LESLEY CARHART
Cronyism does nothing for cybersecurity. Politics do nothing for cybersecurity.
And we're playing a very real game of defending our infrastructure against hostile countries and criminal organizations and terrorist organizations.
And it's not the time to be playing favorites and letting people go because you're angry at how they look or something or what their politics are. We need this organization.
The whole world needs this organization to be competent.
Unknown
Smashing Security, Episode 469: What Your Oura Ring Won't Tell You, with Graham Cluley and special guest Lesley Carhart. Hello, hello, and welcome to Smashing Security, Episode 469.
My name's Graham Cluley.
LESLEY CARHART
And I'm Lesley Carhart, and I'm so chuffed to be back.
GRAHAM CLULEY
It's lovely to have you back, Lesley. And of course, we know you from the world of cybersecurity, but you're much more than that, aren't you?
Because one of the things, I don't know how many people know this, but you are actively into martial arts.
LESLEY CARHART
I am. Obviously moving to another country has set me back quite a lot. My joy is teaching kids.
I love teaching middle schoolers to primary students, and I was very fortunate to find a place that would take me to teach in Australia.
So, getting back into their style of teaching and hopefully onto new and interesting competitions and challenges and gradings.
GRAHAM CLULEY
And the particular martial arts you're into, taekwondo, isn't it? Or is there more than that?
LESLEY CARHART
I have a black belt in taekwondo, as one who wants to make any kind of income doing martial arts has to. And my love is tang soo do and tang soo tao, the older Korean martial arts.
GRAHAM CLULEY
Aha. This is a complete mystery to me, I must admit. So I don't know if it's really crass of me to suggest you're not just a keyboard ninja then.
Is it ninjas who do those martial arts? I don't know. You see, I'm just embarrassing myself now.
LESLEY CARHART
Ninjas have their own martial art, actually. I don't know if it's a real martial art, but I don't want to get in that argument with anybody.
So we're going to just say it's a real martial art called ninjutsu, and they do their own thing.
And no, I will never be a fantastic action hero fighting the bad guys with my fists, but I do love teaching kids and coaching kids.
It gives me a lot of joy in life to teach little people how to hit things and yell loudly.
GRAHAM CLULEY
Yeah, I bet the kids absolutely love that. Well, thank you for joining us today.
We won't be talking too much about martial arts during the course of this podcast, but we will be tapping your brain for cybersecurity advice and wisdom.
Before we kick off, let's thank this week's wonderful sponsors, Expo, Opswat, and Vanta. We'll be hearing about them more later on in the podcast. This week on Smashing Security.
We won't be talking about how a 23-year-old Canadian man has been charged with running HimWolf, fast-spreading IoT botnet that enslaved millions of devices for DDoS attacks.
You'll hear no discussion of how more than 700 legitimate websites have been compromised by a critical vulnerability in the Ghost CMS to launch a click-fix malware campaign.
And we won't even mention how hackers have breached and leaked sensitive documents from a Russian group exposing details of disinformation campaigns designed to stir hate towards migrants and support far-right political groups.
Lesley, what are you going to be talking about this week?
LESLEY CARHART
One of the interesting privacy topics that I keep seeing coming up is wearables.
Wearables for kids, wearables for adults, wearables for fitness and for health and for location tracking. And they always end up in catastrophe, so I've got another one.
GRAHAM CLULEY
And I'm gonna be talking about America's cyber defense agency, which had one job and, well, just how well do you think that they did it?
Plus, don't miss our featured interview with Benny Czarny of Ops SWAT about his new book, Cybersecurity Upside Down.
All this and much more coming up on this episode of Smashing Security.
JOE
This episode is supported by Ops SWAT.
GRAHAM CLULEY
Joe, here's a question for you. What if the entire cybersecurity industry has been doing it wrong?
JOE
The entire industry? That's a bit of a stretch, isn't it?
GRAHAM CLULEY
Well, that's the argument Benny Czarny makes in his new book, Cybersecurity Upside Down.
Benny is the founder and CEO of Ops SWAT, and he spent more than two decades protecting critical infrastructure, you know, nuclear facilities, defense networks, energy grids, the stuff that quite literally keeps the lights on.
JOE
Okay, so what's his big idea?
GRAHAM CLULEY
Well, he says the industry is obsessed with detecting threats. But detection can never be perfect. One dodgy file slips through and your network is toast.
JOE
I like toast. So what's the alternative?
JOE
No, to detecting threats.
GRAHAM CLULEY
Oh, well, how about not even trying to spot the malware? Instead, take files apart, throw away anything that isn't strictly needed, and rebuild a clean version from the safe bits.
The user gets a sanitized working document. The malware ends up in the bin.
JOE
But hang on, who decides what's safe?
GRAHAM CLULEY
That's the clever part. You do. Macros might be allowed for your automation team, but stripped out for finance. JavaScript ripped out of every PDF everywhere.
EXIF data scrubbed from images leaving HR. It's not an on-off switch. It's a policy that you can tune to your business.
So even a brand new attack no one's ever seen before doesn't survive the rebuild. Exactly. There's nothing to detect because it's already gone.
Whether you're a security pro, an executive, or just someone who wants to understand what's really going on in cybersecurity, Cybersecurity Upside Down is technical enough for the experts, but also accessible enough for the rest of us.
Go and grab your copy right now at smashingsecurity.com/upsidedown.
JOE
And thanks to Ops SWAT for supporting the show.
GRAHAM CLULEY
Now, chums, CISA, the Cybersecurity and Infrastructure Security Agency. They are, of course, the US government body.
Their entire reason for existence is to keep the country's critical infrastructure safe from hackers. So they're publishing advisories. They are preaching patching.
You know, they're good at this cyber stuff, right? Or rather, they should be good at this cyber stuff, you'd say.
And yet it's recently come to light that a contractor working for CISA, someone who had admin access to the agency's code platform, created a public GitHub profile.
And there's nothing wrong with creating a public GitHub profile. That's perfectly acceptable. I suppose it rather depends on what you put in it.
And this profile, which I say was public, visible to you and me as well as everybody else on the internet, including the Russians and the Chinese and the North Koreans and the Belgians, you know, take your pick.
He named this GitHub profile Private Caesar. Now, this may surprise some of you listening, but putting private in something's name does not make it private, does it?
LESLEY CARHART
Makes me want to search all of GitHub for the word private, actually.
GRAHAM CLULEY
Yes, exactly. Ctrl+F and let's look for the word private. Let's see what we can find there.
I mean, it's a bit like calling your pet dog well-behaved and then watching it eat the postman. You know, just giving something a name does not necessarily decide its nature.
And inside this public GitHub profile were, sure enough, credentials, private credentials, credentials which shouldn't have been stored publicly, and they were in plain text, and they were the credentials for dozens of internal CISA systems.
There were keys to privileged Amazon GovCloud accounts. That's the locked-down, extra-secure government cloud.
Well, it's not locked down and extra secure, is it, if you're handing out the credentials left, right, and center?
And some of the file names which were up there as well, they were a bit of a giveaway. For instance, there was a spreadsheet of usernames and passwords.
Now, they didn't call that spreadsheet, you know, awful barfel gloop.xls or something like that. Instead, what they called it was AWS Workplace Firefox Passwords.csv.
At this point, Lesley, are you weeping into your coffee?
LESLEY CARHART
I am, not just because of the technical implications or the immediate incident response implications of this, but because CISA is so important, not just to America and critical infrastructure and the defense of water and power and trains.
They've become integral to the whole world. They're trusted advisors for a ton of different friendly countries in critical infrastructure.
And if they're not setting a good example and they're not doing things right, which means, well, we know they've lost a ton of really good talent over the last two years.
LESLEY CARHART
It's a bad sign for everyone because everybody's been leaning on them for a long time and not everybody has entirely independent programs them and their advisories yet.
So bad for everyone. It's just disheartening all around.
GRAHAM CLULEY
It is disheartening. It is depressing. So we got a plaintext spreadsheet, a CSV file containing these passwords and usernames. There was another one called Important AWS Tokens.
The sheer fact that they named the file Important AWS Tokens means, you know, they thought it was important enough to warrant mentioning that in the file name, but they didn't think it was so important that they should be careful as to where it was put, but it was placed somewhere publicly.
Now, GitHub of course has this feature which is designed to act as a safety net if accidents like this happen, 'cause we all accept, you know, human error can occur and you can copy something or you can forget to take your credential out of a piece of code or accidentally upload something.
So GitHub has this feature which if you publish a secret key to a public repository, it goes, whoa, whoa, whoa, you know, hang on, what are you doing here?
Did you really mean to do that? That's an alarm that's there to save you from yourself. But this particular contractor switched off that feature.
They consciously went into the settings and turned it off, which meant that government credentials were available on the open internet. You do a lot of incident response.
I mean, that's one of your areas, isn't it? You're the person who gets called when a disaster occurs.
When you walk into an organization and find someone's quietly switched off a safety tool like that, is that unusual?
LESLEY CARHART
In the space that I work in, in critical infrastructure, not so much.
There's different expectations though, depending on the size and the resourcing and the government ties to an organization.
LESLEY CARHART
Things are pretty bad out there. And I'd say the world has, it's just felt like everything has been getting more cartoonishly dumb or cartoonishly evil over the last few years.
And this is just a prime example of really, really, you did that.
But I've seen people solve remote access — they demanded remote access, but they put the modem on an egg timer so people couldn't turn it on too long.
I mean, people do really crazy things to make their lives easier.
And I see it all the time, but again, there is an expectation of responsibility from the organization that is supposed to be responsible for everybody else's standards and infrastructure.
GRAHAM CLULEY
Yes, that's it. I mean, that's the thing to reiterate here. We're not just talking about any organization.
This is the one which is setting the standards, which is telling other people what they need to do to keep their security top-notch, to prevent compromise, to prevent data breaches, to prevent these sort of snafus happening.
But it appears situation normal, all fucked up, is the norm for them as well, as well as the rest of the world.
LESLEY CARHART
We really can't ignore how many people they've let go though.
They've had marvelous leaders, they've had a lot of amazing talent, and a lot of those people have been removed through blanket cuts, not necessarily even targeted cuts, but then targeted cuts based on things other than their technical aptitude.
Cronyism does nothing for cybersecurity. Politics do nothing for cybersecurity.
And we're playing a very real game of defending our infrastructure against hostile countries and criminal organizations and terrorist organizations.
And yeah, it is not the time to be playing favorites and letting people go because you're angry at how they look or something or what their politics are.
The whole world needs this organization to be competent.
GRAHAM CLULEY
Absolutely. So this isn't just about protecting America. You're quite correct. This is about protecting all of us.
And you're quite right to point out CISA has lost something like a third of its workforce and nearly all of its senior leadership in recent times.
LESLEY CARHART
Do that to your own company. Do that to your own organization and see what happens.
Lay off a third of your IT team, including their senior leadership, and see how you stumble along for a while.
I'm sure there's still really good people there who are desperately trying to keep things running and keep the lights on.
And I don't want to mock them or laugh at them, but oh my God, the cartoonishly evil or cartoonishly stupid things can't be happening.
GRAHAM CLULEY
Yeah. And you know, it's hard to run a tight ship when half the crew is gone, right?
When there's no one there to replace the batteries in the smoke alarm, or when you are now doing the job of 5 different people.
And you're so overworked, you're trying to block all the holes, you're trying to keep everything afloat as hard as you can because you want to do a good job, but you simply don't have the resources or you don't have the expertise or your team has been decimated for reasons which frankly make no sense at all in terms of security.
So I very much sympathize with CISA here.
Obviously this contractor did make an error, a terrible error, but maybe it's understandable in some ways that it didn't get spotted sooner. I'm not sure.
LESLEY CARHART
It had a lot of implications that are very scary, and this should be a wake-up call for everybody, especially other countries that are leaning heavily on CISA.
GRAHAM CLULEY
So the person who initially spotted this was a researcher at GitGuardian, and their initial reaction to it was, well, it must be a fake. You know, this can't be true.
Surely this hasn't happened. But they've since described it as what they described as the worst leak they'd seen in their career.
Anyway, CISA was told about the problem, and to their credit, they took down the repo fairly quickly. And you'd think that'd be sorted.
LESLEY CARHART
Not as quickly as we would've all hoped. Not all of them went down simultaneously, but yeah, I mean, there was a response there, which is good.
GRAHAM CLULEY
Yeah, because what they didn't do was they didn't change the keys that contained inside it. So, they sort of pulled it down, but the exposed keys still worked.
I mean, how hard is it realistically to rotate a credential when you don't fully know everything it touches? It's not necessarily easy to do, is it?
LESLEY CARHART
It's not easy.
And if you don't have a good plan for that, if you don't have a good incident response plan and the people who were the keepers of the institutional knowledge are all gone, that's an easy thing to miss in the complexity of recovery from an incident.
GRAHAM CLULEY
And one of the worrying things was that this could have impacted CISA's own software supply chain, you know, where they build their own code, because if someone was able to get in and place something poisonous in there, then that could have ended up within, you know, a backdoor could have been baked into their code, everything that they ship automatically for who knows how long without getting spotted.
LESLEY CARHART
We don't know. We don't know. And they have to assume breach now. They have to assume everything's compromised and validated.
GRAHAM CLULEY
So their official line is there's no indication that any sensitive data was compromised, you know, which is a fairly standard kind of spiel you get from the press release, isn't it?
But you know, that doesn't mean it wasn't compromised. It means we haven't seen any proof that it has been, which is a very, very different thing indeed. Congress is upset.
They want answers.
I think you've actually already highlighted a very important question, which is what has been happening at CISA in terms of personnel and expertise being fired or let go, or people not being recruited, and why has that happened?
So the truth is you can't fully fix these kind of problems with tech.
You know, CISA could have set a policy that stopped staff and contractors disabling the GitHub scanner, which looks for those credentials, and they probably should have done that.
But nothing on earth stops a contractor going home and opening his own GitHub account and syncing work between the two places for their own convenience.
LESLEY CARHART
Just to give you an example of how crazy critical infrastructure is getting, over the last few years, every contractor, every vendor has wanted to install remote access into critical infrastructure industrial environment.
And the levels of shadow IT that we're seeing in supply chain access into critical infrastructure environments just so that people can do their job and do updates and support things remotely and all the expectations that grew out of COVID might be worse than you think out there.
And people are trying really hard to fix those problems. But, you know, I see this and yeah, it's really bad. Again, cartoonishly stupid mistake. Sorry, it is a stupid mistake.
It's not that shocking to me because of the things I see in things like water treatment and electric and, you know, manufacturing and oil and gas on a regular basis.
It's a tough problem to secure critical infrastructure. But again, the expectation in terms of a government cybersecurity agency is a lot higher.
GRAHAM CLULEY
And there have been cases in the past.
I mean, you're talking about these sort of water systems, for instance, of those sort of systems being hacked via the remote access, you know, because people have the ability to log in from home effectively.
I think there was one famous case where this guy who was working remotely at the waterworks actually saw his mouse moving on the screen and it wasn't him.
And he thought, my PC has been hacked and what on earth is this person going to do?
LESLEY CARHART
Yeah, I think you're absolutely right. It's not a technical fix. That's a cultural thing.
As long as there's— you try to control things only with tech and AI and things like that, somebody is always going to find a way around to make their life easier, to make things simpler, to access from home.
It's always going to happen. That's a cultural thing you have to fix through good management and good leadership and good culture.
GRAHAM CLULEY
Good culture. And also, everyone's working under such pressure these days. Everyone is being expected to do more. Maybe your colleagues have been made redundant.
You're desperate to keep your job.
And so it's understandable you might try and find shortcuts in order to do your job more effectively, whether it's using AI, whether it's accessing systems from home, whether it's setting up crafty little routines, which maybe the IT team wouldn't necessarily endorse, but you're doing it because you just think, well, I've just got to do my job.
And then you end up in a real security pickle.
GRAHAM CLULEY
And don't keep your passwords in the spreadsheet, right?
LESLEY CARHART
I have low standards. The bar is hell in incident response. But yeah, if you could not keep your passwords in plain text in a spreadsheet, that'd be great.
GRAHAM CLULEY
That'd be great.
JOE
This episode of Smashing Security is supported by Xpow.
GRAHAM CLULEY
Joe, let me ask you something. If attackers are using AI to find vulnerabilities faster than ever, what do you reckon defenders should be doing?
JOE
Running around like headless chickens in a blind panic?
GRAHAM CLULEY
Well, I guess that's one option, but a better one might be to fight fire with fire.
Security teams these days are expected to test more apps more often and somehow not slow down development. It's an impossible ask.
JOE
So things end up shipping with holes in them, I guess.
GRAHAM CLULEY
Yeah, pentesting is one of the best ways to find real risks, but most teams simply don't have the time, the budget, or the people to test as much as they need to.
And that's where today's sponsor comes in—Xpow.
JOE
Okay, I'll bite. What does Xpow actually do?
GRAHAM CLULEY
Well, it's an autonomous offense security platform that helps security teams scale. What does that mean in English, Graham?
It means Xpow doesn't just wave its arms around pointing at theoretical issues.
It safely launches tests like an actual attacker would, works out what's genuinely exploitable, and then hands your team reproducible proof so you know exactly what needs fixing.
JOE
So instead of waiting weeks for a traditional pen test, Xpow can deliver full expert-level testing continuously.
GRAHAM CLULEY
And here's the coolest part. It was built by the team behind GitHub Copilot and trained with elite offensive security experts.
It's made for the AI era where defenders need speed, depth and proof.
JOE
Where do people go to find out more?
GRAHAM CLULEY
All you gotta do is head over to Xpow.com. That's X-P-O-W.com to start a pen test today. And thanks to Xpow for supporting the show.
Lesley, what are you gonna talk to us about this week?
LESLEY CARHART
So the inimitable Zach Whittaker has been putting out some really interesting articles on the Oura health and fitness trackers. They're the rings.
I think they sell a number of different devices now, but they're best known for the rings. The rings you wear that do things like body mass calculations and fitness tracking.
And they're very popular. They're supposed to be quite accurate.
And they got a lot of attention a few months back because they signed a contract with the US Department of Defense, a massive contract.
They're a huge customer of theirs to do military fitness tracking and health tracking.
And so that raised a lot of false headlines like they were sending data directly to Palantir and things like that, which there's really no evidence of— it's more of the ethical considerations of this company that's selling a bunch of stuff to defense organizations.
But what Zach found— his wife has one of these trackers.
And when all this came up, he started looking to see what data they could potentially be actually leaking or what data was insecure.
Because we've had problems for years with fitness trackers and health trackers and location trackers for kids, for adults, for everybody.
Everybody loves wearing wearables these days to track everything that they do in their sleep, when they're awake, when they're exercising, their health.
And we know in the case of kids where they are, if they're safe at school, things like that.
And everybody's started wearing these things and they transmit immense data about your location, your health, your fitness, your activity, what you're doing every day, when you're active, when you're not active, when you're sitting at your desk, when you're walking around.
And that's sensitive for very obvious reasons.
Of course, there's a multitude of threat models where somebody wants to know when you're home and if you're healthy, if you're asleep, if you're awake, what health problems you have from a medical perspective.
Everybody from your insurers wanting to know that in the US and for-profit healthcare to a malicious person wanting to know where your kid is.
So it's been a problem for the last 10, 20 years since wearables started becoming a thing. But now we're looking at this Oura Ring and Zach did this amazing security research.
He's a journalist, but he does security research and he took a look at the communications out at the Oura and they're not all encrypted.
There's unencrypted data being sent from the Oura Rings. So really interesting set of articles that he's been running through, just doing more and more research on the Oura.
And it's just such a cyclical thing of us coming back to— yeah, everybody's putting on these trackers and they've got really cool Instagram and TikTok campaigns.
And the bottom line of his most recent article though is he reached out to Oura.
He actually, as a journalist, he reached out to them and he asked them how many requests are you getting from the government and law enforcement for data from these fitness trackers that's unencrypted?
And they gave kind of a boilerplate response. They said, we receive infrequent requests from the government. Infrequent. They have 5 million users something like that right now.
And they said they push back when requests are invalid, overbroad, or inconsistent with our commitment to protect our members' privacies.
Now, of course, Zach did the good journalist thing and pushed back and said, yes, other companies are giving out metrics about how many requests they get from law enforcement a month, a year, et cetera.
Can you give us some general statistics? And basically the answer is, we don't know how to provide those yet in a secure way, so we aren't going to be able to give you those.
So, yeah, good stuff, right? So it brings us back to that conversation of we all love fitness trackers, we all love being healthy and knowing how we're sleeping and things.
GRAHAM CLULEY
I definitely like to have that data too, but be very conscious of the actual technical security policy controls and the actual legal policy controls on the devices that you're wearing all the time and what devices you're sharing that data with and if it's secure.
GRAHAM CLULEY
Yes, it's interesting that they say that they don't have a way of securely relying information to the journalists regarding the nature of some of the requests which they received.
But they seem to have no technical challenges when it comes to actually gathering the data.
LESLEY CARHART
That's what they do. They gather data in an unencrypted fashion.
I'll read you the exact statement was, "we are actively evaluating how to share aggregate data in a way that maintains security and does not introduce risk to our members." And Zach comments after that, "it's been 8 months, dear reader." And I'm like, oh well, I was looking at them.
They looked kind of neat and I'm very much of a tech fitness nerd, and so I've noped out on those, not buying one of those now.
GRAHAM CLULEY
Well, we've got time right now to chat about one of our sponsors this week, Vanta.
JOE
Oh yes, my favorites. What do they do again?
GRAHAM CLULEY
They stop you running your entire security program out of a spreadsheet, Joe.
JOE
That seems aimed at me personally, Graham.
GRAHAM CLULEY
Well, it is a little bit, yes, but you know how most companies have to prove they're secure to customers or auditors or regulators, and the whole thing involves chasing down evidence, filling in questionnaires and forms, updating the same spreadsheet cells over and over again?
JOE
Over and over again. It sounds utterly soul-destroying.
GRAHAM CLULEY
Yeah, well, Vanta automates all of that.
GRAHAM CLULEY
Well, their trust management platform keeps a continuous eye on your systems. It pulls everything into one place and keeps you audit ready around the clock.
So no more staring at the ceiling at 2 AM wondering whether you've got the right controls in place or whether one of your suppliers has been breached.
JOE
The stuff of nightmares.
GRAHAM CLULEY
Yeah, it would be, wouldn't it?
But this Vanta solution uses AI as well, and it's the useful kind, flagging risks, collecting evidence, slotting into the tools your team already uses so you move faster, scale without the headaches, and perhaps actually get some sleep.
JOE
Go to vanta.com/smashing to find out more. That's vanta.com/smashing. And thanks to Vanta for supporting the show.
GRAHAM CLULEY
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
LESLEY CARHART
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily. Well, my pick of the week this week is not security related.
My pick of the week is something that I was doing over the weekend because I left beautiful Oxfordshire, thought, no, I've had enough of all this.
I'm gonna go down to the west of the country. I'm going to go to the city of Bristol because they were having a street art and graffiti festival. It is called Upfest.
It is Europe's largest street art and graffiti festival, and it takes place in the south part of the city of Bristol in an area called Bedminster. And it's wonderful.
Hundreds of artists descend on this corner of the city.
They've got their spray cans, they've got their ladders, they've got a bit of scaffolding, they've got a ridiculous amount of talent, and they just transform the place.
They are painting on the sides of buildings, shop shutters, walls, even the local tobacco factory. All of it becomes a canvas.
And over the course of just a couple of weekends, everything just turns into the most astounding pieces of art. Banksy came from Bristol.
I don't know if people around the world know that. Banksy, very famous artist here in the UK. I think he's done a lot of work elsewhere as well.
LESLEY CARHART
I've been trying very hard to not find out who he is.
I know it got leaked recently, and I've purposefully not read articles and not gone on social media, 'cause I don't wanna know who Banksy is.
GRAHAM CLULEY
Part of his shtick is that he is a man of mystery and who might he really be? And various media organizations have tried to out him. Just let him be. Just let him be.
Anyway, he comes from Bristol and there is this really strong street art community in Bristol.
And the thing I loved about Upfest was, well, one of the things is it's completely free. You don't buy a ticket, you just wander around the streets.
Watching the artists at work on their scaffolding or on their little, what are they called? You know, team that— now I'm gonna have to, how am I gonna edit this?
I've got to the age where I can't remember what a crane, a crane. That's what they're on. They're on the little crane. I was just doing the motions anyway.
And within the space of a few days, the entire neighbourhood looks different from how it looked to the beginning. So it's been running for a couple of weeks.
I think it's running until the end of this week as well. And there's live music, there's street food, everyone's good-natured, it costs nothing, and the art is tremendous.
If you can't make it to Bristol, go to upfest.co.uk and you can see some images of some of the art which is going on there.
But I have to say, if I lived down there, I'd want someone to come and paint something on the side of my house, some enormous mural, because I just think it just livens up the city.
LESLEY CARHART
You need to come visit Melbourne because it's one of the street art capitals of the world. There's even laneways where you're just allowed to paint.
There's no wall out here in the laneway behind my apartment that isn't covered in graffiti and street art and chaos. So incredibly safe city. I feel very safe walking around.
You can leave your phone on the bar at the pub, but if you leave anything out there, your bike will get stolen and whatever is left outside will get drawn on. You would love it.
It's just so great.
GRAHAM CLULEY
I have actually once been to Melbourne and I have to say I loved it because of the street art.
There was a particular couple of roads, I can't remember the names or the area, where there were all these independent shops and boho cafes, and it was all cool.
And I just thought, this place is brilliant. I loved it. So that is a bit like what Upfest was like. I love it. Lesley, what's your pick of the week?
LESLEY CARHART
I thought it was fun just from a nostalgia perspective.
It's such a doom-scrolling year and everything is doom and gloom, but for a fun nostalgic story, Hackaday released an article today actually about how magnets are causing a problem with electronics again.
We've gotten to this era of forensics, and of course I work in digital forensics, and it's a response where, well, for a long time you had to be so careful when you were working on computers, you were collecting hard drives to not get a magnet near anything 'cause it would destroy evidence.
You would corrupt the computer, you'd crash the computer, blue screen it, whatever. And that was a big concern, especially when we had CRT monitors that you had to dig out.
You had magnets all over the place and then you had things that you couldn't come near a magnet.
And that was a big part of computer support and working on things is your screwdriver magnetic and what are you touching with it?
But that hasn't been a problem for a while since we've switched to solid state everything, but it's becoming a problem again.
So magnetic fields actually now cause problems with things like the cameras on smartphones.
So Hackaday went through the disclaimers and the safety notes for several phones and the modern iPhone, there's a warning about carelessly touching attaching magnetic accessories to the phone.
And of course, everything on smartphones today is magnets. You have your PopSockets and your magnetic cases and everything for your car and things. And there's a warning.
It says the optical image stabilization and closed-loop autofocus on the cameras are actually magnetic position sensor-based.
They use magnetic position sensors to focus the cameras, 'cause now you've got all those cameras on your phones.
And if you put a magnet in the wrong place around them, it'll screw the cameras up.
So it's just a fun moment of nostalgia, back to the '90s for me of we have to start thinking about magnets again because we've come full circle and now our analog camera components inside our digital cameras and our digital smartphones can be impacted by magnets again.
And that's interesting, isn't it?
GRAHAM CLULEY
Because so many people, of course, are attaching their phone to their car mount, for instance, with magnets, you see.
LESLEY CARHART
Yeah, I bet you didn't know that it could actually mess up the focus of your camera. It's in the fine print.
It took Hackaday, a researcher at Hackaday, going through the fine print to find this disclaimer and understand the context of the problem they can cause.
So it's a really good article on Hackaday, and it talks about exactly how these assemblies and actuators inside the camera can be damaged or disrupted by bringing a magnet near them.
So watch where you're plugging your magnets to the back of your phone.
GRAHAM CLULEY
Sounds like a good pick of the week. Thank you very much. Well, we've got another guest today, and that is Benny Czarny.
Benny's the founder and CEO of Opswat, a cybersecurity company started back in 2002. And now has over 1,000 staff across 25 countries. Benny Czarny, welcome to Smashing Security.
It's great to have you here.
BENNY CZARNY
Graham, thanks for having me. It's a real pleasure.
GRAHAM CLULEY
Now, Cybersecurity Upside Down, that's the name of your new book. What does that actually mean? Why have you got that title?
BENNY CZARNY
Well, cybersecurity spent decades trying to detect threats faster, detect malware, detect intrusion, detect AI, detect alerts. However, the breaches just continue everywhere.
And the problem is that detection, at least how I see it, is becoming useless. And we need to take the model upside down and to replace detection with file regeneration.
GRAHAM CLULEY
So are you saying that after, I don't know, 30 years of antivirus and EDR and things like that, that's all been a wrong turn that we've been taking?
BENNY CZARNY
Well, I mean, I'm still thinking that, yeah, there is a place for antivirus. There's still a place for firewall. There's still a place for detection-based technology.
However, the model is in many cases wrong and the industry could look entirely different.
GRAHAM CLULEY
Take me back to when you first started doubting this approach of just detecting malware.
I gather from reading your book that at one point you were running 30 anti-malware engines through your multi-scanning product, and it still couldn't quite get the reliability that you wanted.
What did that tell you about the current state of affairs?
BENNY CZARNY
I was actually researching cybersecurity threats, and one of my conclusions is a lot of the cybersecurity threats occur just because of the issue that the antiviruses are failing to predict whether a file is malicious or not.
And then one of the ideas was to create a firewall of data, and then to create a really amazing firewall of data that pretty much intercepts all of the file flow to your organization through file download, file upload through USBs, through email, through everything.
I'll be able to intercept all of that and be able to multi-scan all of the file flow with more than 30 different antivirus engines.
I estimate that the efficacy of a single AV to detect threat in a file is around 50%, with two would be 75%, with three 87.5%, and so on.
So if one with 30, I should have expected 99.99%. That's what I expected. Sounds reasonable. What do you think?
GRAHAM CLULEY
It sounds like a thing to try, at least. So how close did it get?
BENNY CZARNY
It sounds complex. How would you take 30 different antivirus and build a system that scans content fast with 30 different antivirus engines and make it commercial and make it live?
That's a journey, right?
GRAHAM CLULEY
That's a challenge. Yeah.
BENNY CZARNY
But what hit me is that after we released that, we didn't get 99.99. We got 99.92 to 99.94.
GRAHAM CLULEY
Not as good as you were after.
BENNY CZARNY
What do you think? Is that good enough?
GRAHAM CLULEY
Not when you have thousands and thousands of pieces of malware out there and you're maybe scanning millions of files.
For all of that effort, you would expect a higher performance, wouldn't you? And I suppose this is what's led you to this thing called CDR.
And CDR, this is Content Disarm and Reconstruction. Can you explain that?
BENNY CZARNY
By the way, I really prefer the term data sanitization. I mean, I call it CDR because Gartner called it CDR, so I have to call it CDR. Because I mean, data sanitization is cleaner.
Also, you can use it as a verb, say I sanitize something. CDR also alludes that you need to detect the content.
Content disarm, so alludes that you need to detect the content and disarm. Data sanitization is much more deterministic because you sanitize the data.
It's a better definition of what the technology really does.
GRAHAM CLULEY
So this is where you're looking at the Word documents, the PDF files, and in plain English, what are you doing to keep malware threats out? What is data sanitization doing?
BENNY CZARNY
So it's very simple. You assume the file is malicious. Your operating assumption, Graham, you assume that the file is malicious. All of the files are malicious.
You know, your JPEG, your videos, your movies, your images, your PDFs, everything.
So when you regenerate a new file that looks exactly like the files that you expect to get, just because you regenerate it yourself, you know it's safe because you regenerate it in a safe environment that complies to a data structure that you just regenerated.
GRAHAM CLULEY
So say my auntie is working in an office somewhere. She receives a Word document from maybe somebody she doesn't know.
What are you doing to that Word document before, I guess, she opens it on her computer?
BENNY CZARNY
Let's maybe take even a simpler approach. Let's talk about a JPEG, maybe an image. An image is simpler. So let's say that someone is sending her an image.
And so what happens is that she's not going to actually open the original image being sent to her.
The system will take this JPEG, this image, will identify, oh, this is an image, and then parse through this image and then actually look at what's the content.
Actually, an image as a JPEG has 6 different pointers, go and take the data file and then create a new image that looks exactly like the original image. Have the exact same size.
If it's going to be, let's say, half a megabyte, it's going to look half a megabyte, it will look exactly the same.
However, it will not be the original image that was sent to your auntie.
It will be a new image that the system generated that will be clean of malware and buffer overflows and stenography.
And we know it because the system generated it because, you know, we know how a JPEG file structure looks. And that's the essence here.
So we assume there is malware, the regeneration pretty much is gonna be clean because of this assumption.
GRAHAM CLULEY
So you are doing this on all images which are coming in? Right. So this isn't a utility which is cleaning a file. You are rebuilding it from scratch.
And there's a great story you tell in the book about how back in, I think it's 2018 or something.
You and your wife are watching TV and there's a show called Homeland on, and someone in the show downloads a JPEG. And it turns out to be ransomware.
And well, maybe you can tell me the story.
BENNY CZARNY
First, it's a true story. It was Carrie from Homeland, by the way, great show, Homeland. And it was, I think it was season 8. And she said it can't be real. And she's very familiar.
She works at OpsWorks and also she's designing some kiosks and some components. And she says it can't be real that an image also has this capability.
And I was beating myself with a stick. How come? I mean, JPEG, there are actually several very known buffer overflows related to JPEG.
BENNY CZARNY
That have been known to actually to carry malware to organizations. So yes, JPEG could be malicious. Video file could be malicious.
And that's not the only reason I decided to go and write the book. However, it was a catalyst.
GRAHAM CLULEY
And I remember there have been vulnerabilities found on Android operating system, for instance, isn't there?
The way it handles, or different apps on some mobile devices parse particular data file formats, and then exploits can happen as a consequence.
BENNY CZARNY
So definitely on Android, you have that on Android. You have that also on Microsoft, that's on a bunch of Microsoft operating systems. You have JPEG issues.
And also in the book, whenever you ask me about the file formats that deliberately, I think it's easier to start with a simple file format such as a JPEG or a BMP or even a video file, not that as simple as it sounds, though I still call it a category as simple.
And then whenever you go to a Word document or anything that, I call it a complex file format.
And also in the book, I go about it, it's why it's complex, because it contains simple file format.
And so you need to also understand how to kind of recursively kind of sometimes build more complex file formats and how the systems and the CDR actually doing it as well.
And also I go over in the book in terms of kind of, okay, the risks in simple file formats, in complex file formats, what you can do about it. And also what CDR can do for you.
GRAHAM CLULEY
Now, we've spoken about it being used against JPEGs. You've just mentioned Word documents.
There are situations though, where a Word document will have completely benign macros in it, for instance, where they do actually serve a purpose.
So is it that you're gonna wipe out the macros for everybody inside the organization? Does everyone end up with neutered data files as a consequence? Not necessarily.
BENNY CZARNY
I mean, the CDR is not a true or false, not a yes or no. It's not antivirus technology, you turn it on and it's malware or not malware. CDR requires configuration.
And for example, if you go to the Word document, you need to decide, okay, are these scripts allowed or not allowed? Are these macros allowed or not allowed?
Are these links allowed or not allowed? And you can have it in configuration. Whenever you go to organizations, in some cases you have allowed scripts and not allowed scripts. Yeah.
And you'll be surprised. Found that many scripts that are permitted in large organizations in Word or Excel or PDFs, only a few.
And actually most of the scripts that organizations face are mainly malware.
So it's very easy to just identify what are the only ones, the macros and the scripts that are allowed in specific organization, and then just kind of pretty much block everything else.
It's easier to go on the whitelist, not on the blacklist.
GRAHAM CLULEY
Well, we've talked about a handful of different file formats, but it must be the case that your product handles a really wide, I mean, how many file formats do you handle?
How many can you sanitize?
BENNY CZARNY
How many file formats do you think exist, Graham?
GRAHAM CLULEY
I have no idea, Benny, you tell me. Yeah, give me a guess. I'm going to say 304.
BENNY CZARNY
More than 10,000.
BENNY CZARNY
We don't support that many. We support only several hundreds. I mean, the most common ones. Yes. Or there are more than 10,000 file formats.
By the way, some of the challenges we ran into with file formats are the versions. I mean, I'll give you an example. PDF has 9 different versions, right?
And every time you have a new version, then you need to make sure that the sanitization is applying to different versions of this technology.
So that's something that also is, you need to take into consideration.
GRAHAM CLULEY
And you've got to keep on top of this as new file formats come out or as the companies which have the popular file formats come out with new versions, you've got to handle those new iterations and new features, which maybe they're putting into the file formats.
You must be dying for the days when everything was an ASCII text file.
BENNY CZARNY
Yeah, we do a lot there. Obviously we leverage a lot of generative AI to do that. We have lots of backend tools. We also have our own defined language to go and do that.
So we do a lot too.
GRAHAM CLULEY
It's a lot of fun to develop this technology, a lot of IP behind.
Now, of course, the threat landscape has changed enormously since you were watching that episode of Homeland back in 2018, and not least because of artificial intelligence.
Why does this approach matter even more now in the age of AI?
BENNY CZARNY
So AI actually making everything so much faster because the malware is being created faster, it mutate faster, and we discover vulnerability faster.
The social engineering is done faster.
Also scaling the attacks is done better with actually with very much with little cost and defenders are actually still working in still in the same reactive model.
Let's detect the threat. Let's kind of apply another. So see, so what can you do now?
And with this technology, especially when you apply it on files, whenever you're operating assumption that all of the file flow to your organization is malicious, it's extremely deterministic to prevent any threat, which includes AI-borne threats.
I give you examples.
A couple of months ago, hackers used Anthropic and uploaded malware to Anthropic, and actually Anthropic released that to better the malware, to create a, a polyforming malware based on Anthropic.
So think about that. You upload malware to Anthropic and asking Anthropic to — Anthropic is a very protected model.
Anthropic actually spit back Word documents and PDFs that are infected with malware to pretty much penetrate and create malware models.
Actually, Anthropic was very fast to react and close that gap.
However, think about hundreds and thousands of other LLM models you can actually download offline that hackers remove the protections from and now leveraging that to create other zero-day, FileBorne threats to other organizations.
GRAHAM CLULEY
It really has democratized cybercrime, hasn't it?
It's given this incredible tool to cybercriminals to develop new malware, to rewrite existing code, and to generate threats at a rate which we haven't seen before.
BENNY CZARNY
The second thing that CDR can help you with generative AI is to protect the LLM data lakes.
So another challenge that you have is that if your data lake is infected with malware, then anything you have in the data lake is gonna be aggregated by the LLM.
So you want to just make sure that anything entering there is also the same issue. And so anything into the data lake is being CDR'd as well.
And that's another thing that I would at least strongly recommend.
GRAHAM CLULEY
So. Now you spend a chunk of the book addressing directly, I suppose, regulators and policymakers. What's the message you would want them to take away from Cybersecurity Upside Down?
BENNY CZARNY
First, read it, and number two, apply it.
I mean, I spent actually reading many of the compliance mandates and also working with CEOs and CISOs trying to decrypt those and apply those.
And many policies are not specific, unfortunately. And also many of them are not applying CDR. At least domestically and also in the UK, Graham, not enough.
I've seen a few countries that has decent CDR executive orders that are somewhat decent, though I haven't seen enough move and push globally this technology deserves, or at least I believe deserves.
And it's very easy to add, by the way. It's very, very easy to add. And I think that a part of that is ignorance and education. And I'm hoping this book will help. And think about it.
If you go to GDPR or PCI DSS, or you go to HIPAA, or you go to NERC CIP, or you ask different governments to add a simple executive order to add CDR to data flow for critical infrastructure and other organizations really matters for these countries, it could decrease the attack surface dramatically.
And if they are listening to this podcast, I'll send them a free copy if they're interested again. I mean, we're not the only CDR vendor out there.
However, if it's going to help them, not a problem. Sometimes governments, you know, they're finding their challenge to spend $20 on a book, I'll send it to them.
And because the value is real and the benefit is real and the ROI of this technology, and by the way, this is chapter 5, is real and effective.
I'm a strong believer in that and otherwise I wouldn't be here. And I mean, we have more than 2,000 customers leveraging that, using that. And I'm seeing this technology in action.
I regret that it's not applied and documented in compliance as it should.
GRAHAM CLULEY
Well, we're nearly out of time, so let me just ask you one big question.
Any listeners who are listening to this right now, what would you take them to take away from this conversation or indeed from the book?
BENNY CZARNY
So question your detection. I mean, whenever you look at your antivirus or anything or AI-based antivirus to predict whether a file is malicious or not, definitely question that.
The efficacy you see on antivirus is mainly about protecting a device, not predicting whether a file is infected or not.
If you're looking to truly prevent cybersecurity threats, really consider to take your model upside down and to regenerate the files. It's not as hard as you believe it is.
And you can gain a lot by that, especially if you're looking to prevent AI-born threats.
GRAHAM CLULEY
Well, if anyone's interest has been piqued by this conversation, they can go and grab a copy of Cybersecurity Upside Down by Benny Czarny.
All you've got to do is go to smashingsecurity.com/upsidedown and that will take you to the right webpage. Benny Czarny, it's been a fascinating conversation.
Thank you very much for joining us today on Smashing Security.
BENNY CZARNY
Thanks for having me.
GRAHAM CLULEY
Well, that just about wraps up the show for this week. Thank you so much, Lesley Carhart, for joining us. I really appreciate you giving your time.
I'm sure lots of listeners would love to find out what you're up to and follow you online. What is the best way to do that?
LESLEY CARHART
I am terminally online on every platform except for X under the handle Hacks, the number 4 pancakes. That's Hacks 4 pancakes.
I have a blog, I do mentoring, I speak all over the place. I want to speak at your conference. Reach out and sign up for time with me for a mentorship.
GRAHAM CLULEY
And of course, I'm on social media as well. You can find me, Graham Cluley, on LinkedIn, or you can follow Smashing Security on Bluesky or Mastodon and all the usual places.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify, and Pocket Casts.
For episode show notes, sponsorship info, and the entire back catalog of 469-ish episodes, check out smashingsecurity.com. Until next time, cheerio, bye-bye. Bye.
You've been listening to Smashing Security with me, Graham Cluley, and I'm ever so grateful to Lesley Carhart for joining us this week.
And this episode sponsors Expo Vanta and Ops SWAT, and also to the following fine folks who are members of Smashing Security Plus.
So I'm going to thank Butterfly, who has floated into our Patreon community and to Pete Smith, who appears to be the owner of an incredibly straightforward name for one of our supporters, I have to say.
Also huge thanks to Stephen Castle, Nigel Scott, Darryl Green, Richard Van Liesum, still the most aristocratic sounding name on the list, Richard Anand, Bash0ra, they've replaced a vowel with a zero and we can respect that.
Rich, and the Green Girl, who remains as enigmatic as ever.
These are just a few members of Smashing Security Plus, which means that those people get their episodes ad-free, and they also get them earlier than the general public, and they can have their names pulled out at random at the end of the show to be mercilessly mocked.
If that sounds the kind of thing that you'd enjoy, why don't you join Smashing Security Plus? Plus as well.
Just head over to smashingsecurity.com/plus for all of the details and you can become a patron too.
Now you can also support the show in plenty of other ways which don't cost a penny.
You can like, you can subscribe, you can leave a 5-star review, and you can tell your friends about the show. Recommend it to them. Go on, spread the word.
Every little bit helps and I really do appreciate it. Well, thank you for tuning in and I hope that you'll join me again next week. Until then, cheerio, bye-bye.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.