick Gray and Adam Boileau delve into the complications surrounding the Common Vulnerabilities and Exposures (CVE) system:
[26:10] Patrick Gray laments:
"The National Vulnerability Database... it's been an absolute clown show over there." ([26:59])
Adam agrees, reflecting on the evolution and current state of vulnerability tracking:
"It's a pity how much of a mess it's turned into." ([27:39])
[28:36] Adam Boileau discusses Microsoft's recent patch addressing an actively exploited use-after-free in the Windows Common Log File System, then the Ivanti Connect Secure bug (CVE-2025-22457):
"This bug was good. So this is a stack buffer overflow in parsing the X-Forwarded-For header." ([28:58])
Patrick Gray appreciates the thoroughness of Microsoft's response and the sophistication of the exploit:
"It's a really cool bug." ([30:13])
[40:04] Derek Hanson, Vice President of Solutions, Architecture, and Alliances at Yubico, joins the podcast to discuss the current state of passkeys:
Notable Quotes:
Derek Hanson on user confusion:
"Users are creating keys and they don't realize that the Apple, the Google, the Microsoft ecosystems may not play the way that they think they should." ([41:25])
Patrick Gray on security risks:
"My concern with these portable passkeys is the malware risk." ([43:39])
Derek Hanson on organizational trust decisions:
"Organizations need to be able to make that trust decision." ([47:41])
Summary: The interview underscores the tension between user convenience and security in the evolving landscape of passkeys. Yubico advocates for hardware-based solutions to mitigate risks associated with synchronized passkeys, emphasizing the importance of giving users control over their authentication credentials.
[34:02] Patrick Gray shares a humorous yet insightful story about being targeted by a crypto scammer. The scammer, believing Patrick was a low-profile podcaster, attempts to phish his account but ultimately fails when Patrick reveals the true popularity of Risky Business:
"My podcast says it has two viewers. And then when I tell him it's got like 23,000, which is about the number of downloads that a Risky Business weekly episode gets in its first week." ([37:14])
This segment highlights the pervasive nature of cyber scams and the importance of awareness and skepticism among users.
[38:34] Patrick Gray wraps up the episode by thanking listeners and mentioning upcoming episodes, including:
Patrick concludes:
"Thanks a lot for joining me as always. And we'll do it all again next week." ([38:52])
Adam Boileau echoes his thanks before signing off.
Patrick Gray on Oracle Breach:
"And just for the avoidance of any doubt… there's all sorts of opportunities for a real good time once you're on there." ([02:05])
Adam Boileau on Leadership Chaos:
"It's a real mess and it's hard to judge what's, you know, how it's all going to shake out." ([04:49])
Derek Hanson on Passkey Trust Decisions:
"If you replace a shared secret with a private key, everything comes down to where does that private key live and the controls around accessing it." ([48:17])
This summary encapsulates the critical discussions, insights, and conclusions from Risky Business Episode #787, providing a comprehensive overview for those who haven't listened to the full episode.