A (4:51)

Yeah, so speaking of those friends, I reached out to a couple of them this morning actually and I said is this a big deal? And they all replied with a single word answer which was yes, and then I said, can you come onto the show to talk about it today? And they're all very busy. I don't know if it's related to this. And they got to go brief a whole bunch of clients, but either way, yeah, this is apparently a big deal. We've seen Apple do this sort of thing previously where they introduce a powerful new memory corruption exploit mitigation. It seems though, that the exploit writers will always find a way around these things, but the costs just go up every time. So I'm guessing this is going to be another case like that where for the people who are purchasing exploits targeting iOS, everything just got a lot more expensive.

B (5:40)

Yeah, yeah, I think so. Like, anything that raises the cost is going to help. And Apple admits in the blog post there are some things that are very hard to defend against within the constraints that they've got. They talk, for example, about one of the variants of Spectre side channel execution stuff where they really can't easily 100% mitigate it, but they can make it statistically more expensive. So it takes a whole bunch more tries and every step of the way increases the chance you're going to get snapped. So there's costs you can impose, both at an ecosystem point of view, like making XP end to end exploits, you know, zero click, whatever, really expensive, but also costs for individual components of these kinds of exploits and the technical aspects. So they are imposing a whole bunch of costs on a whole bunch of people. And yeah, it's, it's great work.

A (6:26)

Well, you know, it's funny that they've done all of this because really, according to Venezuela's president, Nicolas Maduro, we should just be using Huawei phones because he did a press conference, and I love this, he did a press conference on Monday and he showed off a Huawei smartphone that Xi Jinping himself gave to Nicolas Maduro and he said the Americans can't hack it, neither their spy planes nor their satellites. So there you go. I did not know that the Americans hacked smartphones with spy planes and satellites. I just would have thought you'd use the Internet.

B (7:03)

What do we know, right? What do we know? Maybe the nsa, you know, Cybercom, maybe they have some amazing planes, you know, just loaded full of amazing exploits that they can throw out the window or out the Bombay onto, you know, the exploit express.

A (7:16)

That sounds pretty good. That sounds pretty good. I don't know whether he was just talking about this phone, as in it was a special one that Xi Jinping gave him that's like surveillance resistant. But I also Think that's pretty funny when, like, you know, the Chinese president gives you a phone and you're like, this one can't be surveilled. It's like, bro, you know, the MSS is, is examining every single keystroke of that device. But anyway, that's just some cheap laughs there. Now we're going to talk about a big story that's broken over the last few days, which is 18 extremely popular npm repos got hacked and then a really dumb payload inserted into them that was designed to steal crypto. And the attackers behind this got away with like, you know, a few hundred bucks kind of thing. It was a. It fell pretty flat. Now, instead of you and me just talking about this, you know, we've got a. We've got for us a book of DJ joining us just for a few minutes to. To talk through this for us, of course, runs Socket, which is a company focused on supply chain security around things like, you know, compromised NPM repos and whatnot. They have sponsored risky business in the past. Not currently a sponsor. That's not what this is. This is not a sponsored segment. But for us, thank you for joining us. My first question, I guess, is, is this a big deal? Because depending on who you ask, this is either the end of the world and the planet's melting or it's really not a big deal. Which is it?

C (8:42)

The answer is, it depends. I think I see it both ways. On the one hand, this is, by download count, probably the biggest supply chain attack that has happened in the NPM ecosystem. And maybe even beyond that, we're talking 2 to 3 billion downloads per week in the effective packages. On the other hand, the impact has been pretty disappointing, I'd say, like, the attackers managed to snap up about $500 worth of Ethereum and maybe 50 bucks worth of some other miscellaneous cryptos. So somewhat of a disappointing performance for having. They had access to everything and this is what they did with it. So it's, I don't know, somewhat disappointing.

A (9:22)

You sound like me and Adam when stuff like this happens, when we're just like, oh man, they could have done so much more with this. You know what I mean? They're very sort of disappointed in them. I mean, I guess one of the positives that this thing was detected, like extremely quickly and shut down extremely quickly. So we've seen a lot of headlines about how these packages get 2 billion downloads a week, but I mean, do we have any idea of how many downloads these packages received while they were compromised?

C (9:47)

You know, you can generally make some assumptions, but NPM statistics aren't very fine grained here and they also don't update in real time. So you have to do your best and really just extrapolate it out. So in this case the package was live for on the order of like an hour. So we're talking about in the hundreds of thousands or maybe tens of thousands of downloads. And so that's the part that's kind of interesting is we might actually see that long tail effects of this over time as this package might be cached in folks artifactories or even in local caches. So this still could go out into a production build of a piece of software over the next several days or weeks. So folks really should actually search through their dependency inventories and make sure that they're not using the affected versions. There still could be impact to this even though it's been taken down from the registry.

A (10:37)

Now I believe this is part of a broader campaign that's actually been going for a couple of months or it has similarities to a broader campaign that's been going the last couple of months. What can you tell us about that?

C (10:47)

Yeah, so the technique used by the attackers here was a phishing email that impersonates npm. So it looks like it's asking you to set up some 2fa on your account socket. Actually wrote about this about 2 months ago back in July when one of the engineers on our team received a phishing email. And what was interesting about the phishing email was it came from actually a legitimate domain that npm uses, npmjs.org but they actually use npmjs.com to send emails. And so they didn't set up DMARC or any of the other email security headers on the.org domain. And so an attacker was able to kind of send an email from this legitimate domain. And it got through because DMARC wasn't set up. So one learning there is folks, you should set up DMARC on all, you know, all domains that you use, even the ones you don't send email from here because you know, that's how it was able to get through. And that ended up affecting a couple of packages about two months ago. So prettier was a big one, a big style style kind of code formatting tool. And then the other one is, you're going to love this, a package called is. So what this is is a type checking library. It tells you is it a number, is it a string? But yeah, you think this should be part of the JavaScript language. You know, it's kind of a basic bit of functionality, but unfortunately, JS is one of these languages that has been around for 20 years now. And the rule is don't break the web. So they can never delete things or change things in the language. They can't go back and fix mistakes. And so this is quite a popular library, and it was one of the ones that was backdoored. And it's basically there to kind of create a bit of a better developer experience for folks who want to do type checking, which is a common thing.

A (12:31)

So just one more question. When you talked about how these phishing emails shared similarities and whatnot, do we think it's the same group of people who've been doing this for a couple of months and this whole thing's just sort of culminated now, or it's just Word got out that you could sort of do this email sending?

C (12:45)

I think Word got out. They're using similar techniques, but it's a different payload over the course of the last two months. So the thing they do is when you click the link in the email, it takes you to a full proxy version of the site. So everything about the site looks the same, and they're just transparently proxying through to the real site. So you get the two FA code and everything, everything works as it's supposed to. And so it's interesting that it does seem like this has been picked up by folks, and we're seeing a lot of different payloads now using the same kind of initial phishing email hook.

A (13:15)

But they're very disappointing payloads, as you pointed out. Right. Like, everybody's very disappointed that someone managed to get all of this access and then just deploy something so crappy. Adam, I've got a question for you. If you were going to, you know, so clearly you do something like this at this sort of scale, you're going to get snapped pretty quickly. Like, as we found out, these packages were live for, like, an hour. The malicious code was live for. For, like, an hour. If you wanted to pivot your access from, like, being able to own these NPM packages and pivot that into some sort of persistent access, how would you actually go about doing that? I mean, you could do something really dumb like, you know, popping up, you know, unsigned malware into people's browsers for downloads and whatever, like, that's one way you could go. But there must be a more elegant way here. What would it be?

B (13:59)

I mean, the answer is you need to be subtle, right? When you're doing something at this much of scale. This. At this kind of scale, you can't do anything obvious because it only takes one person to start pulling the thread. And like, with that backdoor, was it the Microsoft guys found in. Was it postgres ssh? No, it was an ssh.

A (14:15)

Ssh.

B (14:16)

Looking at ssh. And like. Yeah, that's. You know, you kind of want to be subtle, like.

A (14:20)

Well, that still got detected very quickly.

B (14:22)

It still got detected. So, like, you need to be real subtle.

C (14:24)

If you were subtle, like Adam's saying, and you. And you waited for. I mean, the thing that these attacks, they're doing wrong is they're not subtle. They do things like try to shut down the system or try to remove your files or they do all this noisy stuff. If you were just a little bit subtle and then you could get away with this being out there in the wild for even just like, seven days. We saw that with an attack. The first attack that turned me onto this whole thing was event stream in 2017. And they were able to persist for about seven days before they were caught. And that meant that the package got built into some real desktop software that was using Electron and it got shipped out to users. And so I think that's the thing they're doing wrong, is they're just getting caught in an hour. So I don't know if that's. That would be somewhat persistent because now you have literally built artifacts that are signed that are out there for users to install that they've put on their systems that are backdoored.

B (15:10)

Right.

C (15:10)

And that's what these folks are doing wrong. And what we're getting really lucky with is they're just being super noisy and super kind of childish about what they do when they get access to these things.

A (15:21)

All right, well, for us. Booker, dj, thank you so much for joining us for a quick chat about all things npm. Supply Chain, always good to see you. Cheers.

C (15:29)

Glad to be here. Thanks.

A (15:31)

Now, Adam, we're going to stick with the theme of supply chain. Now, just for a moment. You know, last week we were talking about this Sales Loft breach and the drift AI and whatnot. People who are unfamiliar can go back and listen to last week's show, but in essence, what happened is someone stole a bunch of oauth tokens, I guess, from Sales Loft. And the interesting thing was there was no detail on how Salesloft itself was breached and these tokens went missing. Mandiant has some answers. Now, according to this piece by Cyber Security Dive.

B (16:02)

Yeah, so it turns out that the GitHub account of Salesloft got itself compromised a few months back. The attackers spent a while kind of learning what they could from that before eventually starting the journey that led to them breaking into Salesloft systems and helping themselves to OAuth tokens and onwards to great victory. So we, I think we speculated at the time that that's kind of what it felt a bit like, but it's nice to have that, you know, kind of have a timeline for it and yeah, once again, just, you know, GitHub account access leads you onwards into the depths and, you know, steals a great many things.

A (16:38)

Yeah, so. So what would that look like? A pivot from GitHub into internal? I mean, you don't even need to go internal, you just need to affect their apps in some way to get them to spew out the tokens. Right, yeah.

B (16:49)

And it may be a case that that git may have been the source for code that was being built. So that would have been pulled into a build system. That build system's got access to key material and whatever else or it may have been, you can modify its supply chain or it may have been something else. We don't really know the nature of that particular GitHub repo. But whatever it was, it was enough to give them presumably key material or some other kind of access onwards into systems that then had access to production environments with real keymat.

A (17:17)

And.

B (17:17)

Yeah, good time.

A (17:19)

Now we're going to have a really annoying discussion about what is an oday. John Greig over at the Record has reported on this one. CISA has issued an order asking federal agencies or ordering federal agencies to patch a bug. They're calling it a zero day in something called sitecore. But this is first of all, what is sitecore? And isn't this just like a hard coded key or something?

B (17:40)

Yeah. So sitecore is, I guess, a content management system for building enterprise apps. So quite big E commerce. Big enterprise apps use it as a framework to build their things. It's in turn built on top of Microsoft. Net. And the crux of this vulnerability is that the install documentation for sitecore had some example key material in it. Normally when you deploy a. NET application, one of the things you have to configure is they call it the machine key. Essentially, it's a piece of key material that's used to encrypt the cookies that are used by the. NET framework. If you know that cookie, you can craft a cookie. So if you know that key material, you can craft a signed cookie and that signed Cookie is a serialized NET object. So in the process of normal operation NET apps deserialize data that came back from the user and rely on this machine key to secure it against tampering. And if you can tamper it by design you get codexec which that's a whole nother like what kind of design choice is that? But we'll leave that one aside for now. So the sitecore documentation had some example keymat back in like I think 2017 and prior is what their advisory said and some customers copy pasted that into their configurations and rolled with it live.

A (18:57)

I mean it's hard to know who to blame because sadly it is kind of foreseeable that that would happen.

B (19:04)

Well, yeah it is and I actually tried to rummage up the documentation from the time to see how strident it was about you needing to do this properly and this key material being really quite important because I can't imagine that the documentation said if you do this, if you don't make this unique, you will get pre auth remote code exec against your systems.

A (19:25)

I probably said you need to configure keymat. Here's what it looks like.

B (19:29)

The interesting thing is that in NET deployments if you have a single server instance generally it will auto generate it. It's stored in the Windows registry and you never have to think about it. And if you use a cloud deployment so cycle operate like an as a service version then they take care of it. The middle ground is if you have a cluster like a high availability system, they need to all have the same machine key available to them so they can share requests and at that point it's up to the customer to set it and manage how it's stored and whatever else. And if you're in a like an AWS or an Azure environment, you might put it in the key store in those platforms but if you're just running it on bare windows boxes by yourself, everyone's just going to stick it in the web config file and then those config files get put into git and onwards and that key material loses its magic value of remote code exec. So there's a lot of pieces in this puzzle that lead to the situation that we're in and honestly none of them are zero day. But everybody's a little bit at fault here because everybody played their part in this really ultimately foot gun design of the system which. Yeah.

A (20:34)

What did we learn? What did we learn Adam?

B (20:37)

What did we learn? We learned that documentation should be clear when there is A security critical setting is the main thing.

A (20:44)

I think it's fair. I mean, they're talking about patching it. There's actually a patch. Is there a patch or are they just using patches like a term of art here?

B (20:51)

Because I think they're using patch as a. Like you can fix it by setting your own key match.

A (20:56)

Yeah, right. Okay. That's not really what patch means. But, you know, words, what are they? What are they? Why do we. Do they even have meanings anymore?

B (21:02)

I mean, we are in the post truth world, so why do words even. Meanings don't matter anymore.

A (21:06)

Yes. Patch your duplicated keymat by not using duplicated keymat. Sounds like a good plan. And we've got some absolute LOL bugs going around in SAP, SAP, netweaver or something. Erp, I don't even know. I don't know ZAP very well, but apparently there's a CVSS 10 out there being exploited, so that's fun.

B (21:29)

Yeah, there's actually a bunch of them. So SAP make generally enterprise resource planning products. Sapnetweaver is their web server component that a whole bunch of the products run on. Some of the bugs are in netweaver itself, some are in applications that run on top. But there's like three or four 10 out of 10 CVE, you know, CVSS bugs on the list that got patched. And there was another one that was being exploited in the wild that was patched, I think a month ago. So it's not a good time because these systems are, you know, generally pretty serious business. I expect that probably people are just running crypto miners on them and getting $4 worth of free money out of these giant enterprise platforms.

A (22:07)

$0.50 in Monero.

B (22:09)

Yeah, exactly. So in that respect, probably better than what you could do with access to these systems. But yeah, SAP stuff, it's real. Like I've been inside a bunch of SAP systems over the years. It's hoary and nasty and just like it's a thicket of dirty deserialization nastiness. And I think One of the 10 out of 10s is a straight up deserialization bug again, because that's a bug class we just love to use.

A (22:36)

Yeah. And I should point out that Adam was saying hori, as in H O.

B (22:40)

A R Y. Oh, yeah, yeah, true.

A (22:43)

Just in case anybody had a reaction there. All right, we're gonna chat about something that happened last week. CA, I think. What were they, Croatian CA. Finer CA. They pumped out a whole bunch of TLS certificates for 1.1.1.1, which is Cloudflare's encrypted DNS service. I mean, I guess my question here would be why would someone try to. I don't even know if this is malicious, you tell me, but why would someone try to obtain TTLs certificates for 1.1.1.1 to use? Like, what would be the malicious use there?

B (23:18)

So the malicious use would be that you could. Man in the middle DNS over TLS or other encrypted DNS options. The why, I think is as dumb as they were just testing stuff internally. On one 1.1 is a super easy address to type because the CA has said that they have the private key mat, which if it was a customer getting them to issue it, they wouldn't have the key mat. So they said they had stored it internally. It sounds like it was just testing certificates and it went through their process, ended up in the certificate transparency logs, which is good. But, yeah, I think it was actually that dumb. And probably no one ever had these in the wild and used them. We are just taking their word for it, though. So, like, it may be that they actually issued it for some nefarious purpose, but the reality is probably Occam's razor is on the side of dumb.

A (24:05)

Yeah, I mean, that was my reaction here. I did not know the subsequent reporting that you just mentioned that they had discovered that they did this internally, which was, yeah, probably just a test run. But, you know, I think we're in a position where, you know, because I was thinking, okay, say you're doing a. Doing a malicious certificate. What you want to, you know, be adversary in the middle, swap out an IP for a domain you're targeting, what, for a software update or something? I mean, that doesn't really work these days because people sign their software updates.

B (24:32)

But you'd hope.

A (24:34)

You'd hope, right? And if you're going to do something mega, like subtle, you know, and targeted and whatnot, you're probably not going to pump out like a whole bunch of certificates. They're going to be immediately spotted. Insert transparency logs. So, yeah, it feels like, I don't know, it sort of feels like progress in a way where something like this happens and it's just, yeah, someone like, just doing something dumb instead of it being a malicious thing, which is what it would have been a few years ago.

B (24:56)

Yeah, and it's also useful because, you know, Cloudflare has definitely learned a few lessons about how close an eye they keep on the CT logs. You know, there's a few other bits and pieces of, you Know, anytime one of these things happens, the process of thinking through what does it mean, what could they have done, how would they have done? It leads to improvements, you know, for everybody's else, everybody else's infrastructure. And I think, you know, one of the things the story has brought into focus is Microsoft's lack of curation of its root CA list. Because this root CA was only trusted by Microsoft, which, let's face it, that's quite a lot of the planet.

A (25:28)

Well, I remember when we were doing the, doing the risky bulletin read of this, I was talking about this and it was like, I think it was Catalan said, well, they're only trusted by one browser maker. And I'm like, oh yeah, which one? He's like, Microsoft. And I'm like, well that seems kind of newsworthy. You know, that's the important one. Really.

B (25:48)

Yeah. So maybe Microsoft will take a few lessons and be a little bit more active in how they curate their root CA store. Like one of the things that Mozilla's stewardship of and Google's stewardship of their respective stores. I was, they're pretty aggressive about stomping on people that are being bad cas.

A (26:05)

Well, they were way too permissive. Way too permissive back in the day. Right. So it was actually kind of controversial when they started booting people, people out. But you know. Yeah, I think there's, I mean still if you take a wander through like who's trusted, it's, it's, it's still pretty wild, man.

B (26:19)

There's some dodgy looking stuff in everybody's root stores and it does not make you feel good.

A (26:23)

No, it doesn't. All right, so moving on. And Alexander Martin has some reporting for the record on this and there's reporting everywhere on this because this is probably the most consequential ransomware attack we've seen in a while, which has been targeting Jaguar Land Rover. Now that's the same company that make Jaguar vehicles and Land Rover vehicles. Jaguar is not really being produced at the moment. They are retooled, tooling and developing a whole bunch of new models that will come out sometime in the future. I'm a car guy. I've mentioned that before on the show. This is how I know these weird things. But yes, look, Land Rover is obviously a very large British manufacturer of vehicles, you know, mostly SUVs and four wheel drives and whatnot, you know, Range Rover and the like, and account for something like 4% of all goods exported by the UK every year. So, you know, it's getting to the point where they've, they've had to stand down enough their workforce that this could even turn into like this could actually have a measurable economic impact on the UK economy, which is crazy.

B (27:21)

Yeah, we've seen some reports that like staff being furloughed at downstream suppliers, upstream vendors, I guess, upstream suppliers from Jaguar Land Rover. So like, you know, it's a pretty. I didn't realize quite how significant. I think one of the numbers we saw was what, like roughly 4% of exports out of Britain last year are Jaguar Land Rover products. Right. That's pretty significant. And I think, you know, this is. I don't know if we've seen any attribution, but it certainly feels like it's just the comms get it spider lapsus, you know, the bunch of kids doing it and you know, they bit off a pretty big British properties with Marks and Spencer and so on recently. But this one's kind of a next level up again. And if they are asking for attention from the British security services, like this is how they're going to get it. Like they're kind of getting off the end of law enforcement into like they're going to have some real trouble if they're causing, you know, tens of thousands of people to be without work.

A (28:17)

Yeah, yeah, I would imagine so as well. But I mean, this show, I mean, this shows us that the big game ransomware still exists. I mean, what will be interesting is to see whether or not the people who did this actually get paid are actually able to exfil the money. I mean, if they're a professional group of Russians, maybe they'll be able to do that. Scattered spider kidlets. Probably not. Right. Like it is just they are not going to be able to do it. If they are trying to commit these sorts of crimes from within Western jurisdictions, just forget it.

B (28:42)

Yeah, they're going to have a very, very bad time if they are. And I think it didn't feel like the world's most competent ransomware, I think from some of the things we'd seen. But yeah, we don't know yet. So let's see, as I'm sure the British spooks and police are all over it.

A (28:57)

Yeah. One interesting thing to note, I guess at the moment is that the United States government is now executing criminals extrajudiciously in foreign countries, which is interesting. You saw that they blew up a, you know, alleged drug boat in Venezuela, which apparently, oddly for a drug boat, had 11 people on it. You'd think you would want fewer people and more, you know, I don't know, drugs on your drug boat. But like, okay, Trump had designated these things through IEEPA as like, terrorist organizations, but that doesn't mean you could just go and kill everyone who, you know is a part of one of these organizations. Like, that's not how those designation works. So essentially what we've got is the United States government murdering people for committing crimes, which I, you know, internationally, like, very, very illegal. I don't think we're there yet for ransomware operators. I'm just saying that we are in a position now where the United States is on presidential order executing people for committing crimes without a trial. So maybe something to think about if you're a ransomware operator. I don't know, like, you know, if you become enough of a pain in the ass, at what point are you gonna get, you know, hell fired or whatever?

B (30:10)

It's a crazy world. And I know, you know, I know we've advocated with some hound release over the years, but it's generally not straight up, you know, extrajudicial drone murder.

A (30:19)

Yeah.

B (30:19)

So there's a middle. There should be some middle ground. You know, maybe some middle ground.

A (30:23)

Maybe just, maybe just kneecap them, I don't know, tell them not to do.

B (30:27)

It again, turn their computers into a bomb.

A (30:30)

Apparently Bridgestone too is having some ransomware trouble, but they are recovering. I mean, you know, it's so often the, the arc of these stories is like, you see a story pop up saying, oh, there's been an incident, but they're recovering. And then a week later, you know, no one's talking about it anymore. Or you see, like, Marks and Spencer was one of them, where, oh, we've got a little problem, just a little problem, you know, it'll be fine. And then like two months later, it's like, you know, where it's amazing that we'll, if we're even able to survive this sort of thing. But yeah, Bridgestone, which is Bridgestone Americas, which is the American arm of Bridgestone, which is a Japanese company, they've been having some trouble and restoring another one from John Greig, writing about events close to home for me. Qantas had that data breach some time ago and their executives have taken a bonus haircut despite record profits. So I guess, is that what accountability looks like?

B (31:22)

I mean, I guess it's non zero accountability. And, you know, I think, you know, compared to, we take your privacy and security very seriously, have some free credit monitoring. I feel like, you know, $250,000 bonus cut, you know, it's not nothing. But on the other hand, I think it's what, like 15% of their pay. So maybe it was only 15% of their bonuses. I don't know. Like it wasn't, it's, it's not a lot when you put it in context like that. But hey, I mean, I guess, you know, the fact that the board is making the execs take at least some financial penalty on this is a good thing. And honestly, like, as breaches go, this was far from the worst.

A (31:59)

Yeah, exactly. It was like a third party thing as well. So my guess is this is optics. Qantas bonuses have been controversial in the past when they're like taking the money that would buy new airplanes and just putting it in the pockets of the, of the executives. I don't know, man. So I don't think a 15, you know, it's not going to hurt him, let's put it that way. They're doing, they're doing well. And Qantas is an interesting one, right, because you know, most national carriers have some sort of subsidy. Qantas, the way they've done it with Qantas, it's very different. It's an indirect subsidy which is all federal government travel is through Qantas. That's, that's how they get their subsidies. So they basically charge the federal government whatever they want for tickets and that's how they, they stay a nice and fat national carrier. And who pays for that? Adam? That's right, me and my fellow taxpayers, my friend. But you know, I'm glad they gave up a couple hundred K each of their massive bonuses. That's wonderful. Now, will they or won't they split out the Cyber Command and NSA roles apparently like we do? We have not had a director of NSA for a while. Well, the United States hasn't had a. I'm not American, but the United States hasn't had a director of NSA for a while since they fired the last one because a very online right wing influencer apparently didn't like him. So we've been waiting for a replacement to come along and there's been a question mark as to whether or not they would split the role. One advantage to the Trump White House of splitting the role would have meant that he could appoint a civilian into NSA leadership because the reason it has to be a military person is because it's a dual hat role with Cyber Command, which is military. Looks like that's not happening this time around. And indeed, I think we've even got a front runner for the position yes.

B (33:47)

It sounds like Army Lieutenant General William Hartman is a name we've talked a couple of times, I think, as an option for this role. So it sounds like he has done the necessary maneuvering and so on around D.C. to get everyone lined up behind him. And yeah, it seems like the idea of actually having to split up NSA and Cybercom at the head just proved too complicated. Would have taken, you know, years, it seems, to, you know, tease them part in the first place and then build a new structure to replace it. And, you know, I guess the Trump administration doesn't like thinking that far ahead anyway. So I guess, you know, we will be back to dual hat normality, assuming this guy does make it through the process and doesn't get thrown out at the last minute like some of the other, you know, nominations in that administration, I think.

A (34:36)

What is it? The new sister guy was doing a talk somewhere where he was talking about how they need to radically embrace Trump's America first policies, but for the, you know, the Internet security or something, I don't know, it was very strange. But I figured that's like just him trying to say the right things to keep the boss happy. Right. So. Yeah, because I don't know, what is an America First? I mean, it's already an America First Internet. Like most of what we use on the Internet's American. Like how much more America first you. Anyway, maybe they're going to start tariffing our packets. What do you think?

B (35:06)

Don't give them ideas.

A (35:10)

Now. Actually, speaking of this is straying into something almost political. I guess there's. This is the stupidest story I think we've ever covered. I'm not even going to try to explain it. You just take it away.

B (35:23)

Adam Dear so the US Federal Trade Commission sent a letter to Google complaining that Google preferentially spam filters Republican fundraising emails and that that's undue influence in the political process and they're trying to use their, you know, leftist woke agenda to, you know, tip the scales of US Politics. The actual fact of the matter seems to be that the, the organization that does Republican fundraising acts way more like a spammer than the organization that does Democrat fundraising. And they've ended up, you know, on all sorts of spam lists, spam block lists, because of the way they send email, the volume of email that they send, the way that their unsubscribe processes don't work so well. So they look like spammers and so they get put in the spam folder and the ftc, I guess in this administration Feels like it needs to do something about this. And I don't know, presumably Google will just tell them to knob off and that will be the end of that.

A (36:30)

But they'll probably adjust their filters. Man, it's a letter from the ftc, right? And you know, fine. I mean, if I'm them, I just adjust the filters, you know, I spin up an allow list for the, for the big orgs that are sending this sort of stuff and then I don't hear from them anymore, you know. But it is so dumb. It's so dumb.

B (36:47)

It is, it is, it is so dumb. They are censoring, censoring the Internet with that pesky spam filtering that's getting rid of spam.

A (36:55)

Now here's a fun one that Catalan reported on in the Risky Bulletin newsletter, which is the state owned oil company in Kazakhstan. There were reports that some brand new Russian APT had targeted this state owned oil company and was like, you know, doing all sorts of bad stuff. Turned out it wasn't actually a new Russian apt. Adam?

B (37:16)

Yes, Kazmune Gas. They came out and said, actually this was us. This was a regular phishing test that we were running. And it just happened to look like a Russian APT was targeting us because that's kind of how you want the phishing campaign to go. So this Indian firm, Sekright, I think found a zip file, you know, in Virustotal and they pulled it apart, looked at it and they had some targeting information, had some related infrastructure. The infrastructure was in like a sanctioned hosting provider in Russia. It had a bunch of like open sourcey, you know, like PowerShell post exploitation and bits and pieces. And they said, yeah, this looks like a, like an attacker wrote it up. And you know, I kind of a part of me feels like whoever put this phishing campaign together for the, for the oil and gas company, like clearly they did a pretty good job as kind of an attaboy. Like I know when, you know, back in the insomnia days, you know, when we had our stuff show up and people's threat intel as a, like this looks kind of nations 80. We're like, hell yeah, we did a good, that's, that's good, you know, good day around the office. So I guess, you know, I don't know whether this was in house at the gas company or whether they, you know, had an outsourced company do it, but whoever did it, like, I guess good job.

A (38:26)

Yeah. I mean that's either the case that they did a really good job or they've made up the story about it being a phishing test because they don't want people to know they're being targeted by a Russian apt group. You never know. Yeah, so we're going to wrap it up there. But I just want to mention something real quick, which is I had a ticket to the United States, booked a business class ticket there, thank you very much. To travel to RSA earlier this year. Obviously I had to cancel that trip. It's a non refundable ticket which I didn't know when I bought it. And the travel agent's like, no problem, we can change the name on the ticket. We'll just wait for someone else to buy a business class return ticket to the United States. The problem with that is travel from Australia to the United States has cratered. People are just not really traveling there like they used to and they have not been able to on sell the ticket. So if you, dear listener in Australia, would like to buy my business class ticket to America, you can use it between now and January sometime, I think. You know, if you want to go to the U.S. i can, I can, you know, I can do you a deal on my business class ticket with United. Let me know, Contact me, I guess by LinkedIn or Blue sky or whatever. But mate, we're going to wrap it up there. That's it for the week's news. Thank you so much for joining me and we'll do it all again next week.

B (39:36)

Thanks very much, Pat. I will talk to you next week.

A (39:45)

That was Adam Boileau there with a check of the week security news. Big thanks to him for that. It is time for this week's sponsor interview now with Tony Delafuente from Prowler. Now, Prowler is an open source cloud security platform. So if you want to find, you know, misconfigurations in aws, gcp, Azure, it's very, very good at that. It can also do automatic remediations. Like all of the checks and remediations are like Python. It's very, very cool. You can run it online or you can even use a command line utility if you don't want to. Just throw highly privileged creds into an online platform to get it to go and remediate stuff, just run it off your laptop. So yeah, Prowler is very cool. They've just added a whole bunch of new stuff though, which is doing SAS scanning so you can look for misconfigurations across M365, across Entra, they're also doing GitHub, they're also doing infrastructure as code. So yeah, a whole bunch of new features in Prowler. Tony joined me to explain why they why Prowler introduced them. And here's what he had to say.

D (40:46)

So we are focused on the most important services from the Admin Center, Defender, Entra ID, Exchange, Purview, SharePoint and Teams. The most important services looking for of course for entire ad from you know, to making sure you are following all the best practices to not to expose resources users to have mfa from the basics to the most advanced type of security best practices. All the requirements for example for SharePoint to not to have exposed OneDrive resources and to have a proper authentication in place.

A (41:29)

So it's almost like the OneDrive stuff is almost like what you would think of as like an exposed S3 bucket. I mean ultimately same thing, right? And I think you and I have indeed had this conversation about how is it SaaS, is it infrastructure? Who can even tell anymore? Right?

D (41:43)

Exactly. When you talk about Attack Surface, it's not. I mean we always think about RDS database in AWS or S3 buckets, but when you move to the Microsoft ecosystem, there are many other services that can be exposed. And we wanted to be in that party as well. Right. We wanted to be able to tell our community, our users, our customers, hey, you have more than this.

A (42:10)

Was it easy to do this once you've already got the experience with Azure was then building like checks for an Azure application or azure suite like M365 easy. And I can tell by the look on your face that no, it was indeed not easy.

D (42:26)

No, I mean we started as you said, we started as an AWS only security tool, but now we are not only multi cloud providers, but also multi cloud SaaS. Right. I may say that nothing related to Microsoft is easy at the first try. I mean of course the learning curve is important for everybody. But actually we had to develop a wrapper around PowerShell in order to do many different things. Actually you have in azure the Entra ID service and in Microsoft 365 the Entra ID service as well. And it's not exactly the same way to interact with the same service through different kind of meta service.

A (43:18)

Yeah, right. So it was like different teams with different priorities and here's how you wind up with two different Entra ID services. Is that kind of what happened?

D (43:26)

Yeah. And also if you don't do certain things using PowerShell, you cannot do it or you have to to tweak your own tool. So we did a wrapper, actually we open source that wrapper as well to use Python and interact with Microsoft stuff easier because in Prowler everything is Python and we want to make sure we can scale right, Because Prowler can be run from the CLI but also from an application from our SaaS service from Prowler Cloud. So that is like the big challenge, you know, to interact with our providers with, with a way, using a way that can scale, scale up.

A (44:18)

I mean, I remember like some years ago one of my big criticisms for the way Microsoft were handling their business was in order to get information about what applications were like oauth into your tenant. The only way to do that back then was via PowerShell. Right. So I think for a while Microsoft's expectation was, well, we don't need to buy the, you know, we don't need to build the pointy clicky interfaces for this stuff because that's for the, you know, that's for the third party vendors like you. Right. And then the third party vendors, those, you know, five, four, five years ago did not materialize. So it turned into a bit of an issue and then they had to do the, the pointy clicky. But it does feel like that's always been the way that Microsoft has expected third party vendors to build security features for Azure and whatnot is just like get really good at powershell.

D (45:05)

Yeah, well, the point is actually when we released Microsoft 365 integration the same week that we released, let's say on Monday and Wednesday that week, they change it the way applications can connect to them and we realized on Thursday, so we had to launch a new version with the fixes the following week. So that is the challenge, that is the challenge of also adding value using third parties. Right. But I mean it is what it is with Microsoft happens. I don't know if it's because they go very fast or because it's just as it is, but they are adding more security capabilities that are making the life of third parties not very easy.

A (45:56)

Another thing you've been working on is infrastructure as code and doing some stuff around securing infrastructure as code. I mean, what are you actually looking at there? Are you looking at the terraform that companies have and are you like scanning terraform looking for issues? Because again, this is different to the sort of traditional stuff you've done around looking at cloud configuration. I mean it's almost like it's a stat, you know, by the time you're looking at Terraform it's like static analysis. Right. So what exactly are you doing around infrastructure? Are you looking at the Actual terraform or are you looking at what the terraform does after it's done it?

D (46:32)

So something that we have seen in this open source cloud security world is that we can take advantage of multiple tools to solve multiple problems, right? Like Prowler helps many companies fixing the runtime cloud, cloud runtime security, right? If you have something running in the cloud, Prowler can see the security status of those resources. But at the same time, people come to Prowler because they want to make sure their cloud overall in general is secure. So we realized that we had an empty spot on the developer, pure developer side on the, the left hand side, right? So we wanted to add support for GitHub. So if you are a GitHub developer, you have a GitHub, your code, your cloud code or whatever other code is on GitHub, we want to tell you, hey, this is secure, this is not secure in terms of security best practices around your repositories, organizations, etc. With that done in Prowler, we have multiple checks for that. By the way, everybody can see everything that we do in hub.prowler.com we call it prowlerhub is our knowledge base of checks, the center of knowledge of our checks and compliance frameworks. With having that in mind, the GitHub support we said, okay, now let's use, for example, we have underneath 3D, Chekhov and other open source tools underneath Prowler. Now in order to bring that service, right? So what do we do? We can scan either locally or remotely in a git repo, whatever git repo you use.

A (48:22)

So you could plug into a git repo, find the code and then you can throw another open source tool at it and say, is this suicidal?

D (48:30)

Yeah, GitHub Actions, Secrets, Terraform code, cloudformation code, all that best practices now can be done with our AAC provider in Prowler as well. So we are adding more and more providers. Like we are planning to add an LLM scanner provider as well in order to scan LLMs. For the most common sense security issues in LLMs, if you are doing your own or scanning third party LLMs and also, you know the cloud is, when it comes to, to AI, you say, okay, AI is cloud security as well. Because AI has resources, content, right? That is in the cloud, data that is in the cloud, it has APIs. And those APIs are mostly in the cloud as well, right? So you have to secure those APIs as well that are built with, in many cases with other cloud security cloud providers and gpu. And where is the gpu? Unless you want to buy your own and have your own data center. The GPU is in the cloud as well. So securing AI is securing the cloud. So that is something that we can do as well with with Prowler. Actually, we are releasing our very comprehensive MCP where you are going to be able to do pretty much anything with Prowler using our mcp, from creating new controls to configuring Prowler as well and running Scan, pulling Scan, creating your custom reports, everything. Because everything that we do is in an API as well. So it's kind of straightforward.

A (50:15)

I've taken to saying recently on the show that, like, if you're not doing that sort of thing with your security product now, you know, you're going to get left behind, you know, especially any product that's trying to do something, you know, diverse and complicated like this, touching a lot of systems in a lot of different ways. Like, you can't. It's ripe for this sort of thing. When's that coming?

D (50:36)

Actually, today. So today is going to be released in our GitHub repo. That is where you can go to prouder.com and find our link to GitHub. And today is going to be released. We are doing that actually today. By the time that this is going to be published, it's going to be out for sure.

A (50:59)

Yeah. Excellent. All right. Tony Delafuente, fantastic to chat to you, my friend, about your march towards world domination. It's always good to see you and we'll catch you again soon.

D (51:10)

Thank you.

A (51:12)

That was Tony Delafuente from Prowler there. Big thanks to him for that. And that is it for this week's show. I do hope you enjoyed it. I'll be back real soon with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.

B (51:36)

Sam.