Episode Transcript
0:03
Hi everyone and welcome to this edition
0:05
of Snake Oilers, the podcast we
0:07
do here at Risky Business HQ a
0:09
few times a year where vendors come
0:11
onto the show to pitch you their
0:13
wonderful wares. This whole thing is sponsored
0:16
and that means everyone you're about to
0:18
hear from in this podcast paid to
0:20
be here. If you're looking for the
0:22
regular weekly podcast, just go back to
0:24
one of the other podcasts in this
0:26
feed that has a number on it.
0:29
So we're gonna hear from three vendors
0:31
today: Push Security, Knock Knock and
0:33
iVerify. Push Security is essentially a
0:35
browser plugin that is extremely useful
0:37
in preventing identity based attacks, phishing,
0:39
account takeover and so
0:41
on. It's a much more
0:44
compelling pitch than you're expecting, I
0:46
promise you that. Knock
0:48
Knock is our second Snake Oiler
0:50
and yeah, a lot of you would
0:52
remember that for the last couple
0:54
of years I've been praying for
0:56
someone to build a product that
0:58
dynamically firewalls all your enterprise crap
1:00
based on a user's SSO status.
1:02
And Knock Knock have built
1:04
exactly that, and we even use
1:06
it at Risky Business to lock
1:08
up our content management system and
1:10
to dynamically IP restrict SSH to
1:12
people who are actually signed in.
1:15
So yeah, you can firewall
1:17
off your Confluence, your Citrix, your crummy
1:19
web apps, whatever. But when a user
1:21
is authed, they can access it like
1:23
normal. It's, you know, it's
1:25
magical. We love it. And then
1:27
we're going to hear from iVerify,
1:29
which originally spun out of Trail of
1:31
Bits but is its own company now,
1:34
and iVerify is a mobile security
1:36
suite that actually identifies real threats. They
1:38
caught Pegasus in the wild with
1:40
this tool and you can use this
1:42
as a substitute for something like MDM
1:44
for compliance purposes. So yeah, if
1:46
you need a mobile security package for
1:48
your employees, either because you're attracting
1:50
serious attackers or for compliance purposes, it's
1:53
one to look at closely. But first
1:55
let's get into it with Push Security.
1:58
And I really think this one is a compelling pitch,
2:00
because at the moment, enterprise security teams
2:02
don't really have much visibility or control
2:05
over how identities are being used, which
2:07
when you think about it, is more
2:09
than a little bit nuts. We've got
2:12
Adiala, we've got India Us, but we
2:14
can't tell when someone enters their SSO
2:16
password into a phishing site, right? So
2:19
it just seems like maybe, maybe that's
2:21
a bit out of whack. So Push
2:23
Security has developed a browser plugin that
2:26
does identity security, and you might think
2:28
of a plugin, you know, it's
2:30
at the browser as the ingress point for
2:32
identity information. If you want to tackle identity
2:35
based threats, that's where you need to be.
2:37
Adam Bateman is the cofounder and CEO
2:39
of Push Security and he joined me to
2:41
pitch Push, and here is what he had
2:44
to say. And just as a disclosure, ah,
2:46
I'm an advisor to Push Security and an
2:48
enthusiastic one at that. Here he is.
2:51
At. When people imagine what are the and sees
2:53
activist exhausted I think about a centralized out and
2:55
she saw and and every employee has one I
2:57
don't see. Which. Acts as everything and
2:59
Stephanie to stay. You want to get saved values
3:01
when you actually. Going. To point to
3:04
get a day I you end up with your primary
3:06
I D P with like get have been enough of
3:08
that and salesforce hang off of on a bunch of
3:10
other applications are out there as well. The whole things
3:12
like a big. Masses. It over like
3:14
you know jerry network diagram look so pretty but
3:16
then you go off and or big soundscan or
3:18
like as a discovery scanner actually a kind of
3:21
different side. If you're in
3:23
the browser, you're seeing everything everyone's logging
3:25
into, and where you can see
3:27
that. So we have two different parts
3:29
of the platform. One side is detection
3:31
and response, so we'll actually draw telemetry
3:33
from the browsers to detect and
3:35
respond to attacks, and
3:37
the other side is more of a proactive
3:40
side, so we actually map out what identities
3:42
are being used. We can observe as employees
3:44
create or use identities, map out which ones
3:46
are vulnerable, and then we can, we do
3:48
things like access controls to stop people from
3:50
accessing sabotage and one two and think though
3:53
that. Okay, so let's start with
3:55
the detection and response part of this. You
3:57
and I have spoken about this before, ah, you
3:59
know, in interviews and whatever, and it's, you
4:01
know, it is, it's pretty cool what
4:03
you can do in the browser, you can actually do an
4:05
awful lot. But why don't you start by just explaining,
4:07
yeah, what you're doing on the detection and response side.
4:10
Yeah. Doesn't deserve a raise. Simple example
4:12
to start with machine guns more some
4:14
or fancies cases while but. If.
4:16
If you think about, like, you've got a SIEM
4:19
and the big three data sources are probably
4:21
EDR, your network traffic logs, identity, those are the
4:23
ones everyone's already got. When you
4:25
add browsers to that, it gives you something
4:27
pretty unique and different. Say for example,
4:30
let's say there's a phishing attack
4:32
against, say, fifty employees inside the organization,
4:34
you want to know who's been, who's
4:36
been hit by that. So if you look
4:38
at your network or EDR log data, it's
4:41
gonna show you fifty people visited a
4:43
phishing site. Whereas we can
4:45
actually say no, fifty people submitted their
4:47
IDP creds out to a
4:49
max of cards into that. And
4:52
by the way this is also shared with
4:54
these on it's when app say that wants
4:56
to talk of Cox's this crunches they can
4:59
then deposits rail credentials for stuffing own else
5:01
is wow She actually got a level data.
5:04
Are we're seeing takes our level. Sada.
5:07
So one of the things we have is an
5:09
SSO password protection, so the browser extension will
5:12
actually observe when an employee logs into the
5:14
primary IDP and then pin the password
5:16
to the official login screen so it can't
5:18
be entered anywhere else, and you can configure it
5:21
depending on which mode you're in, and
5:23
if you put it into sort of full,
5:25
full mode, it will completely stop corporate password
5:27
reuse. So employees
5:29
can't reuse that SSO password
5:32
in any other app at all. Am
5:34
an hour to forty one freaks out about
5:36
you. You know, looking at these passwords you
5:38
just have and then take that back into
5:40
the hash and that's how you decide attacking.
5:43
Absolutely. So one of our
5:45
very early customers is a German customer,
5:47
so it really helps with the privacy side, with
5:49
engineers who are suffering some into the into
5:52
the pass on. Yeah, we do exactly that,
5:54
the extension does everything locally, it observes
5:56
the password as it gets typed in
5:58
and takes a hash of it. Though they can on
6:00
the my stash of is it has jumped in
6:03
half and stores that inside the browser sandbox
6:05
and then we use that to do a check
6:07
basically against any other site they log in to, and then
6:09
we can, we can block and take action based
6:11
on. I mean, what's funny, right, is
6:14
already what you just described, which is a very
6:16
small part of this product, like I guarantee you
6:18
there's like a lot of people listening to this
6:20
right now who were like, well, we should get
6:22
it just for that. Yeah, I mean, like,
6:24
credential phishing is still a massive problem and you need
6:27
to do stuff like domain categorization and you
6:29
can use like... I'm to do it is good
6:31
features, but it's just a really
6:33
simple approach, it's like this: this password is
6:35
important and it cannot be used anywhere
6:37
else, you can't enter it into a phishing
6:39
site, it can't be used against different
6:41
apps. I just take thoughts. Tiger. Yeah, like
6:43
really strong control. Yeah, I mean
6:46
that's it. You know, that's it. That's a great one,
6:48
but you're also doing stuff like phish kit detection, and
6:50
all of that usual, you know, cool stuff you can
6:52
do once you're in the browser. Yeah.
6:54
Absolutely. There's some really cool attacks, like Evilginx,
6:56
this is a big popular one. The
6:59
people talking about this... there's also evil VNC,
7:01
where you run a VNC session inside the
7:03
browser and phish people that way, and basically it allows
7:05
you to steal MFA tokens and
7:07
session tokens and all these things as well. So
7:10
we can detect these phishing kits running inside
7:12
the browser and block those, far less back
7:14
to where Pixie can percent she is Sam
7:16
We saw. And he can access to
7:18
every was a D. Stuff like clone
7:20
site detection too, we can actually observe as someone
7:23
logs into an application, we take a fingerprint
7:25
of what the legit login page
7:27
looks like, and we can then detect
7:29
and block when there are slight variations of that.
7:31
That's really interesting, it's if attackers come
7:34
and clone a login page and stand it up on
7:36
a new domain, we can see that
7:38
that is a potential phishing attempt. It's much
7:40
more generic, but it also gives us
7:42
much more generic detection around phishing
7:44
tools, because if you're using something like Evilginx
7:47
and you're relying on the login page three
7:49
a frame on I Die and Modifies Asylum and
7:51
we can pick up more generically as well. Yep,
7:54
yep, it's neat. You gotta tell everyone about the
7:56
stuff you're doing with the header injection in
7:59
Okta, because that's cool too. Yeah,
8:02
so session theft detection this is. Obviously
8:04
if you're in a position then where
8:07
you've locked down the credentials you can't get access to
8:09
the next thing that attackers are going to do is
8:11
just directly steal the session token and once you've got
8:13
that you can relay that against the applications and you
8:15
can gain control. This is a massive problem. So
8:18
what we do is just a really simple again
8:20
technique, always the simple ones that work, and
8:23
the browser extension will actually
8:25
effectively inject a one-time token
8:27
into the header of
8:30
an HTTP request. So as an
8:32
employee authenticates we inject the one-time
8:34
token into the browser and
8:36
then that token then appears inside the IDP
8:38
logs. So you can see them in your
8:40
Okta or Microsoft 365 logs. What
8:43
you can then do is use the SIEM,
8:45
look through the logs and you basically just
8:47
look for two matching
8:49
session IDs from two different requests
8:52
where one doesn't have our token. So effectively it's
8:54
like the browser extension
8:56
is doing like a stamp of approval to say
8:58
this is an official session that came from an
9:00
employee. If you then discover one that doesn't have
9:03
that it's clearly session hijacking. Yeah,
9:05
it's funny man like just talking to you about
9:07
this it reminds me a little of like
9:09
and I know it's a completely different product set,
9:11
different problem set and everything but like
9:14
when I first started talking to Island and people would
9:16
be like oh an enterprise browser that sounds
9:18
dumb and it's dumb until you actually think about what you
9:20
can do with it and like this is the same sort
9:22
of thing right like a browser
9:24
extension for security that sounds stupid until you
9:26
think about literally like the million ways that
9:28
you could use it to make life less
9:31
miserable. Yeah 100% and that's
9:33
the thing attacks are moving inside the browser if
9:35
you do a phishing attack that's inside the browser
9:37
and so actually moving inside the
9:39
browser makes a ton of sense and you start
9:41
to see you start to see people doing things
9:43
like you know you haven't done anything
9:45
like TLS interception to try and get into the
9:47
stream between the browser and the application why not
9:50
just move inside the browser and do it directly
9:52
inside there so yeah it's really effective it's a
9:54
really interesting area. Well, and especially
9:57
when you look at the average log
10:00
output coming out of an IDP, it isn't
10:02
really that illuminating. Yeah. I
10:04
mean, so we do do integrations back with
10:06
IDPs and pull those in as well
10:08
thus eliminating one second for me to compare it to
10:10
what I'm saying no is on there aren't like they're
10:12
not all that than us. Yeah.
10:15
I think there's a couple of issues. There's
10:17
groups like Scattered Spider
10:19
and the others, they tend to go directly
10:22
to the IDP. And so if
10:24
you're in a position where you go,
10:26
use the esophagus and compromises a year
10:28
at a privileged I don't see straight
10:30
away. They're going to start turning
10:33
off different logs to hide what they're doing.
10:35
So if you're just relying on
10:37
IDP logs, you're relying on the
10:39
logs from a compromised device, and so you're not
10:42
going to see everything, you can be blinded.
10:44
So another reason moving into the browser is kind
10:46
of, kind of interesting. So what some people are
10:48
using our extension for is
10:50
exactly that. You can stream back
10:52
every login event that happens inside the
10:54
browser back to the SIEM, and so if there
10:57
is, is a malicious event like that,
10:59
you can actually correlate back and say, wow,
11:01
this event, like disabling logs, didn't come
11:03
from a legitimate employee's browser, it came from
11:05
somewhere else, so you can sort of pick
11:08
up that kind of activity
11:10
as well. Yeah. No,
11:12
you know, be spoken about the ah,
11:14
the detection response. Let's talk about the
11:16
more proactive preventative stuff, because yet, is
11:18
it Again, there's a lot you can
11:20
do once you start collecting the sort
11:23
of information from browsers. Yes,
11:25
If you're thinking about stopping identity attacks
11:27
and you're looking to defend your
11:30
identity infrastructure, there's two parts: there's reactive,
11:32
we've just spoken about the response, but
11:34
then there's a proactive piece and actually
11:36
doing hardening, and so we have all of
11:38
that bundled together in a single, a
11:40
single product. So on the proactive side,
11:43
we observe identities as they're being created
11:45
or used, and the browser extension, because it
11:48
can observe network traffic, we can see whether an
11:50
identity is behind, is it behind
11:52
SSO or is it a password login, ah,
11:54
we can then observe and actually see
11:57
do they hit MFA, see
11:59
prompts, what MFA method they're using, is it
12:01
phishable, and all that stuff gets reported back up
12:03
to a dashboard. We can then see
12:05
if there's stuff like whether it's vulnerable to cred stuffing,
12:07
password reuse, and just general things like whether that password's
12:10
been leaked as part of a prior breach, and a
12:12
ton of stuff like that as well. So
12:14
what you end up with in the dashboard is just this
12:16
full graph of, okay, this is the percentage of apps
12:18
that are off SSO, these are the ones
12:21
that are on SSO, and then people can actually
12:23
use to move those over onto
12:25
SSO themselves. So
12:27
yeah, we do a lot of stuff around that. That
12:29
obviously helps you build out a really good app inventory, so you
12:31
can see everything everyone's logging into and putting that data in as
12:33
well, there's a bit of a freebie in there. And
12:36
then we do access enforcement, so you can
12:38
actually start to say which apps people are
12:40
allowed to access, and you can actually put
12:43
out block screens to stop people from gaining
12:45
access to particular applications. Yeah,
12:47
this ain't a Dropbox place, buddy. What
12:49
are you doing? Get the hell out of here. Yeah,
12:52
one of the really popular use cases that people
12:54
have been using it for is things like, there's
12:56
been a big craze around chat GPT or whatever,
12:58
and so you can
13:00
actually drop a banner- And pasting corporate documents
13:02
into them and asking for them to be
13:04
summarized, basically. Exactly that,
13:06
yeah. So you can show a banner
13:08
inside the screen, inside the browser, and
13:11
so when an employee goes to visit the login or sign-up
13:13
page to one of those applications, you can just drop a
13:15
banner across the top of the app, just reminding people and
13:17
saying, hey, you can use this
13:20
application, but please
13:22
don't put company data in here, and
13:24
here's our GenAI policy, as more of a reminder.
13:27
And you can actually tier that up to get more
13:29
aggressive if you want to, and make it a full
13:31
block screen, so, nope, you can't access this at all.
13:34
All right, Adam Bateman, push security,
13:37
killer pitch, man. I've got to
13:39
say, very cool stuff, really enjoyed
13:41
that. Great to talk to you again, and
13:43
we'll be doing it again soon, I'm sure. Thanks very
13:45
much, man. That was
13:48
Adam Bateman of Push Security
13:50
there, and you can find
13:52
them at pushsecurity.com. Our
13:54
second Snake Oiler today is Knock Knock, and I'm
13:57
pleased to say Risky Biz is actually a Knock
13:59
Knock user. So
14:01
regular listeners would have heard me say a bunch
14:03
of times that what we really need to
14:06
deal with a bunch of the threats that
14:08
are plaguing enterprises lately is a product that
14:10
we can plumb through to our IDPs that
14:12
can do dynamic firewalling. So think
14:14
of something like RDP. Wouldn't
14:16
it be great if you could dynamically
14:18
IP restrict it to users based on
14:20
their authentication status? So if someone tries
14:22
to hit that port, it's closed, but
14:24
if they're logged in via their IDP,
14:27
it's magically open. You know, would this
14:29
be a useful thing to put in front of
14:31
Confluence or Citrix or all the other
14:33
horrible enterprise crapware that's hanging off your
14:35
perimeter, gathering flies? You know,
14:37
your custom apps? Yes,
14:40
basically, yes, a very useful thing. So
14:42
Dave Kempe from Knock Knock has built
14:44
exactly this solution. So yeah, Knock Knock
14:46
handles that plumbing for you from the
14:48
IDP out to firewalls and again a
14:51
disclosure I'm in discussions with Knock Knock
14:53
to be an advisor to them as
14:55
well. But without further delay,
14:57
here is Dave Kempe talking all about Knock
14:59
Knock. Yeah,
15:25
I mean, I think about this
15:27
and I think about the problems that it solves and
15:30
there's kind of two product categories that it bumps up
15:32
against, right? One is the, you know, these sort of
15:34
access gateways into production environments, right, which are designed to
15:36
sort of ring fence prod. You
15:40
know, that's one area where you could do this
15:42
instead. I mean, you might not get
15:44
the centralized logging and all of that sort of stuff,
15:46
you know, with this, but you can do that. Like
15:49
If you want to put SSH behind this, you absolutely can. The
15:51
other area... SSH or
16:00
whatever. The other area where it
16:02
makes sense is in places where people might
16:04
install an identity aware proxy, but they can't
16:07
be, simply because, and even once you get
16:09
them up, sometimes the origin is often left
16:11
exposed, so you need to do supply willing
16:13
there anyway. It's, this just seems like it
16:15
gets you the same thing but a lot
16:17
easier, right? So is that, is that typically
16:19
where people us is that how customers are
16:21
thinking about this as as sort of substitutes
16:24
for those two things. Yeah,
16:26
absolutely, so the large benefit is
16:29
that because of the sort of
16:31
distributed and agent based approach we
16:33
can have, we have unlimited
16:35
flexibility in what we can integrate
16:37
with: your favourite web server, Apache,
16:39
nginx, HAProxy, applications, WordPress
16:41
or whatever it might be, databases,
16:43
SSH, firewalls, you paper devices, these
16:45
things can all be integrated with,
16:47
and then what typically happens
16:49
is that a customer has a
16:51
particular use case. They have an
16:53
old website that they need to
16:56
lock down, they have a copy of Confluence that
16:58
shouldn't be on the internet but still people
17:00
from outside need to access it. Those people, they
17:02
contemplate a VPN. To those people there may be
17:04
other problems getting to it. So
17:06
they pick one thing, they get it deployed
17:08
and they realize, wait a minute, we can
17:10
use this for all sorts of other stuff
17:12
that we were previously using other solutions for,
17:14
because the simple and pragmatic approach ends up
17:17
being easy to understand, easy to
17:19
roll out, easy for users, low
17:22
barrier to entry for users, and it becomes
17:24
bigger and bigger and bigger. Yeah, yeah.
17:26
Hundred Percent. I mean, like as I said at the
17:28
intro, like this is the sort of thing the kind
17:31
of feels like a half isolation and then he guy
17:33
will hang on. It's gonna actually achieve what we needed
17:35
to achieve and we can put it here here. Here
17:37
are their their that's and Us? That's what happened to
17:39
us when we looked at it is we started realizing
17:41
all of the different places we could use. Yeah.
17:44
Absolutely, hundred percent. And I think
17:46
typically, part of the
17:49
journey customers will need to go on
17:51
is this mindset approach of looking at
17:53
their system from the outside, understanding that
17:56
attack surface and then going, well, wait
17:58
a minute, if we just sort of
18:00
lock these things down, what else do we
18:02
need to do? Like an elastic? The are
18:05
actually get this kind of moment where it's
18:07
like, well, can it be that simple? sentences
18:09
success. Can I sleep at night? It's not
18:11
a solution to every vuln management problem
18:14
but it kind of mitigates a lot of
18:16
risk. One example that, you know, when
18:18
I was talking about this before you'd even
18:20
announced the product, right, I didn't know you
18:23
guys were, were building this, was something like,
18:25
you know, your FortiGates or your
18:27
Citrix gear at the edge of your network.
18:29
You can absolutely use this to restrict access
18:31
to those things so that even if there's
18:34
0day in them, no one can
18:36
touch them unless they're an authenticated
18:38
user. Ah, Two percent. So
18:40
our Citrix is a good example. The attack
18:42
surface of that is giant. It
18:45
has had a whole series of
18:47
very widely publicized vulnerabilities, so
18:49
why not just completely block
18:51
it, absolutely, until someone in
18:53
a simple gateway can allow it.
18:55
And... We
18:57
have customers where that's definitely their
19:00
plan, and they're
19:02
in the implementation phase of that now,
19:05
centralized authentication, the SSO integration
19:07
and then opening a portal, you
19:09
know, let people actually access. Excellent.
19:12
And it's actually, in
19:14
a reasonably easy for users to manage. They
19:16
click here, they click there, and then they're on.
19:18
It has, it's not, it's money. And I asked a
19:21
question in that scenario, like where's the firewall? Are you
19:23
actually instrumenting a firewall on the Citrix boxes or
19:25
something usually in front of it? Yeah.
19:28
We generally have
19:30
a reverse proxy in front of the
19:33
Citrix virtual hosts. So citrix.mycompany.com is
19:35
actually connected to, or is SSL
19:37
terminated at a proxy that then backends
19:39
into the Citrix, NetScaler, environment,
19:42
whatever it might be, and Knock Knock is
19:44
controlling an ACL on that reverse
19:46
proxy. Yep? Nice, nice. And I believe
19:48
Also like this is a really hilarious
19:50
example but you've got a customer at
19:53
the moment who is setting it up
19:55
so that the firewall on their Fortinet
19:57
device is
19:59
actually going to control access to
20:02
its own VPN ports,
20:04
right? So they're actually using Knock Knock
20:06
to instrument a firewall on the thing,
20:08
which is quite hilarious. We're
20:11
adding a feature to firewalls that
20:13
doesn't exist in many cases. Which
20:15
is SSO integration. Exactly.
20:18
So we're bolting this feature on and
20:21
Knock Knock Agent is able to
20:23
dynamically add and remove people from
20:25
firewall objects. And
20:29
the feature doesn't exist. Firewall vendors
20:32
will only be incentivized to add the feature
20:34
for their stack. They won't be incentivized to
20:36
add a set of
20:38
tools and typically people don't just have
20:40
one vendor. They have many different vendors
20:42
and virtual hosts and you know, okay
20:44
they've got a firewall that needs this
20:46
feature. But then after that they've got virtual hosts that
20:48
they just visit, they've got websites and all these other
20:50
kind of things that need this. So
20:52
Knock Knock allows them to do all of those things with
20:55
the one tool set and might look
20:57
simple but then allows all these extra integrations
20:59
to be from the one place. Now
21:01
from a user experience it's pretty straightforward right?
21:04
Which is if they want to open up
21:06
these ports, all they need to do is
21:08
be authenticated, load a browser tab
21:10
and hit a Knock Knock URL which will
21:12
then spit out a list of all of
21:14
the stuff they can access. And you know,
21:16
by through the process of actually hitting that
21:18
page, you know, that's how Knock Knock collects
21:20
their IP and makes the necessary changes to
21:22
grant people access, right? That's correct.
21:25
It's a straightforward approach.
21:28
The source address is updated
21:31
in the back end of your choosing and
21:33
then the access is allowed for a period of
21:35
time, a timer starts and the
21:37
SSO integration or any other, we've
21:40
got, we support SSO, local users and LDAP and
21:42
we add two-factor authentication
21:45
on top of those legacy
21:47
authentication systems. For SSO
21:49
we outsource that MFA to
21:51
the SSO provider and
21:54
then groups are provided by that, groups are mapped
21:56
to ACLs and different groups of users
21:58
are given access to different resources
22:01
depending on which groups are in and the way
22:03
they go. So from a user's point of view,
22:05
they literally will click a button and
22:07
a firewall will open because that button authenticates into
22:09
their SSO provider. They've already logged in and away
22:12
we go. And, you know, I mean, it's one-click
22:14
firewalling. I don't know if someone
22:16
has a patent on that, Amazon, hopefully they don't,
22:18
but it's
22:21
a one-click operation and then you're on.
22:24
That could be simpler. So people,
22:27
I mean, I know it's early days, right? But what are people
22:29
mostly applying this to so far? Legacy
22:33
websites, confluence. Yeah,
22:36
it's not legacy, but hey, it's. Well, but I
22:38
mean, you could throw this at like your file
22:41
transfer appliance. You could throw this, which would get
22:43
tricky when you've got unauthenticated users who need to
22:45
do stuff or whatever. But that's just one example.
22:47
You can throw it at your payroll system, for
22:49
example. Those things are just ready to get owned.
22:51
Right. Like I had a chat with a guy
22:54
from Kroll a while ago who's predicting they're the
22:56
next big category of systems that are going to
22:58
get mass owned on the Internet. And I think
23:00
he's probably right. But all of those creaky web
23:02
applications, you can lock them up pretty good. Yeah,
23:05
absolutely. And file transfer is actually definitely
23:08
one that we have a number of
23:10
customers pursuing, sorry, not pursuing, rolled out
23:12
with. And there are
23:14
ways you can get around having, you
23:17
know, sharing links work and all those
23:19
things from a reverse proxy
23:21
URL matching point of view. The
23:23
ACLs don't just
23:25
have to be I can get in or not. They can be
23:27
I can do certain things with
23:29
it with it with an adequately featured reverse
23:32
proxy like HA proxy. You can even block
23:34
HTTP verbs. You know, we've turned web pages
23:36
read only for certain people, you know,
23:38
just block, you know, a GET request
23:40
or a POST request, however you want it to work. So
23:43
you can be a bit more nuanced about that.
23:45
You can obviously have URL matching and other things and
23:48
away you go. So it doesn't have to
23:51
be all or nothing either. Yeah.
23:53
And do you expect people to start throwing at a stuff
23:55
like SSH? We already
23:57
have the, the traditional thing with
24:00
SSH is maybe like restricted to an ASN or
24:02
whatever, but this is so much better. Absolutely.
24:04
We already have that one of our large
24:06
customers, Massive Australian Telco uses that
24:09
for SSH jump box access over the internet.
24:11
They have, you know, roving teams of network
24:13
engineers rolling in things around the world and
24:16
this is the way they've chosen to do
24:18
that and it works great. They've got SSH
24:20
restricted to knock knock and then the SSH
24:22
has 2FA on it and they use that
24:24
as a bastion host and jump on from
24:27
there and they find that's a fantastic mix
24:30
of usability and flexibility for their tool
24:32
set. Yeah, and it's not like
24:34
you need to VPN an SSH connection. Exactly. That's
24:37
my brain a little. It's already encrypted,
24:39
it's already strongly authenticated, but you just don't want to
24:41
sit it on the internet. Now just
24:43
quickly, I want to talk about the history of the
24:46
product because it does have an interesting history. It was
24:48
initially developed, I believe, for the broadcast industry as a
24:50
way for broadcasters to
24:52
make video streams available when, you
24:55
know, VPNs
24:57
might introduce latency and sort of
24:59
problems and whatever. Often it's a
25:01
fire hose of UDP, right? So
25:04
you created this product
25:06
initially to allow broadcasters
25:08
to offer, you know,
25:10
streaming video just
25:13
over the raw internet in
25:16
a way that was sort of IP restricted and
25:18
put at least some guardrails around that content. Yeah,
25:21
that's absolutely correct and this is not for
25:23
consumer use, this is for back end production
25:25
purposes. Yeah, yeah. This is when you got
25:27
a field crew who's got to get some
25:29
video back to head office, right? Exactly.
25:32
They have low ability to modify the environment they
25:34
turn up to, they turn up to a racetrack
25:36
or a sports stadium and they
25:38
have to deal with the equipment they have. They
25:41
need to get the job done quickly, they need the
25:43
video to be low latency so they can add audio
25:45
to it so that you can then broadcast it and
25:47
Knock Knock was a perfect fit for that and we've
25:49
had it rolled out for many years in that
25:52
environment and our original installation is actually still
25:54
going strong to this day. The
25:56
product has evolved significantly since that
25:58
original time. And our background
26:01
in Linux firewalling and web application
26:03
hosting for some twenty five years
26:05
has created that necessity, and as they
26:07
say you know necessities the mother of
26:09
invention and we have refined the product
26:12
over many years rolled it
26:14
out into a full featured product
26:16
ready for market and those
26:18
customers will be upgraded to the
26:20
new version, we're in the process of doing that
26:23
now, so you know the. The
26:25
origin story is very much one born
26:28
out of necessity
26:30
where the users
26:32
of the application aren't necessarily your staff,
26:34
they may be vendors or they may
26:36
even be customers, so the barrier to
26:39
entry has to be. Pretty
26:41
low you have no way of dictating
26:43
how that might work and another example
26:45
for the original customers is in hospitals.
26:47
They have a lot of manages they
26:49
go to a hospital the environment restricted
26:51
they want to be able to get
26:53
to the remote access environment of the
26:55
specialist but that outside the hospital network
26:57
and they but they can't modify the
26:59
hospital computers, so it doesn't allow for
27:02
even admin rights, so that the specialist
27:04
is able to do his consultations from
27:06
the hospital environment using their computers with
27:09
minimal. Interaction yet that machine
27:11
So two things real quick because we're running out
27:13
of time. First of all, you mentioned agents before,
27:16
I presume they're agents that actually run on the
27:18
boxes that are doing the ACL, like so that
27:20
that's either going to be running on a firewall
27:22
or running on a proxy whatever that's the agent
27:24
they're not for the users correct. That's right agents
27:27
are on back end devices that update ACLs on the
27:30
target machine just wanted to confirm that for
27:32
everybody listening and they run adjacent to whatever
27:34
it is you want to modify. But we
27:36
should say also just before we leave that
27:38
Knock Knock is still pretty new, right? Like
27:40
there are still a few rough edges on
27:42
it like i think we need to be
27:44
realistic about that, right? Yeah, I
27:46
think that's fair enough, we're in active
27:48
development we recently added internationalization support that's
27:50
about to be rolled out we picked
27:53
up a number of European customers and
27:55
we realized the translations are very helpful for
27:57
users. We
27:59
have an aggressive roadmap to add features.
28:02
But yes, we're a small startup that
28:04
is for product that
28:06
we feel is mature and ready for market. However,
28:09
we're keen to hear from our customers, keen to
28:11
get it rolled out, keen to get it used
28:13
in their environments. There's no shame
28:16
in it, Dave. You're an early stage startup. There's
28:18
no shame in it. We're getting it done, mate.
28:20
We're getting it done. All right, Dave Kempe. Fabulous
28:24
to talk to you. So happy to finally get
28:26
this interview out. I'm absolutely stoked
28:28
to be working with you and yeah, to the
28:30
moon. Let's go. Thanks, Patrick.
28:33
Love your work. That was Dave Kempe
28:36
there from Knock Knock and that is
28:38
spelled K-N-O-C, K-N-O-C. And
28:41
yeah, pretty easy to find once you get the spelling right.
28:43
Our third and final snake oiler today
28:46
is iVerify. iVerify was originally spun up
28:48
by Trail of Bits but has since
28:50
graduated into being a fully independent company.
28:54
It's a mobile security platform that can run
28:56
with or without MDM and it
28:58
does useful stuff.
29:00
As you'll hear, they're really presenting this
29:02
thing as being like EDR for mobile.
29:05
It can find bad stuff. They do
29:07
legit threat hunting. I spoke
29:09
with Danny Rogers and Rocky Cole from iVerify about
29:11
their platform and here's what they had to
29:13
say. And the first voice you hear is Danny.
29:16
It used to be that you would buy an
29:18
iPhone out of the box and you can consider
29:21
it secure unless you were, say, some super
29:23
high level terrorist fugitive. Unless you're Osama
29:26
bin Laden, you can basically consider this
29:28
phone to be secure and
29:30
that can all change in the
29:32
last few years with the rise
29:35
of this mercenary commercialized spyware that
29:37
now anyone with a 50 grand
29:39
could rent the capability to pop
29:41
an iPhone and
29:43
all of a sudden you had to think
29:45
about that as an uncontrolled risk. So the
29:49
base technology within iVerify became a
29:51
really great platform to build out
29:54
what we're considering kind of the first
29:56
real true mobile threat hunting company that's
29:59
focused on this more advanced threat. Essentially
30:02
what mobile
30:06
security problem has just gotten more
30:25
dire since the last time we checked in on iVerify. Let me just give you a couple of interesting data
30:27
points. I don't know if you guys saw these two reports a couple weeks ago, one from Kaspersky and
30:29
one from Google. Kaspersky said that about 40% of attacks these days are mobile attacks. Now that's driven largely
30:31
by adware but a big piece of that is credential harvesting as well. And there were these series
30:33
of reports from Meta and Kaspersky. And
30:36
Google that emerged a
30:39
couple weeks back too. And Google said that
30:41
about 80% of zero days they
30:43
caught in 2023 were related
30:45
to commercial spyware vendors and about half
30:47
of all the zero days they found
30:49
were related to mobile spyware on both
30:51
Android and iOS. And I live and
30:54
breathe mobile security for a living these
30:56
days but those numbers were frankly astonishing
30:59
to me. And these data points
31:01
to me suggest that
31:04
essentially mobile is where
31:06
desktop was about 15 years ago
31:08
which is to say about everyone
31:11
was using antivirus software of some
31:13
kind but their computers were somehow
31:15
always infected anyway. And
31:17
the adversaries fundamentally had the upper hand and
31:20
could just attack faster than the
31:22
vendors could repel them and the problem
31:24
demanded a fresh approach and
31:26
you know that approach looked
31:28
a lot like CrowdStrike and a
31:30
lot less like traditional antivirus
31:32
and so to answer your question. What
31:35
we're trying to do is apply some of
31:37
those same historical lessons to mobile.
31:39
So what iVerify is today is it's
31:41
a mobile threat hunting platform that
31:44
offers a mobile EDR service
31:46
that combines deep iOS and
31:48
Android access automated
31:50
detections and then expert analysis to
31:52
scale advanced threat detection while
31:55
staying true to our roots
31:57
as a company that puts privacy at the center of the
31:59
network. Everything we do, I can see
32:01
you mentioned that. Now it's about deep
32:03
access and instrumentation basically. And you know,
32:06
pulling telemetry and logs offer. You know
32:08
of Android and iOS devices? That's hard, right?
32:10
Because iOS is notoriously, or
32:12
pipe sir. How on earth are you actually
32:14
able to instrument an iPhone in
32:16
a way that's actually gonna tell you
32:18
when there's an attacker messing with. A. Secret
32:22
thought as he says a little bit by
32:25
bit know is that we've death dustbin. The
32:27
big development work that we've done as our
32:29
own company is is take that basic knowledge
32:31
in. Build. The threat hunting capability,
32:33
which is essentially kind of. Product.
32:36
Tithing Mobile Friendly. So so you're
32:38
using external tools for example, to
32:40
the. Turret. A rapidly poll
32:42
forensic data it all off the
32:45
operating system. To. To build
32:47
heuristics to to pool data from.
32:49
From. Kind of our our collection
32:51
of have come naturally occurring honeypot like.
32:54
One of any things stood out to me
32:56
when I joined is just how widely
32:59
adopted this tool is among the frontline
33:01
folks, the folks who are most in
33:03
the crosshairs of this and the most
33:05
advanced threats. And so that
33:07
gave us an opportunity to work collaboratively with
33:09
that community. To. To gather data
33:12
and to build a sort of collective defense
33:14
where we all shared and pooled data. And
33:17
this is not content to be clear
33:19
like we're not pulling them. you know,
33:21
text messages and images and emails right?
33:23
We're just pulling operating system
33:25
metadata and process information and
33:27
things like that somehow If I guess
33:29
my question still, how are you getting
33:31
that when Apple takes really deliberate steps
33:33
to stop applications from being able to
33:35
do that on iOS. And
33:38
he without getting into that that the
33:40
details. The. Know if leads us to
33:42
get into different it's that elsewhere. Well and with
33:44
not is not that I it is, there's there's
33:46
There's some of the secret sauce that we have
33:49
in terms of how he acts of said you
33:51
know, so that is using the same Apple interfaces
33:53
that exist and we aren't doing anything particularly
33:55
magic. We're not exploiting
33:57
anything or doing anything you're not supposed to
33:59
do. Where. Did you the a lot
34:01
of the existing Apple interfaces but the really is
34:03
more around product eyes and raised around. The.
34:06
Open. There are already mobile friendly tools that you
34:08
can download and Vt is a great tool, but
34:10
it's. It's. Big and cumbersome and you
34:12
have to have a lot of tech savvy so giving
34:14
that to like. A you know a
34:16
human rights activist on the front lines in
34:19
Central Asia is a non-starter, right?
34:21
Whereas if we can build a product, I
34:23
certain that that requires them to click two
34:25
or three buttons and all the data
34:27
gets extracted and pooled and analyzed automatically. That's
34:30
that's going to result in a lot more daily
34:32
been on in. I one hundred percent see
34:34
why you said previously. It's like you know if
34:36
you had to sum up the pitch, it's like
34:39
CrowdStrike on mobile phones, right? Like I have
34:41
played I absolutely cannot arm and you know we
34:43
we do obviously need something like that's Ah, The
34:45
question becomes are like have you actually caught stuff.
34:48
Ah, You know about commercial spyware
34:50
in the wild with results. Oh
34:53
yes, specifically yes. The very first thing
34:55
we did was catch the latest copy
34:57
of Pegasus, which we have and which
34:59
we'll be presenting at Black Hat Asia
35:01
very soon as an die and and
35:03
but we've also that I think that
35:05
the real story though as as we've
35:07
deployed this across you know. Everything.
35:10
From Think Tanks Enterprises. We've.
35:12
Caught a lot more stuff to mint and Iraq
35:14
you have stories of of have some of our
35:16
customers catching all kinds of like. You. Know
35:19
they're not as sexy but they're just as
35:21
valuable and of information for and for enterprises
35:23
in terms of those identify risk risk profile.
35:26
Yeah, I mean here's one story that says
35:28
that's frankly horrifying. I think if you're a
35:31
society. We have a customer, we'll call them
35:33
a large US defense contractor.
35:35
We had a detection the other day. That.
35:38
Years ago of a malicious application
35:40
running on an Android phone
35:42
and we looked into it and
35:44
essentially the application. Looks. Like
35:46
overly that it was left there by a
35:48
large telecom. a large carrier when you dig
35:50
a little. When you dig a little deeper,
35:52
you know. We found out that the it's
35:54
the Same app is running on about three hundred
35:57
devices in the Enterprise. And.
35:59
i know that what it wanted Is this stuff called? It's
36:01
the interface crap. It's bloatware kind of thing.
36:03
Bloatware, yeah. No, no, there's a
36:05
specific one. Anyway, I saw one of
36:07
the As-Enough people do a talk on
36:09
it like 10 years ago and it
36:11
was horrifying. Yeah, well it's pretending to
36:13
be like basically or it is or
36:15
is pretending to be like a demo
36:17
application that has, I mean when you
36:19
dive into it, it essentially has spyware-like
36:21
capabilities. It's certainly persistent and it's on
36:23
about 300 devices floating around in this
36:26
company's fleet. But the interesting part,
36:29
these phones were sold to them by
36:31
their supplier as brand new phones out
36:33
of the box. So someone,
36:35
there's either a supply chain vulnerability
36:37
where someone's going around harvesting demo
36:39
devices from a large carrier, shipping
36:41
them overseas and selling them as
36:44
new and they
36:46
have these essentially
36:48
quasi-malicious applications that are sitting there waiting
36:50
to be a backdoor for someone. Or
36:52
the telco ordered more demo phones than
36:54
they needed and somehow they got packaged
36:56
up. Something like
36:58
that I just think looks like
37:00
a stone-cold mistake somewhere. Whatever
37:03
it is, the point is that for
37:05
starters it was wild because it was a
37:09
carrier application for
37:11
a carrier that didn't exist in that country. It was
37:13
like, it was a US carrier on a phone that
37:15
they had bought and only ever used in the UK.
37:18
It was like, what is this carrier even doing here? It doesn't exist here. But
37:22
when we found the original malicious
37:24
app, then they scanned the rest of
37:26
their devices and found it on 300
37:28
other phones and realized that they'd been
37:30
conned by their own mobile phone vendor
37:32
and then just created this huge gaping
37:35
hole in their mobile security posture. These
37:37
company owned devices. When
37:40
you start to look under the hood,
37:42
suddenly you see the wild west comes
37:44
to mobile devices. We found employees running
37:46
jailbroken phones. Which
37:48
employees are being stalked by their exes. You
37:51
just find all kinds of stuff
37:54
that you would never have thought of
37:56
as the original risk. I
37:59
think that's a real story. I mean, yes, we
38:01
found Pegasus, but we've also found all these
38:03
other kind of, you know, different kinds
38:05
of vulnerabilities that we never expected to find. Yeah,
38:07
and I imagine there's like a lot of a
38:09
lot of crappy consumer apps with really bad SDKs
38:11
and stuff. Do you alert on that stuff as
38:13
well? Yeah, I mean it
38:15
depends. I mean, you know, no, no, we'll
38:17
never claim to have a hundred percent coverage
38:19
But certainly like malicious apps on Android we
38:21
cover, you know, jailbreaks on iPhones. We're
38:23
just all kinds of different things that can
38:25
be vulnerable and we're adding to that list
38:27
constantly, too So look
38:30
another question I guess is which
38:32
verticals Is this
38:34
I mean you mentioned a defense contractor that is
38:37
utterly unsurprising to me that the types of
38:39
organizations that would be buying This are
38:41
the ones that are concerned by You
38:44
know nation-level threats, you know
38:46
intelligent trying to prevent things like intelligence collection
38:49
More so than crime ransomware BEC that sort
38:51
of stuff. Is that about right? I
38:54
think there's two categories because because we we
38:56
have this advanced detection capability We have this
38:58
threat hunting capability So, you know
39:00
anywhere where someone's particularly worried about
39:02
their threat profile, right? As you said,
39:04
right you know that defense and
39:06
government adjacent right space industry that kind
39:09
of stuff Also cryptocurrency
39:11
kind of you know people that whole industry.
39:13
They I mean they keep huge amounts of
39:15
money on their phones. Yeah So
39:18
so anywhere that's a particularly juicy target
39:20
from either a you know Economic or
39:23
a counter espionage perspective or whatnot The
39:26
but remember I verify does come with from
39:28
these sort of privacy routes privacy first routes,
39:30
right? And so there's a whole another category
39:33
of folks who don't Who
39:36
say like I need so as you kind of
39:38
said at the outset, right? I need some sort
39:40
of mobile security posture, but I don't want
39:42
full-blown MDM because say I have, you know, 5,000
38:45
employees BYOD. We need something to make
39:47
sure that they're all doing some basic level
39:49
of security hygiene But they'll never let us
39:51
put you know Profiles management profiles on
39:53
their phones or you know, MDM is just too
39:55
creepy or whatever it is I mean, there are
39:58
plenty of places where we deploy alongside and But
40:00
there are also plenty of places where we're used to
40:03
achieve a basic security posture like like I
40:05
was I was a user So so so
40:07
what you're saying is it's in life and
40:09
death cases and also compliance Well,
40:12
it's it's compliance where you
40:14
care about like where you care about privacy
40:17
or you care about your employees feeling comfortable
40:20
On their own personal devices. Yeah, that's what need
40:22
is actually in the overlap that is really interesting
40:24
Like there's some well, you can do
40:26
this so you don't have to do MDM I
40:28
mean, I don't even think it's about caring about
40:30
your employees. It's just that MDM is a giant
40:33
pain in the you know What yeah, you hear
40:35
that a lot Do that we were talking to
40:37
we were talking to someone the other day who
40:39
manages really large political campaigns in the United States
40:41
And he was essentially Railing
40:43
against the very large I won't name them But
40:45
the very, one of the biggest MDMs out there,
40:47
if not the biggest you can read between the
40:49
lines and figure out who it is He
40:52
was essentially, you know saying I need a PhD in
40:54
order to just figure out how to how to configure
40:56
it so that it doesn't Break my enterprise. Yeah,
40:58
right. So there's this there's these there's it's this
41:01
dual opportunity of There are
41:03
CISOs out there who think that MDM
41:05
erodes trust between their office and
41:07
their enterprise and they'd rather
41:09
spend their political capital on something like two-factor
41:11
authentication, which I think is totally fair and
41:14
And then there's this kind of other You
41:17
know, there's this other aspect of it of operational
41:19
efficiency, which is people they want mobile endpoint security
41:22
But they also don't want to have to get
41:24
a PhD or hire a solution
41:26
engineer in order to implement it All
41:29
right, Danny Rogers, Rocky Cole. Thank you so much for
41:32
joining me to talk through the latest with iVerify.
41:34
I wish you all the best with it. Thank
41:36
you very much pleasure to be here. Yeah. Thanks for
41:38
having us Oh That
41:41
was Rocky Cole and Danny Rogers from iVerify
41:43
there and you can find them at iverify.io
41:46
and that is it for this edition of
41:48
the Snake Oilers podcast. I do hope you enjoyed it.
41:51
I'll be back soon enough with more Risky Biz for
41:53
you all. But until then, I've been Patrick.