Security Conversations

Three Buddy Problem - Episode 14: The buddies are back together for a discussion on Juan’s LABScon keynote and mental health realities, Microsoft rewriting the Windows Recall security architecture, a new CVSS 9.9 Linux CUPS flaw, Kaspersky's controversial transition to Ultra AV, and the intelligence operations surrounding exploding pagers in Lebanon.

(This episode is dedicated to the memory of Jeff Wade from Solis, who was an important part of the LABScon family.)

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• The Consolation of Threat Intel (JAG-S LABScon keynote)
• LABScon - Security Research in Real Time
• Windows Recall gets major security makeover
• David Weston on Windows Recall security reboot
• Critical Linux CUPS remote code execution
• How Israel Built Exploding Pagers — How Israel Built a Modern-Day Trojan Horse: Exploding Pagers
• Apple Suddenly Drops NSO Group Spyware Lawsuit
• CrowdStrike Overhauls Testing and Rollout Procedures
• Microsoft Redesigning EDR Vendor Access to Windows Kernel - SecurityWeek
• Kaspersky Sparks Outrage as UltraAV Takes Over Systems Without Consent
• Transcript (unedited, AI-generated)

Three Buddy Problem - Episode 13: This is a special edition of the show, featuring Juan Andres Guerrero-Saade's full keynote day remarks at LABScon2024. In this talk, Juanito addresses the current state of the threat intelligence industry, expressing a need for a difficult conversation about its direction and purpose. He discusses feelings of disenfranchisement among professionals, the void in meaningful work, and the importance of reclaiming control and value in cybersecurity. Juan emphasizes the need for researchers, journalists, and even VCs, to be the change to reinvigorate the industry and ensure its relevance and impact.

Cast: Juan Andres Guerrero-Saade (SentinelLabs). Costin Raiu and Ryan Naraine are listening to this episode.

Links:

• LABScon 2024
• J. A. Guerrero-Saade on Twitter

Three Buddy Problem - Episode 12: Gabriel Bernadett-Shapiro joins the show for an extended conversation on artificial intelligence and cybersecurity. We discuss the hype around OpenAI's new o1 model, AI chain-of-thought reasoning and security use-cases, pervasive chatbots and privacy concerns, and the ongoing debate between open source and closed source AI models.

Cast: Gabriel Bernadett-Shapiro , Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek).

Links:

• Transcript
• Gabe Bernadett-Shapiro at the Alperovitch Institute
• Introducing OpenAI o1
• OpenAI's o1 model 'cheated' on an impossible test
• OpenAI o1 System Card
• Learning to Reason with LLMs
• LABScon 2024 Full Agenda

Three Buddy Problem - Episode 11: Russia's notorious GRU Unit 29155 (previously tied to assassinations, poisonings and coup attempts) now blamed for destructive cyberattacks for sabotage; FBI and DOJ take down 'Doppelganger' network spreading Russian propaganda; CISA's budget, staff, advisories and YARA rules; Influence Operations 2.0; prolific Chinese hackers and global bug-disclosure implications; North Korean hacking capabilities and 0day expertise.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh), Ryan Naraine (SecurityWeek)

Links:

• Transcript (unedited)
• CISA advisory on GRU Unit 29155 — Russian Military Cyber Actors Target US and Global Critical Infrastructure
• Russian Military Unit Tied to Assassinations Caught Doing Cyber Sabotage
• Doppelganger takedown
• U.S. says Russian bots, RT operatives interfere in elections
• Outsized Impact of a Few Chinese Hackers
• Korean zero-day discovery
• North Korea caught exploiting Chromium zero-day
• #LABScon24 Agenda

Three Buddy Problem - Episode 10: Top stories this week -- Volt Typhoon zero-day exploitation of Versa Director servers, Chinese APT building botnets with EOL routers, the gap in security solutions for network devices and appliances, Russia's APT29 (Midnight Blizzard) caught reusing exploits from NSO Group and Intellexa, Microsoft’s upcoming Windows endpoint security summit in response to the CrowdStrike incident, and the arrest of Telegram’s Pavel Durov in France. Plus, the NSA is launching a podcast.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Links:

• Transcript (unedited)
• China's Volt Typhoon Exploiting Zero-Day in Servers Used by ISPs, MSPs
• Versa Director Zero-Day Exploitation - Black Lotus Labs
• CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability
• Google TAG: APT29 using same exploits as Intellexa, NSO Group
• Russia's APT29 Reusing Exploits From Spyware Merchants
• Official Pavel Durov charges (PDF)
• WSJ: Pavel Durov's iPhone was hacked by France, UAE
• Microsoft Calls EDR Summit
• NSA to Launch ‘No Such Podcast’
• LABScon 2024 Speakers
• APT29 / Midnight Blizzard

Three Buddy Problem - Episode 9: On this episode, we look at the hacking scene in Taiwan, the sad state of visibility into big malware campaigns, the absence of APTs linked to the prolific MIVD Dutch intelligence agency, the blurring lines between big ransomware heists and nation-state actors caught using ransomware as a tool for sabotage and misattribution.

Plus, Chinese mobile OS vendor Xiaoimi caught disabling parts of its infrastructure -- including its global app store -- to thwart Pwn2Own contestants; and news of an addition to the LABScon 2024 keynote stage.

Hosts: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh), Ryan Naraine (SecurityWeek)

Links:

• WSJ: The Real Story of the Nord Stream Pipeline Sabotage
• MIVD - The Little Spy Agency That Can
• Iran behind Trump campaign hack
• Xiaomi Caught Patching, Unpatching Pwn2Own RCE Vuln
• Dakota Cary on Xiaomi Pwn2Own patch shenanigans
• Transcript (unedited)
• Territorial Dispute by Boldi

Three Buddy Problem - Episode 8: This week’s show digs into Microsoft’s in-the-wild zero-day woes, Patch Tuesday and the absence of IOCs, a wormable Windows TCP/IP flaw that the Chinese government knew about for months, Iran’s aggressive hacking US election targets, CrowdStrike v Qihoo360 and major problems with APT naming conventions.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Links:

• Episode 8 Transcript
• Six Windows Zero-Days Being Actively Exploited
• CVE-2024-38063 - Windows Ping of Death
• Wormable TCP/IP flaw known to China — Chinese researcher Xiao Wei of Cyber KunLun said he discovered the vulnerability “several months ago.”
• Google TAG: Iran steps hacking against Israel, U.S.
• Microsoft report on Iran election hacking
• Qihoo claims CrowdStrike bug exploitable
• CrowdStrike root cause analysis
• LABScon - Speakers 2024

Three Buddy Problem - Episode 7: In this episode, we try to close the book on the CrowdStrike Windows BSOD story, Microsoft VP David Weston’s technical documentation and issues around kernel access and OS resilience. We also discuss Binarly’s PKFail research, secure boot bypasses, Dan Geer and tech monoculture, software vendor liability issues and the need for inspectability in security mechanisms.

The conversation explores cyber angles to train service disruptions in Paris, the history of cyber operations targeting the Olympics, the lack of public acknowledgment and attribution of cyber operations by Western intelligence agencies, and the importance of transparency and case studies in understanding and discussing cyber operations.

Hosts: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh), Ryan Naraine (SecurityWeek)

Links:

• Episode Transcript
• Microsoft VP David Weston on CrowdStrike issue
• Delta seeking damages from CrowdStrike, Microsoft
• Wealthy Russian With Kremlin Ties Gets 9 Years in Prison for Hacking and Insider Trading Scheme
• Industroyer
• Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
• LABScon Speakers
• Livestream from DEFCON 32

Three Buddy Problem - Episode 6: As the dust settles on the CrowdStrike incident that blue-screened 8.5 million Windows computers worldwide, we dig into CrowdStrike’s preliminary incident report, the lack of transparency in the update process and the need for more robust testing and validation. We also discuss Microsoft's responsibility to avoid infinite BSOD loops, risks of deploying EDR agents on critical systems, and how an EU settlement is being blamed for EDR vendors having access to the Windows kernel.

Other topics on the show include Mandiant's attribution capabilities, North Korea’s gov-backed hacking teams launching ransomware on hospitals, KnowBe4 hiring a fake North Korean IT worker, and new developments in the NSO Group surveillance-ware lawsuit.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Links:

• Episode transcript (Unedited, AI-generated)
• Official CrowdStrike preliminary post-mortem
• Microsoft VP David Weston on CrowdStrike outage
• Microsoft VP John Cable on the path forward
• Matt Suiche: Bob and Alice in Kernel-land
• Re-learning Lessons from the CrowdStrike Outage
• Ep5: CrowdStrike's faulty update
• Mandiant Report on North Korea's APT45
• CISA Advisory on North Korea APT45
• KnowBe4 Hires North Korean Fake IT Worker
• Israel’s attempt to sway NSO/WhatsApp spyware case

Three Buddy Problem - Episode 5: Hot off the press, we dive into the news of the CrowdStrike software update that caused blue screens on computers worldwide, the resulting chaos and potential connections to the Microsoft 365 outage, the fragility of modern computing and the risks of new software paradigms.

We also discuss the AT&T mega-breach and the ransom paid to delete the stolen data; the challenges of ransomware and the uncertainty surrounding the deletion of stolen data; the FBI gaining access to a password-protected phone, the prices for zero-click exploits; and the resurgence of APT 41 with expanding targets.

Plus, some news on upcoming keynote speakers at LabsCon 2024.

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Links:

• Transcript (AI-generated, unedited)
• CrowdStrike Statement on Falcon Content Update for Windows Hosts
• Microsoft-CrowdStrike blackout FAQ
• Bad CrowdStrike Update Linked to Major IT Outages Worldwide
• CrowdStrike CEO George Kurtz statement on Twitter
• AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records
• T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’
• LABScon 2024 Speakers