B (2:52)

Yeah, it is, as I said, it's kind of chaotic and it hasn't gone absolutely wild. And it may still. Just because of the nature of this kind of self replication, you don't really know how wild it's going to go until it gets there. For now, it's kind of calmed down a bit, but people got onto it pretty quickly and it seems to like, a number of the compromised packages have already been pulled and so on.

A (3:14)

Well, you'd also think NPM would be able to throttle this, right, like once you know what it's doing. Like, unless the attackers are just constantly playing the detection evasion game, surely NPM would have some detections in place for this.

B (3:28)

Yeah, yeah. And like, there's a lot of things that you can use to spot it and put the, you know, put the brakes on it. And I guess in some respects this is one of the advantages of centralized repositories is that there is kind of a way to be able to control this in one place versus, you know, a more traditional Internet when it's kind of propagating independent of any one sort of central oversight, you know, someone who's in a position to be able to stop it easily. But, you know, it's. You just got to. I don't want to have to hand it to them, but I, you know, I'm kind of here for the. Just like the chaos of it. And look, man, I mean, we've been.

A (4:06)

Doing this a long time and the pace of like, cool stuff happening has definitely slowed. So I'll admit to being a little bit stoked when I woke up today on a show day and this had happened. I'm like, hell yeah, let's see. This is gonna be fun. You know, we should also mention too, apparently some of CrowdStrike's packages. I don't know what they were using them for, but they're like, oh, they've got nothing to do with the Falcon sensor or whatever and everything is fine. I don't know. I mean, that seems a little light on detail there, guys. But yeah, apparently some packages what, maintained or used by CrowdStrike got impacted by this.

B (4:37)

Yeah. So like somebody who is a maintainer has the ability to upload packages to the CrowdStrike's account on npm got hit by this. The kind of the nature of the bits of code that are there are not particularly fancy. They're things like some stuff for integrating with logging and a few other bits and pieces. Not major parts of their overall ecosystem. But still, it's not a great look when you're a security company like Crowdstrike to have someone supply chaining your code, even if it isn't particularly super exciting parts of the product.

A (5:09)

Yeah, I mean, I think there was. Yeah. So I've just googled it here. Crowdstrike Falcon prevents supply chain attack involving compromised NPM packages is one of their blog entries there. So, yeah, as you say, it's like.

B (5:23)

Throwing themselves in front of the bullet.

A (5:26)

The optics of it just aren't great. Right. And it's just. Yeah, I don't know, it's just every time something happens that makes Crowdstrike look bad, their response seems to make it look even worse. But I'll just leave that one there. Let's move on. Um, we've talked about it over the last couple of weeks, but this ransomware attack that is impacting Jaguar Land Rover, look, I mean, some production could still be shut down until November. Some of their upstream suppliers who make, you know, all the little bibs and bobs and pieces that go into cars could face bankruptcy. So there's already, you know, I would say, premature talk that there might need to be some sort of government bailout for the automotive industry in the uk. Now keep in mind that the alleged attackers here are domestic. Right. So they're English speaking, sort of scattered, spidery, you know, the comm style kids. They are going to get caught, like.

B (6:23)

Yeah.

A (6:24)

I mean, I would bet solid money that within the next year they're getting caught.

B (6:29)

Yeah, I mean it was one thing to go after, you know, Marks and Spencer and co op and sort of retail things in the uk, but, but I mean, Jaguar Land Rover is a particularly large part of the British export economy and I don't see British authorities, you know, being relaxed or gentle about this. Like they are not going to let.

A (6:47)

They'Re not going to let this one go. It's not just kids having fun. Right.

B (6:50)

You know, so I mean, you know, you certainly got that sort of sense from that, you know, the British part of the comm, that there was a sort of a bit of escalation where they were just going bigger and bigger because they could. And you know, I think they may be reaching the Find out phase at some point soon.

A (7:06)

I mean, I do find it interesting though that the threat actors in this case are homegrown, right? So when we used to see stuff like JBS meats or the Colonial Pipeline, I mean, this was very much, you know, Russian organised crime. I mean, I don't think we can infer too much from this, to be honest, but it ties into that bigger discussion we've had in recent months about how gauging the impact of recent counter ransomware initiatives is actually very, very difficult. We don't really know how much has worked. One thing I will say though, is I've heard that data extortion is really on the rise. Right? Like that seems to be the crime du jour for a lot of these, a lot of these crews. I would say that if we convince ransomware actors to get into data extortion, I would call that actually a massive win. Because even though this is a crime type that's making them lots of money, it's way less disruptive than something like ransomware. It's not going to stop a car maker from being able to make cars, for example. You know what I mean?

B (8:01)

Yeah, yeah, it is. It's kind of. The impact is still bad, but it's kind of more gentle. Right. Because everyone who's got a, you know, your data has been stolen, you know, kind of privacy notification from some company, you know, once you've lost it once or twice, the third or fourth time stop kind of mattering so much. And that is, you know, even though it's not great, it's still better than, you know, your meat supply chain shutting down or your car factory is not working. Right. So the availability impact does hurt more than the, you know, the confidentiality part.

A (8:32)

Yeah, 100%. I mean, I would say that, yeah, it's much less impact from these sort of incidents and I don't think, I would say that ransomware that can shut down factories and these sorts of things like that is a national security issue. I would say data extortion is not. I would not think that using sort of hound release against those types of crews. Unless we're talking about extremely sensitive types of data, I just wouldn't think that's an appropriate use of resources, to be honest.

B (9:03)

Yeah, I mean, you can certainly see it in the case of like, you know, medical data or, you know, back when, what was it the people who did the clearances in the US got hacked and all of the data taken by.

A (9:13)

But in that case, your hound release might be limited to trying to Destroy the data that is in the possession of the attacker. You don't need to do the full disruption, I don't think. I just think it's a completely different sort of paradigm.

B (9:24)

Yeah, I mean, the Australians burning down that, you know, bulletproof hosting provider in Siberia or whatever it was to get rid of stolen medical data. Yeah, like you could see that response being, you know, kind of more practical and less, you know, less big, like just kind of smaller scale, which, you know, I guess that's an improvement, right?

A (9:41)

Yeah. Well, I will just. The last thing I want to say on this too is this is exactly why it really gives me the irrits when people conflate ransomware with data extortion attacks. So we've seen, you know, vendors, other media, you know, through things like these file transfer appliance compromises that resulted in a lot of, you know, customer records and stuff going missing. People referring to that as a ransomware campaign. It's not. It's a data extortion campaign. And we really need to start making that, that difference clear because that's going to help us, you know, form policies and plan for the future and do all of those sorts of things. So, you know, that's just my pet peeve. Just had to mention it again.

B (10:19)

Yeah, certainly agree. You know, those things were pretty well conflated early on as it started to come in. And then now that distinction is more important because as you say, the disruption attempts the, you know, the things to counter it are different, the approaches that we take. So, yeah, they should have different names.

A (10:34)

Now we've had some big news relating to TikTok. Not strictly a cyber security story, but it is one we've covered over the, over the years there's been many, many twists and turns and the latest is that apparently, according to the Wall Street Journal, TikTok's US business could be con. Could wind up being controlled by an investor consortium that includes Oracle, Silver Lake and Andreessen Horowitz. And the idea is that the, you know, the Chinese company is going to license the technology to, to the Americans but not sell it to them. And the, you know, the algorithm will be trained on US data. And honestly, Adam, when I saw this as an Australian who likes TikTok and enjoys TikTok, it made me really sad because it looks like we're going to have. Have to choose between. Well, we won't even get the choice in the end, but the choice is going to be made for us and we're either going to wind up with a TikTok that's controlled by a bunch of lunatic Americans or a TikTok that's controlled by the Chinese Communist Party. And at the moment, I don't know which one I would prefer. Like, I actually don't like, do I want to be scrolling? Like, The Muskification of TikTok, like, would be awful. You know, CCP also bad. But like, I'm just like, oh, this. I don't, I don't know what to think here.

B (11:54)

I'm kind of right here with you. Like, some of the bits of the story suggest that Maybe it's like TikTok may fork into a separate app in the US and maybe in, you know, in the provinces, like you, you and I in Australia, New Zealand, maybe we will have the option of, you know, Chinese real, you know, authentic OG TikTok.

A (12:12)

Yeah, can we, can we keep the Chinese one, please?

B (12:14)

Crazy Maga TikTok.

A (12:15)

Yeah.

B (12:16)

And honestly, yeah, I'm, I mean, if current TikTok is the Chinese Communist Party version, like, I can't imagine the American one is going to be better than current TikTok. Right. It's only going to be worse in ways that for those of us not in America probably aren't better.

A (12:34)

I mean, when cone, when Conehead and Friends take it over, it ain't going to get better. It just ain't going. And the interesting thing is here, like, there's a bit of a, there's a bit of a question as to whether or not this deal, which people are describing as like the ultimate taco deal, you know, the Trump always chickens out thing, because this is not a forced sale, Right. And it's very unclear at the moment whether or not this is even legal and whether it lines up with the bill that passed the U.S. congress that would force this divestment. So who knows if this is even going to happen, right? But like, wow, what a world. What a world we find ourselves in.

B (13:13)

Yes, it certainly is pretty. Well, it's a wild ride is one.

A (13:16)

Of the things is now speaking of Chinese propaganda, there's been a big leak out of China that's detailed the Great Firewall and we've learned a whole bunch about the so called Great Firewall of China, about how sort of, you know, content access, control and censorship and stuff is implemented and what some of the strategic objectives of that are. I don't know that we've discovered anything that surprising here, but it's certainly hit the headlines. What, what have we learned, Adam?

B (13:46)

I mean, so I guess we've learned that, you know, China is Pretty good at capitalism and the like. The idea of a monolithic great firewall of China, the reality is that, you know, there's a bunch of commercial companies and in particular one quite big one G Edge. G Edge. I don't know how one says that was one of the companies behind the technology and that they are, you know, they've spun out of university research and it works, you know, a lot like it does in the west, you know, where technology firms, you know, come out of good ideas in academic institutions, partner with government agencies to sell their services and so on. And actually also have been packaging up and selling like a great firewall in a box to other countries in the world that have, you know, similar sorts of censorship goals. I think the leak of data that we saw from inside Gedge, they used code names for the countries. So like it was a number, like a letter and then some numbers after a bit of, you know, research work has suggest that one of them was Kazakhstan, one was Pakistan, one was Ethiopia, one was Myanmar. There's another that starts with A might be Algeria, who knows? So we've got an idea of what those customers are and some of the specifics of the details. One thing that was actually quite funny was I think one place, maybe it was Pakistan. Sandvine, the Canadian company, was originally in Pakistan helping them build censorship. And after, you know, that kind of went on, went a little bit wrong for them geopolitically and they pulled out. GED's got a contract to go in and kind of take over the Sandvine gear, repurpose it and then ultimately replace it with, you know, their great firewall in a box. So, you know, a few interesting details like that, you know, a bit of a peek behind the curtain of how this all comes together and yeah, nothing super surprising, but just kind of interesting.

A (15:29)

Yeah, well, I mean, China has innovated in this massive censorship at scale stuff. I mean, I am old enough to remember when people in the west, you know, us nerds in the west, would ridicule the great firewall of China because they're like, you can't stop the Internet. How ridiculous. People are always going to find a way around it, go try, because you can't. And you know, I've got mates who have to go to China for, for work and they will try to tunnel stuff. It doesn't work and like it'll work for five minutes and then you get detected and then you get sent into like a little cordoned off area of the Chinese Internet where all you can access is like, you know, Xi Jinping correct thoughts of the day sort of thing. So you sort of get penalized for a couple of days. You sort of get, you know, cordoned off and then gradually it'll sort of open up access again. But if it detects anything weird like, oh, DNS tunneling, boom. More. Some more G thoughts for you, bud. You know.

B (16:22)

Yeah, yeah, they've got a bunch of real smarts and you know, looking for like, yes, sure, stuff inside. TLS is encrypted, but they can do kind of traffic analysis, they can look at metadata, they can use machine learning tricks. There's all sorts of, you know, kind of smart tricks that work well enough to, as you say, spot something that looks like tunneling, spot something that looks out of the pattern of regular web traffic and then like, it doesn't cost them anything to throw you in the naughty bin for, you know, a few days. Right. There's no real downside to them to doing that. So they can afford to be quite aggressive. Whereas, you know, if you were in a corporate environment and your, you know, your outbound proxy was really aggressive at blocking people, you get a bunch of pushback from your users. Management would get angry. Like you have to tune it to be less aggressive. But when you're the Chinese Communist Party, you don't really have that kind of degree of feedback. So yeah, kind of, you know, they have a slightly easier problem than perhaps it looks sometimes.

A (17:16)

Well, and everything gets done on WeChat anyway. Right. So between WeChat and all of the mini apps and everything, and that's all sort of state controlled or state observable and that's turned into the inspiration for stuff like the Max messenger app in Russia. Right. So China, it seems, has really perfected this sort of control, digital control at scale, information control, access control, messaging environment control and everything. And you know, other countries have learned from this and as you point out, this is turning into an export industry for them. So other wonderful governments can decide that they just want a piece of this and write them a check and away they go. I mean, it's depressing, isn't it?

B (17:54)

It is depressing, but also like it's kind of what it's what the world looks like these days and, you know, somebody's innovating and China is the place where, you know, there is demand and clearly now there is also supply to match it and you know, opportunities for export follow. So capitalism.

A (18:12)

Yeah, well, they're, what is it? Free market communists I think they call them. Yeah. Now let's take a look at this Atlantic Council report into the global spyware market. I mean from based on the write ups that I've seen, the key takeaway here seems to be that more and more US Capital is investigating, investigating investing in this market. I'm sorry. And you know, I, I think it's kind of funny that people have dumped a whole bunch of money into the spyware market just as Apple releases the, you know, memory integrity stuff which is going to make life extremely difficult for exploit developers. But you know, you and I and Tom, you're in. We're actually having a conversation before we got started and it's, it's hard to know whether that's going to be bad for the investors or good for the investors because the rewards for people who can get around that are just going to be astronomical. But you know, what's the gist of this report here?

B (19:04)

So this is a report that they have been kind of maintaining for a few years now and they update it regularly. And this is this year's or 2024, I guess the data from 2024 updated and it pulls in some changes in ownership, it pulls in a bunch of details of new operations that have come up. But basically it's just their work at, you know, keeping a holistic view of what the spyware industry looks like. Who's buying, who's selling, the people involved. They have quite a nice like pointy clicky diagram thing. You can kind of click through and explore the relationships between entities and so on. And in terms of new things in this, I guess there's a few new players in the market. You know, they tracking the money, you know, from sources in investment firms in America into mostly Israeli firms. You know, that's doesn't seem like a new insight but it's good to have some kind of details of the scale of that. But it's just, you know, overall it's just really good that someone is keeping tabs on this and producing good quality work that you can then build further research, build other things on top of.

A (20:03)

Yeah, I mean if you know, you say it's nothing new, but then you look at the actual chart of the number of investors who are getting involved in this market from the United States and it looks like someone made a mistake on the graph. It's going to the moon, which is. Yeah, I mean I don't know what that tells us about the amount of money or whether there are details in there. Anyway, look for people, for those who are interested in that market and understanding it like this is some solid work from The Atlantic Council and of course, we've linked through to it from this week's show notes. Now, let's talk about the Vestamo case. Of course, Vestamo was this psychology clinic in Finland that was hacked and the data was, you know, patient data was extorted back to them. I mean, there were suicides as a result of this attack. Eventually the. What was the guy's handle? I've got his name here. But what was his hand?

B (20:47)

Zekill, I think.

A (20:48)

Z Kill. That's right. This Z Kill guy was eventually convicted for doing this and sent off to prison. Looks like he's out, though, at the moment, Adam. Halfway through his sentence. Why is that?

B (21:00)

So he is appealing an aspect of his sentence and apparently under Finnish law, you're presumed innocent during that appeals process. And so he has been allowed out whilst that appeal is underway and it hasn't overturned his previous conviction and he still got that sentence of six years. But I think, like, he is innocent whilst he's appealing and so he's out whilst he goes through that process. Now, I don't know if that means he then goes back to do the rest of it if he fails his appeal, but, you know, either way he's out walking around free, which feels pretty bad for, you know, the people that were impacted by this particular attack, which was just horrible, you know, like ransoming people's therapy notes back to them, just, you know, disgusting. So him walking free, regardless of the legal process, doesn't feel great.

A (21:46)

And if anyone wants to read about that Vastamo case, there is a book by Joe Tidey, who is a listener, and a BBC journal called Control Alt Chaos, which is very good. So you can go and look that one up. It's a good book. I haven't finished it yet. Sorry, Joe. But I did, I did crack into it and read a few chapters and it is typically good stuff from him. But meanwhile, look, relating to the same case, there's been another arrest, actually. Someone was it an American has been indicted by the Finnish. By the Finns.

B (22:18)

I'm sorry, this is an American guy who was living in Estonia and I think had. Was involved in, you know, in the scene, because I think Zekiel sent Alexanderi Kivimaki. He was Lizard Squad back in the day. So this is someone else from that kind of orbit. They found that he had. This guy had some shells on some boxes that Kivimaki was operating and was involved in some of the extortion, I think, of the actual company, Vastamo, as opposed to the individual patients. Anyway, he was arrested on request of Finnish authorities, so we'll kind of see how that goes. But it's kind of funny because it's been, you know, it's been a few years now. So seeing a fresh arrest now was, you know, a little surprising.

A (23:00)

Yeah. And look, staying with Law and Order, John Greig over at the Record is reporting that Connor Fitzpatrick, AKA Pompompurin, who is one of the breach forum's administrators, because there's been so many breach forums since that you can't just say he was the, you know, I guess maybe it was the OG breach forum, but I don't even know if that's the case. But anyway, a big breach forum, admin Pompompurin, who got off real light and you and I have always thought that was really weird, has now been given a three year prison. Prison sentence. He's been re sentenced so.

B (23:32)

Well, yeah, yeah, he had originally argued that he wasn't going to do well in prison because of his autism or something like that. The DOJ didn't really enjoy that, went back and appealed and yet now he's gonna face three years. He was originally gonna get, what was it, 20 or something? 20 years of supervised release and then they asked for 15 years in jail and now they settled on, on less than that. So either way he's gonna see some time inside a jail. And yeah, I guess, you know, breach forums was pretty big and like a lot of bad stuff happened there. So I guess I don't feel too bad about him seeing the inside of the prison.

A (24:09)

No, me neither. Don't do crime, kids. Another one here from John Greig. Microsoft has disrupted some sort of phishing as a service operation. Is that right, Adam?

B (24:19)

Yes, they went after raccoon 0365, which was a phishing as a service platform that was being used to phish their users. They took out a bunch of the domains. I think Cloudflare was also involved in shutting down some of the infrastructure and there's Nigerian guy that they have identified behind it. I don't know that he has any immediate threat of arrest. I think this was just the technical infrastructure being shut down. But I guess anything that allows people to phish Microsoft users effectively, that's a thing that's worth Microsoft's time to take care of.

A (24:54)

Yeah, I mean, we could argue about other stuff they should be doing and in fact, that's what Ron Wyden is doing, the senator in the United States. This is the most widen of white widening things we've ever seen. He's writing letters about Kerberosting. This is a very specific thing. So why don't you start off by telling, explaining to the audience who might not be okay, exactly what Kerberosting is and why Ron Wyden, a US Senator, is jumping up and down about it.

B (25:24)

Right. So Kerberos is an authentication mechanism that grew out of, I think, MIT in the 80s. Microsoft adopted it with Windows 2000 for corporate network auth and it's a core part of on prem Active Directory. Kerber Roasting is a specific attack where any authenticated user in a corporate environment can request essentially a password hash for another account, which then they can crack offline. And this is a workhorse technique that people breaking into Windows corporate networks have been using for years because getting a password hash to a privileged account, cracking it offline with your GPU and then pivoting into that account, super, super useful. And Wyden's complaint here is that one of the reasons kerberosing is viable is that Microsoft uses RC4 crypto RC4 as a mechanism. In part of this process, it's not actually a hash. You get like a ticket signed with a hash of the near result, you can still crack it offline. It functions like a password hash. But the use of RC4 RC4 in it basically meant that you could do this at speeds in the order of, you know, like gigahashes per second, you know.

A (26:42)

Well, I mean, RC4 is not known as being the state of the art in encryption. Right. Like it has been broke forever.

B (26:50)

Yeah, it's a very old, like 1980s stream cipher. So like, yeah, it's a little long in the tooth. And that kind of combined with the other problems with Microsoft or the ecosystem in Active Directory, you know, it was a pretty sore spot. And there were a few common patterns where particularly Microsoft SQL Server, like the way that people installed Microsoft SQL Server, ended up resulting in accounts that were often specifically vulnerable to this type of attack. There's a few, there's a few prerequisites to it, and SQL Server installs often met those prerequisites and were often privileged. So, you know, if you landed on a network, you'd go find all the Microsoft SQL Server accounts, get an auth request token out of it offline, crack them, and chances are you'd get ideally a domain admin password within a few hours of cracking time. And super useful technique. And as to exactly why Wyden is mad about it specifically, well, apparently his.

A (27:49)

Office has been looking into the breach at Ascension, which is A healthcare play. I think there was a ransomware incident there and kerberosting was involved. But it just seems an odd thing to zero in on because say kerberosting wasn't a thing. Right. They updated the crypto, broke some backwards compatibility so that, you know, and just did the right thing. Do we think that breach wouldn't have happened? Like, I don't know. It just seems odd to go so specifically toward one thing. You know, like you, you sort of had the same take as well, which is like, yeah, like Microsoft should fix this and it is ridiculous that they haven't. But like surely if you're a senator you might be able to find some sort of broader message than hey, update from RC4 to stop Kerber roasting. It's just the whole thing's a bit strange.

B (28:32)

And even if like so Microsoft like RC4 is not the best way to do this anymore. Like Microsoft has a more modern crypto. There's an AES backed version of this encryption type 17 and 18 if you're wondering. And you can still offline crack those. It's just three orders of magnitude slower.

A (28:49)

What's the issue here is that by default can you request one that's like RC4 crypto or is it that people are. Is that it?

B (28:57)

Or So I mean the RC4 crypto ones are very, very fast to crack and they are still present in nearly everywhere because backwards compatibility primarily is the.

A (29:06)

So Microsoft hasn't turned it off as a default like you can.

B (29:08)

So Microsoft hasn't made it not the default. And you know, they could turn it off and they might break some interop with other enterprise stuff that uses it, but really they should have just turned it off a long time ago. But you know, if you asked the like Bloodhound Spectrops guys, you know, like if you don't have Kerberost, how many other paths are there through your Bloodhound graph? They'd be like lol, like a thousand infinity. So it really is just one little piece. And it used to be that kerberosting was like when I was doing, you know, sort of red teamy kind of stuff and you'd end up in Windows networks. Kerberosing was one of the really big, kind of like it was a big deal at the time. Its time was probably 10 years ago now and there are so many other techniques through certificate services and whatever other new stuff they've come up with that this isn't the big deal that it was. And to be honest, like if you were going to criticize Microsoft's security engineering choices, you might as well go beat them up for Lanman password hashes or NTLM challenge response auth or there's so many things in Active directory that Ron Wyden could go shake the Wyden stick about that. It's just weird that he picked this particular one. And if it makes Microsoft change the default, then good, I guess. But it's just a little weird.

A (30:23)

Yeah. So that's the takeaway, isn't it? It's like good but weird job, dude.

B (30:30)

You know, you sort of get that feeling that Wieden's office has that sort of, you know, Pepe da Silva board on the wall filled with a million things they can go complain at Microsoft about. And he's just, you know, picked the one of the day to go write a press release about or write a letter about to the ftc. But you know, and I'm not mad in the end, I am just not mad that a senator cares about whether you're using, you know, RC4 or AES for your curb service tickets. But at the same time, like, don't you have anything else to be doing, buddy?

A (31:00)

Yeah, yeah. Now look, let's move on to our next story. We've got a report here from Rafael Satter and Jana or Jana Winter over at Reuters. And there's communists, Adam. There are communists in the roadside weather stations. Yes, this is communists everywhere.

B (31:19)

This is another report about, you know, sort of industrial equipment or equipment deployed out in the field in kind of critical infrastructure ish roles that has hidden secret radios in it. In this case, I think there was cell modems in, you know, like weather stations and traffic cameras and things like that. And that's a threat to, you know, America's way of life because the communists might turn our weather stations against us. The thing that makes me a little mad about this reporting specifically and other examples of it in the past is the idea that there is a radio in these pieces of equipment is not that wild, right? I mean, many of these things probably have it as an option. Maybe it's just the equipment is there by default because it's.

A (32:04)

Well, it could just be a system on a chip sort of stuff, right?

B (32:06)

Could be a sock that's just got a modem in it. Like there's no detail here about were these devices, were the radios enabled, did they have SIM cards or ESIMs or service available to them? You know, were they being used for anything? You know, because there's a big difference between there's a radio chip on this board because economies of scale meant it was easier to put it in and not use it than cell as an add on or this stuff is actively plumbed in and you know, active on the network without the operators being aware of it.

A (32:35)

I mean, look, I just want to read you the lead here, which is US Officials say solar powered highway infrastructure, including chargers, roadside weather stations and traffic cameras should be scanned for the presence of rogue devices such as hidden radios secreted inside batteries and inverters. So it's like the solar kit they're worried about that is powering stuff like, I don't know, speed cameras. I mean, what are they going to do, man? They're going to mess with it so that people start getting fined for speeding when they're not speeding. I don't know, it just seems an odd to focus. I understand. When you're dealing with like the cranes were a good example, right? So like cranes installed at ports, you know, shipping with, with radios installed in them, undocumented, probably connecting back, you know, that's something you want to know about. It could be there for entirely innocent purposes, which is the, the people who manufactured the cranes might need to be able to troubleshoot remotely if there's something wrong with them. You know, the other case is, well, maybe the CCP wants to monitor container movements at that port and that would be a good way to do it. Right. So there are instances where you want to look at it. It's just this seems like an odd one to be, you know, this is an odd one. It's just strange.

B (33:49)

It's a strange one to be excited about. I just like, I feel like the important detail is missing which is that that they were doing something with it or that it was even, you know, that it's not just this was present, that it was actually active or in a state where it could become active. And you know, you could imagine, you know, if you could instantly conjure a botnet out of, you know, 100 million embedded devices on the, on the mobile network. You could destroy the mobile network, right. It would stop working. And I could see that being a, you know, like beyond the impact of a particular road sign or a particular, you know, crane. Right. There are things you could do with that kind of scale. But you know, China telecom already has quite big pipes. Like if your goal was denial of service of comms infrastructure between BGP hijacking and telco hacking and just having very big pipes, there is a lot of ways to skin that cat. And it just feels like rolling out, you know, modems in battery packs on solar things on the side of the road. Just seems like a weird way to go about it. So I'm, you know, I'm just kind of dubious that this is a huge threat, you know.

A (34:52)

Yeah, I mean we've seen the look, I understand, around solar inverter. So Australia has the highest uptake of solar, rooftop solar in the world. No surprises. We've got lots of sunshine. I mean I've got 10 kilowatts on my roof right now. We are literally having a solar powered conversation right now. A lot of that equipment is made in China, mine isn't. So I understand that there's, there can be some concerns around that stuff, but yeah, we've seen some crazy politics around it as well. I remember an Australian senator, James Patterson, who's with the Liberal Party, which, not to confuse the Americans, the Liberal Party in Australia is the Conservative Party. I think he's the shadow, like home affairs guy and he put out a release saying that the government's renewable energy targets were putting Australian national security at risk because the solar inverters were made in China so we should burn more coal or something like that. Like it was the, it was one of the worst releases I've ever seen. So yeah, so look, there's a, there's a time to like have a serious look at some of these call home features. And in those cases, those inverters that are installed domestically in Australia, we know they connect back because they connect through, you know, they're an Iot thing that connects via your wi fi back to something in China where you get your console and whatever and can see how much energy you've generated that day, change configurations and stuff like that. So in that case, I think it is actually a thing worth taking a look at. But yeah, it just seems like people sometimes grasping at straws like for the, for the China threat, when really there's a lot of stuff they are doing which is a lot more threatening than maybe having, you know, some non SIM carded radios in a solar panel controlling a speed light, a speed camera on a American highway anyway.

B (36:31)

Yeah, exactly.

A (36:32)

Moving on. And Israel has apparently seized a bunch of crypto wallets that are tied to the Iran's IRGC. There was something like $1.5 million in these crypto wallets, but crucially they say something like $1.5 billion had passed through them. I can't imagine that seizing crypto wallets, you know, crypto wallets are not hard to replace. I can't imagine that this is really going to inconvenience the IRGC all that much. But why don't you tell me how did they actually seize these wallets? Was this through a court action or through some 8200ing?

B (37:06)

So I think in this case, instead of actually being specifically seized, probably they have just added them to the, like, block lists that exchanges use to, you know, flag accounts that have been doing particular stuff. I think US Authorities have put out, like, a seizure notice saying that they are seeking to get. The one particular guy's cryptocurrencies was a guy that was arrested in Italy, but is actually physically in Iran. And that was like, half a million dollars worth. So I don't know that they are actually seizing in the sense of going and stealing the guy's wallet, taking the guy's wallet out of his back pocket. But the net result is that those accounts are probably burnt, you know, in terms of their utility for use on, you know, the open exchanges. As you say, you know, making a new crypto wallet not particularly complicated, but I think this does send a message that, you know, hey, we are watching you. And we're not really clear how Israel knew about the specific accounts, like, knew which ones, and that may have involved Zomati 200, and one assumes that that's kind of what they do. But, yeah, the important thing is that Iran knows that people are watching them, and, you know, $1.5 billion, you know, we don't really know where it came from. We don't know what Iran's using it for, but the point is that they will feel a little bit seen and may make them be a bit sneakier about how they do it in the future.

A (38:25)

Yeah, well, I do wonder how they were actually paying people in Australia to go and commit crimes. You know, I'm guessing there was a crypto element there. Interestingly enough, they were using usdt, which is Tether's US dollar, stablecoin. So it's funny, when we talk about the decline of the US dollar, even the IRGC can't de dollarize, Adam, which I find quite, quite fascinating.

B (38:47)

But I imagine it's because they don't want to wear the cryptocurrency speculative, you know, like, up and down.

A (38:52)

Exactly. So they choose the greenback, buddy. They greenback all the way. So that's a bit funny. All right, mate, we're gonna wrap it up there. Thank you so much for joining me to talk through all of that. Interesting as always. Now, oh, I should mention, too, you're actually on a break, off to a beautiful Sunny place in the Pacific and you'll be having some fun over there. And then when you come back, I'm off. So next week I think it's Rob Joyce who's going to come in and be bu next week. And then I think when I'm away for the school holidays here, you might be putting together an episode without me, which will be the first ever, Pat, free edition of Risky Business, which is.

B (39:27)

Very exciting, that is that we are plotting around the office to have a little fun while the boss is away. So, yeah, we may have a. There may be an extra special episode coming out to listeners whilst you are out of mobile coverage and can't see what we're up to.

A (39:41)

Oh, God. So I'll chat to you in four weeks from now, mate. Have a great break and I'll catch you soon.

B (39:48)

I'll see you then, Pat.

A (39:58)

That was Adam Boileau there with a check of the week security news. Big thanks to him for that. It is time for this week's sponsor review now and we're going to be chatting with Adam Poynton, who is the chief executive and a co founder of Knock Knock. Now, Knock Knock, many of you would know I'm actually on the board of directors of Knock Knock and I do hold some shares in the company. It's a company that I'm really, really into. Basically what it does is it. It's. It takes identity information or identity status, authentication status, and ties it to other events, like network controls, for example. So, you know, you can have a firewalled service on the border of your network that no one can reach, but then when they authenticate through their idp, they can then just hit a little button on a web app which opens up a port to that service. So we use it at Risky Biz HQ to manage the applications in the cloud that we access. But what's been really crazy is the extent to which this has taken off as a control for internal networks, because internal networks are just so messy these days, particularly at big organizations. And quite often people have just got really risky assets sitting there on flat networks that maybe the entire workforce doesn't even need to be able to access and they just want to be able to seal these things off quickly and easily. And that's becoming a huge use case. So I'll drop you in here where Adam explains that, like one customer who came to them recently, they just needed to get some controls on some KVM over IP switches pronto, and they chose Knock Knock to do that, which just, you know, really solved the problem for them in half a day. So here's Adam Pointon talking about that. And also further internal use cases for.

C (41:34)

Knock knock Enjoy KVM over IP devices. You know, they're embedded, there's a lot of unknowns in them. They run some sort of Linux Y thing and they're straight into your keyboard. So it's a real problem if they're exposed and they kind of brought in to solve a problem about access. Right? You need to use these things to get access and then you can't necessarily control them because you need that access. So what do you do? And that's where people have come to us saying, can you solve this problem? Yes, we're looking at our edge. Yes, we're looking at how we carve up internally. But actually we've got these things we want to introduce, but we don't want to just put them on the network and hope for the best. Can you help us with that?

A (42:16)

All right, so that's the KVM over IP use case thing. Pretty easy to restrict, pretty straightforward pitch. I did also want to talk to you today about the biggest customer actually that you have. And their use case is really interesting, right, because they have essentially a global flat network where users in a risky region are sort of required to have to access global resources on that network. But the customer wants to put in the ability to do user attribution to users from that region on the network and also to be able to restrict that region or specific parts of that region very, very quickly if they have to. So this is almost like micro segmentation. That isn't micro segmentation. Can you walk us through this one please?

C (43:07)

Yeah, it's sort of common in a way where organizations have firewalls, internal firewalls all over the place, but they allow or deny. So if they're allow, you've got network transit from different remote offices, manufacturing environments, et cetera, which essentially result in a flat network and always on access. So being able to reduce that exposure down to a human identity is sort of what they're also doing. But it's also the ability to cut access, so turn access off based on, you know, whatever decisions they're making. So organizations have these internal controls and firewalls, but they're open. So the angle really is about having time based access but using existing network layer controls as opposed to needing to go up the complexity, looking at different applications and saying, well, how do we do time based or limited access on this application or that application rolling in, Knock knock allows them to just do it at the Network layer, which makes it simpler and more yes or no as opposed to. Well, there's identity here and how do we restrict that up the application stack? They just cut it off at the network, which is sort of alluding to allows them to control broader things like that. Office is offline as of right now. Turn it off. Depending on whatever their response and needs are.

A (44:34)

Yeah, well, I mean you can start to set like pretty fine grained access policies, right, that apply immediately to network resources, which is nice. I mean I can't think of another real way to do that.

C (44:45)

Well, you end up doing at the identity level so this user has access.

A (44:49)

Yeah, but that's what I'm saying. Like at the network level you can't. Right?

C (44:52)

No, that's right, that's right. And the identity layer is a great way to do it because you got attribution at the individual identity. But it's complicated.

A (45:01)

But if someone's on the network and they're unauthenticated, that doesn't slow them down because they're on the network. I mean I think that's the point, right? Like if you're going after some pre auth rce on a flat network, you don't need to be on authenticated. An authenticated user.

C (45:13)

No, that's right. And that's a lot of the aha moments our customers have. Why do we have always on network access?

A (45:21)

What?

C (45:21)

These systems, the IP kvm, the servers, whatever those. Why are they always accessible all of.

A (45:27)

The time to everyone? Like pre auth? Yeah, yeah.

C (45:31)

Well look, they may not be accessible to everybody. Like the admins have access to the lights out management network. The manufacturing team have access to the machines that go being over here. But they have that access all of the time, 24 hours a day, seven days a week. You know, that's not necessarily required. And then it's harder to then go and say we need to carve this section out, all these users out. It's retrospectively going and tying it down. And that's the aha moment that a lot of people, what customers have is why am I allowing access all of the time? It just seems crazy.

A (46:04)

Yeah. Now to be clear, knock knock. In most instances you don't need to install a new box or anything like that. It's very much about just instrumenting what you already have. Right. So plumbing your identity provider, you know, sort of authenticated state information through to network controls. So that's really how that works. But in the case that people do need some hardware in there to control things like you Just roll in with a proxy, right?

C (46:33)

Yeah, that's right. So people have like we orchestrate firewalls, control layers if they have them, if they're there. But in some environments recently where they've got a flat network or a section of their environment that's flat, they want to add another layer of control in. So there's not always a firewall we can orchestrate. And they don't necessarily want to put another bastion, you know, jump box or VPN box with two sides on it in this, in this case. So we're actually working to drop in a reverse proxy that can either DO TCP or HCP layer 7 filtering and we just drop it in. Knock knock, orchestrates it and it gets them kind of protecting those assets really quickly. Because that's the other philosophy we have is don't have a big project because you're talking to a firewall because you're talking to an existing control system. It's not a RE architecture, it's not installation of every single machine. It's sort of drop in, solve the problem quickly, remove that attack surface at speed.

A (47:32)

So I've mentioned the KVM over IP case, I've mentioned the geographic restriction case. What's another one that you would want to think to name right now? Because again as I, as I keep saying like you know, originally the idea was man, you're going to be able to cut your external attack surface so efficiently with this. And there are people doing that, but the big ticket deals are all people doing this. And funnily enough it's like people for whom trying to do a full scale micro segmentation project is just a non starter. The environments are just too big, like forget it. But if they could carve out initial, you know, it's almost like micro asset specific micro segmentation. So you're just micro segmenting each asset instead of the entire entire network. But what's another example that you could think of off the top of your head of another use case?

C (48:20)

Yeah, recent ones, outbound access or the kind of east west access. So let's start with the outbound access. We've got customers that have air gap networks. Traditionally air gap networks, they may not have been updated in a while because they're not getting patches. They don't want to sneak in their updates, you know, run around with the USB key with the patches on them. They need those machines or those test environments or those experiment or air gap networks to get outbound network access for an hour while the admin logs in, syncs updates, pulls them down applies them, blah blah, blah, and then accesses remote egress.

A (48:58)

Right, so that's funny, right? Because I know the customer you're talking about there. And that's when they have to do build testing environments that are temporary and are relatively static and have to be disconnected. I mean, so we're not talking about like in this case classified air gap networks which cannot be connected to the Internet. We're talking about like, yeah, like in this case it's a test network that's important and testing important stuff and has to be static, has to be air gapped, but also would be nice if it got updated every now and then.

C (49:25)

Yeah, correct. And similarly, they don't want the machines just automatically updating either because it changes their test bed which can skew results. So it's about having a static environment until you intentionally want those systems to have access egress, access to download updates, etc. So it's about creating a static environment. And Knock knocks being used to an admin, will log in and say I now want this segment, this network environment to go out to the Internet or to go east, west and go across to these other systems and pull updates. And that actually ties into a new feature we built to support those customers. So traditionally Knock Knock has been all about the person and their IP address. So when they log in, their IP address goes places and allows direct trust from them into the systems. And this new feature that we've built in response to this is they can pre configure a network. So a user will log in and then say open up this network to this network, which is all preconfigured. They're not typing in random stuff to allow those machines to go out, get updates, do whatever maintenance they need to do again without changing that static test environment or whatever it is. It's really about putting them in control of network flows without an admin needing to go and make a change. It's preconfigured, they're just pressing the button saying allow it. An hour later it blocks it again.

A (50:43)

Why don't you just rattle off a few new updates like a few new things that you've added to the product recently?

C (50:49)

Yeah, one of them is that network feature I mentioned where it's not all about the user's IP address, but about pre configured or predefined networks. We've had a lot of support for new firewalls, Cisco software, other devices that customers have come to us around. We had a really in depth security review which is fantastic. So we, we had an external party and internally we sort of paired with them, went really deep on that and we're just sort of adding, got to.

A (51:15)

Give him a shout out, shout out to Matt and Elton, who did that work. Because it was, it was. They did a great job.

C (51:21)

Yeah, they did a great job. We sort of went around the world to look at who, you know, who, who would really give us the most in depth review. And Altum came out. So yeah, they've done a great job. So fixes in for that. We sort of hardened a few things as well. Like the agent can do things by default. And we're like, well, not everybody's going to do that. Let's turn that functionality off. And that kind of flows into our threat modeling as well. We spent a lot of time thinking about our threat model. It's evolved a little bit in the last six months, but it's sort of been thought through prior to that. And where, I'll say it here, Patrick, we're thinking of actually publishing it. You know, it's, I think it's the healthy right thing to do where we're comfortable with our threat model. Everything can always be better. But we actually want to share it and publish it because we think our customers will appreciate it. And I'd love to see other vendors doing that as well. You know, there's the S BOM and there's sharing what's inside, but actually sharing a threat model and saying, here's how we think about it here, where we think the risks and threats are, here's how we respond and handle those. So, you know, put it in your environment. We recommend these things, but at least we've done the thinking and shared it. So you can understand what introducing another new technology to your environment actually means to your threat. Your own threat model and risk profile.

A (52:37)

Well, as soon as you release it, we can talk about it here on the show, but that's all we've got time for today. Adam Pointon, thank you so much for joining us to talk about all things knock knock.

C (52:46)

Thanks, Patrick. Great to be here.

A (52:50)

That was Adam Pointon there from Knock Knock, which is Knoc Knoc. And yeah, I mean, Knock Knock is terrific. I love it. Go get yourself some Knock Knock. But that is it for this week's show. I do hope you enjoyed it. I'll be back soon with some more security news and analysis. But until then I've been Patrick Gray, thanks for listening.