Risky Business #601 -- Everyone's messing with TrickBot
Hi everyone, and welcome to Risky Business, your weekly information security news and current affairs show. My name's Patrick Gray. We'll be checking in with our boy Adam Boileau in just a moment to talk through the week's security news, and then of course it will be time for this week's sponsor interview. This week's show is brought to you by Signal Sciences, but instead of having one of their staff on the show this week, we're going to hear from one of their customers. Scott Behrens is a senior security engineer at Netflix, and he works on the Netflix product and application security team, and he'll be joining us to talk through the ins and outs of the appsec program over there. That is a great chat, that one. I let it run long. But yeah, that is later. Right now it is time for a check of the week's security news with Adam. Adam, last week when we were talking about how someone was interfering with the TrickBot botnet, I said something along the lines of: this kind of has the feeling of something that came off a whiteboard at Cyber Command. About that, about that. Yes. Other news breaking that it was in fact Cyber Command all up in TrickBot. So yeah, you totally called that one. It was the vibe. Yeah, it did feel coordinated, it felt a little different than usual. It doesn't feel like the normal corporate takedowns. We do know that there were some corporates involved as well, but not necessarily the same operation, whether it's Microsoft's stuff, which was also taking down some of the stuff in ways that we've kind of seen them do in the past. But yeah, this one did feel a little different, and yet it was. Yes.
So it turns out Cyber Command were interfering with the TrickBot botnet under the auspices of protecting the United States election, right, the integrity of the election and confidence in the election, because, you know, US security officials have been quite concerned that an adversary could use the deployment of ransomware on or around the election as a bit of a spoiler, as a way to sort of erode confidence in the US election. I've seen some people pushing back on that on Twitter, some people in security saying, well, it's just a theoretical risk, but look, they have been thinking about this one, table-topping this one, for quite a long time. I can tell you that with certainty, I've been on this one for quite a long time. So I'm not surprised to see the move against TrickBot, much the same way that they moved against the IRA, the Russian IRA that is, before the midterms or during the midterms a couple of years ago, back in 2018. So I'm not surprised to see them do this, especially when you consider that TrickBot has been linked to all sorts of shady state-sponsored stuff. Yeah, but I think it does make sense, and when we talked last week, you know, we spoke a bit about the healthcare impact, with TrickBot being involved in dropping the ransomware on the big hospital chain we were talking about, but I was focusing on the elections in that it's a thing that the Americans are particularly concerned about, because it is a realistic thing that can happen, but also there's a little bit more mandate to, you know, go after and deal with things that are election-related, and some of the ties with TrickBot selling access to other actors, North Korea is one example cited, does kind of tend into nation-state territory.
Both of those things are a little bit more in Cyber Command's wheelhouse than just, like, straight-up criminal stuff, and we've seen some people kind of suggesting that even if the technical risk to elections is perhaps not credible, who knows. Hang on, hang on, TrickBot has been picked up on state and county systems, right, that could be involved in the election process, so it does, it does actually connect up pretty well, I think. And I had a brief chat with Bobby Chesney about this. He wrote a piece on it for Lawfare, and he says, yeah, if this is squarely aimed at protecting the election, then this type of activity would fall squarely within the parameters of Cyber Command's statutory authorities, right? So that actually makes it less interesting, because if they had done this because of the attacks against hospitals, that would be crossing a big line, but doing it because of the election is actually less interesting. Yeah, it's funny. Funny because it is a really interesting example of them acting against a network like this, where election interference is probably only one thing that TrickBot could be used for, where we've seen it being used. But yeah, you're right, it would have been... and we're taking action against the theoretical attack instead of the actual one which took down hundreds of hospitals. It just seems to be crazy. A place in the side effect, right? If I do disrupt... but it's also not particularly clear to what extent this really has caused impairment to the operation of TrickBot. In the short term perhaps some; in the long term it doesn't really seem that way. You know, whether we've made a difference, we don't really know, but anything that goes after those actors and makes their lives more difficult is a good thing, even if it wasn't the primary reason, and we've also seen, you know, one kind of part in public here, and there may well have been other actions going on, and, you know, we may see ongoing
activity against TrickBot. Hang on, hang on, that's the part that comes next, but let's just stay with the Cyber Command bit for now. This could be signalling, right? They are talking about this. The Washington Post comes out with four sources on this. They're clearly talking about it to certain media. They're talking about it for a reason. So when people say this could be signalling, I tend to think the fact that Cyber Command is even discussing it supports that theory. Yeah, I think that's a pretty straight line to draw. Obviously Cyber Command has done a bunch of other things in the last year or two, and we haven't necessarily seen them discussed the same way as this. During the previous midterm elections, you know, you did see them saying, you know, there was some signalling to Russian actors, saying, hey, we are up in your stuff, we are watching you, just, you know, to kind of head things off. So the fact that we had some signalling then, I think this is signalling now totally makes sense. It does. Now, where it gets interesting: as I said, this isn't about the hospitals, it's about a theoretical attack that could fall on election-related systems, right, a few weeks from now. But this begs the question: couldn't you make the same argument for all botnets? Couldn't you make the same argument for any botnet that could theoretically be leveraged by a state to undermine the election, right? And if that's the case, why not attack them too? I don't know that there's any good reason not to here, I think. Yeah, absolutely, we've seen plenty of evidence of other botnets being used to drop initial access, as cover, being used, unwittingly you know, by other intelligence agencies too, as vectors into places. There's absolutely a line to be drawn from all of the other big operations. It's such a natural good place to start: they're deniable, they provide access, and indeed they're less well protected than the networks they're trying to break into, or the operations themselves.
There's no reason not to go after the other ones under the same kind of logic, to me. Well, that's the thing, isn't it? Even though we're saying it hasn't crossed a line, it kind of has. What they're saying is that this is a national security risk that justifies the involvement of a military organization. It's almost like this is complicated. But of course, as you mentioned, there was another coordinated takedown. A whole bunch of companies were involved: Microsoft, Symantec, Lumen, which used to be CenturyLink, got involved and went after TrickBot C2s. It's funny too, because while they were preparing the takedown, they were actually watching the Cyber Command thing going on and thinking, what the hell is this? So everybody's having a crack at TrickBot. Microsoft used an interesting legal technique to get takedown orders from US courts. I thought this one was funny, in that Microsoft appears to have used US copyright law to justify the takedown, or takeover, of some of the infrastructure, on the basis that the attackers were using Microsoft's software development kits in ways that weren't permitted to them in terms of the licence, which, I mean, probably appropriately, they weren't correctly abiding by the terms and conditions of use. Hey, it's one way to skin a cat. Gets the job done. This is the legal equivalent of... it works, right, but this is a new precedent and they can use this against others and whatnot. Now, we should point out that Intel 471, who track TrickBot pretty closely, say it hasn't actually had much of an impact, and of course TrickBot does have fallback C2 methods, among them Tor C2s and EmerDNS, which is like a blockchain-based DNS that I'd never heard of until a few days ago, and I've been reading up on EmerDNS. Yeah, I mean, it's all happening, man, but it doesn't look like it's been a terminal blow to TrickBot just yet.
No, and some of the commentators have been suggesting that whilst this isn't going to be effective, you know, in the immediate term, against such a complicated, multi-sided operation like TrickBot, anything that increases the overhead of operating an environment like that is still useful, when we do see kind of continued friction there. Yeah, yeah. Trying to, you know, make the cost of running it... make it fiddly and annoying and a pain in everybody's ass, and if they keep doing that then maybe it does provide something, even if it isn't a long-term, completely kill the whole thing dead in the water. Well, we've seen a few people say that this falls under Cyber Command's whole persistent engagement model, and that's going to be a big pain in the ass for the TrickBot operators if they're just going to have a few operators dedicated towards, like, hassling them, right, and making their life hard. And I really do wonder if this was a shot across the bow, a bit of signalling, or whether or not it's the beginning of just a campaign of harassment against the TrickBot operators, because I would not want Cyber Command harassing me and just trying to make my life hard, because that's sort of, that's an asymmetric thing. You know, you're gonna lose. Exactly right. And even just knowing that you're on their targeting lists, that there are people tasked to review you, and right now it's, you know, cyber level, but who knows what other stuff might be happening, what else is going on, and that's gotta weigh on you, right? I mean, any time you're involved with a criminal syndicate you've got that kind of fear of what might happen to you hanging over you, and now you've got a little further to worry about. Yeah, and that's going to affect them psychologically as well as, you know, the technical operational aspects. Well, I am kind of surprised, I gotta say, I'm kind of surprised that if Cyber Command were going to do something here they didn't just own the C2s and actually have the malware uninstall itself.
I am surprised. There's got to be a reason why they didn't. Yeah, I mean, maybe, and, you know, there's a bunch of red lines that maybe they're trying to... Yes. We've seen some of those arguments made in the past about, you know, making anti-worm worms and stuff, that maybe it's just not worth the hassle of trying to argue now, and also, you know, a campaign like this is pretty new. They're just going to try the, you know, the gentle option, don't go too hard, see what happens, get a feel for it, and then the next one we see is a bit more take-no-prisoners. Well, I saw in some reporting, Krebs has been doing a good job on this one as well, but in some of the reporting there was... apparently they're all pissed off, the TrickBot operators, and they're going to boost their ransoms to try to cover the loss. Just thinking, guys, when you've just been rumbled by Cyber Command, you know, sticking your head further up is probably not... not so much. But it's the sort of hubris that happens when you're a twenty-something-year-old cyber-crook with millions of dollars in Bitcoin; you're going to think you're invincible. They have been pretty untouchable. You know, if you operate in Russia within the constraints imposed upon you by being in Russia, then don't go on holiday in Thailand, then yeah, they have been, and maybe this is a sign that the times are changing a bit. All right, let's move on. There has actually been a big profile published on the Cyber Command director, Paul Nakasone. So that's just a great read. Did you get through it? Yeah, and it's really interesting, being the background of a guy that's pretty influential in Cyber Command and, you know, is probably responsible for a bunch of the things that are going on now, so it's good contextual reading for what's going on there. He doesn't sound like a super exciting guy, but that's perhaps what you want at the helm of something like that. Yeah, yeah, that's the thing, I mean, he likes pencils. That's something that
Dustin Volz from the Wall Street Journal was kind of saying about the piece. But let me read the tweet: "The director of the NSA is so boring, the most interesting thing about him is that he really likes number two pencils and has an oversized pencil gift sitting in his otherwise Spartan office." Which I think is a little bit cruel, right? You probably don't want the director of Cyber Command and NSA being, like, the party guy, like, exotic skateboarding around the office. Let the man like his pencils, I think. Fair enough, number two is a perfectly fine number of pencil. So yes, you have our approval, generally, indeed. Now look, staying with US government agencies, the FBI and CISA have said that APT crews are now using that domain controller bug that popped up a few weeks ago, that real serious one where you could just get instant domain admin. No surprise there that people are using bugs, I guess. Yeah, that's pretty much the guts of the story: hackers now use the bug to get shells, perhaps patch your stuff or look for the bug, maybe both, you know. It makes sense that a bug like this is going to be picked up by a bunch of different operators, APT crews using this inside all sorts of interesting places, unfortunately. A lot of sense, a reminder: when the patches are out and when they're telling you to patch your domain controllers, probably you should patch your domain controllers. Yeah, that sounds like reasonable advice. Norway has said that a recent intrusion into its parliamentary systems was conducted by Russia. I know. Colour me surprised. Exactly. Yeah, I mean, obviously, you know, Russia's very interested in what goes on in that region of the world, and being up in the Norwegian parliament makes a lot of sense, so no surprises at all. But Russian organizations are having their own troubles at the moment, Adam. There's a group out there of Russian speakers pretending to be Chinese, hacking Russian organizations, is that right? That seems to be the story. Yes.
So whether it's Russians pretending to be Chinese, or whether it's somebody else who speaks Russian, Ukrainians pretending to be Russians pretending to speak Chinese, maybe it's the Chinese being Russian, who even knows any more. But the point is... you think China's learned to speak Russian and is then pretending to be themselves? Wheels within wheels, man, I'm not sure any more. But the point is, Russian organizations are being targeted by other Russian speakers, according to reporting, and that doesn't sound that incredible given the things going on in that part of the world lately. But yeah, I mean, it's just so hard to tell what's going on any more. Now, we've got another Cyber Command story here, and I think they buried the lede, because I think the lede here really is that Cyber Command actually does pretty good Photoshop. This is a release: they dropped some samples on VirusTotal that they attributed to a Chinese group, but yes, they dropped it with this, like, sweet Photoshopped image for the group, which is called SlothfulMedia. They shopped a pair of headphones onto the sloth and they put a moon in, and then released it on the day of the Chinese Moon Festival. I wonder if that could be related. But yeah, according to this story in CyberScoop, this one's by Shannon Vavra and Sean Lyngaas, this is, yeah, Chinese operators targeting Russia, India, yeah, and a bunch of other places, I mean, we've seen Malaysia, Kazakhstan as well. Some criticism, I think, in terms of the quality of the work: "slothful" in the name apparently refers to the relatively lazy approach to cutting their tools. Being thrown, from here, against a twenty-first-century cyber weapon, is shade via Photoshop. Hell of a way to win a war on the minds of... the naming department at Cyber Command continuing. All fame. If everybody can... everybody else. We've got one here from Raphael Satter and Christopher Bing at Reuters.
This is the write-up of a group that's been, you know, seen operating in a bunch of environments, but the diversity of environments being targeted is kind of interesting. I've seen Sikh protesters and Pakistani military and commercial organizations. And the conclusion basically suggested here is that this is another one of these commercial mercenary hacker outfits, being tracked down here from reporting from BlackBerry Cylance looking into these campaigns. Yeah, the idea that there are commercial operations out there, you know, isn't a surprise. We talked about, what was it, the one coming out of India a little earlier on in the year. But yeah, interesting when, you know, you're trying to figure out who's behind something and it just doesn't make any sense; maybe it's just money behind it. Yeah. Meanwhile, a public broadcaster in Germany has done a really detailed report into OceanLotus. This is of course the Vietnamese APT crew, and it looks, from the looks of this story, it looks like they are really an all-purpose APT crew. It's not like other countries with more developed capabilities, where they tend to split off into different units for different purposes; these guys seem to do the lot. Yeah, the report talks about some kind of Vietnamese people who fled persecution or political situations in Vietnam. In this case, you know, a guy that's residing in Germany that's, you know, kind of under constant attack by the Vietnamese APT crew for political reasons. But we've seen the same crew also doing a whole bunch of other stuff. As you said, the general purpose crew for anything that needs to get cyber'd out of Vietnam. But yeah, it's just a really interesting write-up when it's been done by a media organization that's outside of the normal cyber scene, and seeing, you know, the way that they're trying to explain this to the
public. It's actually really interesting. I quite liked the way that they wrote it up and tried to explain it without losing a whole bunch of technical detail, but also explaining it relatively clearly. So I thought it was a good piece. Yeah, they've got some animations and stuff in it. It's a good one to show normies, I reckon. Exactly. Yes. Five Eyes is now Seven Eyes. Why the change is... So you know how, like, every single year at about this time the Five Eyes governments come out with a joint communiqué, signed, that encryption is of great concern and technology companies need to do more? They've basically dusted off last year's communiqué and put it out again, but this time India and Japan have signed up as well. But I mean, it's the same old stuff. Yeah, I mean, that's pretty much exactly what we saw in last year's one, you know, something acknowledging that encryption is important and useful in a commercial context, people do have some rights to privacy, and that governments in general are willing to give up on mass surveillance in the way that the golden age of SIGINT, you know, would have liked. Willing to give up a little bit, but they do expect Facebook and social media companies and companies to come up with something so that lawful intercept and options for law enforcement can do stuff. But yeah, basically the same kind of statement that we saw last year. Four governments, like ours here in New Zealand, haven't really started the process of trying to turn that into something actual, you know, watching what other countries, like Australia's Assistance and Access Bill, which is a little closer to what this Five Eyes statement is. Kind of waiting for, seeing how that turns out, is the smart move for people like us, but who knows what's gonna happen after the election in the US, and Lindsey Graham and, you know, the movements against big tech over this; maybe, maybe more things will happen.
Where we landed on that yesterday, because I did work with Brett on this section of the newsletter (do subscribe, everyone, I'm just gonna say it again), but yeah, I think we covered it off. His last paragraph, at the risk of repeating ourselves: the use of encryption in and of itself doesn't prevent a service provider from responding to a lawful access request. Service providers could choose to build mechanisms into their platforms that allow, for example, for access to user content under warrant, but, as we've been arguing, any such proposals will be pretty fraught in the details. So the can gets kicked down the road once again. We can hardly wait for the 2021 statement. So that's pretty much it. You know, it's still a hard problem with no easy solution. Ping of Death! The Ping of Death is back, and Sophos actually did a great write-up on this. Microsoft has said there's a CVSS, I think it's a CVSS 9.8, bug in the ICMP handler in their IPv6 component. So it's like a straight-up IP stack security bug, which Sophos says they've got a PoC working for, like a Ping of Death to DoS Win 10 with it. But we were chatting before we got recording, and, you know, someone might eventually figure out how to exploit this. I mean, it's a pretty interesting bug. If this bug had landed in Windows XP, you know, something that didn't have modern exploit mitigation tech, then this would have been a planet-melting bug, like an IP stack remote code exec, single packet, off guard like that. It's IPv6 as well, so a whole bunch of people are going to miss it. It's the bug that ten, fifteen years ago would have been amazing, and now it's just kind of, ah, it DoSes the box a bit, man. Which is sad in a way: exploit mitigation works so well it ruins everything. But it's pretty much a straight-up IPv6 stack overflow, parsing the list of DNS servers in an IPv6 router advertisement message, and unfortunately the relevant components are compiled with stack cookies.
And yes, I've watched the statement, which is that this is going to be difficult to shell remotely. There's no word on whether or not, like, a local attack might have more options, which, you know, for local, could be worth considering perhaps, but yeah, this is gonna get a lot of people looking at this bug, because if you can make it work, you know, you're going to be happy. That's really like Scorpio from the Simpsons, I mean: "Gentlemen, I have the doomsday device." At that point, that's all. Right, an IP stack remote, and we haven't seen one of those for a very long time, apart from that one last year or whatever, but it doesn't really count. But yeah, that's a hell of a bug. And part of me wishes it was genuinely, like, straight-up code-exec-able, because we love to see things burn a little bit sometimes. Now, yeah, exploitation tech. This is why we have it: it's a justification for all the work that's gone into exploit mitigation stuff over the years, because it just saved your ass a bunch of trouble, Microsoft, so I guess good job there. There was a bunch of other juicy bugs in Microsoft's patches this month: there's a SharePoint bug, there's some Hyper-V bugs, you know, a good collection. GDI+ also, is that gonna be, like, a nightmare to patch as well, because it's included in all sorts? You're gonna get owned from a third-party image editor? I mean, that's a good question. That's the kind of system where it can be really hard to tell whether it has been embedded as a component in stuff. Remember when there was that really bad GDI bug years ago, and Microsoft actually had to ship a tool that scanned your system to see if it was on your box? Yeah, and it may well end up like that; we've seen that kind of thing with compression bugs and libraries and things like that getting compiled into stuff. So yeah, those sorts of bugs deep in the graphics system in Windows.
They really delivered the goods this month. Adam, I'm sure all of your application providers are using technology like Snyk to fully understand their supply chain. No problem at all. Software AG is having a bit of a hard time over there in Germany. The big software vendor has been hit by the Clop ransomware gang, who have encrypted their stuff, stolen a bunch of their files, and are demanding apparently more than twenty million US dollars' worth of ransom. Software AG is a pretty big company, but twenty million dollars is a lot of bucks for anyone. Yeah, funnily enough, I had an interesting chat this week with Michael Montoya, he's the CISO at Equinix, about their ransomware event. We're going to try to get him on the show at some point to talk about it, but that was a fun chat. Like, it was just a case where, you remember, we were like, how the hell did the attackers not get into the customer environment? And Michael said, you know, they had some segmentation and stuff, and it was like, it wasn't perfect, but it was just good enough. Like, they blew stuff in, and the defences were just good enough to stop this particular crew, and it was a bit of a knife fight, but they came out basically on top by the end of it. So there's more to it than that, but I'm hoping we can do that as a case study at some point when we've got time. But it was a really interesting chat with Michael. So thanks, guy, if you're listening, that was cool. And now we've got a bit of a feature here from Brian Krebs on Krebs on Security, just really looking more at the business environment for people involved in ransomware.
And in fact it's a really good dovetail to that anecdote about economics, because the thing that Brian's talking about is crews that advertise on Russian forums for operators to take things where the initial compromise has already happened, and then go and do all of the hard work to turn that into: we understand the business, we've stolen the data, we've compromised everything we need to, done lateral movement, privilege escalation, got to the point where you can actually deploy the ransomware to make the money. And that's actual proper work, and they're talking about a guy called Dr Demille who's been advertising for people to do exactly that, as a commercial service for other Russian criminal operators. You can kind of make sense of the economics; that's exactly why you'd want to go and outsource this to a specialist rather than, you know, making a mess of it and not extracting the full value. I actually think regular businesses could learn a little bit from the way cybercrime operates. Fully distributed engineering models, like, and just, yeah, I just think they do it pretty well. Outsource to a centre of excellence for privilege escalation. That's the smart thing to do. Of course, Krebs writes that up and then, just at the end, because he has to, because it's Krebs, he goes ahead and just doxes the guy that he's talking about. Name and where he lives and stuff, just a couple of... by the way, his name is Sergei and he lives in... He's probably using a hot wallet at... Ace. Brian. I think we're finally going to have to actually have a conversation about this, which, unfortunately, we're gonna finally have to wade into: this conversation, which is about offensive security tooling.
There's a subset of people in infosec who feel like, you know, releasing tools like Mimikatz is really irresponsible because bad guys use them, and we actually touched on this in a recent episode where you were saying, like, a lot of these offensive security tools were actually created to mimic the bad guys' tools, but now the bad guys just use the ones that were designed to mimic them. Imitating a little bit. But yeah, this guy Paul Litvak, he's a security researcher from Intezer Labs, has put together a presentation looking at the issue of offensive security tools being used by malicious attackers. It's interesting. I'm glad someone finally did some real work on this instead of just feelpinions being thrown around on Twitter, right? Yeah, that's exactly what I was going to say as well: actually having some data to contribute to this debate, because right now it's just been a lot of Twitter kind of backward and forward from the different camps that really don't have a lot of middle ground to agree on, and having some actual data, understanding which tools are being used in which kind of role in actual intrusions, in actual sets of chains that real attackers are using, that's useful data. And it's an interesting kind of map the guy has put together of, you know, where, you know, Mimikatz for example is widely used for lateral movement, but in some of the areas where there are less dominant offensive security tools, it's kind of interesting to see what's being used. He's trying to draw some conclusions, and one of the things he suggested is that the more simple tools, the ones that do one thing well, are the ones that tend to get picked up and used, whereas the more kind of fiddly or clunky tools, or ones that require human input, are less well adopted, which I guess is an interesting insight about the overall discussion. There's good points on both sides, and that's what makes it kind of difficult.
Well, I mean, sort of the thing where it falls down for me as a debate is, what do you expect to do about it? Right? Like, say you lock up a lot of these offensive security tools, say they're not open source any more and there's some vetting, I mean, it's not terribly hard to get yourself a pirated copy either, right? Yeah, exactly right. I mean, Cobalt Strike is licensed and yet it's widely used by attackers. If that model was going to work, it would... Strike. You just saw Brian's, the Brian Krebs story, about the guy with the specialty. I mean, you know, next time Sergei will be offering tools, right? Like, that's going to be the thing. It might cost a little bit of money, but I don't think it's going to make a meaningful impact. I think the Sergei in the previous story was actually providing people with Cobalt Strike specifically, well, going into the environment, right, it's part of the package deal: you get the access, the tooling, the entry point. So yeah, that angle, I don't think it's working already. Yeah, so I just don't... I mean, this is why I haven't really discussed this, and I'll get hate mail on this and people will be like, "no, tools are bad, guy," but it's like, okay, sure, what do you, what do you expect to do about it? Like, I just don't think there's really a solution here, which kind of, to me, makes the debate feel a little bit moot. And I think if you look back in history, in the nineties, hack tools were underground, right, you did have to know people to get them. They weren't freely available. The rise of security tools was a bit later on, you know, and it didn't make things better back when you had to trade in IRC channels to get, you know, packet sniffers, you know, port scanners or whatever, password crackers. It didn't make it better back then, so I look at the history and it suggests that you're not really gonna fix this. Some young people are a whole bunch richer at the moment, Adam, for doing cool stuff. Yeah, really great
Right. Up front, a crew of bug bounty kids who sat down and spent three months working on Apple's infrastructure and ended up reporting something like fifty... what, fifty-five bugs to Apple's bug bounty program, which Apple's kind of working through and addressing, and some of these bugs are pretty significant. They managed to chain through, I think, a Jive portal instance into, you know, code exec inside Apple's network, and a bunch of other really interesting bug chains. That has made them at the moment, I think, two hundred and eighty-eight thousand dollars worth of bounties. I'm not sure if that's even the final number; obviously Apple has to triage all of the things that they've reported. But they did a really great blog post writing up their bugs, the automation of their processes and things, and just, yeah, it was really, really solid work, and if you work the numbers on how much time they spent and what they made out of it, it's pretty good money. Yeah, I mean this story here on Wired, Sam Curry, who is one of the researchers, who apparently is twenty years old, Sam. He spoke to Wired about this, and apparently they could... Sam Curry and team, well done to you. And a final story this week: Swiss Post has gone from zero to hero when it comes to running a bug bounty program. Yeah, this is an interesting one because it's the follow-up to a story we covered a while ago now, where they had a bug bounty program for election software in Switzerland, and then a bunch of researchers decided to drop stuff without going through the bug bounty program because they disagreed with the terms over the disclosure stuff, which they felt was unreasonable. There was a bit of back and forth and disclosure drama, and now they've kind of worked over their language for running a bug bounty program, and the way that interacts with Swiss law is kind of interesting. But I
mean, the result is they've released it under a Creative Commons license so that other Swiss organizations can use that as a starting point for their own bug bounty programs, and I think this is a really good idea. You'd like to see this happening in other jurisdictions, and it's the sort of thing where you can imagine the local CERTs in individual countries building some boilerplate wording that other organizations can use inside that jurisdiction. So I think this is a good, a good story. That's actually it for this week's news. A big thanks for joining us and we'll do it all again next week. Cheers, Adam. Thanks so much, Pat, talk to you then. That was Adam Boileau there with a look at the week's security news. Okay, it is time for this week's sponsor interview now, and this week's show is brought to you by Signal Sciences, which has apparently been acquired by Fastly, right? So we might have to update that at some point, maybe next time they come on. But yeah, instead of having one of their staff on the show, Signal Sciences asked one of its customers to join us instead. Scott Behrens is a senior security engineer at Netflix, and he joined me to talk through their approach to application security. As it turns out, their challenge isn't really on the streaming platform side; that's actually pretty simple. But it's more to do with all of the other applications that they host, and there's a lot of them. Scott Behrens explains. Let's actually talk... I feel like if we think through the threat model of the streaming product, or even just the architectural complexity, it's not like a super complex authorization model. You're a member or you're not, you know. We think through a lot of the typical, typical attacks. Like, there's just not a whole lot in the streaming product.
Now, the streaming product has all sorts of other security concerns that we have to take into consideration: fraud, customer trust, abuse, all sorts of spaces, and that's actually where the... the focus on the streaming product is really around maintaining and establishing that customer trust. Now, where the complexity on the security side in the app space comes in is actually really around the studio use cases, supporting those use cases, all the stuff that makes that streaming product great, and actually that's thousands of different applications that are sort of rolled in there, with way more complex operating models. You know, you might be a production manager shooting content over here, with a whole set of access control related to that, or you might be an administrative assistant over here and we have to do on-behalf-of permission modeling. So there becomes this really complex sort of supporting story to Netflix, and that has been really cool for me. I started, obviously, on the streaming side, working to build security there, and as we started to do the studio stuff, it's a lot different. It's a whole different threat model. You're building, like, administrative support systems for some of these productions, right? So, like, you're spinning up the next season of Narcos, here's an HR system. So boom, that's a web app. Yeah. Yeah, and there's a lot of stuff that you can imagine in the studio. There's a lot, a lot of really cool technology there. So, you know, what we want to do is, we as security practitioners need to figure out how do we sort of, like, let teams stay with that philosophy without getting in their way? Right, to put it another way, like, we don't want to be blockers, because I've worked at companies where security is kind of the blocker, and then what people end up doing is either they don't talk to security...
They find every way possible to, like, go around security, and so you have to find that balance, like how do we keep them fast but also keep them safe? And that's one of the interesting things, that's why I've been at Netflix for so long, as I find that that's like a tough, tough area to straddle. Yeah, so what do the typical things look like? What are you most worried about in this scenario? Because I imagine there's a lot of IP protection concerns on that, right? Like you don't want leaked scripts and videos and... less on the security side, but that would be top of mind, right, generally speaking. We focus on all sorts of different threats, and if we were to sit down and think about, like, an application that manages content, a lot of different sorts of things come to mind: how would we steal it as the attacker, how would we, you know, corrupt that content, how do we get access to that type of information? So a lot of the threats that I'm thinking about relate to exposure, frankly, and I think that's common to a lot of organizations. You know, it's like, how do we keep our data safe? And I think unique to Netflix is, as you know, Netflix has a lot of data, just like a lot of companies do. We have to be real sort of judicious on how we manage that data and do it safely, and a lot of my efforts in the last two years have actually been on the data side, figuring out what is our data strategy in support of these big areas of Netflix. And it's such an interesting place because, you know, data... there's so much of it. You know, I don't know exactly how much logging, but I know that it's a lot. Like, there's just a wild amount of data that's sort of flowing through our ecosystem that needs to be safeguarded. How do we make sure that developers and business analysts are using it responsibly? It's tricky. Talking about the applications that you're using internally to look at things like usage analytics, things like that.
What they're watching, how long they watch a show for before they turn it off, how many episodes before they lose interest, all of that stuff, right? Yeah, exactly. And then that's one part of it, and then, you know, how do we spend dollars better? How do we secure things better, like where's our risk? There's a lot of sort of motivating factors for sort of keeping that data. And I think that, again, one of the things that makes Netflix interesting is, like, my main focus is keeping Netflix secure. It's also staying within our culture and making sure that I'm not introducing unnecessary friction. Like, I guess, put a different way, I want to be very cautious of doing any security work that I really can't make good justification for, because people at Netflix, you know, rightfully so, they kind of want to know the context, like, why do I want to change my process? Why do I want to add this new security widget to my app? And so, you know, we try to work a lot on our messaging and just being very clear with how we communicate with partners. And I think that's worth... I'd almost say that we're partnership focused to a certain degree. I used to work as a consultant and I would just pentest apps all the time, and when I started at Netflix I'd kick reports over the fence, right? Like, beat up an app, find every possible vulnerability, kick the report over, and I was like, I'm successful at my job, I find bugs and report them over. And then, like, six months into my job I realized, like, things weren't getting fixed, and kind of realized, like, oh, actually I was just sort of kicking stuff over the fence. The flip side is, you know, if you walk into a room and everyone in the room is an asshole except you, maybe there isn't anyone else who's the asshole in the room. Yes, yes, exactly, and I feel like that is exactly what happened here, and that's kind of what we realized.
Our approach really wasn't working. Like, we needed to be a little bit more partner focused and find out, like, how do we straddle, like, actual security work versus other opportunities and all that. So how do you begin to tackle that? Right? Because that's... you know, that's an issue that I'm sure many of the listeners are grappling with. Yeah, I'd imagine, for a lot of people I know who've found themselves in similar situations, a lot of it is about coming up with almost like a bit of a template or a guide for the people that they're tasked with sort of helping. Producing a bit of a guide or some guardrails, like, do it this way, like, and then corralling everyone into sort of uniform approaches. Is that the approach you took? That's exactly right. Yeah, you hit it pretty much spot on, which is, like, we see ourselves as, like, experts, but ultimately developers, they own their sphere, their product, and so when we engage with them, we try to come in with tools, approaches, preferred methodologies. We use the terminology "paved road", "paved path"; I think it's started to propagate a little bit across the industry. But that's definitely something that we're really focused on, which is, like, you're trying to solve this use case, like, here's the technology to use, here's the approach to do it, and by the way, if you're using our stack, you get support and all these other things. So we try to sort of wrangle in people with that approach, which I think works well overall, and of course the areas we have to improve is trying to make our products better, easier to use, all those types of things. I've heard of a bunch of people in similar roles to you. One that I've heard has a lot of success is they build, you know, really security-friendly repos and whatnot, right, and have developers use their infrastructure. So they build... it's like, I don't know if you remember there was a TED talk about a guy who ran an ethical...
Where he basically built this garden for the guests, who would just choose to fly in; there was no fence, they would just fly in and feast on the plants. Sort of like that approach, right? You've got all the shiny tools, but they happen to be able to do code scans and static analysis. It's all... Yeah, that's really what we're doing. We're trying to sort of... we have this, like, minimum baseline we really want people to use. If you use the baseline set of tools, our preferred builds, this ships your code to production, our preferred tools for secret management, a couple of other things, you know, you get a lot of security benefit for that. And what we try to do is we think about the types of operations our customers do: sometimes they want to put an application on the Internet, sometimes they want to talk to sensitive data. We try to curate a story for them to get there as fast as possible. So again, like, showing them that if they use our tooling, not only is it reducing risk, but it's actually making them more productive. And you've heard the analogy, hey, security folks are like brakes on a car; they actually let you drive faster, not really slowing you down. You can drive faster because of the brakes. I really think that's what we're trying to do, like, hey, we're going to give you all this stuff, you could actually go faster if you use our stuff versus rolling your own. Yeah, you don't worry about standing up all of this infrastructure you're going to need, when you could just... a couple of extra controls, and it's a net win. Yeah, and one of the ways that we're really trying to sort of sell this and make this work better than even I think in the past, over the last couple of years, is this idea of consolidating. And, you know, I think it's happening a little bit more, sort of external to security, outside Netflix as well, which is, like, it's one thing if we have these various tools that provide capabilities: single sign-on,
secret management, certificate management, et cetera, et cetera, have all these different products. Even if I have all those things and I present them to you, you kind of have to be a little bit of an expert with all of them, right? Like, you have to kind of figure out, like, when do I go to one of these things? When do I set up my certificate? When do I set up my security component related to this part of the stack? And again, I think that we have an opportunity to start consolidating more of that stuff. So a big focus area for me lately has been even raising it up another level: not just saying the paved road, we're going to, like, consolidate these, like, per product or, like, per use case and think about that end to end, so that when you adopt our piece of technology, not only do you get the single sign-on but you get the firewall, you get the secret management, you get the certificate management, you get the logging and the telemetry. And when we start to bundle all that stuff together, our customers are getting quite excited, because we're bundling it with other things that aren't just security, like the mentioned telemetry, like we're putting in logging, they're putting in stuff. I mean, this is the way to do it, right? You're basically a service provider offering them stuff that they need that's tailored for your needs as well. So, I mean, it is, it is. I mean, have you had any specific areas of pushback on some of these things that you're offering? Yeah, yeah, you know, I think in general the pushback often is, like, it works for me eighty percent; it gets eighty percent to the finish line, and then it's who carries that last mile, who carries that last bit of technology, and I don't think we've cracked that yet. I don't think we've cracked exactly how do we straddle that last little bit of the integration work, or the last little bit of onboarding the tech. And I think we have a way to go there. You know, I think generally you can...
Can you give me sort of a real, tangible example where a dev is, like, this one little thing that pisses them off? Like, what's an example? Sure, well, let's talk access control, because I think that's an interesting one, and I've... access control tends to be one of those security things that is kind of like... the security work we do as defenders, like, falls on access control. It's like one of the best tools we have to mitigate risks. It's also one of the most complex. It's like, do you think about it like fine-grained access control? Some of these things are really hard. Our customers today, even if we present them with, like, an aggregate project or an aggregated product, they still have to do access control configuration, and it's hard. You actually... they are required this way to actually go through and give function permissions instead of just: everybody gets root. Yeah, yeah, yeah, yeah, yeah, yeah, yeah. That's a whole different can of worms there. But on the access control, it's complex for our developers because in some circumstances they might have to manage policies in two different systems. So we kind of have them do double bookkeeping. They're like, they go to one to configure the user auth and another to configure the service auth. And this is part of the organic growing of a security team in a company like Netflix: we built some solutions and they got widely adopted, and now we have to really think about how we bring those things together. So that's your problem to fix rather than their thing. Yeah, that's exactly right, and I think again, if someone comes to me and says the hardest thing about working with security is access control and authorization, it's just, it's touching systems. We had a developer come to us once and say, and this was really interesting, they said, I don't know if I have the confidence that I've done the right thing, like I don't know if my policy is right. Which is interesting because...
Access control requires, like, some business context, right? If you think about... right, who knows if it's right? The problem isn't... right. And so I started to think about that and was like, well, is that a problem that we could actually solve? I actually think yes, we can. I think we can address that, and the way we address that is similar to what Travis mentioned when he talked to you a few years ago, when you spoke to Travis McPeak on his project, Repokid, if I remember. Yeah. And, you know, for listeners who might not be familiar with Repokid, Repokid was a mechanism to automatically tune AWS identity permissions over time, really by just kind of looking at how applications and infrastructure were using those permissions. Basically, if you weren't using a permission, it would go away. And we're thinking of the same thing with access policies. So, you know, let's imagine that we have an application, it's gotten so... and, you know, today we have it locked down to everybody at Netflix, thousands of users. But over the period of, like, nine months, we really only see five users from one organization logging in. We might be able to then recommend a policy to just lock down that access policy to that organization. So maybe we take that policy from eight thousand members to fifty. Now look, you're here obviously as an employee of Netflix, but this is a Signal Sciences sponsored segment, and I'm guessing the reason they nominated you to do this is because you're all using Signal Sciences as a matter of course. Is that part of the standard toolkit? That's exactly right, and again, you know, Signal Sciences is super easy for us. We've been using them for years. It's our preferred mechanism for protecting all layer seven firewall in the cloud, but we again saw an opportunity to make that even easier. So what we've done is we have this...
Effectively our product that we're sort of shipping around is this, like, externalised proxy, you know, you could say like a sidecar, that we sort of ship alongside applications, and what we're aiming to do, what we've aimed to do with that, is we've embedded Sigsci, embedded other pieces of the stack into that. Developers get a solution; they do a couple of steps to get onboarded onto this proxy and they're good to go. They don't have to manage the firewall. Basically running your own cloud. Exactly right. That's a serious step that solves your problem when it comes to aggregating logs, doesn't it? Because it's all happening in the one place. Absolutely, again, not only do we get this sort of... Signal Sciences is one of the interfaces; we get the consolidated point where we do access control, which I can log to build policy improvements, setting us up to get to that end state where it's like, not only do you get all these awesome benefits, but every ninety days I'll give you a recommendation on a new policy, and oh, maybe a new piece of technology comes out, a new security control, just roll it into the proxy and you as an owner don't have to worry about it. And I really think that that's a nice shift. Before, we had a lot of focus in sort of runtime: add this package, you manage the dependencies, install this client library. That's just a lot of work to shift onto developers. Again, if we can remove that whole part and say, don't worry about it, don't add our library, we'll put it in the sidecar that we manage for you, I think that gives us a lot of leverage. I think that gives us a stronger conversation. All right, well, Scott Behrens, thank you very much for joining us on the show to walk through your approach to the app security challenge at Netflix. It's been a real pleasure to chat. Thank you. That was Scott Behrens of Netflix there, closing off this week's show. He was, of course, appearing in a Signal Sciences sponsor slot.
Big thanks to Signal Sciences for sponsoring this week's show, and an extra big thanks to them for lining up a customer interview, because we always enjoy those. Congratulations to all of the hard-working folk at Signal Sciences on their acquisition by Fastly. And that is it for this week's show. We'll be back next week with more Risky Biz, but until then, I've been Patrick Gray. Thanks for listening.