Hey everyone and welcome to Seriously Risky Business. I'm Adam Boileau. SRB is the podcast companion to my colleague Tom's newsletter of the same name. Hey Tom, nice to see you. G'day Adam.
This week's show is brought to you by Thinkst, makers of the Canary deception tech. And actually, I was talking to a new Thinkst customer the other day, and they were expressing some delight, actually, at how much of a pleasure dealing with Thinkst's sales and onboarding processes was. And when your customers are saying that around town, you're definitely doing something right. SRB is also supported by the Hewlett Foundation and produced in partnership with Lawfare.
Now, we here at Risky Biz, across the main show and on Risky Biz News and indeed on SRB, we've said a lot of mean things about Microsoft lately. This week, you've written about the latest development at Microsoft. But the thing that really concerns me, Tom, is, is it time that we have to be talking about eating our hat? Yeah.
So no is the answer. And I'll give you a sort of potted history. So way back in September last year, I wrote about Microsoft's security culture and I said it just basically wasn't appropriate. And that was because in the incident where...
Chinese actors had stolen keys that still worked. There was this whole series of what seemed like or what were framed as bizarre happenings. But I sort of looked at all of them and went, hang on, you know, those bizarre things only happen because people fundamentally don't care about security. And so if you care about security, you know, maybe one of those things would have happened, but not the whole string of them.
Now, subsequent to that, they came out with a Secure Future Initiative and that just left me cold because there was no talk about changing priorities. So you get a good security culture when everyone believes that security is important and you end up with a subpar one when no one believes it's important. And that Secure Future Initiative, it didn't have anything about how we're going to change the way we make decisions.
It had like, we're going to AI some stuff and that will make it better somehow. Yeah. My view on that was that doing extra security stuff is good and it seems like AI will help, but they don't fundamentally change the choices that you make. You can have great technology and great
AI, you know, magic machines that do wonderful things. But if you don't care about them, that's like the fundamental problem. Satya Nadella, the CEO, has sent out a memo that was reported in The Verge. And it's really, really clear that they're actively making a choice to choose security. And so that's great. That's the kind of thing that actually makes a difference because you deprioritize some other stuff
and you fix the problems that you've got. Now, the really interesting thing about this to me was that other companies have now seen security as a marketing point. So Microsoft's gone from, you know, a couple of pretty bad breaches from Russia and China, a Cyber Safety Review Board report that was pretty scathing. And now they've said,
we're going to prioritize security. So AWS, for example, last month they had a blog post that was, you know, how the unique culture of security at AWS makes a difference. We have slightly fewer Fancy Bears inside our cloud than our competitors. And honestly, it's great to see competition on the basis of security because it doesn't feel like a thing that the market has really valued that much.
until relatively recently. Yeah, that's right. And I think it's like the natural skeptic in me says, I don't know if they're going to turn security culture into a marketing meme. But if in that process they have to also build good security culture, then I guess we could accept...
you know, being turned into a marketing show. Yeah, I think that's the happy place I've landed on. You know, even if they're embellishing what they're doing with marketing gumpf, they've got to start with something to embellish in the first place. Exactly. And instead of just trying to sweep out their security failings,
on Friday night with the trash. It's, you know, they're sort of proactively trying to establish that they've got good security. And I think that gives us something to hold people to account to rather than just the usual, you know, we take your security seriously. Exactly, yes. And I think, you know, I think...
Comparing with, say, Apple, who's made privacy a focus of their marketing and their public communications, or Google, who have done so much really great engineering work in security but kind of can't really talk about it because of the – well, it gets lost –
compared to Google killing products every five minutes or, you know, Google being an advertising company, you know, with amazing tracking of everybody or the Android app store being trash. So it's kind of lost for Google Cloud and, you know, Apple is doing it in a different direction. So I can imagine a world where we did see AWS and Azure and Google Cloud, you know, competing directly on security properties. Like that would be good for everybody, I think.
I was wondering to myself whether this is just a flash in the pan or whether it's an enduring thing. And I was thinking that Microsoft is going to have some difficulty for some time. There's a lot of, I imagine there's a lot of technical debt and it's going to take some time to work through. So I'm optimistic that it will be a basis for competition for a while to come.
Yeah, it probably will be. And, you know, Azure is a very deep stack that's been built very, very, very quickly. And you think how long it's taken us to get, you know, on-premises Windows Active Directory right, and you would argue that probably we still haven't got it right. So, yeah, there is plenty of room for improvement and for hopefully innovation and, you know, it being a thing you can actually use to sell. Yeah, yeah. So that's a fundamentally good news story. It's weird. You know, this disaster has...
hopefully looks like it's shifting the dynamic about what people care about. It's weird having good news on Seriously Risky Business. Speaking of good news, LockBitSupp, the leader of the LockBit ransomware crew, has had a very, very bad day. And that's good news. Yeah, so there was a multinational law enforcement operation against LockBit. And they've just recently come out with an announcement and they said they've unmasked him,
the leader who was known as LockBitSupp, a Russian, Dmitry Yuryevich Khoroshev, and the US, UK and Australia levied financial sanctions against him. Now,
The interesting thing to me is that there seems to be things in the indictment that the US Department of Justice released that are entirely about making life difficult for Khoroshev. So, for example, they just, you know, happen to mention that Khoroshev and co-conspirators deployed LockBit against multiple Russian victims. So, should be a no-no in Russia. And it just seems like, well, hey, you know, Russian law enforcement, if you want to take an interest...
I guess a complementary piece is that they said that he had earned 100 million US dollars from his time. That's some real money. And so there's an opportunity again to get people to apply leverage against him. And the third thing is that there's a piece in here where Khoroshev is talking to law enforcement. It doesn't say which law enforcement, but he's basically trying to get
information about his ransomware competitors. So this piece seems to be designed to make sure that he has no friends in the ransomware community once he's done. So I thought that was interesting, those just little nuggets in there that to me seemed not super important for the indictment itself because they're, you know, they're dealing with what he's doing in Russia.
I guess they go to character. Yeah, but they're not strictly... They weren't necessary. And I mean, especially given that a person like this is pretty unlikely to end up in American hands to actually be prosecuted. Yeah. Including things that are not necessary but are going to make his life difficult does feel...
calculated in a way that... I'm thinking of the fate of Ermakov, the guy who did the Medibank hack in Australia, seeing him subsequently arrested in Russia for computer crimes. We talked a little bit about whether that seemed like a thing that perhaps...
some of the Australian intel folks had helped along by making sure that information was understood in Russia. And this has some of that same flavor. If you've got $100 million in your house or in your Bitcoin wallet, then there's plenty of people in Russia who would shake you down for that. And if they're law enforcement, now you've given them a reason to start shaking you down. And if you're criminals, now you've got a reason to go exact some revenge. So yeah, it does seem...
calculated to exert a bad day on him in ways that, you know, you don't have very many levers to pull in Russia and it feels like they pulled three of them in the environment. Yeah, it's designed to make a bad day last a very, very long time. Exactly, exactly. So good job Western law enforcement and, you know, maybe some Russian criminals will pay attention to how this one goes down as well. Yeah, I think that's the hope. That's the hope.
Another thing that happened this week was the boss of Change Healthcare, or the parent company, UnitedHealth of Change Healthcare, talked a bit about how that had gone down for them in front of the US House. What did you pull out of that? Yeah, so the immediate sort of entry point was a Citrix portal that didn't have MFA. Womp, womp, womp, womp. So the...
The story is they think that credentials were bought or stolen and then, you know, the portal doesn't have MFA, and in you are and away you go. And so there was some reporting about, you know, what a dummy. Don't do that. But the kind of story is deeper than that, in that Change Healthcare had been acquired by UnitedHealth and it was the UnitedHealth CEO who testified. And
they acquired them 18 months ago and UnitedHealth actually has a policy. If you've got external facing assets, they should have MFA enabled. Very sensible policy, I endorse, yes. Yeah, yeah. And so then there's also other factors involved. You know, the technology, some of it was 40 years old. And so there's this complexity underneath this single point of failure policy
that makes me want to try and understand what are the reasons why that wasn't remediated in that length of time. Like there's the dummy's answer or the obvious answer, and then there's the answers or the reasons that underlie that answer.
And I want to know what those are. And so this really reminded me of Conti ransomware. They had a really big incident on the Irish National Health Service. Yes. And the Irish National Health Service commissioned an independent report from PricewaterhouseCoopers.
And they went through the technical detail of what happened. So they phished, you know, got onto a box. EDR wasn't configured correctly, etc., etc., etc. But the actual sort of ultimate reason they came up with is that in the Health Executive, in the health service, they just didn't care about security that much. So no one was checking that things were done correctly. They didn't really have proper plans. And they ultimately said it was a governance failure.
And that kind of report, I think, is tremendously valuable because companies get acquired all the time. You've got to figure out those kind of risks. How do you handle that? I've heard of some places, I think, where they just deliberately keep them segregated until they're in a happy place rather than sort of diving in and
mixing the systems. And I think, to be fair, in this case, that happened. Change Healthcare got rinsed, but UnitedHealth, it didn't spread to the broader network. And so I really think it would be a great idea to have that kind of report for this incident.
Yeah, because the simple answers are always very easy to go, yes, I understand what happened here, move on. But there's a lot of things that have to go wrong to get to the point where you've got single-factor Citrix on the internet, and that's an easy step from there to domain admin or whatever else. So it is more complicated than that.
And things like the CSRB reports have shown us kind of how much depth there is in some of these things, like the one they went into Microsoft with, or even the one they did into the Lapsus$ crew, right? Which was sort of baby's first CSRB report, but there was a bunch of really interesting insight. And so,
seeing what happened in an incident that was this big that started with something so simple. Yeah, there is real value in understanding that and I think you mentioned in the newsletter it would be nice if Change Healthcare or UnitedHealth did commission a similar kind of report, did publish it, that would be useful for everybody. Yeah, I think that'd be great. And I think in the past Congress has actually done these kind of reports. So they did one on OPM. So that's a government body. So I think it's a different situation.
I'm not suggesting necessarily a CSRB report for this incident. I don't know that it meets that bar, but that style of what are the real underlying causes rather than
no MFA. Yeah, the easy one. And as a funny aside, speaking of acquisitions, we actually did an engagement once in my pentest career where the acquiring company was being kind of bamboozled by the people they'd acquired, or they weren't cooperating with the process of integrating and whatever else. So we actually got commissioned to break into the target
and do like all of the discovery of their environment and get a real answer about the state of their security in an offensive, uncooperative kind of way, which was a super interesting exercise. And I think the output was actually really valuable. So if you're thinking about doing acquisitions, having a red team go through your acquisition can give you some useful perspective.
Yeah, that's a fascinating story. And I guess it makes me wonder whether, you know, should that be kind of a standard practice? And to me, it goes through the if the acquired, you were saying the acquired company is not being cooperative. Yes. How often does that happen?
Exactly, I can imagine a fair bit. And, you know, is there a playbook for that? And I think that's the kind of thing the sort of report I'm suggesting might tease out. I'm not saying that it happened in this case, but, you know, if that is a problem, then the investigation or the review has enough...
there's the potential to try and reach out to other people and say, like, how often does this happen? What do other people do in that situation? Yeah, it's always nice to have an engineering solution to a problem. Like, let's just go hack it and see. It answers a lot of questions for me, anyway. Thank you very much, Tom. This week's newsletter, it was great. Everyone should go have a read, and thank you for your work. Thanks a lot, Adam.