Snake Oilers: Push Security, Knocknoc and iVerify

Released Monday, 29th April 2024
Episode Transcript

0:03
Hi everyone and welcome to this edition of Snake Oilers, the podcast we do here at Risky Business HQ a few times a year where vendors come onto the show to pitch you their wonderful wares. This whole thing is sponsored, and that means everyone you're about to hear from in this podcast paid to be here. If you're looking for the regular weekly podcast, just go back to one of the other podcasts in this feed that has a number on it.

0:29
So we're going to hear from three vendors today: Push Security, Knocknoc and iVerify. Push Security is essentially a browser plugin that is extremely useful in preventing identity-based attacks, phishing, account takeover and so on. It's a much more compelling pitch than you're expecting, I promise you that.

0:46
Knocknoc is our second Snake Oiler, and yeah, a lot of you would remember that for the last couple of years I've been praying for someone to build a product that dynamically firewalls all your enterprise crap based on a user's SSO status. And Knocknoc have built exactly that, and we even use it at Risky Business to lock up our content management system and to dynamically IP restrict SSH to people who are actually signed in. So yeah, you can firewall off your Confluence, your Citrix, your crummy web apps, whatever, but when a user is authed, they can access it like normal. It's, you know, it's magical. We love it.

1:25
And then we're going to hear from iVerify, which originally spun out of Trail of Bits but is its own company now, and iVerify is a mobile security suite that actually identifies real threats. They caught Pegasus in the wild with this tool, and you can use this as a substitute for something like MDM for compliance purposes. So yeah, if you need a mobile security package for your employees, either because you're attracting serious attackers or for compliance purposes, it's one to look at closely. But first, let's get into it with Push Security.

1:58
And I really think this one is a compelling pitch. At the moment, enterprise security teams don't really have much visibility or control over how identities are being used, which, when you think about it, is more than a little bit nuts. We've got EDR, we've got IdPs, but we can't tell when someone enters their SSO password into a phishing site, right? So it just seems like maybe, maybe that's a bit out of whack. So Push Security has developed a browser plugin that does identity security, and you might think, a plugin? You know. But the browser is the ingress point for identity information. If you want to tackle identity-based threats, that's where you need to be. Adam Bateman is the co-founder and CEO of Push Security, and he joined me to pitch Push, and here is what he had to say. And just as a disclosure, ah, I'm an advisor to Push Security, and an enthusiastic one at that. Here he is.

2:51
When people imagine what their identity attack surface looks like, I think they think about a centralized IdP and SSO, and every employee has one identity which acts as everything, and everything's behind SSO. When you actually go and look at it, you end up with your primary IdP with, like, GitHub hanging off it and Salesforce hanging off it, and a bunch of other applications out there as well. The whole thing's like a big mess. It looks like, you know, a network diagram, it looks so pretty, but then you go off and do a big SaaS scan or, like, a SaaS discovery scan, and actually it's a kind of different picture. Because you're in the browser, you're seeing everything everyone's logging into and where, you can see that. So we have two different parts of the platform. One side is detection and response, so we'll actually draw telemetry from the browsers to detect and respond to attacks. And the other side is more of a proactive side, to actually map out what identities are being used. We can observe as employees create or use identities, map out which ones are vulnerable, and then we can do things like access controls to stop people from accessing certain apps, and things like that.

3:53
Okay, so let's start with the detection and response part of this. You and I have spoken about this before, ah, you know, in other interviews and whatever, and it's, you know, it is, it's pretty cool. Once you're in the browser you can actually do an awful lot. But why don't you start by just explaining, yeah, what you're doing on the detection and response side.

4:10
Yeah. Let's do a really simple example to start with and then move on to some more fancy use cases. If you think about, like, you've got a SIEM, and the big three data sources are probably EDR, your network traffic logs and IdP ones, ordinarily I'd say. When you add browsers to that, it gives you something pretty unique and different. So for example, let's say there's a phishing attack against fifty employees inside the organization; you want to know who's been hit by that. So if you look at your network or EDR log data, it's going to show you fifty people visited a phishing site, whereas we can actually say, no, fifteen people submitted their IdP creds into that. And by the way, this is also shared with these other apps, so when an attacker wants to take those credentials they can then reuse those credentials for stuffing elsewhere as well. So you've actually got a different level of data we're seeing there.

5:07
Another one of the things we have is an SSO password protection, so the browser extension will actually observe when an employee logs into the primary IdP and then pin the password to the official login screen so it can't be entered anywhere else. So it can, depending on which mode you put it in, if you put it into sort of full mode it will completely stop corporate password reuse, so employees can't reuse that SSO password in any other app at all.

5:34
And if anyone freaks out about you, you know, looking at these passwords, you just hash them and then compare that back against the hash, and that's how you detect it.

5:43
Absolutely. So one of our very early customers was a German fintech, so it really helped with the privacy side, with engineers who were [unclear] about the password. Yeah, we do exactly that. The extension does everything locally, so it observes the password as it gets typed in and takes a hash, so it's a salted hash, and stores that inside the browser sandbox, and then we use that to do a diff, basically, against any other sites they log into, and then we can block and take action based on that.

6:11
I mean, what's funny, right, is already what you just described, which is a very small part of this product, like, I guarantee you there's like a lot of people listening to this right now who are like, well, we should get it just for that. Yeah, I mean, like, credential phishing is still a massive problem, and you need to do stuff like domain categorization, and you can use, like, other tools to do it, and those are good features, but it's just a really simple approach. It's like, this password is important and it cannot be used anywhere else. You can't enter it into a phishing site, it can't be used against different apps. That's it. Yeah, like, really strong control.

6:46
Yeah, I mean, that's it. You know, that's it. That's a great one, but you're also doing stuff like phish kit detection, and all of that usual, you know, cool stuff you can do once you're in the browser.

6:54
Yeah, absolutely. There's some really cool attacks like, I mean, Evilginx is a big popular one, the one people are talking about. There's also EvilnoVNC, where you run a noVNC session to a browser and phish people that way, and basically it allows you to steal MFA tokens and session tokens and those things as well. So we can detect those phishing kits running, sort of, in the browser and block those [unclear]. And then there's stuff like cloned site detection too. We can actually observe as someone logs into an application, we take a fingerprint of what a legitimate login page looks like, and we can then detect and block when there are slight variations of that. So that's really interesting if an attacker's coming in, cloned a login page and spun it up somewhere else; we can see that that is a potential phishing attempt. It's much more generic, but it also gives us much more generic detection around the phishing tools, because if you're using something like Evilginx and you're relying on the real page being proxied through and modified slightly, we can pick that up more generically as well.

7:54
Yep, yep. Now, you've got to tell everyone about the stuff you're doing with the header injection in Okta, because that's cool too.

8:02
Yeah, so session theft detection. This is, obviously, if you're in a position then where you've locked down the credentials and you can't get access to those, the next thing that attackers are going to do is just directly steal the session token, and once you've got that you can relay that against the applications and you can gain control. This is a massive problem. So what we do is just a really simple, again, technique, always the simple ones that work, and the browser extension will actually effectively inject a one-time token into the header of an HTTP request. So as an employee authenticates we inject the one-time token into the browser, and then that token then appears inside the IdP logs. So you can see them in your Okta or Microsoft 365 logs. What you can then do is use the SIEM, look through the logs, and you basically just look for two matching session IDs from two different requests where one doesn't have our token. So effectively it's like the browser extension is doing like a stamp of approval to say this is an official session that came from an employee. If you then discover one that doesn't have that, it's clearly session hijacking.

9:03
Yeah, it's funny, man, like just talking to you about this, it reminds me a little of, like, and I know it's a completely different product set, different problem set and everything, but like when I first started talking to Island and people would be like, oh, an enterprise browser, that sounds dumb. And it's dumb until you actually think about what you can do with it. And like this is the same sort of thing, right? Like a browser extension for security, that sounds stupid until you think about literally like the million ways that you could use it to make life less miserable.

9:31
Yeah, 100%, and that's the thing, attacks are moving inside the browser. If you do a phishing attack, that's inside the browser, and so actually moving inside the browser makes a ton of sense. And you start to see, you start to see people doing things like, you know, you haven't done anything like TLS interception to try and get into the stream between the browser and the application; why not just move inside the browser and do it directly inside there? So yeah, it's really effective, it's a very, really interesting area.

9:54
Well, and especially when you look at the average log output coming out of an IdP, it isn't really that illuminating.

10:02
Yeah. I mean, so we do do integrations back with IdPs and pull those in as well.

10:08
[unclear] to compare it to what I'm saying: no, they're not all that, then.

10:15
Yeah, I think there's a couple of issues there. It is, as you say, attacks like Scattered Spider and the others, they tend to go directly to the IdP. And so if you're in a position where the attackers have got in and compromised, say, a privileged identity straight away, then they're going to start turning off different logs to hide what they're doing. So if you're just relying on the IdP logs, you're relying on the logs from a compromised device, and so you're not going to see everything; you're kind of blind to it. So another reason moving into the browser is kind of, kind of interesting. So what some people are using our extension for is exactly that. You can stream back every login event that happens inside the browser back to the SIEM, and so if there is a malicious event like that, you can actually correlate it back and say, wow, this event, like disabling logs, didn't come from a legitimate employee's browser, it came from somewhere else, so you can sort of pick up that kind of activity as well.

11:10
Yeah. Now, you know, we've spoken about the, ah, the detection and response. Let's talk about the more proactive, preventative stuff, because, yeah, again, there's a lot you can do once you start collecting this sort of information from browsers.

11:23
Yes. If you're thinking about stopping identity attacks and you're looking to defend your identity infrastructure, it's two parts: there's reactive, we've just spoken about the response, but then there's a proactive piece and actually doing hardening, and so we have all of this bundled together in a single, a single product. So on the proactive side, we observe identities as they're being created or used in the browser, and because the browser extension can observe network traffic, we can see whether an identity is behind SSO or is a password login. We can then observe and actually see, do they hit MFA prompts, what MFA method they're using, is it phishable, and all that stuff gets reported back up to a dashboard. We can then see if there's stuff like whether it's vulnerable to cred stuffing, password reuse, and just general things like whether that password's been leaked as part of a prior breach, and a ton of stuff like that as well. So what you end up with in the dashboard is just this full graph of, okay, this is the percentage of apps that are off SSO, these are the ones that are on SSO, and then people can actually use that to move those over onto SSO themselves. So yeah, we do a lot of stuff around that. That obviously helps you build out a really good app inventory, so you can see everything everyone's logging into, and putting that data in as well, there's a bit of a freebie in there. And then we do access enforcement, so you can actually start to say which apps people are allowed to access, and you can actually put out block screens to stop people from gaining access to particular applications.

12:45
Yeah, this ain't a Dropbox place, buddy. What are you doing? Get the hell out of here.

12:49
Yeah, one of the really popular use cases that people have been using it for is things like, there's been a big craze around ChatGPT or whatever, and so you can actually drop a banner...

13:00
And pasting corporate documents into them and asking for them to be summarized, basically.

13:04
Exactly that, yeah. So you can show a banner inside the screen, inside the browser, and so when an employee goes to visit the login or sign-up page to one of those applications, you can just drop a banner across the top of the app, just reminding people and saying, hey, you can use this application, but please don't put company data in here, and here's our GenAI policy, as more of a reminder. And you can actually tier that up to get more aggressive if you want to, and make it a full block screen, so, nope, you can't access this at all.

13:34
All right, Adam Bateman, Push Security, killer pitch, man. I've got to say, very cool stuff, really enjoyed that. Great to talk to you again, and we'll be doing it again soon, I'm sure. Thanks very much, man.

13:45
That was Adam Bateman of Push Security there, and you can find them at pushsecurity.com. Our second Snake Oiler today is Knocknoc, and I'm pleased to say Risky Biz is actually a Knocknoc user. So regular listeners would have heard me say a bunch of times that what we really need to deal with a bunch of the threats that are plaguing enterprises lately is a product that we can plumb through to our IdPs that can do dynamic firewalling. So think of something like RDP. Wouldn't it be great if you could dynamically IP restrict it to users based on their authentication status? So if someone tries to hit that port, it's closed, but if they're logged in via their IdP, it's magically open. You know, would this be a useful thing to put in front of Confluence or Citrix or all the other horrible enterprise crapware that's hanging off your perimeter, gathering flies? You know, your custom apps? Yes, basically, yes, a very useful thing. So Dave Kempe from Knocknoc has built exactly this solution. So yeah, Knocknoc handles that plumbing for you from the IdP out to firewalls, and again, a disclosure: I'm in discussions with Knocknoc to be an advisor to them as well. But without further delay, here is Dave Kempe talking all about Knocknoc.

14:59
Yeah,

15:25

I mean, I think about this

15:27

and I think about the problems that it solves and

15:30

there's kind of two product categories that it bumps up

15:32

against, right? One is the, you know, these sort of

15:34

access gateways into production environments, right, which are designed to

15:36

sort of ring fence prod. You

15:40

know, that's one area where you could do this

15:42

instead. I mean, you might not get

15:44

the centralized logging and all of that sort of stuff,

15:46

you know, with this, but you can do that. Like

15:49

If you want to put SSH behind this, you absolutely can.. The

15:51

other area... Ssh.of

16:00

a success whatever. The other area where it

16:02

makes sense is in places where people might

16:04

install an identity aware proxy, but they can

16:07

be simply because and even once you get

16:09

them up sometimes the origin is often left

16:11

exposed so you need to do supply willing

16:13

there anyway. it's this just seems like it

16:15

gets you the same thing but a lot

16:17

easier right? So is that is that. Typically

16:19

where people us is that how customers are

16:21

thinking about this as as sort of substitutes

16:24

for those two things. Yeah,

16:26

absolutely so they'd lodge benefit is

16:29

it because of be sort of

16:31

distributed and age based approach when

16:33

can have us on have unlimited

16:35

flexibility and what we can integrate

16:37

with your favorite web server Apache

16:39

Engine X, Ha, Profit applications, Wordpress

16:41

or whatever it might be, Databases,

16:43

Ssh, Firewalls, you paper devices, these

16:45

things can all be integrated with

16:47

and then and what typically happens

16:49

is that a custom as a

16:51

particular use case. the have an

16:53

old website that they need to.

16:56

In lockdown the have a copy of conference that

16:58

shouldn't be on the internet but still may pick

17:00

from outside to access it Though the people they

17:02

contemplate a Vpn to those people they may be

17:04

ever other problems. Getting too So

17:06

they pick one thing, they get deployed it

17:08

and they realize wait a minute. We can

17:10

use this for all sorts of other stuff

17:12

that we were previously using other solutions for.

17:14

because the simple and pragmatic approach ends up

17:17

being. Easy to understand, easy to

17:19

and for to roll out that uses. Low

17:22

barrier to entry for users and it becomes

17:24

bigger and bigger and bigger. Yeah, Yeah.

17:26

Hundred Percent. I mean, like as I said at the

17:28

intro, like this is the sort of thing the kind

17:31

of feels like a half isolation and then he guy

17:33

will hang on. It's gonna actually achieve what we needed

17:35

to achieve and we can put it here here. Here

17:37

are their their that's and Us? That's what happened to

17:39

us when we looked at it is we started realizing

17:41

all of the different places we could use. Yeah.

17:44

Absolutely hundred percent. And I think

17:46

typically it. Part. Of the

17:49

journey customers will need to go on

17:51

is this mindset approach of looking at

17:53

their system from the outside, understanding that

17:56

attack surface and then going well. Wait

17:58

a minute if we just. Sort of

18:00

luck these things down. What else do we

18:02

need to do like an elastic? The are

18:05

actually get this kind of moment where it's

18:07

like well can it be that simple sentences

18:09

success. Can I sleep at nights? Hopefully in

18:11

on an assumption to solve Evolve management problem

18:14

but a kind of mitigates a lot of

18:16

right sir. One example that you know when

18:18

I was talking about this before you'd even

18:20

announced the product. Try I didn't know you

18:23

guys with with building this was something like

18:25

you know you for the gates or you

18:27

Citrix gear at the edge of your network

18:29

you. Can absolutely use his to restrict access

18:31

to those things so that even if I

18:34

have er die in them, no one can

18:36

touch them. And. Unless they're an authentic. I did

18:38

use. Ah, Two percent. So

18:40

our Citrix is a good example. The attack

18:42

of that is some. Giant. It

18:45

has had a whole series of

18:47

vary widely publicized vulnerabilities so of

18:49

of why not just completely block

18:51

it absolutely until people someone in

18:53

a simple gateway can allow it.

18:55

and I'd. We.

18:57

Have customers were. That's definitely their

19:00

plan and and what? The guys

19:02

with implementation phase of that now

19:05

decentralize authentication, the Isis oh, integration

19:07

and then opening a portal you

19:09

know let people actually access? Excellent

19:12

continue on is actually. In.

19:14

A reasonably easy for users to manage. they they

19:16

pick click here they click their than their own

19:18

it has it's not it's money and asked a

19:21

question that scenario like whereas the Firewall the you

19:23

actually instrumental five or on the Citrix boxers the

19:25

something usually in front of. It. Yeah.

19:28

We're We're We're We're We're generally have

19:30

a reverse proxy in front of the

19:33

Citrix virtual house. So Citrix.my company.com is

19:35

actually connected to her of his se

19:37

terminated at a proxy that then back

19:39

and into the situation as scalar, environmental,

19:42

whatever my base and not Doc is

19:44

controlling and a seal on that reverse

19:46

proxy yet? nice, nice and I believe.

19:48

Also like this is a really hilarious

19:50

example but you've got a customer at

19:53

the moment who is setting it up

19:55

so that the fireball on there for

19:57

a net. Device. is

19:59

actually going to control access to

20:02

its own VPN ports,

20:04

right? So they're actually using Knock Knock

20:06

to instrument a firewall on the thing,

20:08

which is quite hilarious. We're

20:11

adding a feature to firewalls that

20:13

doesn't exist in many cases. Which

20:15

is SSO integration. Exactly.

20:18

So we're bolting this feature on and

20:21

Knock Knock Agent is able to

20:23

dynamically add and remove people from

20:25

firewall objects. And

20:29

the feature doesn't exist. Firewall vendors

20:32

will only be incentivized to add the feature

20:34

for their stack. They won't be incentivized to

20:36

add a set of

20:38

tools and typically people don't just have

20:40

one vendor. They have many different vendors

20:42

and virtual hosts and you know, okay

20:44

they've got a firewall that needs this

20:46

feature. But then after that they've got virtual hosts that

20:48

they just visit, they've got websites and all these other

20:50

kind of things that need this. So

20:52

Knock Knock allows them to do all of those things with

20:55

the one tool set and might look

20:57

simple but then allows all these extra integrations

20:59

to be from the one place. Now

21:01

from a user experience it's pretty straightforward right?

21:04

Which is if they want to open up

21:06

these ports, all they need to do is

21:08

be authenticated, load a browser tab

21:10

and hit a Knock Knock URL which will

21:12

then spit out a list of all of

21:14

the stuff they can access. And you know,

21:16

by through the process of actually hitting that

21:18

page, you know, that's how Knock Knock collects

21:20

their IP and makes the necessary changes to

21:22

grant people access, right? That's correct.

21:25

It's a straightforward approach.

21:28

The source address is updated

21:31

in the back end of your choosing and

21:33

then the access is allowed for a period of

21:35

time, a timer starts and the

21:37

SSO integration or any other, we've

21:40

got, we support SSO, local users and LDAP and

21:42

we add two-factor authentication

21:45

on top of those legacy

21:47

authentication systems. For SSO

21:49

we outsource that MFA to

21:51

the SSO provider and

21:54

then groups are provided by that, groups are mapped

21:56

to ACLs and different groups of users

21:58

are given access to different results. resources

22:01

depending on which groups are in and the way

22:03

they go. So from a user's point of view,

22:05

they literally will click a button and

22:07

a firewall will open because that button authenticates into

22:09

their SO provider. They've already logged in and away

22:12

we go. And, you know, I mean, it's one-click

22:14

firewalling. I don't know if someone

22:16

has a patent on that, Amazon, hopefully they don't,

22:18

but it's

22:21

a one-click operation and then you're on.

22:24

That could be simpler. So people,

22:27

I mean, I know it's early days, right? But what are people

22:29

mostly applying this to so far? Legacy

22:33

websites, confluence. Yeah,

22:36

it's not legacy, but hey, it's. Well, but I

22:38

mean, you could throw this at like your file

22:41

transfer appliance. You could throw this, which would get

22:43

tricky when you've got unauthenticated users who need to

22:45

do stuff or whatever. But that's just one example.

22:47

You can throw it at your payroll system, for

22:49

example. Those things are just ready to get owned.

22:51

Right. Like I had a chat with a guy

22:54

from Kroll a while ago who's predicting they're the

22:56

next big category of systems that are going to

22:58

get mass owned on the Internet. And I think

23:00

he's probably right. But all of those creaky web

23:02

applications, you can lock them up pretty good. Yeah,

23:05

absolutely. And file transfer is actually definitely

23:08

one that we have a number of

23:10

customers pursuing, sorry, not pursuing, rolled out

23:12

with. And there are

23:14

ways you can get around having, you

23:17

know, sharing links work and all those

23:19

things from a reverse proxy

23:21

URL matching point of view. The

23:23

ACLs can don't just

23:25

have to be I can get in or not. They can be

23:27

I can do certain things with

23:29

it with it with an adequately featured reverse

23:32

proxy like HA proxy. You can even block

23:34

HTTP verbs. You know, we've turned web pages

23:36

read only for certain people, you know,

23:38

just block, you know, a GET request

23:40

or a POST request, however you want it to work. So

23:43

you can be a fan of it more nuanced about that.

23:45

You can obviously have URL matching and other things and

23:48

away you go. So it doesn't have to

23:51

be all or nothing either. Yeah.

23:53

And do you expect people to start throwing at a stuff

23:55

like SSH? We already

23:57

have the traditional the traditional thing within.

24:00

SSH is maybe like restricted to an ASN or

24:02

whatever, but this is so much better. Absolutely.

24:04

We already have that one of our large

24:06

customers, Massive Australian Telco uses that

24:09

for SSH jump box access over the internet.

24:11

They have, you know, roving teams of network

24:13

engineers rolling in things around the world and

24:16

this is the way they've chosen to do

24:18

that and it works great. They've got SSH

24:20

restricted to knock knock and then the SSH

24:22

has 2FA on it and they use that

24:24

as a bastion host and jump on from

24:27

there and they find that's a fantastic mix

24:30

of usability and flexibility for their tool

24:32

set. Yeah, and it's not like

24:34

you need to VPN an SSH connection. Exactly. That's

24:37

my brain a little. It's already encrypted,

24:39

it's already strongly authenticated, but you just don't want to

24:41

sit it on the internet. Now just

24:43

quickly, I want to talk about the history of the

24:46

product because it does have an interesting history. It was

24:48

initially developed, I believe, for the broadcast industry as a

24:50

way for broadcasters to

24:52

make video streams available when, you

24:55

know, VPNs

24:57

might introduce latency and sort of

24:59

problems and whatever. Often it's a

25:01

fire hose of UDP, right? So

25:04

you created this product

25:06

initially to allow broadcasters

25:08

to offer, you know,

25:10

streaming video just

25:13

over the raw internet in

25:16

a way that was sort of IP restricted and

25:18

put at least some guardrails around that content. Yeah,

25:21

that's absolutely correct and this is not for

25:23

consumer use, this is for back end production

25:25

purposes. Yeah, yeah. This is when you got

25:27

a field crew who's got to get some

25:29

video back to head office, right? Exactly.

25:32

They have low ability to modify the environment they

25:34

turn up to, they turn up to a racetrack

25:36

or a sports stadium and they

25:38

have to deal with the equipment they have. They

25:41

need to get the job done quickly, they need the

25:43

video to be low latency so they can add audio

25:45

to it so that you can then broadcast it and

25:47

Knock Knock was a perfect fit for that and we've

25:49

had it rolled out for many years in that

25:52

environment and our original installation is actually still

25:54

going strong to this day. The

25:56

product has evolved significantly since that

25:58

original time. And our background

26:01

in the next firewalling and web application

26:03

hosting for some twenty five years is

26:05

has created that necessity and as they

26:07

say you know necessity is the mother of

26:09

invention and we have refined the product

26:12

over many years rolled it

26:14

out into a full featured product

26:16

ready for market and those

26:18

customers will be upgraded to that to the

26:20

new version within the presence of doing that

26:23

now so you know the. The

26:25

origin story is very much one born

26:28

out of necessity

26:30

where the users

26:32

of the application are necessarily your stuff

26:34

they may be vendors or they may

26:36

even be customers to the barrier to

26:39

entry has to be. Pretty

26:41

low you have no way of dictating

26:43

how that might work and another example

26:45

for the original customers is in hospitals.

26:47

They have a lot of manages they

26:49

go to a hospital the environment restricted

26:51

they want to be able to get

26:53

to the remote access environment of the

26:55

specialist but that outside the hospital network

26:57

and they but they can't modify the

26:59

hospital computers so he doesn't allow for.

27:02

Even admin rights so that the specialist

27:04

is able to do his consultations from

27:06

the hospital environment using their computers with

27:09

minimal. Interaction yet that machine

27:11

so two things real quick cuz we're running out

27:13

of time first of all you mentioned agents before

27:16

i presume their agents that actually run on the

27:18

boxes that are doing the ACL like so that

27:20

that's either going to be running on a firewall

27:22

or running on a proxy whatever that's the agent

27:24

they're not for the users correct. That's right agents

27:27

are back-end devices that update ACLs on the

27:30

target machine just wanted to confirm that for

27:32

everybody listening and they run adjacent to whatever

27:34

it is you want to modify. But we

27:36

should say also just before we leave that

27:38

Knock Knock is still pretty new right like

27:40

there are still a few rough edges on

27:42

it like i think we need to be

27:44

realistic inside that right. Yeah i

27:46

think that's fair enough where we're active

27:48

development we recently added internationalization support that's

27:50

about to be rolled out we picked

27:53

up a number of European customers and

27:55

we realize the translations very helpful for

27:57

users. We

27:59

have a. aggressive roadmap to add features.

28:02

But yes, we're a small startup that

28:04

is for product that

28:06

we feel is mature and ready for market. However,

28:09

we're keen to hear from our customers, keen to

28:11

get it rolled out, keen to get it used

28:13

in their environments. There's no shame

28:16

in it, Dave. You're an early stage startup. There's

28:18

no shame in it. We're getting it done, mate.

28:20

We're getting it done. All right, Dave Kempe. Fabulous

28:24

to talk to you. So happy to finally get

28:26

this interview out. I'm absolutely stoked

28:28

to be working with you and yeah, to the

28:30

moon. Let's go. Thanks, Patrick.

28:33

Love your work. That was Dave Kempe

28:36

there from Knock Knock and that is

28:38

spelled K-N-O-C, K-N-O-C. And

28:41

yeah, pretty easy to find once you get the spelling right.

28:43

Our third and final snake oiler today

28:46

is iVerify. iVerify was originally spun up

28:48

by Trail of Bits but has since

28:50

graduated into being a fully independent company.

28:54

It's a mobile security platform that can run

28:56

with or without MDM and it

28:58

does useful stuff.

29:00

As you'll hear, they're really presenting this

29:02

thing as being like EDR for mobile.

29:05

It can find bad stuff. They do

29:07

legit threat hunting. I spoke

29:09

with Danny Rogers and Rocky Cole from iVerify about

29:11

their platform and here's what they had to

29:13

say. And the first voice you hear is Danny.

29:16

It used to be that you would buy an

29:18

iPhone out of the box and you can consider

29:21

it secure unless you were, say, some super

29:23

high level terrorist fugitive. Unless you're Osama

29:26

bin Laden, you can basically consider this

29:28

phone to be secure and

29:30

that can all change in the

29:32

last few years with the rise

29:35

of this mercenary commercialized spyware that

29:37

now anyone with a 50 grand

29:39

could rent the capability to pop

29:41

an iPhone and

29:43

all of a sudden you had to think

29:45

about that as an uncontrolled risk. So the

29:49

base technology within iVerify became a

29:51

really great platform to build out

29:54

what we're considering kind of the first

29:56

real true mobile threat hunting company that's

29:59

focused on this. more advanced threat? Essentially

30:02

what mobile

30:06

security problem has just gotten more

30:25

dire since the last time we checked in on iVerify. Let me just give you a couple of interesting data

30:27

points. I don't know if you guys saw these two reports a couple weeks ago, one from Kaspersky and

30:29

one from Google. Kaspersky said that about 40% of attacks these days are mobile attacks. Now that's driven largely

30:31

by adware but a big piece of that is credential harvesting as well. And there were these series

30:33

of reports from Meta and Kaspersky. And

30:36

Google that emerged a

30:39

couple weeks back too. And Google said that

30:41

about 80% of zero days they

30:43

caught in 2023 were related

30:45

to commercial spyware vendors and about half

30:47

of all the zero days they found

30:49

were related to mobile spyware on both

30:51

Android and iOS. And I live and

30:54

breathe mobile security for a living these

30:56

days but those numbers were frankly astonishing

30:59

to me. And these data points

31:01

to me suggest that

31:04

essentially mobile is where

31:06

desktop was about 15 years ago

31:08

which is to say about everyone

31:11

was using antivirus software of some

31:13

kind but their computers were somehow

31:15

always infected anyway. And

31:17

the adversaries fundamentally had the upper hand and

31:20

could just attack faster than the

31:22

vendors could repel them and the problem

31:24

demanded a fresh approach and

31:26

you know that approach looked

31:28

a lot like CrowdStrike and a

31:30

lot less like traditional antivirus

31:32

and so to answer your question. What

31:35

we're trying to do is apply some of

31:37

those same historical lessons to mobile.

31:39

So what iVerify is today is it's

31:41

a mobile threat hunting platform that

31:44

offers a mobile EDR service

31:46

that combines deep iOS and

31:48

Android access automated

31:50

detections and then expert analysis to

31:52

scale advanced threat detection while

31:55

staying true to our roots

31:57

as a company that puts privacy at the center of the

31:59

network. Everything we do, I can see

32:01

you mentioned that. Now it's about deep

32:03

access and instrumentation basically. And you know,

32:06

pulling telemetry and logs offer. You know

32:08

of Android and iOS devices? That's hard, right?

32:10

Because iOS is notoriously or

32:12

pipe sir. how on earth are actually

32:14

able to instrument an iPhone in

32:16

a way that's actually gonna tell you

32:18

when there's an attacker messing with. A. Secret

32:22

thought as he says a little bit by

32:25

bit know is that we've death dustbin. The

32:27

big development work that we've done as our

32:29

own company is is take that basic knowledge

32:31

in. Build. The threat hunting capability,

32:33

which is essentially kind of. Product.

32:36

Tithing Mobile Friendly. So so you're

32:38

using external tools for example, to

32:40

the. Turret. A rapidly poll

32:42

forensic data it all off the

32:45

operating system. To. To build

32:47

heuristics to to pool data from.

32:49

From. Kind of our our collection

32:51

of have come naturally occurring honeypot like.

32:54

One of any things stood out to me

32:56

when I joined is just how. Widely.

32:59

Adopted interested this tool is among the frontline

33:01

folks are the folks are some most in

33:03

the cross hairs of this and the most

33:05

in mans threats. And. So that

33:07

gave us an opportunity to work collaboratively with

33:09

that community. To. To gather data

33:12

and to build a sort of collective the sense

33:14

that if we all shared and pull data. And

33:17

this is not content to be clear

33:19

like we're not pulling them. you know,

33:21

text messages and images and emails right?

33:23

Was not pulling as as operating system

33:25

met a dealer and process information and

33:27

things like that somehow If I guess

33:29

my question still, how are you getting

33:31

that when Apple takes really deliberate steps

33:33

to stop applications from being able to

33:35

do that on iOS. And

33:38

he without getting into that that the

33:40

details. The. Know if leads us to

33:42

get into different it's that elsewhere. Well and with

33:44

not is not that I it is, there's there's

33:46

There's some of the secret sauce that we have

33:49

in terms of how he acts of said you

33:51

know saw that is using the same Apple interfaces

33:53

that exist and on they were doing anything particularly

33:55

magic or particularly like we're not. We're not exploiting

33:57

anything when I do any you're not supposed to

33:59

do. Where. Did you the a lot

34:01

of the existing Apple interfaces but the really is

34:03

more around product eyes and raised around. The.

34:06

Open. There are already mobile friendly tools that you

34:08

can download and Vt is a great tool, but

34:10

it's. It's. Big and cumbersome and you

34:12

have to have a lot of tech savvy so giving

34:14

that to like. A you know a

34:16

human rights activist on the front lines in

34:19

Central Asia isn't is a non starter right?

34:21

whereas of we can build a product I

34:23

certain that that requires him to quit Two

34:25

or three buttons and and all the data

34:27

gets extracted and pooled and analyzed automatically. That's

34:30

that's going to result in a lot more daily

34:32

been on in. I I one hundred percent see

34:34

why you said previously. It's like you know if

34:36

you had to sum up the pitch, it's like

34:39

CrowdStrike on mobile phones right? Like I have

34:41

played I absolutely cannot arm and you know we

34:43

we do obviously need something like that's Ah, The

34:45

question becomes are like have you actually caught stuff.

34:48

Ah, You know about commercial spyware

34:50

in the wild with results. Oh

34:53

yes specific yes very very First thing

34:55

we did with cats the latest copy

34:57

of Pegasus which we have in which

34:59

will be presenting at Black Hat Asia

35:01

very soon as an die and and

35:03

but we've also that I think that

35:05

the real story though as as we've

35:07

deployed this across you know. Everything.

35:10

From Think Tanks Enterprises. We've.

35:12

Caught a lot more stuff to mint and Iraq

35:14

you have stories of of have some of our

35:16

customers catching all kinds of like. You. Know

35:19

they're not as sexy but they're just as

35:21

valuable and of information for and for enterprises

35:23

in terms of those identify risk risk profile.

35:26

Yeah, I mean here's one story that says

35:28

that's frankly horrifying. I think if you're a

35:31

society we have a customers are called him

35:33

a large and us a large defense contractor.

35:35

We had a detection the other day. That.

35:38

Years ago of a malicious application

35:40

running running on an Android phone

35:42

and we looked into it and

35:44

essentially the application. Looks. Like

35:46

overly that it was left there by a

35:48

large telecom. a large carrier when you dig

35:50

a little. When you dig a little deeper,

35:52

you know. We found out that the it's

35:54

the Same app is running on about three hundred

35:57

devices in the Enterprise. And.

35:59

i know that what it wanted Is this stuff called? It's

36:01

the interface crap. It's bloatware kind of thing.

36:03

Bloatware, yeah. No, no, there's a

36:05

specific one. Anyway, I saw one of

36:07

the As-Enough people do a talk on

36:09

it like 10 years ago and it

36:11

was horrifying. Yeah, well it's pretending to

36:13

be like basically or it is or

36:15

is pretending to be like a demo

36:17

application that has, I mean when you

36:19

dive into it, it essentially has spyware-like

36:21

capabilities. It's certainly persistent and it's on

36:23

about 300 devices floating around in this

36:26

company's fleet. But the interesting part,

36:29

these phones were sold to them by

36:31

their supplier as brand new phones out

36:33

of the box. So someone,

36:35

there's either a supply chain vulnerability

36:37

where someone's going around harvesting demo

36:39

devices from a large carrier, shipping

36:41

them overseas and selling them as

36:44

new and they

36:46

have these essentially

36:48

quasi-malicious applications that are sitting there waiting

36:50

to be a backdoor for someone. Or

36:52

the telco ordered more demo phones than

36:54

they needed and somehow they got packaged

36:56

up. Something like

36:58

that I just think looks like

37:00

a stone-cold mistake somewhere. Whatever

37:03

it is, the point is that for

37:05

starters it was wild because it was a

37:09

carrier application for

37:11

a carrier that didn't exist in that country. It was

37:13

like, it was a US carrier on a phone that

37:15

they had bought and only ever used in the UK.

37:18

It was like, what is this carrier even doing here? It doesn't exist here. But

37:22

when we found the original malicious

37:24

app, then they scanned the rest of

37:26

their devices and found it on 300

37:28

other phones and realized that they'd been

37:30

conned by their own mobile phone vendor

37:32

and then just created this huge gaping

37:35

hole in their mobile security posture. These

37:37

company owned devices. When

37:40

you start to look under the hood,

37:42

suddenly you see the wild west comes

37:44

to mobile devices. We found employees running

37:46

jailbroken phones. Which

37:48

employees are being stalked by their exes. You

37:51

just find all kinds of stuff

37:54

that you would never have thought of

37:56

as the original risk. I

37:59

think that's a real story. I mean, yes, we

38:01

found Pegasus, but we've also found all these

38:03

other kind of, you know, different kinds

38:05

of vulnerabilities that we never expected to find. Yeah,

38:07

and I imagine there's like a lot of a

38:09

lot of crappy consumer apps with really bad SDKs

38:11

and stuff. Do you alert on that stuff as

38:13

well? Yeah, I mean it

38:15

depends. I mean, you know, no, no, we'll

38:17

never claim to have a hundred percent coverage

38:19

But certainly like malicious apps on Android we

38:21

cover, you know, jailbreaks on iPhones We're

38:23

just all kinds of different things that can

38:25

be vulnerable and we're adding to that list

38:27

constantly, too So look

38:30

another question I guess is which

38:32

verticals Is this

38:34

I mean you mentioned a defense contractor that is

38:37

utterly unsurprising to me that the types of

38:39

organizations that would be buying This are

38:41

the ones that are concerned by You

38:44

know nation-level threats, you know

38:46

intelligent trying to prevent things like intelligence collection

38:49

More so than crime ransomware BEC that sort

38:51

of stuff. Is that about right? I

38:54

think there's two categories because because we we

38:56

have this advanced detection capability We have this

38:58

threat hunting capability So, you know

39:00

anywhere where someone's particularly worried about

39:02

their threat profile, right? As you said,

39:04

right you know that defense and

39:06

government adjacent right space industry that kind

39:09

of stuff Also cryptocurrency

39:11

kind of you know people that whole industry.

39:13

They I mean they keep huge amounts of

39:15

money on their phones. Yeah So

39:18

so anywhere that's a particularly juicy target

39:20

from either a you know Economic or

39:23

a counter espionage perspective or whatnot The

39:26

but remember iVerify does come with from

39:28

these sort of privacy routes privacy first routes,

39:30

right? And so there's a whole another category

39:33

of folks who don't Who

39:36

say like I need so as you kind of

39:38

said at the outset, right? I need some sort

39:40

of mobile security posture, but I don't want

39:42

full-blown MDM because say I have you know 5,000

39:45

employees BYOD. We need something to make

39:47

sure that they're all doing some basic level

39:49

of security hygiene But they'll never let us

39:51

put you know Profiles management profiles on

39:53

their phones or you know, MDM is just too

39:55

creepy or whatever it is I mean, there are

39:58

plenty of places where we deploy alongside and But

40:00

there are also plenty of places where we're used to

40:03

achieve a basic security posture like like I

40:05

was I was a user So so so

40:07

what you're saying is it's in life and

40:09

death cases and also compliance Well,

40:12

it's it's compliance where you

40:14

care about like where you care about privacy

40:17

or you care about your employees feeling comfortable

40:20

On their own personal devices. Yeah, that's what need

40:22

is actually in the overlap that is really interesting

40:24

Like there's some well, you can do

40:26

this so you don't have to do MDM I

40:28

mean, I don't even think it's about caring about

40:30

your employees. It's just that MDM is a giant

40:33

pain in the you know What yeah, you hear

40:35

that a lot Do that we were talking to

40:37

we were talking to someone the other day who

40:39

manages really large political campaigns in the United States

40:41

And he was essentially Railing

40:43

against the very large I won't name them But

40:45

the very one of the biggest MDMs out there

40:47

if not the biggest you can read between the

40:49

lines and figure out who it is He

40:52

was essentially, you know saying I need a PhD in

40:54

order to just figure out how to how to configure

40:56

it so that it doesn't Break my enterprise. Yeah,

40:58

right. So there's this there's these there's it's this

41:01

dual opportunity of There are

41:03

CISOs out there who think that MDM

41:05

erodes trust between their office and

41:07

their enterprise and they'd rather

41:09

spend their political capital on something like two-factor

41:11

authentication, which I think is totally fair and

41:14

And then there's this kind of other You

41:17

know, there's this other aspect of it of operational

41:19

efficiency, which is people they want mobile endpoint security

41:22

But they also don't want to have to get

41:24

a PhD or hire a solution

41:26

engineer in order to implement it All

41:29

right, Danny Rogers, Rocky Cole. Thank you so much for

41:32

joining me to talk through the latest with iVerify

41:34

I wish you all the best with it. Thank

41:36

you very much pleasure to be here. Yeah. Thanks for

41:38

having us Oh That

41:41

was Rocky Cole and Danny Rogers from iVerify

41:43

there and you can find them at iVerify

41:46

.io and that is it for this edition of

41:48

the Snake Oilers podcast. I do hope you enjoyed it

41:51

I'll be back soon enough with more risky biz for

41:53

you all. But until then I've been Patrick.
