
Patrick Gray
Welcome to Risky Business. My name is Patrick Gray. We've got a great show for you this week. Adam and I will be chatting through all of the week's news in just a moment. And then we'll be hearing from this week's sponsor. And this week we're chatting with Matt Muller from Tines. Matt is the field CISO over there and he's going to be talking to us about an open letter written by the JP Morgan Chase CISO Patrick Opet, I believe his name is. And he wrote this open letter basically saying that SaaS providers need to get their act together. What I find funny about this letter is it could have been a letter from 20 years ago talking about, like, on-prem people and how they need to get their act together. So that's me, just old man yelling at cloud for a moment. But yeah, that one is coming up later. Before we get into the news though, I just wanted to mention a couple of things. First off, Casey Ellis, the Bugcrowd founder, he's done an interview for us in the Risky Bulletin feed. He sat down and had a chat. It was a sponsored segment with HD Moore all about runZero and why they're integrating the Nuclei open source vulnerability scanner into their tech. So that's Casey's first interview with us and we hope he's going to do a bunch more. So that's pretty exciting. And I also wanted to mention something that I forgot to mention last week when we had Haroon Meer on the show, which is that Thinkst Canary is now 10 years old. So there you go. How time flies. So happy birthday, little birdie. Well done. But Adam, let's get into the news now. And this first story, it's funny because it's actually turned into a thing, right? Like everybody's talking about it. A bunch of companies, including, like, what is it, like Google and CrowdStrike and whatnot, have got together and agreed that they're going to spin up, like, a database of threat actor names so that we're all on the same page.
Now this has been a problem for a long time when we're dealing with, you know, this threat actor, is it a fuzzy lizard? Is it a twinkly hurricane? Or is it UNC 59612 1385? You know, threat actor naming is a mess. But every time we've seen someone try to deconflict this stuff, it winds up being a huge argument because people will say all these two groups are the same. And then all the CTI people start arguing and saying, no. They're an adjacent group and this one just used a bit of their infrastructure and blah, blah, blah. Why do we think it's going to be different this time?
Adam Boileau
I mean, I think the answer is probably we don't. I mean, there is a little bit of, you know, it's a bunch of companies. There's Microsoft, CrowdStrike, Palo Alto and Google. So that is a big group of them, at least. And maybe there is some reasoning, you know, for it this time around. But honestly, I don't think that I particularly feel like it's going to go super well. It's not like they're making yet another taxonomy, so that's good. They didn't agree, like, we're just going to make new names for everything, so then we'd have an extra name to track. So they are at least going to publish some documents describing how their individual naming conventions overlap with each other. Now, how useful that's going to be and how much is just going to devolve into, as you say, a bunch of threat intel people having fisticuffs at dawn about whether or not winter is a real thing. You know, I'm not sure it's going to be super helpful. But on the other hand, I mean, the amount of times on this show, like, in preparation for the show, I've had to Google, like, is this group this group? Or we've had to, like, you know, phone a friend, ask Dmitri, like, hey, Dmitri, do you remember that group called Bloody Blow? Is that the same or is that part of GRU or were they part of, you know, because trying to understand, like, when we're doing, you know, a conversation about it, and we want to be able to say it was the Chinese MSS and we don't care that it's, you know, as you say, a furry this or a fuzzy that, you know, or an APT41 or whatever. So it would be useful to have a central kind of document repository that covers these things. But I'm not, you know, I mean.
Patrick Gray
I think it's going to work for some stuff, right? Like for some crews. But like, when you've got everything from, you know, APT1, which is also unit 21398 of the PLA and, like, that's their official designation, other people call it different, it just starts getting a bit confusing. So I think for some of the major groups it'll work, but I don't know how useful it's going to be around the edges, because these companies need to talk to each other as well to make sure that they're talking about the same people. And I don't know how that's going to work, but I don't know. We're cynics. This could work. I think though, you know, Chris Krebs and I spoke about this in Sydney when we recorded that live podcast. And you know, he's got a beef with the way these groups are named because, you know, you've got a news anchor talking about some nation state actor targeting US critical infrastructure and it's like, we've been attacked by a fuzzy lizard, you know, and we're not serious people, right?
Adam Boileau
So it undermines the gravity of the situation somewhat.
Patrick Gray
And then you look at some attributions which aren't really attributions. This actually came up for us last week because we spoke about a Scattered Spider-like group that is targeting domain registrations, or targeting DNS to change MX records and then, you know, onto full enterprise takeover. And that was based on what your former colleagues at CyberCX were saying. And I got a call from one of the guys, he's like, well, I got an email and I called him back, but one of them was saying, well, you know, you put, oh, it's Scattered Spider doing this in the headline and it's really just, you know, similar in terms of TTPs. And then that sort of led to a conversation of, well, what even is Scattered Spider? You know, is Scattered Spider a group or is it a collection of TTPs that emanate from one community? And wouldn't we think these actors have a foot in that community anyway? So doesn't that make them fit the TTPs which are the attribution? I don't know, it just gets very confusing. And I'm not tremendously hopeful that this will solve the entire problem. But look, I mean, it's a positive, right?
Adam Boileau
I mean, you know, it is stupid how many names we have for these things and keeping track of them is a pain. So if it improves that, then great, you know, whether it can get past the, you know, hoarding of information by individual companies that need to protect their own sources or their own customers or their own turf or whatever else. And then I think...
Patrick Gray
We're probably past that part of it, I think.
Adam Boileau
I mean, I hope, right? I sure hope so. But yeah, you're right. It's not as clear cut as this is a unit of the PLA. Like, when you're dealing with something like Scattered Spider or a bunch of kids, or a bunch of kids that sell access to, you know, state groups or like, it all gets very, very murky once you start trying to over-taxonomize this kind of stuff.
Patrick Gray
So yeah, also that was not a criticism of the guy at CyberCX who was just a bit trepidatious about a headline saying that it was Scattered Spider. Because he's like, well, we don't, you know, we haven't quite made that attribution. It's like, well, I mean, we were clear in that.
Adam Boileau
Precise. Yeah, good.
Patrick Gray
But I mean, in the show we were precise. But that led to that conversation of, well, what even is a Scattered Spider? Which is, you know, depressingly enough, a fair question. Now look, this is just a, I guess it's not really a cybersecurity story, but it's great to have an excuse to talk about it. We've got a report here from 404 Media from Matthew Gault, looking at the open source software that powered those Ukrainian drones that blew up a bunch of Russian airplanes a couple of days ago. You know, I'm guessing most people who listen to this would have seen that news where the Ukrainians managed to smuggle a couple of trucks, a few trucks, into far-flung places in Russia, like as far north as Siberia. And at a certain time the roof of the trucks popped open and a bunch of drones flew out and started blowing up Russia's long range strategic bombers. You know, the Ukrainians say they killed 40 of these planes, which can't be replaced, mind you. They're Cold War production. You know, the true number is probably substantially less than that, but more than what the Russians are saying, which is like eight. I'm going to go with 20. Just, you know, gut feel and rumours of, like, some very valuable defence material being blown up. But it turns out, you know, chances are these drones were running a piece of software called ArduPilot, which you're familiar with, Adam.
Adam Boileau
Yeah, so it's an open source flight control firmware for drones, for UAVs and things. And then also, like, ground station software and all of the comms mechanisms, that kind of thing. And actually I had a drone that ran that stuff. The original developer of ArduPilot actually used to, I think, be the editor in chief of Wired.
Patrick Gray
Yeah, Chris Anderson. He left in 2012 to found a company, was it 3D...
Adam Boileau
3D Robotics, that made, so I had a 3D Robotics drone, which is kind of where I knew the stuff from. And yeah, like, it's good quality open source software. And I think he was posting on maybe LinkedIn or something saying, oh look, that's my software, you know, guiding these drones onto Russian Backfire bombers or whatever else, which, you know, I know a lot of open source developers that do feel funny about seeing some of their, you know, their code pop up in military applications or other strange places. But yeah, he doesn't seem upset.
Patrick Gray
He doesn't seem upset.
Adam Boileau
He doesn't seem. Well, I mean, part of the pitch of 3D Robotics, the drone company, was to be a domestic US drone manufacturer that didn't rely entirely on overseas everything. And then they pivoted actually into selling drones into the national security space. So like, you know, take from that what you will, I suppose. But yeah, just kind of funny that, you know, all of this open source stuff, you know, very low cost software and hardware, you know, being used to take out very, very expensive, I imagine old Russian, you know, Cold War, as you say, Soviet era military hardware.
Patrick Gray
Well, it's like the meme, we can't even build this anymore. You know what I mean? Like, that's the issue with those planes that have been destroyed is that they don't have the ability to replace them. So, I mean, what I find fascinating about this is, as you say, it's these modern, essentially toys, you know, running open source software that are being used to hit one of the legs of Russia's nuclear triad, which is just amazing. And there's a bunch of people listening to this show who work in the national defense space who have to think about this now and...
Adam Boileau
Well, yeah, yeah, yeah, exactly, right. It's pretty serious business because, I mean, you could also imagine this being scaled up into terrorist operations, for example. I mean, there's a lot of planes, you know, sitting around in airports. You know, you could do similar things to civilian aircraft or other infrastructure. There's a lot of lessons to be learned from the Russia-Ukraine conflict and very few of them are about the cyber war like we were expecting. And Between Two Nerds has opined at length about how useless, you know, the cybers have been. But there are certainly a lot of lessons to learn from other aspects of this conflict.
Patrick Gray
Yeah, and I mean, we are talking about, you know, commodity open technology. I mean, it's hard to think through the steps of what the national defence implications of this are because I had one person say, oh, it could be used for terrorism. And I'm like, look, you know, the Oklahoma City bombing was a truck bomb. You know, you don't need to get fancy, you need explosives. And that's where a lot of the counterterrorism efforts focus is trying to detect when people who shouldn't have them are, like, pulling together, you know, large quantities of explosives and whatnot. But when it comes to, you know, countries trying to do this to you, like state adversaries, you know, it's certainly something to think about. Moving on. And this one is interesting. Again, not necessarily a cyber story, but definitely ties into the sort of stuff we talk about, which is Der Spiegel and Danwatch managed to pull together a whole bunch of public documents that gave staggering insight into Russia's nuclear program and the modernisation of its nuclear program, you know, various underground facilities and whatnot. And they were able to do this by siphoning off, like, tender documents from public sources. This is despite the Russian government passing a law in 2020 that asked construction companies and stuff to stop publishing sensitive material into public tender documents. But they sort of didn't do it. And this is the result.
Adam Boileau
Yeah, they appear to have been scraping some of these Russian government procurement systems for quite some time and extracting the documents and analyzing it. And they've got, you know, all sorts of details about, you know, the construction specifics of, you know, nuclear missile silos and air bases and, as you say, underground facilities that are being built to connect these things together, and, you know, details about just sort of, you know, pattern of life stuff, I guess, like where do the soldiers sleep, how do they get in and out? There's some details like what do the signs on the walls say? And so this is all, I imagine, pretty interesting stuff. And, you know, I'm sure if you were, like, American defense establishment, you probably got this kind of intel already. But, you know, having it just out there in public places for people to rummage around and find, I mean, that's a very 2025 kind of story, isn't it?
Patrick Gray
Yeah, it sure is. We've also got this piece from New Lines magazine to talk about this week and, look, honestly, from the perspective of someone who reports on cyber security stuff and, you know, cyber-enabled intelligence, it's not a great story in the way it's constructed, because it has looked at this dodgy app that was promoted to Syrian soldiers, like, six months before the regime there collapsed. And it seems clear that whoever was promoting this app and getting Syrian soldiers to install it on their devices was using it as a means to collect intelligence. The story sort of intimates that this helped accelerate the fall of the regime. But then it doesn't even really make an effort to understand the attribution here, like, who was behind this app? Was it Americans? Was it the Israelis? Was it HTS? They don't really have any answers there. And yet the story does really try to link the use of this app, or the spread of this app, to the downfall of the Syrian regime. So I don't think it sheds any light on the actual interesting things here. It strikes me as a reporter who doesn't know a tremendous amount about this sort of stuff getting a bit excited when discovering this story. But nonetheless, it is interesting to see, you know, reports of an app like this spreading amongst the rank and file in Syria with a decent enough lure.
Adam Boileau
Well, that's the thing that I found interesting about this, is that the lure is pretty good. So the trick here was this app was promoted as kind of being related to, like, a humanitarian, I guess, humanitarian organization run by Bashar al-Assad's wife, the Syria Trust for Development. And part of the shtick of this is that it would kind of offer small financial, like, subsidies or payments to, you know, people who are in need or whatever. And if you were, you know, a defender of the regime, you could kind of sign up for this, fill in a bunch of forms explaining what you were and which units you were in and what you're doing, what your rank was, all that kind of very useful data, at the promise of, you know, some relatively small payments being sent to you via, you know, some app payment system in the country. And it was a little bit unclear from reading if people were getting these cash transfers. It does seem like maybe they were. And so basically paying people to install these apps on their phones and then it would drop a, you know, off-the-shelf Android remote access Trojan so that the attackers had a bunch of details about the users from the signup process and then access to their devices, which then, you know, then what? The "then what" part of the story is not particularly clear, but the idea of just straight up paying, you know, a foreign military to install your app, you know, with a convincing enough lure like that, that makes total sense. And why wouldn't you do that?
Patrick Gray
So, yeah, I mean, I think the main thing here though is that the average rank and file Syrian army soldier probably wasn't getting paid properly at all. And, you know, this is just the sort of thing that's going to happen when you've got an army being asked to do horrible things and not really paid for it, like...
Adam Boileau
Yeah. And plus, you know, horrific amounts of inflation, meaning that salaries are worthless, and, you know, endemic corruption. Some of the stories here around, you know, like, army leadership selling material or selling supplies that the soldiers would normally get, to kind of line their own pockets. In a military where those sorts of things are happening, the idea that people would install a random app and give up their details for 40 bucks, yeah, not exactly a surprise. But also that's not the sort of army that's going to win a war. So, well, linking, yeah, you know, cyber to this seemed like a bit of a stretch given all of the other things that were going on.
Patrick Gray
Yeah, well, let's see. You know, now that this initial report is out there, we might discover more in the future. Who knows? Now something a little bit more bread and butter. This one's interesting. This seems to me to be a case of a scammer who, like the dog who caught the car, kind of thing.
Adam Boileau
Exactly.
Patrick Gray
This is how this reads. Federal authorities in the United States are investigating an effort to impersonate the White House Chief of Staff, Susie Wiles. And it looks like what happened is someone managed to obtain her address book, her contacts, and has then been using, like, deepfake audio to try to talk to some of these contacts. But really, like, low effort stuff, like ringing from a different number saying, hey, it's Susie Wiles here, can you send me some money? Kind of stuff.
Adam Boileau
So I'm stuck in Venezuela and I have lost my passport.
Patrick Gray
Exactly right. So this is, like, low effort scamming that just happened to have hit someone, you know, where there's going to be a response to this, surely. The Wall Street Journal has a write up here from Josh Dawsey. Pretty interesting story.
Adam Boileau
Yeah, yeah, it is. And, you know, you do wonder whether, as you say, it's just someone who kind of didn't really think this through. We're not clear if the, like, address book contacts are from her phone, from an online service, from data leaks, from, you know, there's all sorts of ways. I think this was particularly her personal phone, so not a government one. So, you know, that data could have come from anywhere, I guess, there's so many places you might have, you know, might have leaked that. But then, yeah, just the brazenness of, like, I'm going to make an audio deepfake of, you know, a high ranking US White House official and try and scam their friends for money. Like, what thought process goes through your head to arrive at, that's a good idea to do? So, yeah, I don't know, man.
Patrick Gray
Yeah. Well, we've got another example here from The Record. Daryna Antoniuk has reported on this one. The Home Minister in Malaysia, apparently, you know, their WhatsApp account wound up spamming all of its, you know, contacts and whatnot. Similar sort of stuff, like low level scamming. I just find it fascinating that, you know, they really are just like us in the sense that they're using the same tech that we are and are susceptible to the same sort of scam. So, you know, this is two in one week. I just think that's interesting.
Adam Boileau
Yeah, yeah. Well, that's exactly the point that you ended up making about the Signal chat, right? In the end, there's just no safe way to use civilian tech for core government stuff and not expect, you know, some crossover at the edges, and, you know, the Atlantic guy who, you know, ended up in the Houthi bombing chat or whatever else. Like, these things happen when you use the same infrastructure and the same ecosystem. So...
Patrick Gray
Yeah, yeah, crazy times.
Adam Boileau
Rough.
Patrick Gray
All right, so now let's have a look at some reporting from Krebs on Security about this cloud provider Funnull, which is based in the Philippines. It has now been sanctioned by the United States government for being an enabler of pig butchering scams. You know, this is the stuff that we've been saying for a couple of years, like, sanctions activity will, you know, scale up against these sorts of operations because they exist at the sort of scale where sanctions can actually be helpful. And we've seen a bunch in the last few weeks and, you know, this is just another case of that, and it's great. Like, I'm all for it.
Adam Boileau
Yeah, this is absolutely the place to target these kinds of operations, because they share infrastructure, you know, and organizations like this, this is essentially like a criminal CDN. They provided a mechanism to get end users through a set of infrastructure to the scammers, to their infrastructure. So kind of like, you know, Cloudflare, I guess, in a way, or Akamai, but the same thing for criminal services. And they handle all of the fiddly bits of moving domain names around and having a bunch of CNAMEs to redirect things and a bunch of cloud services in, I think, Azure and Amazon, they're primarily using to eventually get this traffic through to where it needs to get to. And that's, you know, it's a service that if you're just trying to do crime, you don't really want to specialize in providing, you know, infrastructure plumbing like this. It makes sense to buy it off the shelf and have somebody else deal with those problems. And indeed, I think on the back of some of the reporting around this, Microsoft appears to have thrown them out of their infrastructure. Amazon's still struggling a little bit, apparently. But yeah, I mean, anything that increases friction for these kinds of big boots during large scale, you know, cybercrime operations, hey, it's great.
Patrick Gray
Yeah, yeah, indeed. What else have we got here? We've got another takedown of an underground service here, which is AVCheck, which I guess is kind of like a, you know, VirusTotal for criminals where they can throw stuff at it and see if they're going to fire any detections. And, you know, who took it down? DOJ, Secret Service and the police somewhere. Can't remember.
Adam Boileau
So, yeah, I think this was Operation Endgame, which was a big kind of coordinated international takedown of various bits of cybercrime stuff. So this was, you know, we've seen details. I think last week we covered some bits. So we're just going to see more and more stuff.
Patrick Gray
Yeah, it was the Dutch. Sorry, it was the Dutch and the Finnish police, as well as the Justice Department, FBI, Secret Service. So, yeah, nice one. But I mean, you know, these sorts of things, right? I think there's a theme here, which is they're going after anything that just makes it easy and is operating at scale, because why wouldn't you?
Adam Boileau
Yeah, and these kinds of things are legitimately handy. I mean, when I was back at Insomnia/CyberCX, you know, we built an internal one of these for testing our payloads against stuff, because it's just like, you know, you need one, you need to be able to know, is my payload going to trigger, you know, F-Secure or Norton or whatever else. And it's maintaining a stack of, you know, here's the 10 or 15 antivirus products we're likely to see, keeping them running, licensed, operational, running in a sandbox in a way that's not going to leak your detections up, you know, provide telemetry back to the vendors, but still detect properly. Like, that's a lot of fiddle work.
Patrick Gray
Yeah, some real effort involved in that. You just made me remember a funny story, which was your colleague Pipes, I think one of your tools got snapped once by, I think it was, like, FireEye or someone. And they wound up writing a blog post about it, like, talking about this unknown threat actor who, you know, we snapped their malware and whatever. And it was your stuff. That was pretty funny.
Adam Boileau
Yeah, yeah, yeah. That was Cartel, Thomas Hibbert, rest in peace, unfortunately. But yeah, that was his work. And he was very pleased actually when he saw that write up. He was quite chuffed.
Patrick Gray
Did he ever tell them, did you guys ever tell them that it was yours?
Adam Boileau
I don't know if we did. Like, it's a little bit awks to have to say, actually, by the way, this malware was just, you know, was just us on a gig. I know he told a few people on the quiet, but I don't know we ever made a song and dance out of it.
Patrick Gray
Yeah, fun stuff. All right, now we've got the German police claiming they have ID'd the kingpin behind the Trickbot malware. This is pretty big news.
Adam Boileau
Yeah, I mean, Trickbot's been around for a long time and that sort of family of, you know, that's got lineage back into Conti and all sorts of other groups that, you know, have been kicking around for a long time. And the main dude behind Trickbot, who went by the alias Stern, we've seen, you know, sanctions around, we've seen a bunch of, you know, charges filed over the years, but no one was ever particularly clear or had ever really attributed it to a real world person. And it was complicated by the fact that one of the people behind Trickbot had a nickname, had a handle, they used that then somebody else in the group also used at a later date. So it all got very murky. Anyway, the German Federal Police have decided that the guy is actually a Russian man, Vitaly Nikolayevich Kovalev, a 35 or 36 year old Russian man and, you know, clearly still inside Russia, so not going to go anywhere. And that's a guy that, when we saw that the chat logs of Conti and Trickbot leaked, this is the guy that many of the people inside the group thought was, like, their tie to the Russian security apparatus. So he was the dude that had the relationships with the FSB and so on and so forth and was kind of ultimately responsible for their state cover. So interesting detail. I don't know whether he will ever face any justice for it, though.
Patrick Gray
Well, let's see if he tries to go to bloody Disney World in Orlando or something.
Matt Muller
Right.
Patrick Gray
Because you always think these guys will never get caught and then they just do something really dumb.
Adam Boileau
Yeah, go to Thailand or whatever.
Patrick Gray
Yeah, exactly. But I don't think so. After this, you would think he would be staying put. Some news from here in Australia. Alexander Martin has reported on this for The Record. We are going to be the first country in the world that requires victims of ransomware attacks to notify the government of extortion payments made. This only applies to companies with a turnover in excess of 3 million Australian dollars, which is about 2 million US dollars. And, you know, I think this is a good first step. So they were mulling a ransomware payments ban initially and they've settled on this first, which I believe is a good step in working out whether or not you want to impose a ban, which is, let's start by understanding who's paying and what the circumstances are when they're paying. So I've seen some people bizarrely criticise this as, oh, well, this isn't going to do anything to stop ransomware. It's not really designed to do anything to stop ransomware. It's designed to give the government a better understanding of the scope of the problem. And I think that's a really good bit of policy, personally.
Adam Boileau
Yeah, now that makes total sense to me. And, as you say, there's a limit on the size of the business, so it's meant to affect only kind of large things. I think they said the top six and a half percent of businesses in Australia meet that kind of threshold. But that does cover a pretty significant portion of the economy. And given the number of high profile ransomware attacks and data leaks, data extortions that you've had in Australia over the last few years, it kind of makes sense for the government to do something to get an idea. And as you say, there's no point whacking a ban in without understanding the impact and the circumstances and the scale and so on. So, yeah, makes total sense.
Patrick Gray
Well, and if you were to introduce a ban that had carve-outs where someone could pay, but they would have to notify the government, you would want to understand, well, hey, what's our evaluation criteria going to be? It can't just be some random bureaucrat goes, no, I don't think you should pay that, and you just have to go bankrupt. They need to actually do the policy development work if they're going to introduce some sort of control on payments, and that policy framework needs to be good. So honestly, I think this is the right way forward. But let's see if they collect a bunch of data and in two years decide to do something crazy. Because you never know. You never know. Now let's talk about a novel type of C2. Apparently Chinese threat actors are using Google Calendar events as a command and control, which, look, you and I have spoken about this over the last few days, because this is something that Immunity, you know, Dave Aitel's company back in the day, I mean, they came up with similar approaches to C2 20 years ago. They really did. You know, they even had a proof of concept that could do C2 through comments on Britney Spears' Instagram, right? Like, this is not a new approach, but it is interesting. Finally, 20 years later, we get to see it in the wild. I mean, I'm surprised it's taken this long, because, yeah, I mean, it just seems to me to be a much more stealthy way to do it. But everyone always argues back, and they're right, why would you do this if you don't have to? And people don't have to. So maybe this is a sign that certain crews are getting snapped on the network and they just have to do this.
Adam Boileau
Yeah, I mean, that's a great spin of this into, like, a legitimately good news story. And that honestly, I think, makes a whole bunch of sense. This research came out of Google's Threat Intelligence Group and they said they had spotted APT41, which is Chinese Ministry of State Security if my memory is correct. And the fact that they were actually using this, like, they were storing data in calendar invites for a particular date and then the malware would poll Google, check the calendar, get its commands, return the results of command execution in that meeting invite in the calendar on a particular day. The 30th of May 2023 was the day that they were using. And yeah, makes sense. On the wire it looks like proper TLS, scripted connections to Google. Looks totally normal. It's going to blend in with enterprise traffic. If you're going to pick a covert channel, totally seems a reasonable place to put it. So good work, MSS. But yeah, the fact that we are at the point in history where people must be getting snapped on the wire enough that this is worth doing, then, yeah, good.
Patrick Gray
They should have been getting snapped 10 years ago. But I think one, one big development we had in security was this huge push to the endpoint, right. Where companies like CrowdStrike, you know, SentinelOne, Microsoft with its Defender and whatever, like endpoint security solutions actually got pretty good. So that meant that people, I do really think they neglected network detection. I think stuff like Corelight, you know, full disclaimer, they're a sponsor, but you can use their open source, you know, Zeek sensors and whatever to spot stuff on the wire. But honestly, a lot of people just don't bother, right. And I think perhaps, you know, network detection, if it is having a resurgence, that could explain this move. But you do wonder where it's going to go, right? And like, okay, say your endpoint protection has been bypassed. You ain't going to see this stuff on the network, as you pointed out earlier. Right. Like, so this, you know, I don't know, it's. It's always made me a bit funny that whole paradigm of like using legitimate services for C2. Conversely though, you know, once there is a detection, it's going to be pretty easy to roll up a campaign like for Google. Oh, well, they're using our calendar service. They can go hunting for it and roll it up. But then you've got redundancy and whatever. Maybe then they move to Britney Spears' Instagram posts or whatever. But yeah, you wonder if this is the future of C2. I've thought it was, but I've been wrong because it's been. I've thought that for 15 years.
Adam Boileau
Yeah, like, clearly if this was going to be a game changer, they would have already done it. And then, you know, part of me thinks about, you know, every time whatever Israeli university is that does all of the radio side channel stuff and it's like, maybe we'll move to, you know, modulating the data out of the VGA cable or out the, you know, HDMI cable by flickering a little pattern of bits somewhere on the display. And that would be new C2, but, you know, yeah, there's always exotic things to do, but the reality is most people, yeah, just bung it down a TCP socket on the wire and Bob is, Bob is your uncle.
Patrick Gray
Yeah, you just showed your age a little bit there with that VGA reference guy. I know what next? They'll sneak it out through the parallel port. Okay, what else have we got here? Oh, we got more details on the Coinbase. The Coinbase breach where it looks like the root of this. I mean, this is a story from. Where is this? From Reuters that says really what was happening here is it's outsourced, you know, customer service agents in India, they worked for a firm called TaskUs, were sitting there taking photographs of their work computers with their personal phones in order to get the data out. And they were doing this for bribes. And I was just thinking, you know, if you've got a bunch of sort of, you know, people in not great working conditions getting paid awfully while they're watching just rivers of crypto money flowing all around them, of course this is going to happen.
Adam Boileau
I mean. Yeah, exactly. Right? What did you, what do you expect? And I mean, yeah, what do you do? Like, I mean that, you know, you can't detect this with, you know, endpoint, you're not gonna, you know, spot this with your, you know, data leak prevention software. That analog gap is a very real thing. And ultimately, as you say, it comes down to inequality. And if you have to pay your customer services people for Coinbase or whatever they were doing for Coinbase, you know, sufficient to handle security of, you know, and, and the physical, like personal finger level security of multimillionaires or billionaires of the crypto world, then you know, that gets a lot more expensive than I imagine. Many, you know, many places are willing to pay. And, you know, how many people's fingers do you got to get chopped off before it's worth paying these people? Yeah, such that they don't want to take bribes. I don't know.
Patrick Gray
Well, and then you look at the alternatives to this, which are just really oppressive levels of surveillance on the staff, where you've got cameras on them, making sure they're not pulling their phones out of their pockets or doing anything weird or stripping them of their devices before they can come into work. And I don't know, man, it's not going to make them love you more, you know, I just think this insider threat for any cryptocurrency platform at scale is always going to be a big problem.
Adam Boileau
Yeah. And the interesting thing is this feels like a thing the regular financial industry has largely solved through having transactions that are more reversible or more inspectable or, you know, more regulatory oversight or, you know, all that stuff that we threw out as, you know, boring fiat currency. You know, manipulatory mutability is a feature.
Patrick Gray
Not a bug, I would say, of the financial system. I think that's where we're going with that. And look, speaking of insider threat, a civilian IT specialist. This is a piece from James Reddick over at The Record. A civilian IT specialist at the Defense Intelligence Agency has been arrested for trying to sell or exchange classified material to a friendly government in exchange for citizenship. Because he doesn't like Donald Trump.
Adam Boileau
I mean, he's kind of got a point, perhaps. Yeah, this is, it's a funny story also because the guy worked for the Defense Intelligence Agency in the insider threat division, which. Yeah, irony much. Yes. But of course he fell for an FBI sting, offered, you know, classified data to FBI agents, turned up on a park bench or whatever with. With the thumb drive full of confidential classified information and then, yeah, needless to say, is now probably going to go to jail. So.
Patrick Gray
Yeah, Nathan Vilas Laatsch, 28 years old, so. But yeah, pretty funny that he was with the military agency's insider threat division.
Adam Boileau
Yeah, I mean, you know, I guess he had some ideas of, you know, what he could do, but. Yeah, yeah, that's. I don't know. How do you, how do you deal with that? You know, that's. Well, I guess this is how you deal. You entrap them and put them in jail.
Patrick Gray
You know, it's really funny just you saying, oh, he might have a point that Donald Trump is no bueno is going to be enough to get us mail and, like, downvotes on YouTube. Like, there is not a more fragile group in the world than Trump supporters because they get so sad when someone just says, I don't like the leader that you like. They're like, no, downvote, you know, angry emails. Pretty funny. Anyway, look forward to reading them all. Not. Suzanne Smalley, for The Record, has reported. A bunch of places are reporting this, that NSO Group is appealing the damages awarded to Meta in that lawsuit. You know, they're saying $168 million, you know, goes against Supreme Court precedents which should limit, you know, damages to being a certain multiple of compensatory damages and blah, blah, blah, blah, blah. They're saying they can't pay, which I just think, you know, lol.
Adam Boileau
Good.
Patrick Gray
And, you know, there was always going to be an appeal on this one. So I don't think this is terribly surprising.
Adam Boileau
No, you're right. There was always going to be an appeal and, you know, they would find something to appeal about in this case. You know, they are claiming that the damages are sufficient, that, you know, the damages are the jury deciding to bankrupt NSO and that should therefore be beyond their, you know, remit or whatever else. So, yeah, appeal is going to grind on and, you know, we'll see you in a couple of years with an update.
Patrick Gray
Yeah, exactly. Now we've got some updates here. Another one from The Record. John Greig with this report about ConnectWise. Now we saw some time ago that there was some sort of campaign, some sort of threat actor using ConnectWise to breach all sorts of organizations. Details were never pinned down particularly, but it looks like this was nation state backed attackers doing this. That's the new info here, I guess.
Adam Boileau
Yeah. So the company ConnectWise says that it's engaged Mandiant because it has found some, you know, nation state, foreigners, whatever, inside their environment and that has then been used to attack some of their customers. They said a small number as they normally say and they have had a pretty rough ride. We did, I'm pretty sure we did see the Chinese using one of the earlier ConnectWise bugs because they had like a CVSS 10 where you could just show up, talk to the web appliance or whatever and say please create a user through the setup, spx, whatever it was. So we saw those bugs being used and it would make sense, I guess, that they probably got into ConnectWise as well. And there's avenues onwards. Once you've realized that a piece of software like this gets you into places that you want to go, why not keep going?
Patrick Gray
Yeah, that's it. More details to come on that one, I guess. Google meanwhile, has booted a couple of CAs out of its trust store. It doesn't look like anything necessarily nefarious here, just they look like really incompetent CAs. There's Chunghwa Telecom and NetLock. Bye bye, into the bin with you. And Google has cited that they just, you know, haven't made any improvements. They keep getting owned and not really changing anything. So they're getting booted out?
Adam Boileau
Yes, yes, they certainly are. I think Chunghwa Telecom is very Taiwanese and NetLock from Hungary, so if you were relying on those particular CAs, then your stuff will stop working when they ship out Chrome 139.
Patrick Gray
Yep. Now the last thing we're going to talk about this week is a piece from Dan Goodin looking at what Meta and Yandex are doing in terms of de-anonymizing and tracking Android users. And the technical details here are actually quite interesting.
Adam Boileau
Yeah. So the deal here is that if you're on a mobile device and this is specific to Android in this case, and you've got say like the Facebook apps, so Instagram or actual Facebook app, they will fire up a local network listener on localhost on the device and then when you hit a site on the Internet in your browser that's using Meta's tracking JavaScript or Yandex's tracking JavaScript in the Yandex case, it will attempt to connect to localhost on a specific port and then provide a bunch of details about the session to the Facebook app, which then calls it back to Facebook's Graph API or whatever and sticks it in this database so they can track that you are visiting sites and that, you know, bypasses things like incognito mode. It bypasses things like clearing cookies because they've got a way to tie the app on your phone to browser activity. And that ability of a web browser to talk to a web server on localhost is a thing that is kind of by design. There's a bunch of complexity these days in doing that, you know, reliably. And part of the interesting bit here is that Facebook was actually using technical tricks to bypass some of those controls. So they were using, for example, WebRTC media connection, like session setup that we'd use for video conferencing, whatever else.
Patrick Gray
So they'd go out and then back in sort of thing.
Adam Boileau
No, this was. They were basically video conferencing to localhost and then sticking the data inside the setup messages for the.
Patrick Gray
I mean, at this point, at this point it's kind of hacking, you know what I mean? And that's what makes this interesting.
Adam Boileau
Yeah, it's, yeah, legit hacking. They had like three or four different techniques where they were kind of abusing browser functionality to be able to connect to localhost in ways that you weren't really meant to be able to do. And browser manufacturers have been somewhat tightening up on this stuff when we've seen it being abused for things like attacking people's home networks and home routers through cross-site request forgery type stuff. But you know, pretty scummy for, I mean, I mean, Yandex, okay, I can imagine Yandex doing scummy stuff, but like Facebook, come on, like you're meant to be a grown up corporation, you know, that behaves by the rules, you know, plays by the rules. And this is just kind of weaselly hacker crap. And ain't no one got time for hacker crap.
Patrick Gray
Why does, why does the Facebook app need to spin up a service on localhost though?
Adam Boileau
Well, that's exactly. And there is no good reason for it to be doing so except for this kind of type of shenanigans.
Patrick Gray
So yeah, and I believe that, you know, the iOS restrictions on, you know, communications to localhost, I mean, they're a lot tighter. Right. So it looks like this is not necessarily working on iOS, but I mean, this is really bad. Like it is really bad.
Adam Boileau
You know, there's the technical part of it, like they're doing. They're doing hacking in a sense, but there's also the like. Your users expect some certain things and I've given you kind of consent, be it implied or explicit, to do some certain things, but you're kind of circumventing the intent of that relationship. Right. Your users are using incognito mode in their browser because they don't want you to track them and associate this activity with their Facebook account. That's what they are saying they want by doing that. And you're doing the opposite. So, you know, weasel, nasty. No biscuit, bad Facebook.
Patrick Gray
I mean, it's funny. I think the difference between you and me on this one is I am not surprised at all. I am Jack's complete lack of surprise that Meta would be doing something like this.
Adam Boileau
No, no, I mean, I am not surprised either. I'm just disappointed.
Patrick Gray
You're still disappointed, man. You're an eternal optimist. All right, we are going to wrap a Facebook account. We're going to wrap it up there. Adam Boileau, thank you so much for joining me to walk through this week's news. A pleasure as always.
Adam Boileau
Yeah, thanks very much, Pat. I'll talk to you next week.
Patrick Gray
That was Adam Boileau there with a check of the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now with the field CISO from Tines, Mr. Matt Muller. Tines is a terrific automation platform that is indeed very popular with a large section of Risky Business listeners. Just very, very useful stuff. You can find them at Tines if you're looking to automate certain tasks, like people in security might use it for stuff like phishing response automation. That's just one example. But it is very much a Swiss army knife. And yeah, very, very cool stuff. So check them out. But today we are not talking about Tines stuff, we are talking about SaaS and how woeful it is. According to Patrick Opet, who is the Chief Information Security Officer of JPMorgan Chase, he has published an open letter titled "An open letter to third-party suppliers", in which he gives SaaS companies a serve for really not having their act together when it comes to security, doing all of the usual stuff like prioritizing feature expansion over security and whatnot. The stuff we've been complaining about when it comes to vendors writ large for a couple of decades now. So here is Matt Muller walking us through Patrick Opet's letter, all about how SaaS companies basically suck. Here it is.
Matt Muller
Yeah. I mean, you know, he calls it a call to action. I suspect it may have been a little cathartic for him to write this letter as well. But Patrick calls out a couple core things about the fundamental state of cybersecurity in the SaaS world. First, he says, you know, software providers need to prioritize security over rushed features, which. Yep, absolutely agree. He says we need to modernize security architecture to optimize SaaS integration. Again, totally agree. And he says security practitioners need to be more collaborative in solving the security problems that this new generation of highly interconnected systems has created. And if you poll 100 out of 100 CISOs, I'm fairly certain you'll get similar sentiments, at least on an individual level. But I think what's driving so much attention around this letter in particular is the fact that it's coming from JP Morgan and, you know, forget about being a big player in the market. I mean, JP Morgan often is the market in a lot of senses, in the financial system.
Patrick Gray
Yeah.
Matt Muller
So it's, you know, it's causing people to pay attention.
Patrick Gray
What's amazing about everything that you just said, though? I mean, people would have said 15, 20 years ago about non-SaaS tech, right, which is, oh, we've got to break down silos and get everyone working together and maybe they could architect this in a less insane way. And, you know, and geez, look at all of these useless features that they're building just for one client and shipping to everybody. I mean, it's just. It is amazing how much stuff doesn't really change. Right.
Matt Muller
I mean, Microsoft had a whole trusted computing initiative over, I think, similar sentiments. Right. So everything old is new again.
Patrick Gray
Yeah.
Patrick Gray
So, I mean, what do you see as, I mean, you're a SaaS, Tines is essentially a SaaS. Right. So what do you see as being the major issues with SaaS? Like, what lit a fire under this guy to go and write this letter? In your view, what sort of thing? What sort of specific issues? Because it's one thing to sort of wave your hands and say, oh, you know, people need to break down silos and what, you know. But what, concretely, what sort of challenges are we actually talking about here?
Matt Muller
Yeah, I mean, I'll be honest. When I first read this letter, my first question was, okay, what happened? Right. Because, you know, if you see a sign that says no riding motorcycles on the casino floor, you sort of suspect there may have been an incident that caused that sign to be put up. Right.
Patrick Gray
It's funny actually, at the hospital where my son was born, there is actually a sign in the parking lot of someone, like, riding a motorcycle on one wheel, a little drawing of it with the circle and the slash, and you're like, okay, that's interesting. So I know exactly what you mean.
Matt Muller
Yeah. So you sort of suspect there may have been a root cause here, but that certainly doesn't have to be the case. Right. And if you look at some of the examples that he calls out in the letter, like AI integrations into Calendar apps, you also suspect that, you know, maybe just the influx of AI tooling and the demand from the business to integrate AI into everything, everywhere, all the time, maybe, you know, may have caused a little bit of a tipping point here.
Patrick Gray
Well, and compliance headaches is what I'm hearing, too, about AI everywhere is people are literally selling products now to help you block it from, you know, browser extensions. From. Yeah, from browsers generally from, you know, users visiting sites that use them. And. Yeah, like, it's. It's a headache.
Matt Muller
Yeah. And, you know, I think, you know, JP Morgan has a. Has a very strong security reputation, but I can imagine even within their walls, there are people that are clamoring for AI use. Right. And so I can certainly imagine, you know, being in his shoes and looking out at the world with a little bit of despair because, you know, you look at even. Even common platforms that everybody uses, like, you know, Google Workspace, and it still lacks, I think, a lot of the security features that, you know, you sort of expect from enterprise tooling. I thought it was sort of interesting that, you know, in his letter, he calls back to, you know, the old days when you had network segmentation and, you know, these things. And, you know, we can maybe quibble over whether Moat and Castle security was actually more secure, but there certainly was more inspectability. Right. You were literally able to sniff all the network traffic and, you know, and had a lot more, you know, visibility into the hosts that were running and so on and so forth. And so, you know, that. That lack of inspectability in a lot of tools, I think, is killer for folks.
Patrick Gray
Yeah, I mean, I certainly see where you're coming from there. I mean, the lack of sort of a standard way to look at logs out of these services. I mean, I do think it's changing. Right. Like, there's a bunch of good products now that'll take, you know, logs out of CloudTrail, they'll take logs out of your M365 and your Google Workspace, and they'll actually be able to do stuff. But they're all really expensive, like third party solutions. Right. Like you would think a lot of this stuff should just be built in.
Matt Muller
Absolutely. And you know, ironically, one of the reasons that, you know, before I joined Tines, I was a Tines customer and one of the reasons why I used Tines was because, you know, again, going back to like this Google Workspace example, you had to dramatically over provision admin users to get some basic security incident response stuff done. And even though Google has an audit log, it's a little bit lacking in detail in some areas. And so we said it's insane to give a massive team 50 super admin roles in our Google Workspace tenant. Maybe we just do one, use it through Tines and have that audit trail, have that inspectability and have that control that. Again, quite frankly, I would sort of expect to see some of these major SaaS providers starting to build in. Right. If they're taking a true secure by design approach.
Patrick Gray
Yeah, I mean I remember like 10 years ago the whole thinking was, oh my God, apps are eating everything, right? Like everything's going to be a web app. And it seems like we're in the midst of something now where everything's going to be SaaS. And I mean everything. Like it is absolutely insane the degree to which, you know, to which core enterprise functions are now done in third party, you know, on third party sites. And how are people authenticating to them? I don't know. I mean we set up SSO, but there's like a bunch of other methods that work and like how are we logging them? Well, we get a little bit here and a little bit there and we sort of throw it onto a disk and you know, grep it occasionally. But I mean it is the case that SaaS is just eating enterprise computing now as well. Isn't it?
Matt Muller
Absolutely is. And you know, I think one of the things that this letter calls for is better collaboration around, you know, solving some of these problems. But right now vendors and software makers just aren't particularly incentivized to go do so. Right. And I think it's going to take people like, you know, Patrick Opet and the JP Morgan team and a lot more CISOs saying, you know, these are the standards, Right. That we expect from our software provider. You know, in the absence of any particular regulation demanding this, the market has to demand it instead. And that's, I think what we're starting to see here.
Patrick Gray
Now you're a SaaS, what are you doing to not be one of these SaaSes that he's complaining about?
Matt Muller
Yes, our belief is build the software you want to use in the world. And so that includes everything from deep inspectability of everything that happens within the Tines tenant to making sure that we're following Secure by Design principles. And the future of the CISA Secure by Design plan pledge itself is a little bit murky at the moment, but we signed onto that because we realized this is how we've been building software. We realized that we're a pretty critical part of the software supply chain and we don't want to be the place that CISOs are worried about a security breach occurring. And the other thing as well is you don't have to deploy Tines as SaaS. We do have a fully air-gapped, self-hosted model where you as a customer can have full control over where and how you deploy Tines. And so we recognize that everybody's security models are a little different and we want to be able to make sure that even if you're using Tines' default security mechanisms, you're protected out of the box, but you can customize that pretty much however you want.
Patrick Gray
You know, to me it felt like, and you did an interview recently with my colleague Tom Uren talking about the secure by design stuff, but it did feel like Secure by Design was initially like the idea behind it, this CISA initiative, was to get border devices into better shape. Right. Like, you know, corporate firewalls and VPNs and things like that, which, which were the really sort of, you know, the quality just wasn't there. Right. So how does Secure by Design apply to SaaS though? You know, like, because it didn't seem like they were really targeting SaaS with this initiative.
Matt Muller
Yeah, I mean, you know, if you look at the, at the SaaS world, I do think that, you know, again, a lot of the inspectability that you get when you have full control over your own hardware and software stack often isn't there. Right. And oftentimes security features are gated behind a higher subscription tier or what have you. Things like there's literally a website that tracks the SSO tax that different providers have. And so I think even for SaaS providers, there is absolutely an obligation to make sure that they're abiding by these principles and making sure that defenders have the ability to use SaaS platforms in a way that makes them comfortable. Right. Everything from how they do RBAC to how they make sure that, you know, you can, you can do incident response even if it's in a vendor's platform.
Patrick Gray
Now you know, Tines is an automation platform, right. Used to do like, it's a generic tool, right. You can use it to basically kick off any sort of automation you want. Now you've talked about inspectability. What sort of logs are people grabbing and what are they doing with them? Right? Because I'm, because I'm. Because it's so generic. I mean, that's a pretty wide gamut of activity that you're going to be logging. So how are people even using Tines logs? Or is it more that they're just storing them and, and it's got a complete picture of what's happened in case they need to go and like just scroll back and look a little bit.
Matt Muller
More of the latter. You know, we, we make sure that every action that's taken within the Tines tenant is instrumented so you can get a sense, you know, full kind of replayability of who has done what, which is great from an admin point of view. And then even within the workflows that run, those also have their own separate audit trails of what credentials were used, what actions were taken, what data was sent and received. Right. And so again, there's sort of a very clear trail of what's happening within the platform. It's not some opaque system where you throw data in one end and hope you know what's going to come out the other end. You get to see the full chain of what's actually happening.
Patrick Gray
It's funny that you mentioned Google Workspace. Like we're a Workspace shop and there's people out there who will have like cloud security platforms and whatever that will promote features that are designed to do things that you can already do in Workspace. But it's all ClickOps and really frustrating. So they're like, look, you can just press this button and get a list of users who don't have MFA, whereas you can do that in Workspace. But it is, yeah, it's not a fun experience. Right?
Matt Muller
Yeah. And you know, you see vendors do some very eyebrow raising things when it comes to, you know, Enable, like operating on some of those features. Like I've seen vendors say, provision us with an actual user account and we're going to do some sort of, you know, magic screen reading with those super admin privileged credentials in order to do the click ops for you, which, I mean, it's a little bit of an interesting approach, not necessarily one I'd recommend. I think this is again one where you know the world collectively. Hopefully Google is listening. Right. And you know, understanding that to truly serve enterprise clients. You have to be available over API. I mean, you know, again, this, this world talks about SaaS, but I do think APIs and, you know, programmatic access to all these platforms has to be the future.
Patrick Gray
Well, it gets interesting. Like, you know, you just touched on something interesting there, which is a bunch of these products. A bunch of these SaaS products are designed to do things to other SaaS products, right? So they need highly privileged access to them and the way that access is provisioned is sometimes quite insane. You've got, you know, just going back to cloud security platforms, you got a lot of these where you have to give them, you know, really highly privileged roles so that they can go and remediate some of these issues. And that means there's like, you know, very powerful credentials just sitting around in these SaaSes, which means if they get owned, oh, man, you've got. You've got problems. I feel like that could be one area where. That's the one area where I look at SaaS and I'm a little bit worried. And you've even got situations where you can OAuth add other SaaS apps to one big SaaS app that's acting as a root of trust. So it's almost like some of these SaaS apps are even acting as identity providers for other SaaS apps which are outside your SSO. It just gets real confusing real quick.
Matt Muller
Yeah, and it's so funny too, because, you know, OAuth was supposed to solve the problem of the fact that we were all storing passwords everywhere and now we just OAuth everywhere. Right. We just moved the problem a little bit and made it a little bit more complicated.
Patrick Gray
Yeah. Great news. Great news, everyone.
Patrick Gray
All right, Matt Muller, thank you so much for joining us to have a bit of a chat about that letter from JPMorgan Chase and how. And about how Tines is trying to not be the subject of the next letter.
Matt Muller
Yeah, absolutely. Thanks so much for having me, Patrick.
Patrick Gray
That was Matt Muller there from Tines. Big thanks to him for that and big thanks to Tines for being the Risky Business sponsor this week. And that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
Risky Business Episode #794 Summary: "Psychic Panda outgunned by Fluffy Lizard and UNC56728242"
Release Date: June 4, 2025
Host: Patrick Gray
Co-host: Adam Boileau
Guest: Matt Muller, Field CISO at Tines
In Episode #794 of Risky Business, host Patrick Gray and co-host Adam Boileau delve into the latest happenings in the information security realm. The episode spans a broad spectrum of topics, from threat actor nomenclature to novel command and control (C2) techniques and an insightful discussion with Matt Muller from Tines about the security shortcomings of SaaS providers.
[02:31]
Patrick Gray initiates the discussion by addressing the ongoing issue of inconsistent threat actor naming conventions. Major companies like Google, CrowdStrike, Microsoft, and Palo Alto have agreed to create a unified database to streamline threat actor identification. Adam Boileau expresses skepticism about the initiative's success, highlighting past attempts often led to disputes over group identities.
Patrick Gray [00:00]: "Why do we think it's going to be different this time?"
Despite the optimism, both hosts agree that while centralizing threat actor names could enhance clarity for major groups, complexities persist for lesser-known factions.
[07:09]
The conversation shifts to a 404 Media report by Matthew Gault, revealing that Ukrainian forces successfully deployed drones running the open-source ArduPilot flight control software to target Russian aircraft. This incident underscores the dual-use nature of open-source technologies, where tools designed for civilian purposes are repurposed for military tactics.
Adam Boileau [08:36]: "It's good quality open source software... guiding these drones."
This revelation highlights the evolving landscape of modern warfare, where accessible technology plays a pivotal role.
[12:35]
Patrick Gray critiques a New Lines magazine report on a malicious app distributed to Syrian soldiers under the guise of a humanitarian tool. The app, promoted by the Syria Trust for Development, ostensibly offered financial aid but instead served as a conduit for intelligence collection through an Android Remote Access Trojan (RAT).
Adam Boileau [14:50]: "They would drop a RAT so that the attackers had a bunch of details about the users."
The segment underscores the vulnerabilities present in mobile applications and the exploited trust in official channels.
[16:20]
Federal authorities are investigating a scam involving deepfake audio of the White House Chief of Staff, Susie Wiles. Scammers, having obtained her contact information, used AI-generated voices to deceive her associates into sending money by claiming distressing scenarios, such as being stranded in Venezuela.
Patrick Gray [18:01]: "What thought process goes through your head to arrive that that's a good idea to do so?"
This case exemplifies the increasing sophistication of social engineering attacks leveraging deepfake technology.
[19:59]
Krebs on Security reports that the U.S. has sanctioned a Philippine-based cloud provider for facilitating "pig butchering" scams—fraudulent schemes targeting victims for financial gain. Adam commends the move, emphasizing the effectiveness of sanctions against large-scale criminal infrastructures.
Adam Boileau [20:35]: "It's exactly the place to target these kinds of operations."
This action reflects a strategic approach to dismantling cybercriminal ecosystems by targeting their foundational services.
[22:15]
The Dutch and Finnish police, alongside U.S. agencies, executed a takedown of "AV Check," an underground service akin to VirusTotal but designed for cybercriminals. This operation was part of the broader Operation Endgame, aimed at crippling large-scale cybercrime efforts.
Patrick Gray [22:45]: "They're going after anything that just makes it easy and is operating at scale."
The dismantling of AV Check signifies progress in international cyber law enforcement collaboration.
[24:22]
German Federal Police have identified Vitaly Nikolayevich Kovalev, a Russian national, as the leader behind the notorious Trickbot malware. Despite the confirmation, Kovalev remains within Russia, making legal repercussions unlikely.
Patrick Gray [24:35]: "He was the dude that had the relationships with the FSB and so on."
This identification marks a significant milestone in attributing cybercriminal activities to individual orchestrators.
[25:03]
Australia is pioneering a policy requiring businesses with turnovers above AUD 3 million (approx. USD 2 million) to notify the government of any ransomware payments. The move aims to provide the government with data to assess the ransomware threat landscape more accurately.
Patrick Gray [26:53]: "If you poll 100 out of 100 CISOs, I'm fairly certain you'll get similar sentiments."
This policy reflects proactive governmental measures to understand and mitigate ransomware impacts better.
[28:57]
Chinese threat actors, specifically APT41 tied to China's Ministry of State Security, have been observed using Google Calendar events as a covert C2 channel. This method involves storing commands within calendar invites, allowing malware to communicate discreetly by polling these events for instructions.
Adam Boileau [29:06]: "Looks on the wire, it's proper TLS, scripted connections to Google. Looks totally normal."
This technique illustrates the inventive measures cyber adversaries employ to evade detection by blending malicious traffic with legitimate enterprise communications.
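Because the traffic described above is legitimate TLS to a Google endpoint, the one property that still distinguishes a malware polling loop from a person using Calendar is timing: a script asks for the same events resource at a near-constant interval, usually with a non-browser client. The following detector is an added example written for this summary, not code from Google's report or from the episode; it runs over a constructed, simplified proxy log (timestamp, source host, destination host, path, user agent) and flags sources whose calendar requests show almost no jitter between polls.

```python
"""Beaconing detector for calendar-as-C2 style traffic (added example).

Constructed, simplified proxy log format (an assumption, not any vendor's):
    <ISO timestamp> <src_host> <dst_host> <path> <user_agent>
A source is flagged when it hits calendar endpoints at least `min_requests`
times, the gaps between requests have a coefficient of variation at or
below `max_jitter`, and no browser-like user agent is involved.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-017 polls the events API every ~5 minutes from a
# script; ws-042 is a person opening Calendar in Chrome at irregular times.
SAMPLE_LOG = """\
2025-06-04T09:00:00 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events python-requests/2.31
2025-06-04T09:00:03 ws-042 calendar.google.com /calendar/u/0/r Mozilla/5.0 (Windows NT 10.0) Chrome/125.0
2025-06-04T09:05:00 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events python-requests/2.31
2025-06-04T09:10:00 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events python-requests/2.31
2025-06-04T09:12:40 ws-042 calendar.google.com /calendar/u/0/r Mozilla/5.0 (Windows NT 10.0) Chrome/125.0
2025-06-04T09:15:00 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events python-requests/2.31
2025-06-04T09:20:01 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events python-requests/2.31
2025-06-04T09:41:15 ws-042 calendar.google.com /calendar/u/0/r Mozilla/5.0 (Windows NT 10.0) Chrome/125.0
2025-06-04T10:03:02 ws-042 www.googleapis.com /calendar/v3/calendars/primary/events Mozilla/5.0 (Windows NT 10.0) Chrome/125.0
"""

CALENDAR_HOSTS = {"calendar.google.com", "www.googleapis.com"}
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")


def parse_log(text):
    """Yield (timestamp, src, dst, path, user_agent) from the assumed format.
    The user agent may contain spaces, so split at most four times."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path, ua = line.split(" ", 4)
        yield datetime.fromisoformat(ts), src, dst, path, ua


def find_beacons(text, min_requests=4, max_jitter=0.1):
    """Return {src: {"interval": s, "jitter": ratio, "user_agent": ua}} for
    sources whose calendar requests look like a polling loop.
    jitter = pstdev(gaps) / mean(gaps); humans produce large values,
    a sleep-and-poll loop produces values close to zero."""
    by_src = defaultdict(list)
    for ts, src, dst, path, ua in parse_log(text):
        if dst in CALENDAR_HOSTS and "/calendar" in path:
            by_src[src].append((ts, ua))

    hits = {}
    for src, events in by_src.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        agents = {ua for _, ua in events}
        browser_like = any(m in ua for ua in agents for m in BROWSER_MARKERS)
        if jitter <= max_jitter and not browser_like:
            hits[src] = {
                "interval": round(avg, 1),
                "jitter": round(jitter, 3),
                "user_agent": sorted(agents)[0],
            }
    return hits


if __name__ == "__main__":
    for host, info in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: polls calendar every {info['interval']}s "
              f"(jitter {info['jitter']}) via {info['user_agent']}")
```

On the constructed log only ws-017 is reported: four gaps of roughly 300 seconds give a jitter well under 1%, while ws-042's irregular, browser-driven visits are ignored. In practice the thresholds need tuning per environment, and a real implementation would also whitelist the organisation's own calendar-integration service accounts, since those legitimately poll on a schedule.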
[32:07]
A Reuters report details a security breach at Coinbase, where outsourced customer service agents in India were incentivized through bribes to photograph their work computers using personal devices. This method bypassed traditional security measures, highlighting vulnerabilities in outsourcing practices.
Adam Boileau [33:02]: "You can't detect this with, you know, endpoint, you're not gonna, you know, spot this with your, you know, data leak prevention software."
The incident underscores the inherent risks associated with outsourced operations and the challenges in monitoring insider threats.
[34:15]
James Reddick reports on the arrest of Nathan Vilas Laatsch, a civilian IT specialist at the Defense Intelligence Agency. Laatsch attempted to sell classified material to a friendly government in exchange for citizenship, motivated by political disdain.
Patrick Gray [35:03]: "He worked for the Defense Intelligence Agency in the insider threat division."
This case highlights the ongoing struggle against insider threats within sensitive governmental sectors.
[36:48]
NSO Group is appealing a substantial damages award against it by Meta (formerly Facebook) for its exploits. NSO claims the damages exceed Supreme Court precedents, arguing they are unaffordable.
Patrick Gray [36:49]: "They're saying they can't pay, which I just think, you know, lol."
The legal battle reflects the scrutiny faced by surveillance technology companies over privacy and misuse concerns.
[37:17]
Jonathan Greig reports that ConnectWise, a software company, has been compromised by nation-state actors using its platform to breach customer organizations. The attack likely leveraged previously identified vulnerabilities, emphasizing the cascading risks posed by compromised third-party software.
Adam Boileau [37:42]: "Once you've realized that a piece of software like this gets you into places that you want to go, why not keep going?"
The breach underscores the importance of securing third-party services integral to enterprise operations.
[38:29]
Google has expelled Chunghwa Telecom and NetLock from its trust store due to ongoing security deficiencies. This action ensures that certificates issued by these authorities will no longer be trusted within Google ecosystems, enhancing overall security.
Patrick Gray [38:59]: "They're getting booted out."
This move highlights Google's commitment to maintaining a secure digital infrastructure by enforcing stringent standards for Certificate Authorities (CAs).
[39:33]
Dan Goodin reports on Meta and Yandex deploying techniques to track Android users by interfacing with local network listeners and exploiting browser functionalities. Meta, in particular, used WebRTC media connections to covertly gather user activity data, bypassing privacy measures like incognito mode.
Adam Boileau [41:16]: "Your users are using incognito mode... You're doing the opposite."
The exploitation of legitimate browser features for tracking reveals ethical and privacy concerns surrounding major tech companies' practices.
[45:00]
The episode transitions to an in-depth interview with Matt Muller, Field CISO at Tines, discussing JP Morgan Chase CISO Patrick Opet's open letter criticizing SaaS providers for inadequate security practices. Opet's letter emphasizes the need for SaaS companies to prioritize security over rapid feature development, modernize security architectures, and foster collaboration among security practitioners.
Matt Muller [46:04]: "What do you see as, you know, you're a SaaS, Tynes is essentially a SaaS. Right."
Muller highlights Tines' commitment to "Secure by Design" principles, ensuring deep inspectability and robust security measures within their automation platform. He advocates for better API integrations, transparency in logging, and minimizing excessive administrative privileges to enhance security postures.
Matt Muller [55:21]: "You get to see the full chain of what's actually happening."
The discussion underscores the critical role of SaaS providers in the broader cybersecurity ecosystem and the necessity for stringent security standards to protect interconnected systems.
Episode #794 of Risky Business offers a comprehensive overview of pressing information security issues, blending high-level discussions with technical insights. From the challenges of standardizing threat actor nomenclature to the innovative yet concerning uses of open-source software in warfare and the ethical lapses by major tech companies, the episode underscores the dynamic and often perilous landscape of cybersecurity. The interview with Matt Muller further emphasizes the urgent need for SaaS providers to elevate their security practices to meet the demands of increasingly interconnected and sophisticated digital environments.
Listeners gain valuable perspectives on both the macro and micro aspects of cybersecurity, making this episode a must-read for information security professionals seeking to stay abreast of current threats, trends, and industry responses.