Patrick Gray
Welcome to Risky Business. My name's Patrick Gray. We're going to check in with Adam Boileau in just a moment and talk about the week's security news. And then we'll be hearing from this week's sponsor. Toni de la Fuente is the founder of Prowler. Prowler is an open source cloud security platform, which is really awesome. It's also a company. But Toni is going to be joining us later on today just to talk about the latest open source, completely free release of Prowler and some associated tools and like a portal and whatnot. It's very cool stuff. So, yeah, Toni's basically coming along to give you all free beer, so stick around for that one. Very interesting. But we're going to get into the news now, Adam, and we've got a bunch of really awesome stuff to talk about. Let's start with the fact that DDoSecrets, which I guess is, I mean you would call it like a leaks site run by Emma Best. It's Emma Best, isn't it?
Adam Boileau
Yeah, it is, yes.
Patrick Gray
Yeah, run by Emma Best apparently got its hands on 400 gig of like heap dumps from TeleMessage's message archiving servers. They've zipped them up, put them online and if you're a journalist or a researcher, you could write to them and get access to those messages. But who knows what's in there. It seems like it's going to be a can of worms that is going to be opened very shortly.
Adam Boileau
Yeah, yeah, it certainly is. The specific details of how that hack went down have also kind of come out and that's really interesting. Micah Lee did a guest piece for Wired kind of talking through this process and it turns out that the person who, you know, stole message content stole these heap dumps from TeleMessage. The headline is it took 20 minutes and actually now reading the story. Yeah, it really did. This person pointed like a brute force discovery tool that just makes a whole bunch of web requests to a web server and finds endpoints that maybe they didn't think about. The TeleMessage backend is written in Java and they're using the Spring Boot framework. And one of the common misconfigurations in Spring Boot or particularly in old Spring Boot is there is an endpoint that lets you dump the heap memory of the Java process for debugging purposes or whatever else. And in old Spring, this is on by default and not controlled like authenticated by default. And in more recent releases you have to make sure it requires auth. And yeah, somebody found this with a brute forcer and just started scraping memory every few minutes so they would get like, you know, 150 meg dump every time they hit this endpoint. They presumably sat there in a while loop scraping 400 gig of memory out and that's how they ended up getting messages that were going through the server along with creds and all sorts of other interesting bits and pieces in there.
Patrick Gray
Well, the creds bit is interesting, right, because you skipped a part here. And by the way, for anyone who's lost about what TeleMessage is, for those who haven't been following this story, TeleMessage is the Signal clone that archives messages in a very insecure way and was being used by like the National Security Advisor to the United States President and blah, blah, blah, blah, blah. But you missed a part, which is where they went and had a look at like their admin panel, which is secure.telemessage.com and discovered the way that they were handling passwords. And I read this story, I had to read this a couple of times to actually understand what they were saying because I'm like, it just didn't occur to me that it was like as written. But yeah, they're doing client side MD5 hashing of passwords, then submitting the hash, so not even hashing the passwords on the server, which meant that if you scrape a hash out of a heap dump, then there you go, you just use that to log in with.
Adam Boileau
Yeah, the hash is the password.
Patrick Gray
The hash is the password.
Adam Boileau
Yeah, yeah, yeah. Which is the sort of thing you see when you get a developer that is kind of cargo culting security. Like they know they should use hashy something when they're doing password submission, but don't really understand the specifics of why. Yeah, not entirely surprising. But yeah, it does seem that, you know, that piece of software was probably pretty old and you know, there's been a whole bunch of bugs in the Spring framework over the years. But this particular one, like the heap dump endpoint is pretty well known and you wouldn't have to get like, I don't even know if a pen test is necessary to find this. Like, even if you ran some like off the shelf, like, I'm thinking like, this is probably the sort of thing that like, you know, Nikto would have found, you know, like a basic scanner would probably pick it up. So that's pretty embarrassing. And then, yeah, that's of course now turned into, you know, the 400 gig of dumps that DDoSecrets have available for people. So, yeah, I mean, you don't really expect the story to get stupider, but I feel like it has.
Patrick Gray
And yet, you know, we don't know that there are messages from. I mean, there are messages in this dump, obviously, but we don't know that there are any messages from senior government officials. I mean, it's entirely possible that they stopped using this application pretty early on in the piece when someone who knew what they were doing saw the initial story break and then just said, oh my God, stop using that app. So we don't know quite what's in there. It looks like staff at Customs and Border Protection were using it. And indeed the person who obtained this material scraped some creds out of a heap dump and logged into the portal as a CBP staffer. So, you know, there's going to be stuff in there. I also think this is a bold move, shall we say, from DDoSecrets. In fact, you know, when I first saw this pop up, it was very early. I'd just woken up and someone sent me this and I said to you, look, because I thought it was on the open web, I said, look, grab this before it's gone in five minutes from now, you know, because I wasn't thinking clearly. And then I'm like, maybe we don't want this material because it's absolutely radioactive. Of course, I didn't tell you that. And you lodged a ticket to get access to the data, which we have since abandoned. To any authorities listening: we do not have that data. We don't want the data. We're not going to collect the data. But I'm sure, you know, many media organizations are going to go through and, you know, pull out interesting messages that might be newsworthy. From my perspective, I was just more interested to do some secondary reporting around what those heap dumps looked like, I guess.
Adam Boileau
Yeah, like what the software looked like on the inside. And, you know, you can tell a lot from, you know, when you've got a memory dump of the server side, you're going to be able to see a bunch of structural information, you know, and details about dependencies and yeah, it's kind of, you know, it's interesting technical stuff as well as the content that may be, you know, in flight when the dumps were taken.
Patrick Gray
Yeah, I mean, you would have to think that government organizations, particularly like NSA, need to get their hands on this material to see what might have been exposed. Right. Because if media's got it, you know, you got to assume that foreign adversaries have it as well.
Adam Boileau
Yeah, yeah, exactly. And of course, this endpoint has probably been exposed since this thing went on the Internet. So, you know, we've got a series of dumps from May 4, I think was the. Was the date. But, you know, it really could be literally anybody who looked at that thing with a hacker's eye would have probably spotted this.
Patrick Gray
They would have had to have known who was using the app, though, you know?
Adam Boileau
Well, I mean, if you pull the dump out and you had a quick look, you'd be like, huh, this looks kind of interesting. But yes, who was using Telemessage? I guess. Interesting. But given the amount of crypto companies that were using it, makes you think it probably would be a reasonable target for, you know, the people who attack that ecosystem as well as.
Patrick Gray
So I guess. I guess instead of looking at these heap dumps, they need to go back and look at the full archives because they would have those archives because they're Telemessage customers.
Adam Boileau
Yeah. Which, you know, kind of concerning.
Patrick Gray
Indeed. Kind of concerning. That's a way to put it. All right, so the other big news story of the week is an incident at Coinbase where it looks like an overseas-based Coinbase support agent was cooperating with some sort of threat actor and handing over customer data to some extortionist who then tried to ransom it back to Coinbase for 20 million bucks. Now, Coinbase has come out and said, no, we're not going to do that. We'll offer a $20 million bounty to find the people responsible, which I think is fine, you know, good fine. They are downplaying it a little bit in the sense that they're saying, well, this stuff might be used in social engineering. Indeed, it looks like it already has been used in some social engineering incidents. We've got some additional reporting here from Cybersecurity Dive that suggests they've had a look at SEC filings and whatnot. And it looks like this might cost Coinbase anywhere from 180 to $400 million between reimbursements and remediation, which is a fair whack of cash. But the one thing that Coinbase is kind of downplaying is they're saying, oh, there might be social engineering. They're not sort of pointing out that this information is everything that a thief would need, a violent thief would need to go and extract Bitcoin from people who just hold it. Right. Like it's got their names, their addresses and their account balances. Right. And it looks like something like 1% of the company's monthly active users. So there's probably a few whales in there and they are at serious risk at this point, you would have to say.
Adam Boileau
Yeah, it's a pretty strange. I mean, the story is strange on a number of levels. Right. It's strange that we're at the point in our cyberpunk dystopia where private companies are putting up $20 million bounties on people who attack them. I mean, that's kind of funny in itself, but yeah, where we have seen this data used in the past, which is, as you say, for like scam emails. If I send a scam email that says hi, gives you your full name, gives you your account balances, or some kind of information that only the organization you're impersonating would have, it increases the legitimacy of your phishing attempt or whatever else. But that's a whole nother thing. When we're talking about physical attacks in the real world against people who've got immediately transferable assets of millions, hundreds of millions, whatever else, it makes it a very attractive target for physical stuff. And we've seen stories of home invasions, we've seen stories of, you know, people being attacked. And of course there was. Was it. Wall Street Journal had a story about some people getting like. Was like the wife.
Patrick Gray
No, it was the daughter of someone who runs Paymium, which is a French cryptocurrency exchange. Someone, a couple of guys pulled up in a van and tried to abduct her. She was walking down the street with her husband and child. And I mean, it was pretty cool. The husband, like big ups to the husband because he just would not let go. They were beating him over the head and he was bleeding and he just like would not let her go. And they gave up. But you know, this Wall Street Journal piece documents a whole bunch of incidents of this happening, including one of the co-founders of Ledger being abducted along with his partner and actually having a finger cut off. And this is something that has happened multiple times. Like people are actually losing fingers over this stuff. And I'm glad that's not where I store my wealth because the last thing I need is for my details and my balances to be leaked in some sort of, you know, bribery incident a la this Coinbase thing. And then to have a bunch of guys with balaclavas and rubber hoses turn up at my house with a set of bolt cutters to start chopping off my fingers. No thanks.
Adam Boileau
Yeah, yeah, yeah, exactly right. I mean, there's a reason we kind of invented banking, you know, so that you didn't store your gold or your treasure under your bed where people could come in and steal it. And, you know, the crypto ecosystem is very keen that we, you know, do things differently, but there's a reason we kind of do it.
Patrick Gray
Look, I remember 20 years ago interviewing an executive from Commonwealth Bank, which is one of Australia's major banks, and he had a. John Gertz was his name, and he would be long since retired by now, I would imagine, but he was the head of group security. And this is when, you know, digital threats were becoming more of a big deal. And he said something really interesting to me back then. He said, look, banks are security companies. We've always been security companies. The whole point is, you know, you give us your money, we keep it safe. Right? And I think about that a lot. But I want to quote from. There's. Look, I've mentioned on the show in the past there's a terrific newsletter from Bloomberg written by a guy called Matt Levine called Money Stuff. And I'm not particularly interested in finance, but Money Stuff, like Matt Levine is just such a good writer that I read his newsletter because it's often just really hilarious. And he wrote something really interesting on this in an edition this week and we've linked through to it in the show notes. But he said, I think sometimes about the term structure of crypto futures. Buying a bitcoin for delivery in seven months costs about $4,000, or 3.8% more than buying a bitcoin today. Some of that is time value of money. I could get interest on my dollars for the seven months, which is probably less true of the bitcoin. But some of it is what I have half jokingly referred to as storage. If I buy a bitcoin future, I don't have to put the bitcoin anywhere for seven months. If I buy actual bitcoin, I do have to store it. It's not like storing crude oil in that I don't need a big storage tank. The bitcoin is electronic, and storing it just means remembering the password. But it turns out that storing your bitcoins is very expensive. You have to remember the password and pay bodyguards. Similarly, I am perpetually baffled by the fact that MicroStrategy Inc. is a publicly traded pot of bitcoin and trades at roughly twice the value of its bitcoins. But presumably you won't get kidnapped for your shares in MicroStrategy, perhaps that's worth paying a premium for. So.
Adam Boileau
Yeah, I mean. Yeah, amen. Right. There's, you know, considering whole life cycle cost, you know, is a thing that, you know, if I held a lot of Bitcoin, you know, you're not going to sleep well.
Patrick Gray
No, that's right. So yeah, let's just see if wrench attacks start raining down on the Coinbase customers. They're about to go public too. So anyway, what a time. Now let's talk about some more bread and butter infosec here. Tell me about this incident affecting GovDelivery, which is an email alert system used by governments. You know, it looks like someone got their account compromised and it was being used to send scam messages.
Adam Boileau
Yeah, yeah, that's basically the nuts and bolts of it. This company does email delivery for a number of government agencies. I think in this particular case it was the state of Indiana and somehow their user account with the service got taken over and was being used to send spam messages out that were saying, you know, like pay your fines here or you know, give us money in this particular way. Kind of using the reputation of the government as the way to do it. And I thought that was. It's a thing we've seen done before, but it kind of underscores the importance of assuming the identity of, you know, of things that are valid and important and have some reputation these days. You know, you can't just spam people and say you're a Nigerian prince anymore and these days you have to come from a princely house in Nigeria's email domain or something to add legitimacy to it. And we're seeing people do that, you know, the Coinbase example. Exactly. That like getting information to impersonate Coinbase successfully. Same kind of thing here.
Patrick Gray
Yeah. And I think this is another interesting example of where exposure to an extra. Like obviously I would, I would expect that these credentials were phished somehow. Right. From the original user.
Adam Boileau
Yeah, either phished or info stealer. Maybe info stealers. Right.
Patrick Gray
The other, you know, but the amount of risk that you've got to deal with from these external services, like everyone goes, oh yeah, we've got SSO. And then this happens, you know, because it's great for protecting your internal services and some external SaaS. But yeah, you got to sort of cover everything and there's not many easy ways to do that.
Adam Boileau
Yeah, I mean it just underscores that identity really is the critical thing now because everything's so distributed and you can pop up in interesting places in people's, you know, software systems, because they're all on the Internet.
Patrick Gray
Yeah, I mean, gratuitous plug here for Push Security. We've just actually set it up internally to deal with stuff like this. Right. For phishing risk. And it's just, you know, I do sleep a little bit better using it, if I'm honest. What else have we got here? We've got some Telegram related news, actually a lot going on with Telegram at the moment. They've blocked a couple of massive black market services, apparently. So Telegram seems to be playing ball to a degree that it really wasn't before the French put handcuffs on Pavel Durov. They've also released a transparency report where they're talking about how they've coughed up data on more than 20,000 users, which is like, you know, quadrupled or something since the equivalent period prior to that arrest. So it really does look like Telegram's doing stuff now.
Adam Boileau
Yeah, exactly. And about goddamn time. The two services that we were talking about getting shut down on Telegram, one of them is Huione Guarantee, which is the big Cambodian, you know, money laundering front, which is laundering tens of billions of dollars for pig butchering scams. And the other one was Xinbi Guarantee, or Jinbi Guarantee, which is a kind of Chinese language equivalent of that. So those are, you know, on the face of it, looks like a pretty big blow for that pig butchering ecosystem's ability to money launder at scale. Whether there's, you know, a dozen that will pop up, you know, smaller ones that will pop up in their place, we don't really know. But, you know, our instincts about that being the place to hit this particular crime type, I think makes sense. And the fact they're on Telegram, I suppose, is a good sign that, you know, Telegram really was a haven for all manner of criminality.
Patrick Gray
What's been really interesting over the last week is watching Telegram trying to juggle doing things like that, like taking down scam marketplaces and whatnot and coughing up data on criminals, versus watching them having to maintain a very pro-Russian line on things like the Romanian election. Because, you know, before the Romanian election, Durov was saying, oh, the French were telling me to censor conservative voices and blah, blah, blah, blah, blah. Which, you know, you talk to Catalin, our colleague, who is Romanian in Romania, and he's like, yeah, no, that's not really what was going on. There were like disinformation networks and stuff, and perhaps there were a few, you know, users where it's like, okay, these are disinformation things. And you know, this always turns into conservative voices are being silenced when it's some, you know, Russian bot. And now he's like offering to go and testify in EU courts and trying to get the Romanian election overturned because Russia's guy lost. And you know, so it's really interesting, this guy is sort of caught between the EU who will put him in prison or the Russians who will put him out a window. Right. So.
Adam Boileau
I mean, he's bad, so I guess he has to lie. But yeah, I, yeah, I don't envy that choice. It's not good.
Patrick Gray
Yeah, I guess he's got billions of dollars to sort of make up for that, I guess, you know. Now let's talk about some pretty sweet cross site scripting attacks that have been used to do things like set up mail forwarding rules, which I think is, as I say, pretty sweet. Like cookie theft, you know, you need the Drake meme cookie theft, you know, don't want that. You know, using cross site scripting to set up mail forwarding rules and dump inboxes.
Adam Boileau
Yeah, yeah. So this looks like a campaign that is APT28 or Fancy Bear Russians behind it and they've been going around hitting a bunch of open source webmail platforms. So MDaemon, Roundcube, Horde, Zimbra, the sorts of things that if you are not willing to be a Google shop or a Microsoft shop that you end up running because that's, you know, those are the options. In some cases these are bugs that have been around for a long time. In some cases there were slightly different, fresher ones. But yeah, the sophistication of the payload that was being emailed around really is the thing that was interesting here. So you get an email and it gets rendered by the webmail thing in the context of your browser, then it could do whatever it pleases. And in this case they were exfilling your mail spool and then also setting up mail forwarding rules to send your email off to the Kremlin for ingest into their intelligence pipeline, which you know, intelligence agencies love that kind of thing. So, you know, I guess good work, Russians. And if you are one of the people that runs this kind of like, you know, early 2000s era open source webmail software, I mean, you're probably already having a bad time, but it might be worth double checking you applied all the patches.
Patrick Gray
I mean there's a lot of Zimbra out there, man. You know, especially when you think about governments that don't want to pay all of that money, like maybe in lower cost, you know, countries, countries with smaller economies that don't want to just, you know, shovel money at Microsoft or Google. Like they wind up using this stuff. Right. So apparently this was targeting governments in Africa, the EU and South America. And it was APT28. Fancy Bear living up to their name. Yeah, pretty fancy.
Adam Boileau
Solid work, you know, good job. Good job. Russians.
Patrick Gray
Yeah, yeah. Just wanted to mention this one quickly, but we've seen a spate of like four fraudulent tax returns lodged here in Australia based on people getting their like MyGov accounts compromised. Looks like it's pretty small. But I do find it interesting that we've, you know, because a lot of this sort of highly organized scam activity, we don't see a lot of it in Australia, you know, stuff this sort of fraud because we saw them going after superannuation funds not so long ago as well, and now they're going after tax refunds. So don't know how they're going to go. But it's always interesting when I see these sort of headlines pop up in Australia because I wonder if we're about to get smashed with a whole bunch of it or if they're just, just going to, you know, give up and go away because our bureaucracies are as frustrating as everyone else's.
Adam Boileau
That's a good question. We've certainly seen like the scale of tax fraud in the US has been pretty significant and it makes sense. It's a transferable way to turn, you know, personal information or account information into something. I think in the Australian case there's kind of like, there's a central, like what MyGov, like the government identity part of it. And then once you've taken over that account, people can use that to authenticate for other government services like your tax returns. So being able to either cred stuff or info dump or whatever else your way into individuals' accounts and then you go figure out which ones have things that you know how to monetize and off you go. And some of the scale of tax fraud that was being reported, I mean, you know, ten, fifteen thousand dollars, you know, it's not, you know, that's reasonable for a day's work. So.
Patrick Gray
Yeah, but it's not something that's going to cause a massive pile on like when fraudsters really dialed in on their ability to defraud the IRS and they figured out how to basically industrialize the process, like they were off to the races. So that's what I mean about like whether or not they're just going to get bored and go away because it's not worth it and they can pile back into America. Now let's talk about Eric Council Jr. He is the guy from Alabama who did the SIM swap and account takeover of the SEC's Twitter account. And you know, he of course was the guy who posted that, you know, Bitcoin ETFs had been approved, causing the price of bitcoin to rise by like $1,000. Not all that much because I think that news was already kind of priced in. It wound up being announced the next day. Anyway, it looks like he was actually paid to do this. He got paid 50 grand to do it. Yeah, been busted. He's 25 years old and he's been sentenced to 14 months in prison and ordered to forfeit the 50K. I figure this is a pretty good result for him, if I'm honest.
Adam Boileau
Yeah, exactly. Given the kind of high profile nature of this thing. Yeah, I mean, 14 months, probably not too bad. I'm surprised he only got 50 grand for the amount of risk that he was taking. And, you know, clearly he's probably thinking about that as well at the moment. But yeah, it's, you know, I guess it just kind of fits into that bigger picture of, you know, kind of crime as a service in these underground worlds where you can go and buy, you know, in this case, presumably someone paid him to go down to the Apple store, buy a phone, go to the telco office, do the SIM swap, plug it in, retrieve the multifactor auth token that was being text messaged out to the SEC's account and then send it onwards to whoever had paid him to do it. You know, that's, you know, just being able to kind of buy that as a service, you know, is a thing that, you know, when you see the scale of, I'm thinking like scattered spider, that kind of wider crowd. When you see how they can kind of like glue all those bits together, you know, you can see how they end up in Marks and Spencer and in, you know, all these other kind of organizations when you can just go buy these services really easily. So, you know, getting a bit of prison time, I think here is good also good for deterring other people.
Patrick Gray
Yeah, but I mean, it is that, that's the way that whole thing works, right? Which is you've got a problem. Well, I know a guy for that.
Adam Boileau
Yeah.
Patrick Gray
You know what I mean? Like, that's kind of the, that's why it's not so much a group, more of a community, which is like, oh, you know, this guy knows how to do that. Like, let's loop him in. You know, it's very modern, very just.
Adam Boileau
In time sort of structure.
Patrick Gray
Yeah, exactly, just in time. Crime groups. Now, look, speaking of someone who is probably going to have a much rougher time, we've talked about this breach at PowerSchool where someone stole a bunch of, you know, data relating to school children and was trying to ransom it back and they paid and then the data got out there anyway and it's, you know, blah, blah, blah, blah. This guy, Matthew Lane, 19 years old, a guy from Massachusetts, he signed a plea agreement and, you know, he's looking at something like nine years over this thing, which is, yeah, pretty serious. Yeah.
Adam Boileau
And I mean, he got credentials for like, a user account at PowerSchool, logged in and used that to gain access to data and things. So, you know, as. As hacking goes, not really, like, you know, wild zero day, etc. Etc. Etc. Like, we'd like to think pretty boring stuff, but in terms of impact, right? I mean, extorting using the data of what, like 60 million kids or something like that. And whether he did the actual extortion part where he passed on to someone else, we don't know. But, you know, you have to kind of think about what you're getting messed up in, you know, and that prison sentence kind of reflects.
Patrick Gray
Yeah, but he's 19 years old, brain not fully formed. Like, I get it, I get that this is a serious thing. Look, we don't know what his sentence is going to be, but he's agreed as part of his plea agreement, not to challenge a prison sentence shorter than nine years and four months. That's according to this piece here by Kevin Collier over at NBC. But, you know, and I don't think it is clear if he was doing the extorting or not. It's. I don't know, it's just. I hate seeing someone flush their life. Yeah, yeah, you know, over something this dumb. So, yeah, I feel sorry for the person extorting children.
Adam Boileau
It's a funny world somehow, isn't it?
Patrick Gray
Now, let's look at a piece from 7News Australia. And we would actually have to go back to when this guy was 19 as well, or thereabouts, because apparently he's in possession of some bitcoin that was allegedly stolen in 2013 from a French exchange. So the story here is that this guy in Queensland, which is a state in Australia, has had to forfeit $4.5 million worth of stuff. So that's what looks to be a fairly nice house, an AMG E63S, which I got to say, little bit jelly there. I am a petrol head and that's a very nice car. So he's had to forfeit all of this stuff. This is the guy who was previously convicted over the Riot Games hack and now the federal police have sort of gone after him for proceeds of crime, getting him to forfeit all of this stuff, which they say these bitcoins. And he's had to forfeit bitcoins as well. They say these bitcoins are linked to a theft from a French cryptocurrency exchange back in 2013. So they're not actually charging him over that crime, but they're saying that that's where they came from. They're not saying that he stole them, it's just that that's where they came from. These are the proceeds of crime and you need to forfeit all of this stuff. And I just think, wow, you know, like, is he getting off light or is he getting off heavy? I can't figure it out. He's losing all his money, but he's staying out of prison.
Adam Boileau
Yeah. And, well, I guess it's also like how much of that bitcoin, you know, because like, the bitcoin from 2013 is worth quite a lot now. I think they said, what, like, 150 million ish, if you had hodled all of that bitcoin. It's kind of funny that, you know, that you can show up and go, look, you clearly did not earn all of this money. You don't have a way to have, you know, afforded a $4 million, you know, house and car and whatever else. So I guess you better hand it over, son. You know, avoiding jail. If you had stolen $150 million, I think you'd be pretty happy with that as an outcome.
Patrick Gray
Yeah. You know, and to be clear, we do not know whether or not he was. No allegation is being made about whether he actually stole the money. It's just the courts are saying, yeah, you didn't work for this money. But apparently he was. In 2013, he made 32 grand by selling access to inactive League of Legends accounts. So there you go. His claim to fame, full spectrum threat. But yeah, just a fun story there. Now we've got one from the Washington Post which says that Pegasus maker NSO Group's efforts to lobby the US Government to get off various sanctions, trade blacklists and whatnot have not been going so well.
Adam Boileau
No. Apparently a bunch of lobbyists, a bunch of Israelis and their Washington lobbyists were planning to meet some people at the White House to talk about taking NSO Group off the Department of Commerce's entity list. That kind of stops people from doing business with them and there's really a, you know, kind of a black mark globally in terms of trying to do business. So, yes, they were hoping that the Trump administration would look kindly upon them and no, not the case. They have. Apparently that meeting got cancelled or, you know, replaced with something else and yeah, they're going to go home empty handed.
Patrick Gray
Yeah, I think it's sort of like you can still trade, you can still run your business, but it's sort of like trying to swim through honey, you know, when you've got these sort of restrictions on you. It's not terminal, but it's, it's not helpful. It's definitely not helpful. Now, Alexander Martin over at the Record has a report here about a logistics company called Peter Green Chilled, which is apparently some sort of refrigerated logistics company, you know, called cold logistics, a cold supply chain logistics company in England which supplies supermarkets. And there's been some sort of disruption there, but the company says there's been a disruption, but not to its trucking. And it's all a little bit confusing. Pretty light on details, this report, but, you know, you would have to wonder whether or not this clusters together with the other activity we've seen in England recently affecting, you know, companies like Marks and Spencer, the Co-op and Harrods, although Harrods got out alive by the looks of things, after a ransomware attempt. But, yeah, you do sort of wonder if this is part of the same cluster of activity.
Adam Boileau
Yeah. And even if it isn't, in terms of public opinion and feeling kind of about the vulnerability of retail and supply chain in the UK, you know, people got to be feeling a bit worried about. I imagine the government is kind of thinking, what can they do to address this, you know, in a way that reassures people, because consumer confidence is, you know, such an important part of this. It's not just what technically happened, who technically did it, being able to rely on, I can get up in the morning and go to the supermarket and buy milk. That's the thing that people expect of their government. So, yeah, it's been a bit of a mess in the UK retail sector lately and this is not really going to help that.
Patrick Gray
Yeah. Alexander Martin has another one also at the Record about a massive data breach at their legal aid organization, the government legal aid organization there. So it looks like, yeah, all sorts of sensitive data has been coughed up in that one. You know, it's, it's, it's data on everyone who applied for legal aid since 2010.
Adam Boileau
Yes, like the scale of that is pretty bad. They had some kind of. It smells like ransomware. Someone got in, helped themselves to the data.
Patrick Gray
Well, I'd call it data extortion, not ransomware. It irritates me when people conflate those two things. But anyway.
Adam Boileau
But yeah, they were investigating a breach, but then it turned out that actually, yeah, it was more data affected than they thought. And you know, these are pretty vulnerable people. You know, if you're applying for legal aid and it's got details about, you know, your financial situation, the case that you're involved in, all the personal details, like those are people who are, you know, you don't really want them being victimized again. And just, you know, for 14 years, 15 years worth of data, that's pretty significant. So, yeah, you know, I don't know what you do about that. You know, free credit monitoring. I don't know. Great. Yeah.
Patrick Gray
Well, I think this is just one more example of where it is appropriate to get some of the more heavy duty agencies involved in a response.
Adam Boileau
Yeah.
Patrick Gray
You know, you need to at least have a team with the authorities to try to find this stuff and destroy it.
Adam Boileau
Yeah, yeah, agreed. Right.
Patrick Gray
Because even if that means popping a shell on some hacker's laptop so that you can get to it and rm -rf their box.
Adam Boileau
Yeah, that's an appropriate response. That bulletproof hosting provider that was storing a whole bunch of this kind of data, like. Yeah, I mean, whatever gets the job done and gets this stuff, you know, unstolen to the extent that you can cause data to be unstolen, you know, feels like a job for the government because who else can do it?
Patrick Gray
Yeah. Now we're going to wrap up this week's show, Adam, as we often do, by talking about some Ivanti bugs. And a watchTowr write-up again. Very, very entertaining. Take it away, Adam.
Adam Boileau
We have talked about Ivanti so many times. So same company, same product, basically the same bugs as always. There was a bug chain being exploited in the wild to compromise Ivanti Endpoint management platforms that people use for mobile devices or whatever else. Ivanti patched bugs and they said in their patch notes that these were bugs in a third party open source component that they used and the wording of that was very much like, this isn't our bug. We are just, you know, this wasn't our fault. It's kind of what they're saying. watchTowr looked at the patches and actually pulled apart the bug. And it's not really as clear cut as Ivanti would like you to believe. So Ivanti use an open source library called Hibernate Validator and there is a kind of. There was a flaw in the version of Hibernate Validator they were using where it was unsafe to put attacker-supplied data into a particular kind of error message because if you control that data, then you could put expressions in there that would get evaluated and leverage that up with code exec. So they were using this open source library in a vulnerable way and a way that's documented. So that was the first bug, which is kind of more Ivanti's fault than the open source project's bug.
Patrick Gray
Okay, so these are the same bugs that we talked about last week, right? Where they were like, oh, it's an or was. Did that just come up in Risky Bulletin? I can't remember.
Adam Boileau
I think we did mention it last week, I think on the main show.
Patrick Gray
So this is the one where it's like, oh, it's in an open source library, but we're not going to tell you which one.
Adam Boileau
Yes. Yeah, exactly. And then they said there was a second bug that was like an auth bypass that lets you reach this bug. So what they actually mean is they did not put access control on this endpoint so you could show up.
Patrick Gray
Well, that is an auth bypass. Well, no, it's not an auth bypass if there's no auth, I guess. Really?
Adam Boileau
Well, that's the good question. Is it really an auth bypass if there wasn't any auth? And is it the open source library's fault that you didn't put auth on this endpoint? And the answer is no, it's really not the open source library's fault. You did not configure it to have auth. That's not on them. That's on you, buddy. Anyway, so watchTowr have the usual kind of write-up you'd expect from them. Reverse the patch, figure out the bug, come up with a, you know, an exploit for it, a few good comedy memes in the process and, you know, egg on Ivanti's face. I kind of know. I don't know that, like, Ivanti's face is already so covered in egg. What's another egg? But either way, I enjoyed the watchTowr write-up and I feel bad for Ivanti customers.
Patrick Gray
Yeah. And according to a story from David Jones about all of this over at Cybersecurity Dive, these bugs have been added to the CISA KEV list. So good job, Ivanti.
Adam Boileau
Yes, good job. Dear, oh, dear.
Patrick Gray
Well, mate, that is actually it for the week's news. A pleasure to chat to you as always, my friend. And we'll do it all again next week.
Adam Boileau
Yeah, we certainly will, Pat. I'll talk to you then.
Patrick Gray
That was Adam Boileau there with a look at the week's security news. It is time for this week's sponsor interview now with Tony De la Fuente, who is the founder of Prowler. Prowler is a terrifically popular open source cloud security platform. I guess you could think of it a little bit like an open source Wiz where you can fire it up, point it towards your cloud infrastructure and it's going to check for a whole bunch of stuff. I think there's something like a thousand checks and growing and you know, they, they do offer a hosted version of this, but you can just run it, like the whole platform is open source. If you want to run it for free, you absolutely can. Now Prowler just released a new release, a new version of Prowler, of the Prowler platform. And they've also released a couple of new things called Prowler Hub and Prowler Studio, which are both extremely worthwhile additions to the project. So Tony De la Fuente joined me. He was not at home, he was in Madrid. He joined me to talk through the changes to Prowler and here's what he had to say. Enjoy.
Tony De la Fuente
Two days ago we released Prowler 5.6, fully loaded on features, and a few, and two more services products, free products, first of all. Now in Prowler 5.6 we have added a new cloud provider. It's the first time that we add something to monitor that is not a SaaS or infrastructure. Let's say Microsoft 365 is the first thing that we monitor that is a pure SaaS. Right. It's like we have realized that a lot of people are using Microsoft products, and on top of what we already support, like Microsoft Azure, we support Microsoft 365.
Patrick Gray
That is, I mean, it's probably worth pointing out you just started with, you know, like most people in this space. You started with AWS and then grew out from there. Right now it's like all of the big three cloud providers and now you're starting to do the SaaS and the M365 and all of that.
Tony De la Fuente
Exactly. On top of AWS, Azure, GCP and Kubernetes. On any of those flavor of Kubernetes, on top of those cloud providers we have added Microsoft 365 and other providers are new providers are coming. So we are adding security checks and detections for teams. SharePoint of course.
Patrick Gray
What sort of stuff are you checking? Are you just checking for, like, no-auth high-priv users, or what's the idea? Or checking for MFA gaps, things like that?
Tony De la Fuente
Exactly. The security best practices and configurations and we start by those checks that are for security best practices and also covering CIS center for Internet Security, the Level 1 and Level 2 and on top of that we build more controls and remediations. But our baseline, let's say is to support the CIS for any cloud provider. But we have more than cloud security compliance framework supported now.
Patrick Gray
I mean what else is there that will do that for free? Because I can't think. I mean there's probably some obscure tool that I just don't know, but there's not much out there that you can just use to do this, right?
Tony De la Fuente
To secure Microsoft 365 or all the most popular cloud providers. There are not many tools, not either command line or with UI, with an API, with a scheduler that you have to just configure and the platform is going to do everything for you once a day, or you can configure it manually and get insights all the time to see what is your security posture. Right. I don't want to say CSPM because that is very nerdish, but the point is beyond cloud security posture. Now we do also IAM, we do any flavor of Kubernetes, etc. And growing. Because the idea is for Prowler to be the holistic cloud security platform.
Patrick Gray
Yeah, yeah, you want the whole thing, right? And that's cool, I love it. So tell us about. Also there's. I got a note from your team over there and they said you've just launched a couple of things, one called Prowler Hub and one called Prowler Studio. What are these things?
Tony De la Fuente
Yes, Prowler Hub is a service that we realized we needed for our community of users, of course, and customers, which is the main point, to know what Prowler does in terms of detections, remediations and compliance. So Prowler Hub is like Docker Hub for Docker images, but for Prowler artifacts. So you can go to hub.prowler.com and see all our detections, remediations and compliance frameworks by cloud provider, by severity, by categories, etc. So that is the best way to know what you can do with Prowler, of course, but also to learn about security best practices, about remediations, about risk, about severity, and of course about compliance in the cloud.
Patrick Gray
So this is about taking a whole bunch of stuff that was scattered throughout GitHub and putting it in one place and actually explaining what it is.
Tony De la Fuente
Exactly, exactly. Basically this is pulling all the information that actually we have in code, but nice and well explained for everybody.
Patrick Gray
Yeah, exactly. Instead of just like some weird check that someone's committed to GitHub that nobody really explained. Well, exactly.
Tony De la Fuente
It's something that we needed because it's like, okay, Prowler does a lot of cool things. And let's explain, well, in a knowledge base way and in a hub way, let's say, to the community. And the good thing of this is, it's a way to learn about cloud security, because also we are going to highlight, we are highlighting the new checks, new compliance frameworks, where you can get up to date easily, but also every single piece of information that we are showing in Prowler Hub is exposed in a free access API. So for example, if you want to get what is the risk of this problem with this service and this category, you can pull that bit of information and embed it in your own application. So Prowler is the knowledge base and the unique source of truth for cloud security.
Patrick Gray
I mean, that's going to be handy if you want to kick some of this stuff out into a siem, right? And actually be able to have SOC operators click on it and say, you know and understand whether or not it's a big deal or not, because quite often I'm guessing you're going to get like cloud misconfiguration alerts that get kicked to some level. One SOC person who doesn't really understand that what they're seeing is a big deal. Right. Is that kind of why you did that?
Tony De la Fuente
Exactly. What does this do? Right. And to understand what you have to, why this is important, how to perform the remediations. If we have the fixer, the remediation handy, the command to do it. If you have an account in Prowler Cloud, you can run it directly in Prowler Cloud. So it is the knowledge base, let's say the actionable knowledge base.
Patrick Gray
Yeah, yeah, that makes sense. All right, now, Prowler Studio. What's that?
Tony De la Fuente
Okay. Something that we have also realized is that people want to write more Prowler controls, what we call checks. Right. And remediations. With Prowler Studio, it is a command line tool and also a chatbot that you can download, you can use it from the CLI or in a Docker container and create new checks for Prowler. And remember, this is important because this is totally different from Prowler and any other CSPM or cloud security platform. We do checks pulling that information from the cloud provider, not just querying our database. Okay. And this is important because the cloud itself is inconsistent, right? Or. And with Prowler we are pulling that information directly from the cloud provider. So with Prowler Studio you can tell Prowler, hey, I have this issue. I want to know how my security group is configured, or my workload, to make sure that it is secure or not. And Prowler Studio understands that using AI and creates the code for you. The code for Prowler is basically a metadata file in JSON and the Python code itself using the SDK for every cloud provider, which in theory is very simple, but we have created everything around it to give you in some cases the fully working check, but in other cases about 90 to 95% of the code for you to review, test and then run it.
Patrick Gray
It's funny, it's real funny you say that because I was just. There's another company I'm working with and same thing, right? Like they use an AI agent to write Sigma and it gets you 90% of the way there, but you definitely want to have a little bit of a look at it before you throw it into Prod. Right? And this is where AI is at the moment. I think in a lot of these applications is. It's 90% of the way there. But it's not that. It's just that last little bit of quality assurance that's not quite there.
Tony De la Fuente
Yeah, it's not quite there. It's not quite there. And even we have tested many different models and still need a lot of work from our side. I mean, it's like it helps a lot to, to, to do the job for something that you may take. It may take two hours now is going to.
Patrick Gray
But it helps someone who can. It helps someone who can do it themselves do the job when we're there is when it helps an idiot do that job.
Tony De la Fuente
Yeah, that's exactly. So if you don't know about cloud security or the SDK, this is not going to save your day. So you need to know, to know the stuff. Right, but, but this is again, this is from something that took three hours, now is 10 minutes literally. So, and you can create your own custom checks because in Prowler we have our, our baseline foundation of controls, almost a thousand controls that you can see all of them and learn about them in Prowler Hub. But with Prowler Studio you can create your own and contribute them back into Prowler, but also your custom checks, and you can run them with Prowler without having to, you know, push them into the repo or anything. You can use them. That is a feature that is in Prowler from long, long ago. But now with Prowler Studio there is no limit on what you want to check, but also what you want to fix, because Prowler Studio is going to give you the information about how to remediate it. And if you give the proper instructions that you have in the documentation, it can help you also to update or improve existing compliance frameworks. Because this is one of the most challenging parts that we do in, do have in the cloud, is to keep compliance frameworks updated with new services and new threats in the cloud that are growing every day. Right.
Patrick Gray
Well, I got to ask you too at this point, right? Because a bunch of people might be listening to this and going, okay, so he's here to promote a whole bunch of open source stuff, right? So you're basically standing here holding a sign that says free beer, right? And people are like, okay, they're probably thinking at this point, what's the catch, right? Like, where's the business here, Right? Just refresh, you know, for those who don't know, I mean, essentially the idea here is build this thing, make it huge, figure out how to make money out of it later, is the thinking, right?
Tony De la Fuente
Yeah, yeah, basically. So the business model of open source is nothing new. So we are not going to get a Nobel Prize for inventing the business model of open source. This is a matter of helping the community, helping organizations to address their problems. And if you want to do it by yourself, you're welcome. Using the CLI, using everything, maintaining it by yourself, using the whole application, maintaining it by yourself, updating it, making sure it works 24/7 and all the work that is needed to back up all the platform by yourself. Or if you don't want to do it, come to our SaaS platform, to what we call Prowler Cloud, and pay for it. That's simple. That's simple.
Patrick Gray
Yeah, I mean, we should point out too, I would like to point out at least that the SaaS version of this is not expensive.
Tony De la Fuente
It's not expensive at all. So it's really Cheap.
Patrick Gray
Anyone listening to this who wants to do it can just do it, right?
Tony De la Fuente
Yeah. We charge based on resources in two different models. One is scan based results or scan based or resource based. That means that in some cases you do need only to scan once a week, your infrastructure once every twice a week or whatever, and you pay for that. But in other cases you want to make sure everything is scanned and you know how everything is configured every day it's like every 24 hours you get scans or every time that you need to scan by yourself or manual scans because you are doing your fixing, you are doing your hardening, you can do it as well. So it's very flexible and you pay only for the number of resources that you have. That is very, very much how AWS works, right? You pay per use, literally.
Patrick Gray
Yeah, well, and the thing is like you get people on both ends of that spectrum because there's people who are like, well, I just need to do this point in time scan just to check on something and make sure that these other things are working. I'm not going to spin up a whole open source platform to do that. I'll just get my credit card and you know, do this one time scan. So you get people on that end and then you get the other people on the other end who are using it to scan every hour who need high availability and it needs to be robust and reliable and they don't want to do that either. Right. So either way you win. All right, we're going to wrap it up there. Tony De La Fuente, thank you so much for joining me for that conversation. Always great to chat to you and yeah, we're going to check in with you again throughout the year. Thanks again.
Tony De la Fuente
Thank you. Patrick.
Patrick Gray
That was Tony De La Fuente there from Prowler and yeah, Prowler is good stuff. You should absolutely go play around with it. I love personally that it has a command line version that works just the same as the webby pointy clicky version. Which also means that, you know, you can use the hosted version to find problems and then if you need to use like a privileged role to fix the problems, you can just do that from the command line so you don't need to yeet highly privileged credentials into someone else's web application. So yeah, I think that's really cool. And yeah, Prowler is, is a good time. So big thanks to them for sponsoring this week's show. But that is it from us this week. I'll be back soon with more security news and analysis. But until then, I've been Patrick Gray. Thanks for listening.
Risky Business #792 Summary: "Beware, Coinbase Users. Crypto Thieves Are Taking Fingers Now"
Release Date: May 21, 2025
Host: Patrick Gray
Guest: Adam Boileau
Sponsor: Tony De la Fuente, Founder of Prowler
In episode #792 of Risky Business, host Patrick Gray engages in an in-depth discussion with Adam Boileau, dissecting the latest developments in cybersecurity. The episode delves into significant breaches affecting major platforms like Telemessage and Coinbase, explores the evolving tactics of cyber adversaries, and examines the implications of these incidents on both individuals and organizations. Additionally, the episode features an insightful interview with Tony De la Fuente from Prowler, highlighting advancements in cloud security tools.
The episode kicks off with alarming news about DDoS Secrets, a leak site operated by Emma Best, which reportedly obtained 400 gigabytes of heap dumps from Telemessage's message archiving servers.
Patrick Gray [00:00]: Introduces the issue, stating, “DDoS secrets... got its hands on 400 gig of like heap dumps from Telemessage’s message archiving servers.”
Adam Boileau [01:28]: Explains the technical breach: “The Telemessage backend is written in Java and they're using the Spring Boot framework... somebody found this with a brute forcer and just started scraping memory every few minutes.”
The breach was facilitated by an unsecured endpoint in an older version of Spring Boot that allowed unauthorized access to heap dumps, containing sensitive information such as credentials and message content.
Patrick Gray [03:51]: Criticizes Telemessage’s flawed password handling: “They’re doing client-side MD5 hashing of passwords, then submitting the hash, so... you just use that to log in with.”
This vulnerability not only exposed sensitive communications but also highlighted poor security practices, making it trivial for attackers to breach the system and access confidential data.
Implications:
Government Exposure: The leaked data includes messages from government agencies like Customs and Border Protection, raising concerns about national security.
Technical Oversight: The incident underscores the critical importance of securing backend systems and properly configuring frameworks to prevent unauthorized access.
A significant portion of the episode focuses on a disturbing incident involving Coinbase, a leading cryptocurrency exchange.
Patrick Gray [07:00]: Details the breach: “An overseas-based Coinbase support agent was cooperating with some sort of threat actor and handing over customer data to some extortionist.”
Adam Boileau [09:27]: Highlights the severity: “The hash is the password... This information is everything that a thief would need... account balances.”
Coinbase faced a formidable challenge when a compromised support agent facilitated the unauthorized access and attempted extortion of customer data. The breach potentially exposed sensitive information, including names, addresses, and account balances of users, making high-net-worth individuals ("whales") prime targets for further malicious activities.
The conversation shifts to a breach affecting GovDelivery, an email alert system utilized by various government agencies.
Patrick Gray [14:37]: Summarizes the incident: “Someone got their account compromised and it was being used to send scam messages.”
Adam Boileau [15:54]: Analyzes the attack vector: “Either phished or info stealer.”
The compromise allowed attackers to send fraudulent communications leveraging government credibility, enhancing the legitimacy of their scams and increasing the likelihood of successful phishing attempts.
Telegram has recently taken steps to curb illicit activities on its platform.
Patrick Gray [17:14]: Notes Telegram's crackdown: “Blocked a couple of massive black market services... released a transparency report.”
Adam Boileau [17:14]: Adds specifics: “[They] blocked WeDo Guarantee and Zinbi Guarantee, major fronts for money laundering.”
Despite these efforts, Telegram faces criticism for its handling of other issues, such as alleged censorship pressures related to the Romanian election and its stance during geopolitical tensions, particularly concerning Russia.
Adam Boileau discusses a sophisticated campaign by APT28, also known as Fancy Bear.
Targeting open-source webmail platforms like Roundcube, Horde, and Zimbra, these attacks exploit vulnerabilities to steal and forward emails, thereby infiltrating sensitive communications of targeted organizations, including governments in Africa, the EU, and South America.
The episode highlights emerging tax fraud tactics in Australia.
Patrick Gray [21:27]: Reports on increased fraudulent tax returns: “Based on people getting their MyGov accounts compromised.”
Adam Boileau [22:10]: Connects the dots: “These are transferable ways to turn personal information... into something monetizable.”
While currently limited in scale, the potential for widespread tax fraud leveraging compromised government accounts poses a significant threat to personal finances and national revenue systems.
Two notable cases underscore the personal and organizational impacts of cybersecurity breaches.
Eric Council Jr.:
Patrick Gray [23:03]: Explains the incident: “He was paid $50K to perform a SIM swap and take over the SEC’s Twitter account, causing temporary bitcoin price fluctuations.”
Adam Boileau [24:04]: Discusses the sentencing: “He was sentenced to 14 months in prison and ordered to forfeit the $50K.”
PowerSchool Breach:
Patrick Gray [25:19]: Details the breach: “Matthew Lane, a 19-year-old, compromised PowerSchool accounts, affecting data on approximately 60 million children.”
Adam Boileau [26:11]: Comments on the sentencing: “He’s looking at something like nine years over this thing.”
These cases illustrate the severe legal consequences of cybercrimes and the extensive damage inflicted on victims, ranging from financial losses to the exposure of sensitive personal data.
The discussion transitions to another critical security issue involving Ivanti.
Adam Boileau [34:31]: Outlines the vulnerabilities: “There was a bug chain being exploited to compromise Ivanti Endpoint management platforms...”
Patrick Gray [36:05]: Criticizes Ivanti’s response: “They're not going to tell you which one... it’s not an auth bypass if there's no auth.”
The exploitation of open-source components like Hibernate Validator by Ivanti led to unauthorized access and potential execution of malicious code, highlighting the risks associated with third-party dependencies and misconfigurations.
In the sponsored segment, Patrick Gray interviews Tony De la Fuente, founder of Prowler, an open-source cloud security platform.
Tony De la Fuente [38:50]: Announces the release of Prowler 5.6 and introduces new tools, Prowler Hub and Prowler Studio, enhancing cloud security monitoring and compliance checks across various platforms, including Microsoft 365.
Patrick Gray [43:04]: Emphasizes the value: “Instead of just some weird check... Prowler Hub explains what it is.”
Tony De la Fuente [44:14]: Highlights the integration with AI in Prowler Studio: “Prowler Studio understands that using AI and creates the code for you... you can create your own custom checks.”
These tools aim to streamline cloud security management, offering both command-line and user-friendly interfaces to ensure robust security postures across diverse cloud environments.
Episode #792 of Risky Business provides a comprehensive overview of current cybersecurity challenges, from data breaches and cyber extortion to sophisticated state-sponsored attacks. The discussions emphasize the critical need for robust security practices, vigilant oversight of third-party dependencies, and the proactive development of security tools. The interview with Prowler underscores the community-driven efforts to enhance cloud security, offering valuable resources for professionals aiming to safeguard their infrastructures.
Listeners are encouraged to stay informed, adopt best security practices, and leverage advanced tools like Prowler to navigate the ever-evolving landscape of information security.
Notable Quotes:
Patrick Gray [01:02]: “DDoS secrets... got its hands on 400 gig of like heap dumps from Telemessage’s message archiving servers.”
Adam Boileau [03:51]: “They’re doing client-side MD5 hashing of passwords, then submitting the hash, so... you just use that to log in with.”
Patrick Gray [07:00]: “This information is everything that a thief would need... account balances.”
Adam Boileau [14:37]: “Either phished or info stealer.”
Patrick Gray [32:44]: “These are people who you don't really want them being victimized again.”
Tony De la Fuente [44:14]: “Prowler Studio understands that using AI and creates the code for you.”
For more detailed discussions and the latest in information security, tune into Risky Business weekly.