Risky Business Podcast Summary – Episode #787: "Trump Fires NSA Director, CISA Cuts Inbound"
Release Date: April 9, 2025
Hosts:
- Patrick Gray
- Adam Boileau
Sponsored by Yubico
1. Episode Introduction
[00:00] Patrick Gray opens the episode by welcoming listeners to another edition of Risky Business, introducing himself and co-host Adam Boileau. He briefly mentions the upcoming sponsor interview with Derek Hanson from Yubico, focusing on the complexities surrounding passkeys.
2. Oracle Cloud Breach Confirmation
[01:00] Adam Boileau revisits last week's headline about Oracle allegedly lying about a cloud breach, confirming that their analysis was correct.
[01:28] Patrick Gray critiques Oracle's statement, highlighting the risk associated with breaches in obsolete servers, questioning the company's mitigation measures:
"Don't worry everybody. We hashed passwords, so it's fine." ([02:05])
Adam explains that Oracle distinguishes between their "Classic" cloud and the current cloud, emphasizing that the breach occurred in outdated infrastructure.
[03:01] Adam Boileau adds:
"We did not just slap a fresh coat of paint on this very old Solaris box and totally pretend that it's not part of the cloud." ([03:21])
3. Trump Administration’s Shake-Up at NSA and CISA
[03:44] Patrick Gray shifts focus to major administrative changes:
- Timothy Haugh and Wendy Noble have been fired from the NSA.
- Speculation suggests these firings are due to a lack of alignment with MAGA ideologies rather than operational inefficiencies.
[04:49] Adam Boileau comments on the resulting chaos and uncertainty within the leadership of cybersecurity agencies:
"We've seen all the uncertainty around CISA and, you know, the whole thing is just kind of a real mess." ([04:49])
Patrick further discusses the broader implications, including potential leadership replacements like Trae Stephens and Ezra Cohen, hinting at heightened partisanship:
"Project 2025 did outline the splitting of these roles and we're seeing a lot of stuff materialize out of that policy roadmap." ([06:09])
[07:12] Adam Boileau echoes the sentiment, describing the leadership changes as "nutty" and expressing concern over the stability of these agencies.
4. Cyber Attacks and Security Incidents
a. U.S. Treasury Intrusion
Patrick Gray highlights a Bloomberg report about a newly identified intrusion into the U.S. Treasury's Office of the Comptroller of the Currency, linking it to Chinese threat actors:
"This is exactly the sort of thing that CISA is there to cope with and deal with." ([10:21])
Adam agrees, noting the significance of maintaining visibility and defense against such sophisticated attacks:
"This is exactly the sort of thing that… CISA is there to cope with." ([11:02])
b. Signal Gate Incident
Patrick Gray and Adam Boileau discuss the accidental inclusion of Jeffrey Goldberg in a Signal group, attributing it to a mishap with contact synchronization. They emphasize the importance of using secure communication channels for sensitive information.
c. Australian Superannuation Scam
[14:00] Patrick Gray discusses a major scam targeting Australian superannuation funds, likening them to a combination of 401(k)s and Social Security:
"Employers pay into essentially like a mandatory 401k and we call it superannuation." ([15:08])
Adam Boileau analyzes the impact, noting that while the financial loss was relatively low (around AUD 500,000), the incident serves as a wake-up call for enhancing security measures:
"It's a very competitive space and you sometimes, you know, sometimes it's good to have something like this to happen so that regulators can really take a look at what their security controls are like." ([16:32])
5. Ransomware Crew Drama and Cybercrime Underground
Patrick Gray reports on internal conflicts within ransomware groups, mentioning incidents like:
- DragonForce defacing websites such as RansomHub and BlackLock.
- Everest ransomware group experiencing similar turmoil.
He also covers the Media Land leak orchestrated by the Black Basta group, which exposed customer records and hosting data, causing significant interest within the Cyber Threat Intelligence (CTI) community:
"They have just laid out all of that data... it's a gold mine." ([20:33])
Adam Boileau adds context by referencing an earlier takedown of a Siberian bulletproof hosting provider, suggesting these internal conflicts disrupt the operations and data handling within cybercrime networks:
"They are super excited about it, and even if it is just infighting, like normal kind of organic infighting as opposed to being provoked or whatever else." ([21:37])
6. Vulnerability Disclosure and CVE Issues
Patrick Gray and Adam Boileau delve into the complications surrounding the Common Vulnerabilities and Exposures (CVE) system:
- Criticism of the National Vulnerability Database (NVD) managed by NIST for falling behind on data enrichment.
- Example of CVE-2025-22457, a buffer overflow in Ivanti Connect Secure, highlighting the challenges in vulnerability management and disclosure.
[26:10] Patrick Gray laments:
"The National Vulnerability Database... it's been an absolute clown show over there." ([26:59])
Adam agrees, reflecting on the evolution and current state of vulnerability tracking:
"It's a pity how much of a mess it's turned into." ([27:39])
7. Microsoft Patch for Exploited Vulnerability
[28:36] Adam Boileau discusses Microsoft's recent patch addressing a critical vulnerability in the Windows Common Log File System:
"This bug was good. So this is a stack buffer overflow in parsing the X-Forwarded-For header." ([28:58])
Patrick Gray appreciates the thoroughness of Microsoft's response and the sophistication of the exploit:
"It's a really cool bug." ([30:13])
8. Sponsor Interview: Yubico on Passkeys
[40:04] Derek Hanson, Vice President of Solutions, Architecture, and Alliances at Yubico, joins the podcast to discuss the current state of passkeys:
- Evolution of Passkeys: Transition from device-bound to synchronized across keychains via password managers, complicating user experience.
- Security Concerns: Synchronizing passkeys increases the attack surface, potentially exposing key material to malware on multiple devices.
- User Choice and Control: Emphasis on allowing users to manage where their passkeys reside, advocating for hardware-based keys like YubiKeys for enhanced security.
- Enterprise Adoption: Organizations are weighing the benefits of passkeys for phishing resistance against the challenges of key management across diverse ecosystems.
Notable Quotes:
- Derek Hanson on user confusion:
"Users are creating keys and they don't realize that the Apple, the Google, the Microsoft ecosystems may not play the way that they think they should." ([41:25])
- Patrick Gray on security risks:
"My concern with these portable passkeys is the malware risk." ([43:39])
- Derek Hanson on organizational trust decisions:
"Organizations need to be able to make that trust decision." ([47:41])
Summary: The interview underscores the tension between user convenience and security in the evolving landscape of passkeys. Yubico advocates for hardware-based solutions to mitigate risks associated with synchronized passkeys, emphasizing the importance of giving users control over their authentication credentials.
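Derek Hanson's point that replacing a shared secret with a private key makes everything hinge on where that key lives and who controls access to it maps onto two concrete checks a relying party performs. The following is an added example in Go, not code from the podcast or from Yubico: a simplified model of a WebAuthn passkey assertion in which the relying party rejects an assertion whose recorded origin is not its own (the origin binding behind the phishing resistance mentioned above) and reads the backup-eligible flag that synced passkeys set in authenticatorData, turning the organisation's "trust decision" about synced versus device-bound credentials into an explicit policy. The origins, rpID, credential flags and challenge are constructed sample values; the authenticatorData layout and flag bits follow the WebAuthn specification, but attestation, CBOR encoding, the signature counter and the browser's own rpID-versus-origin check are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example (not the podcast's or Yubico's code): a simplified WebAuthn assertion with constructed sample values.

const ( // bits of the authenticatorData flags byte (WebAuthn Level 3)
	flagUP = 1 << 0 // user present
	flagBE = 1 << 3 // backup eligible: the credential may be synced across devices
)

// Passkey is the authenticator side; the private key never leaves it.
type Passkey struct {
	priv  *ecdsa.PrivateKey
	rpID  string
	flags byte
}

// Assert plays browser plus authenticator: the browser records the origin the user is
// really on; the authenticator signs authenticatorData || SHA-256(clientDataJSON).
func (p *Passkey) Assert(origin string, challenge []byte) (authData, clientJSON, sig []byte) {
	clientJSON, _ = json.Marshal(map[string]string{"type": "webauthn.get", // cannot fail for strings
		"challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	rpHash := sha256.Sum256([]byte(p.rpID))
	authData = append(rpHash[:], p.flags, 0, 0, 0, 0) // rpIdHash || flags || signCount (0 = unsupported)
	sig, _ = ecdsa.SignASN1(rand.Reader, p.priv, signedMessage(authData, clientJSON))
	return authData, clientJSON, sig
}

func signedMessage(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// RelyingParty holds the expected origin and rpID plus its trust decision (AllowSynced).
type RelyingParty struct {
	Origin, RPID string
	AllowSynced  bool
}

var (
	ErrOrigin           = errors.New("origin mismatch: assertion was made on another site")
	ErrSyncedNotAllowed = errors.New("policy: backup-eligible (synced) passkeys are not accepted")
)

// Verify runs the relying-party checks against the public key stored at registration.
func (rp RelyingParty) Verify(pub *ecdsa.PublicKey, challenge, authData, clientJSON, sig []byte) error {
	var cd map[string]string
	if json.Unmarshal(clientJSON, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["challenge"] != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("malformed clientData or stale challenge")
	}
	if cd["origin"] != rp.Origin { // origin binding is what makes passkeys phishing-resistant
		return ErrOrigin
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) || authData[32]&flagUP == 0 {
		return errors.New("bad authenticatorData")
	}
	if authData[32]&flagBE != 0 && !rp.AllowSynced { // the trust decision, enforced
		return ErrSyncedNotAllowed
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo returns the RP verdict for four scenarios (nil means accepted).
func Demo() (legit, phished, syncedStrict, syncedAllowed error) {
	challenge := []byte("constructed-challenge-0001") // a real RP draws fresh random bytes per ceremony
	origin, rpID := "https://example.test", "example.test"
	strict, lenient := RelyingParty{origin, rpID, false}, RelyingParty{origin, rpID, true}
	hwKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	syncedKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hw := &Passkey{hwKey, rpID, flagUP}                  // device-bound, e.g. on a hardware key
	synced := &Passkey{syncedKey, rpID, flagUP | flagBE} // synced through a password manager
	a, c, s := hw.Assert(origin, challenge)
	legit = strict.Verify(&hw.priv.PublicKey, challenge, a, c, s)
	// A phishing page can relay the genuine challenge, but the browser records its own origin.
	a, c, s = hw.Assert("https://example-login.evil.test", challenge)
	phished = strict.Verify(&hw.priv.PublicKey, challenge, a, c, s)
	a, c, s = synced.Assert(origin, challenge)
	syncedStrict = strict.Verify(&synced.priv.PublicKey, challenge, a, c, s)
	syncedAllowed = lenient.Verify(&synced.priv.PublicKey, challenge, a, c, s)
	return
}

func main() { fmt.Println(Demo()) }
```

Running the block prints the four verdicts, where a nil verdict means the assertion was accepted. Two caveats a practitioner would add: the backup-eligible flag is self-reported by the authenticator, so a relying party that needs stronger assurance that a key is device-bound must rely on attestation, which this model omits; and choosing `AllowSynced` is exactly the trust decision Hanson describes, trading the recovery and usability benefits of synced passkeys against a larger set of places from which the private key could be read.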
9. Personal Anecdote: Patrick’s Crypto Scammer Encounter
[34:02] Patrick Gray shares a humorous yet insightful story about being targeted by a crypto scammer. The scammer, believing Patrick was a low-profile podcaster, attempts to phish his account but ultimately fails when Patrick reveals the true popularity of Risky Business:
"My podcast says it has two viewers. And then when I tell him it's got like 23,000, which is about the number of downloads that a Risky Business weekly episode gets in its first week." ([37:14])
This segment highlights the pervasive nature of cyber scams and the importance of awareness and skepticism among users.
10. Closing Remarks
[38:34] Patrick Gray wraps up the episode by thanking listeners and mentioning upcoming episodes, including:
- Seriously Risky Business with Tom Uren
- Wide World of Cyber featuring Alex Stamos and Chris Krebs
Patrick concludes:
"Thanks a lot for joining me as always. And we'll do it all again next week." ([38:52])
Adam Boileau echoes his thanks before signing off.
Key Takeaways
- Administrative Turmoil: Significant leadership changes within U.S. cybersecurity agencies raise concerns about stability and direction.
- Cybersecurity Incidents: Ongoing attacks on government and financial institutions emphasize the need for robust defenses.
- Vulnerability Management: The CVE system faces challenges in keeping up with vulnerability disclosures and data enrichment.
- Passkey Evolution: While passkeys promise enhanced security against phishing, their synchronization across devices introduces new vulnerabilities, prompting a renewed interest in hardware-based authentication solutions like Yubico's YubiKey.
- Cybercrime Dynamics: Internal conflicts within ransomware groups offer rare insights and disrupt illicit operations, aiding threat intelligence efforts.
- User Awareness: Personal stories of cyber scams reinforce the importance of vigilance and informed skepticism in digital interactions.
Notable Quotes
- Patrick Gray on Oracle Breach:
"And just for the avoidance of any doubt… there's all sorts of opportunities for a real good time once you're on there." ([02:05])
- Adam Boileau on Leadership Chaos:
"It's a real mess and it's hard to judge what's, you know, how it's all going to shake out." ([04:49])
- Derek Hanson on Passkey Trust Decisions:
"If you replace a shared secret with a private key, everything comes down to where does that private key live and the controls around accessing it." ([48:17])
This summary encapsulates the critical discussions, insights, and conclusions from Risky Business Episode #787, providing a comprehensive overview for those who haven't listened to the full episode.
