Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
0:04
Hey everyone and welcome to Seriously
0:06
Risky Business. I'm Adam Boileau. This
0:09
week's episode is brought to you by
0:11
Trail of Bits who do office really
0:13
proper interesting security researcher Tom talk to
0:16
their cod and Guido this weekend on
0:18
the channel and as usual with that
0:20
guy like whenever you listen to him
0:22
talk you come away with bunch of
0:25
interesting questions and interesting ideas and the
0:27
that's what of it she feeling in
0:29
your brain which is always a good
0:31
sign that when it comes to a
0:34
new and. Interesting security stuff.
0:37
Speaking of top, I don't I'm yeah
0:39
good and I'm here. You I'm doing
0:41
don't wear, I'm up at so this
0:43
week for the news that a you
0:46
wrote up a report that came out
0:48
of Google Mandiant looking into the
0:51
notorious GRU hacking group Sandworm
0:53
and that been I've been around for
0:56
so long that was like there's literally a
0:58
book by Andy Greenberg about Sandworm.
1:00
So what's Mandiant got to say
1:02
about to know what they've been up to
1:05
and you know there? have there been very
1:07
busy I suppose lately there was two interesting
1:09
things in this report. One was that Mandiant
1:12
portrays Sandworm
1:14
as a proliferation risk and the
1:16
idea here is that they were
1:18
risk just because they do all
1:21
sorts of wild and crazy things
1:23
that basically inspire other hostile actors.
1:25
So I thought that was interesting
1:27
in that cyber proliferation
1:29
is different from conventional weapons or
1:31
nuclear where it's the technology, all
1:33
the parts or the designs or
1:35
the intellectual property. And for these
1:37
kind of cyber operations it's just
1:40
it can be as as little
1:42
as just the idea of doing
1:44
this thing that fact the idea
1:46
of going after the power grid
1:48
and Ukraine which was often made
1:50
it pretty pretty early on. like
1:52
that's from to a bunch of
1:54
able to think about crime, infrastructure
1:56
security right? So yeah it's it's
1:58
idea proliferation. Yeah. And in
2:00
the second thing was that
2:02
they stepped through how
2:05
Sandworm has operated during
2:07
the Russian invasion of Ukraine
2:09
so that got a timeline
2:11
of its activities. How it
2:13
initially started off with some
2:16
pretty spectacular destructive operations,
2:18
particularly, but there,
2:21
their action to
2:23
disrupt Ukrainian
2:25
military satellite communications by attacking
2:27
the KA-SAT network. And
2:30
then there was a series of
2:33
disruptive wiper operations
2:35
around the same time as the
2:37
invasion. The kind of period of
2:40
rebuilding and regaining access.
2:42
More destructive operations. And
2:44
then they've, towards the
2:46
latter part, last year
2:48
or so, pivoted to
2:50
more espionage operations and so this
2:53
is interesting for people who are
2:55
trying to figure out what's
2:57
the role of cyber operations
2:59
in warfare. Where's the, you
3:02
know, where do they fit in? How
3:04
do they play with other conventional military
3:07
activities? And so one
3:09
way of looking at this is that
3:11
Sandworm has just been learning by
3:14
doing and it's gradually kind
3:16
of settled on more espionage operations.
3:18
So the report actually talks about
3:21
Albay providing. Excellent
3:23
tactical support the military efforts
3:25
in the field so ext
3:28
helping to extract Telegram, Signal
3:30
messages from mobile devices. And
3:33
also interestingly targeting the drone
3:36
supply and logistics networks. And this
3:40
felt like very. Ah,
3:43
The type of things that somewhere
3:45
like an NSA or with thought
3:48
command would not get involved in.
3:50
Buses a competent military would say
3:52
we're going to capture. Mobile
3:55
devices on the battlefield and we're going
3:57
to have some. Ah well
3:59
thought out process from the get
4:01
go to do forensics and incorporate
4:03
that and ingested and it's still
4:06
very much to me Like Sandworms
4:08
is just the group. In.
4:10
The Russian military that never says
4:13
no because I was someone says
4:15
ah, we've got mobile phones. Who's
4:17
who's gonna deal with this. Who
4:20
knows our computer Yeah yeah, some.
4:23
With that they'll discuss yes we'll deal
4:25
with it. Ah we've got a satellite
4:27
network the be want you disrupt can
4:29
you do that? Yes with summoned to
4:31
be honest sounds like a pretty fun
4:33
led by a syringe. We sit around
4:35
during born hacking work and my gifts
4:37
having interesting and strains requirements were you
4:39
have to go build what you need
4:41
to do it. That's
4:44
probably quite rewarding works, but in
4:46
us as they like it, it's
4:48
It's quite a different approach. Them
4:50
block fi imagine it's like. Inside,
4:53
Five Eyes and Western Militaries And
4:55
how we think about both such
4:57
things as well, I think about
4:59
it. Does he have turf wars
5:02
that I kind of arranged before
5:04
the conventional war? So you know
5:06
who's responsible for this? So ah,
5:08
you know, maybe NSA is
5:10
responsible for. You. Know forensics of
5:12
mobile devices from the battlefield but that
5:14
would be sorted out well before for
5:17
actual invasion occurred like he he would
5:19
have this. Bureaucratic. Fight
5:21
beforehand and people to sort it
5:23
out where that feels very much
5:25
like sandworms like to saying yes
5:27
after the fact because no one
5:29
thought about it before. so it
5:31
it it nights maybe I'm reading
5:33
t they see but it felt
5:35
a bit like a i'm a
5:37
sort of reactive never say no
5:39
approach and that that kind of
5:41
to me has. I'm.
5:44
is is interesting in the way
5:46
that Sandworm does so many
5:48
things so they do espionage they
5:51
do destructive they do information operations
5:53
and in a western context you'd
5:56
have organizations going well that's not
5:58
our role, that's someone else's
6:00
role we specialize in
6:03
this and you'd have
6:05
different authorities that actually
6:08
delineate who does what.
6:10
So I just thought that was a very
6:13
different way of operating and because it's so
6:17
expansive or audacious like
6:19
that's why
6:21
it possibly gives
6:24
other actors ideas about what to
6:26
do or how to behave. Yeah
6:28
I mean certainly NotPetya was
6:30
a pretty stunning you know
6:32
I mean when that when that went down like
6:34
that was a pretty stunning thing to watch unfurl
6:36
and then also you know watching it go off
6:38
the rails so quickly and turn
6:40
into you know into a global thing compared to
6:43
something like Stuxnet which went off the rails in
6:45
a very kind of slow motion you know
6:47
long presumably lots of turf wars
6:50
involved process as that escaped
6:52
from from where it was meant to be so
6:54
it's definitely interesting comparing and contrasting those and I
6:56
know when you
6:58
and Grugq have been talking through on
7:01
the Between Two Nerds podcast talking through how
7:04
cyber has been used in the Ukrainian
7:06
conflict it's just been
7:08
really interesting you know seeing our
7:10
understanding you know start to
7:12
you know become a bit more well-rounded
7:14
because before the situation in Ukraine really
7:16
kicked off we were all you know
7:19
sitting there expecting maybe some you know
7:21
cyber Pearl Harbor, all things we've been
7:23
promised for so long that then you
7:26
know as you said Viasat, great
7:28
example of an interesting attack but ultimately
7:30
you know not that effective
7:32
in terms of you know making
7:34
their initial invasion of Ukraine go
7:36
well and you know I
7:38
do wonder you know because the proliferation goes
7:40
like both down into you know criminal groups
7:42
but also to other countries where we can
7:44
look at it and see how
7:46
they've reacted and you know were
7:49
there were their lessons
7:52
like is it too soon to start drawing
7:54
lessons from Ukraine and the way Russia has
7:56
you know done the cyber there or are
7:58
we still you know a couple years out
8:00
from learning stuff? I
8:02
think it's never too soon because
8:05
like the, and
8:07
I say that because you don't
8:09
want to just wait and wait
8:12
and wait before making a decision and
8:14
doing something. And so I think that
8:17
in this case there's lots
8:19
of countries that are thinking about what's the
8:21
role for cyber operations.
8:24
So a couple of things are clear that cyber
8:27
operations are just
8:29
another part of warfare. Right,
8:32
so the entire time Sandworm
8:35
has been involved in the war,
8:37
it's not irrelevant
8:40
to a war. So that's the first
8:43
thing. The other thing is that those
8:45
cyber operations started years and years before
8:47
the war. So it's a regular part
8:49
of how countries I guess
8:52
compete with each other even in
8:55
peacetime. So if
8:57
you're not paying attention even in
8:59
peacetime you're behind the eight ball. So
9:02
you need something. And
9:04
then I think having
9:07
a good espionage capability is a
9:09
must have. Right, that's the first
9:11
thing you would do. And then
9:13
there's still a question about how
9:16
much can you expect from an offensive
9:19
capability. So to me so far what
9:21
we've learned is that there was the
9:23
potential for some of those destructive actions
9:25
to have a significant
9:28
impact. And so
9:30
all countries I think have to be exploring
9:33
what do we do in this space, how far
9:35
do we go and it seems to me you
9:37
should be making some investments but
9:39
not betting the house on
9:42
that kind of operation
9:45
making a huge difference in the war. That
9:50
makes sense and I think the
9:52
Ukraine conflict has also been really interesting in
9:54
seeing how resilient Ukraine has been at weathering
9:57
some of those destructive attacks and
9:59
having banks or telcos, you
10:02
know, having all their computers wiped and all the other
10:04
things that have happened to them. And
10:07
by and large they've recovered pretty quickly.
10:09
And, you know, you look at the the
10:13
Chinese pre-positioning, you know, with the Volt Typhoon that
10:15
we've seen the US, you know, making quite a
10:17
lot of noise about. And part
10:19
of you wonders, part of me wonders, you
10:22
know, like do we think
10:24
that all of that work is going to have
10:26
been effective? Or have, you know, the
10:28
US blunted the effectiveness of that?
10:30
And indeed, even if they didn't,
10:33
you know, is the
10:35
US actually resilient enough to
10:37
weather the sorts of things that have
10:39
happened in Ukraine? Can you imagine, you
10:42
know, Verizon being RMed off
10:44
the internet in the same way that some
10:46
of the telcos in Ukraine have been? You
10:48
know, that's a, you know, we
10:51
can look at this conflict and look at things that
10:54
Sandworm and Ukraine have been doing. But there's, you know,
10:56
the how recovery works, I
10:59
think, has also been really, really interesting.
11:01
Yeah, I think, you
11:03
know, I fall prey to
11:05
the fascination of offensive cyber
11:07
activities. But I think you're right that
11:10
the actual resilience is probably the most
11:12
important thing to take out of the
11:14
war. That rather
11:16
than focusing on an offensive capability,
11:18
you should probably focus on internal
11:21
resilience. Yeah,
11:24
but certainly a very broadly applicable thing
11:26
to have, you know, being able to deal
11:28
with disasters, even if they're natural disasters, not
11:30
necessarily, you know, human
11:33
caused ones. But I'm thinking
11:35
when I, you know, in my pen testing
11:37
time, you know, when we'd sit around
11:39
and talk through with the customer, like, here are
11:41
the things we could have done, how long, you
11:43
know, how long do you think it would take
11:45
you to recover from? And the
11:48
kind of estimates we would get From,
11:51
we can delete your backups, and we
11:53
can encrypt the files or whatever it
11:55
is, turn off your VMware cluster, you
11:57
know, all of those estimates were. Month
12:00
we see the Ukraine turn around,
12:02
recovery and-to switch here they will
12:05
set case of a telco getting
12:07
pretty badly done over, and
12:09
the CEO later came out
12:11
and said that if the
12:14
Russians had been able to go one step
12:16
further, it would have taken months,
12:18
but they'd, they'd stop them
12:20
before. I can't remember what that next
12:22
step was. I think it was wiping
12:24
a whole lot of like thousands of
12:26
devices that were close to college in
12:29
the networks the field. Yes, given either
12:31
you have to roll, traffic gets slayer.
12:33
Yeah, yeah, so I mean there's an
12:35
element of of luck there as well.
12:37
I'm. I
12:39
think you need both. You need
12:41
preparation and a little bit
12:43
of luck or do you make
12:45
your own luck or something like
12:47
that? If your arm bet that
12:49
I think you're totally right. Like,
12:51
Resilience is useful all the time
12:53
for all sorts of reasons. Having
12:56
a top notch offensive cyber capabilities
12:58
is useful in a very small
13:00
sliver of scenarios that hopefully never
13:02
have enjoyed. Anyway, yeah, hopefully hopefully.
13:04
Ah, so one of the other
13:06
things he wrote about this week
13:08
was Section 702 of
13:10
FISA being reauthorized in the
13:12
United States, but we all hear
13:14
it. Risky with Africa pretty. Property.
13:17
Out of a section zebra to put some
13:19
pants coverage and we've had to talk about
13:21
it so often over the years so I
13:24
was thinking the perhaps we could talk about
13:26
not six and seven attempts at one of
13:28
the other things the talked about this week
13:31
though I was this kind of academic study
13:33
the trying to arrive at a fuck up
13:35
a cyber, World Cybercrime Index here. This conversation
13:37
about air about resilience and learning lessons from
13:40
what's been happening to other people of this
13:42
also seemed interesting in the same way as
13:44
a a tell us about this about the
13:46
studied. Gaze I The study
13:49
is really trying to answer
13:51
the question which countries are
13:53
home to most to the
13:55
most cyber criminals. And course.
13:58
I'm black. Cybersecurity
14:00
Cyber crime is a vast field and
14:02
so it. It to
14:04
be dope. Cybercrime. Into.
14:08
Five different. Different.
14:10
Play call them threats. So
14:12
this kind of the country
14:14
that is best at making
14:16
technical products or services, The
14:19
country that posts the most
14:21
attack and extortion taught cybercriminals,
14:23
the country, the Us daughter
14:25
and identity theft scams and
14:27
cashing out money laundering I'm
14:29
and the way they did
14:31
this is they basically got
14:33
together. A selection of
14:35
experts. From around the
14:37
world and so. Ah,
14:40
I take steps to make sure
14:42
that they're not too Anglo-centric
14:44
that got global coverage. They make
14:47
sure or tackle these. take steps
14:49
to try and get credible
14:51
experts and then I just basically gave him
14:53
a survey. And so what
14:55
I thought was interesting is that some
14:58
of the index matches what
15:00
was in my head, so
15:03
no surprise, Russia and Ukraine
15:06
first. I'm
15:08
at. But it was a
15:10
surprise to me to see
15:12
China ranked third overall And
15:14
so the context this was
15:16
a crime index
15:19
and not a state sponsored index.
15:21
So, if you, if
15:24
it's state sponsored of you know
15:26
China is probably one or two
15:28
right, but I don't
15:30
Hear a lot about Chinese
15:33
cybercriminals and so, to
15:35
me, what this index is
15:37
saying is that I
15:39
read a lot of English language reporting
15:41
on cyber crime. Is it? it is.
15:43
And I'm missing out on a whole
15:45
lot of Chinese language. Either
15:47
because it's not reported. I mean, The.
15:50
PRC is notorious for its
15:52
censorship. Or
15:55
it's make it not making it
15:58
into English language and tear. But
16:00
I. Don't. I can search for
16:02
and read about when the the stuff
16:05
without them like a pig book series
16:07
chemicals into the appetizer and in Myanmar
16:09
and so on. Like I remember being
16:11
surprised at the scale of that. I'm
16:13
in. The fact that that
16:16
was targeting a lot of victims in
16:18
China was was interesting because we haven't
16:20
really? Yeah, I don't recall seeing. Cybercrime.
16:23
Targeting. A Chinese audience?
16:25
A much better cause. why would I
16:27
write scan address of that's what? What
16:30
is interesting as is that we do
16:32
have very different perspectives. Yeah, and we
16:34
I used to, you know, Nigerian scamming.
16:36
Big thing because we experienced the appearance
16:38
and I don't know like were Nigeria
16:40
ranks in this particular study but in
16:42
terms of mindshare Nigerian 419
16:44
scammers were pretty early early market
16:47
leader a month. But yeah it's interesting
16:49
to see it on a more globally
16:51
even perspective on this kind of him
16:53
because I you say we'd. We do
16:55
have a Euro centric box. Yeah
16:57
yeah so we're to answer your
17:00
question in specific Nigeria ranked five
17:02
but it was to basically because
17:04
it was top of scam is
17:06
on other things like I'm. It.
17:08
Seemed like such. Dividing it into
17:11
different aspects is useful because he
17:13
my can say look and Nigeria's
17:15
the top scamming nation and then
17:17
it was actually India,
17:20
and then Ghana and South Africa. And
17:22
that fact that kind of makes
17:24
sense. that sort of feels right
17:26
of got a lot of Indian
17:28
scams by lithographic armed force. A
17:30
proclamation? yeah, makes sense. Yeah, I'm
17:33
now. The thing that. Really
17:36
surprise me is that the UK
17:38
actually comes first when it came
17:40
to money laundering and testing am.
17:42
Now that makes sense because London
17:44
is such a financial hub games
17:46
but it is absolutely not what
17:48
I would have thought based on
17:50
the cybercrime reporting
17:52
that I read, you know, my we expect
17:54
that thread to go to casinos in Macau
17:56
or something like that but now like I
17:58
guess it makes sense that financial
18:01
hub is where
18:03
financial stuff happens. So yeah. Yeah, yeah. And
18:05
so to me, that's the kind
18:07
of value in this kind of index is that
18:09
it makes you take a
18:12
second look and think, well, the UK
18:14
is actually a country that would be
18:18
motivated to, I
18:20
guess the word would be crack down on this sort of thing once
18:24
it realises that it's a problem. Yeah.
18:26
And so just pointing out that it's a
18:28
potential problem, like I'm like
18:31
no index like this is perfect because
18:33
it's just kind of a
18:35
sampling of people. A
18:37
lot of fingers in the air. That's right.
18:40
Yeah. And at the very least, it
18:42
should make regulators in the UK have
18:44
a deeper look. You
18:46
know, what's the wider people
18:48
think this? What is, is there a
18:50
loophole that's being exploited? What can
18:52
we do about it? And maybe
18:55
there's nothing there because it
18:57
is an index made up of experts,
18:59
but I think it forces you to
19:02
ask the question that demands a
19:04
second look. And then it's also useful for things
19:06
like capacity building, you
19:08
know, what would
19:11
you like to teach a country? So
19:14
for example, Brazil, Brazil
19:17
comes actually relatively high in
19:19
terms of countries that are
19:22
homes for the technology that's
19:24
used in malware. And
19:26
so Brazil seems like a country where you could get
19:28
some traction teaching police
19:31
forces there how to prosecute
19:33
those kinds of crimes. And
19:36
so it allows you to tailor your
19:38
efforts in different countries to the problems
19:40
that exist or that
19:42
we believe exist in that country. If
19:45
you're thinking about where to spend money
19:47
or where to invest effort in tackling
19:49
cybercrime at its source, it's a useful
19:51
resource that you should have a look
19:53
at. All right, well, excellent.
19:55
Thank you for bringing it to everyone's attention. And
19:58
thank you for talking to us. to be
20:00
today. Pat will be back next week so you're
20:02
probably chatting to him. But yes, everyone, I hope
20:04
you've enjoyed the show and have a read of
20:07
Tom's newsletter. Thanks very much, Tom. Thanks,
20:09
Adam.