The Elonephant in the Room

Episode 320 –

This week on the podcast, we cover a video game that delivered malware through the Steam marketplace before diving into an analysis of a recent Palo Alto authentication bypass vulnerability. We end the podcast by covering the recent activity from the Department of Government Efficiency (DOGE) and the security impact to US federal agencies.


Marc Laliberte  0:00  
Hey everyone, welcome back to the 443 security simplified. I'm your host, Marc Laliberte, and joining me today is

Corey Nachreiner  0:07  
Corey "Death Clock Doomsayer" Nachreiner.

Marc Laliberte  0:10  
Corey is in a bit of a mood today. As we go into our topics, we're gonna start, though, with a discussion on a video game delivering malware through the Steam marketplace.

Corey Nachreiner  0:22  
Video games are fun, so this, your video game subject, won't be depressing at all. It'd be fun, right?

Marc Laliberte  0:28  
Yeah. Then we'll talk about an authentication bypass vulnerability in a popular network security appliance.

Corey Nachreiner  0:35  
If it's not me, maybe that is fun. Yeah, exactly.

Marc Laliberte  0:39  
And then we will end with a discussion on what the heck DOGE is doing with cybersecurity in the US federal government.

Corey Nachreiner  0:48  
I can't find a silver lining on that one, Marc. I can't.

Marc Laliberte  0:51  
No, not great. But with that, let's go ahead and break our way

Corey Nachreiner  0:58  
in. That's what DOGE is doing. [Music]

Marc Laliberte  1:06  
So let's start this week, Corey, with something I first actually saw pop up in the r/Steam subreddit on Reddit just the other day. Last week Valve, which is the owner of Steam, the most popular video game distribution platform, sent out notifications to users that had installed and launched a game called PirateFi, and they noted that the developer had uploaded builds to Steam that contain suspected malware. There was a quote in there; it said, "You played PirateFi," and then the build number on Steam, "while these builds were active, so it is most likely that these malicious files launched on your computer." They recommended, at a minimum, inspecting your system for newly installed software, but also considering reformatting your operating system. Pausing real quick: so PirateFi, it took me a second to figure out, like, what the heck the name was even supposed to be. So they bill themselves as a web3 game, and web3 is code word for cryptocurrency mining and cryptocurrency enabling. So "fi," I assume, is like DeFi, so financial. In this case, I don't know, maybe the name is actually practical, because PirateFi, they're stealing stuff off your computer. Kind of makes sense.

Corey Nachreiner  2:27  
Does it actually involve pirates? I can't tell from the screenshots, but it certainly seems to be tropical, with ocean, but I don't see boats. It looked like a

Marc Laliberte  2:35  
pretty generic RPG game kind of thing, the ones that have gotten very popular these days, with, I think, Ark kind of leading the way, and then a few others after that. But anyways, so the malware itself: yeah, when you launch the game, it unpacks a malware executable to the AppData directory called just Howard.exe. It's a basic info stealer. It steals, like, cookies off your computer. Some users posted Steam reviews under the game saying that after launching the game, their Roblox accounts had been drained, their Microsoft account had been taken over, the type of stuff you would expect to see after an info stealer runs rampant on your computer. Other users noted they couldn't even launch the game because their anti-malware protections were working, and they flagged it as malicious and blocked it from executing. But this actually took an interesting turn after the first time I saw the article. When I went back, there was an update where it turns out the author, or at least someone associated with this PirateFi game, were also on a Telegram channel trying to solicit people to install the game, pretending that there was an in-game chat moderator vacancy. They were going to pay 17 bucks an hour, basically saying, "Hey, you want to make money playing games? Install this one, and we'll pay you to moderate our chat," as another way to trick people into doing it. And the researcher, though, noted that the replies were all suspicious in that they were coming at a consistent speed. They would always get a reply almost exactly 21 seconds after sending a message. So they strongly suspected that this was, like, an artificial intelligence chatbot that they were communicating with here, which I think makes sense. Like, at this point, you can go download a whole bunch of open source, free large language model programs you can turn into chatbots. Like, it's not like they had to hook up to ChatGPT to do this kind of thing.
Anyone can go take something without guardrails and start using it for malicious purposes now.

Corey Nachreiner  4:44  
And a little aside, it maybe doesn't hit completely on today's one. There's no evidence of this; it's just a current, you know, anecdote, or maybe an educated guess based on the time for all these responses you see if you're watching our YouTube video. But we have pointed out how bad guys, threat actors, are using AI more and more, and this year we have a prediction that they'll use it for the entire attack chain. So while this hasn't been proven by evidence yet, I actually probably agree with this person. It seems likely that this person's hypothesis is correct. So just more proof that AI is going to be used by both sides.

Marc Laliberte  5:25  
I'm actually, so I'm a little surprised. I've heard of malware being distributed from Steam before. Obviously, like, Apple and Google's app stores are constant targets for this. I feel like with Steam, it doesn't happen that often, and I'm actually a little surprised with that. Like, yes, I'm sure they do vetting for stuff that gets uploaded there before they distribute it. They probably at least run it through, like, VirusTotal. They definitely don't have, like, humans reversing every single program uploaded to Steam, though, and it feels like it should be a more popular avenue for distributing malware than it is. I agree.

Corey Nachreiner  6:01  
And my question is, do we just not know about it, though, Marc? Has it just not been analyzed? Is your, like, your theory, is my theory, that it probably is a more popular avenue, and maybe no one's looked at it? That seems crazy, because Steam is the biggest platform, but when I look at Apple and Google, it's happened to both of them. And I would say Apple probably has, I mean, both are automated, but Apple might have a few human gates. So to me, it's especially interesting when it gets past Apple's vetting. But it's happened so many times to Play. And Steam is the penultimate gaming platform for PC folks, so I don't know. I wish I knew more about how Valve did it. And to be honest, they're such a small company that owns this huge platform that has hundreds of thousands of games, I see them more like a Google, where they might have automated things but probably may not pay as much attention, even though I also, by the way, think Steam folks are super savvy. Like, they probably understand threats very well; it's just the raw amount of data. Is this a research subject where maybe, if some person dove in deeper, they might find a lot more on the Steam platform than we know about? Corey speculation. A couple

Marc Laliberte  7:15  
hundred grand to go buy every game on Steam for research purposes. Please.

Corey Nachreiner  7:19  
Sounds fun. How much was this one, by the way? If I were a threat actor, this should be free. The ones that I would be worried about are the ones that are completely free, because they want you to have it.

Marc Laliberte  7:32  
Released free as a beta, so, like, a pre-launch thing. It

Corey Nachreiner  7:37  
has since been... Honestly, I don't think you need the budget. That's the manager in me: just go get all the free stuff and analyze it, especially the crappy-looking shovelware that looks like it was put up quickly. And if there's one author that pushes a lot of free shovelware, and they have many, many Steam products, I suspect that's a good one to look at. Yeah,

Marc Laliberte  8:00  
because I do, like, it feels like it's a great platform to do it. Like, maybe I'm generalizing or stereotyping, but based off past history, gamers, as you would label them, are sometimes overly trusting in the stuff they install on their computers. Like, even going back to, let's say, the days of, you know, GameShark plugging into your Game Boy, where it's literally something going in and modifying the code so that you can cheat within your game. That translates into PCs as well, too: people installing cheat packs, cheat codes, whatever, sometimes. I mean, also, since the gaming population skews young, maybe they just don't know any better as well, too. So it feels like prime targets for this type of activity, because a little kid with his mom's credit card hooked up to his Roblox account is still just as good of a target as, like, an adult that actually knows what they're doing. But either way, if you did happen to download and install PirateFi, it's probably time to reformat your computer and start from scratch. Unfortunately,

Corey Nachreiner  9:05  
hopefully, there's so many things on Steam, many people didn't encounter this, other than the folks that go to certain Telegram channels.

Marc Laliberte  9:12  
They were saying in their Telegram channel they had 7,000 downloads. So it wasn't nothing, but, yeah, yeah, it's kind of nuts. Anyways, moving on to the second topic. So Palo Alto Networks just disclosed and patched an authentication bypass vulnerability in their network security appliances, and specifically the management interface for them. This is CVE-2025-0180. Before we dive into it, like, how many vulnerabilities in management interfaces of network security appliances have we seen in the last 12 months? Like, this isn't throwing stones in glass houses. It's like, this is clearly being targeted right now by threat actors. Seems pretty clear. Second piece: how many people still have this crap exposed to the internet in a way where it's actually accessible to a, the

Corey Nachreiner  10:06  
management interface? You mean... Yes, nginx is all over the internet and exposed on purpose, but the management interface better not be.

Marc Laliberte  10:13  
Oh, when I said crap, I meant Palo Alto devices, not their, uh, their architecture.

Corey Nachreiner  10:19  
No. But seriously, go, or fill in the competitor. I

Marc Laliberte  10:22  
say that because I know the number is still way too high of folks that are just ignorant or they're trying to cut corners. And

Corey Nachreiner  10:29  
I don't even think it's sometimes cutting, quite, I just think it's the easy button. I guess that is cutting corners technically, but they just don't... Security, unfortunately, is not high enough in some IT managers' minds, and they just want the easy way to, you know... their pain is they get a call on the weekend from their boss or an executive at the company saying blah, blah, blah is down, this back end is down, and our website isn't taking orders, and they just want to be able to fix it and go back to their weekend. So I understand why the problem happens. It's a mix of lazy or efficiency, depending on how you think about it, but there are plenty of secure ways to still allow you to do that from anywhere with minimal roadblocks, but very important roadblocks to attackers. Exactly,

Marc Laliberte  11:16  
because, even vulnerabilities aside, like, having something like this exposed to the internet is just asking for, like, an authentication attack against it, for example.

Corey Nachreiner  11:24  
Doesn't have to be. Yeah, the VPNs are 90% of the time stolen credentials and no MFA. So it doesn't have to be like this, where there's an actual big flaw. Yep,

Marc Laliberte  11:33  
but in this case, this was a pretty interesting vulnerability, and we lucked out where researchers at Assetnote published their analysis of it alongside the disclosure. They were the ones that originally discovered it and disclosed it to Palo Alto. And it gets a little technical, but it's pretty interesting how they managed to find and exploit this issue. So most, let's call them, like, web applications, which includes management interfaces for appliances like the Firebox that WatchGuard sells as well, most of them use a pretty common web server application on the front end to kind of proxy requests onto other modules within the device, and it's usually going to be nginx or Apache, the two most popular web server applications. Usually you'll have that handle, like, the raw request, let's call it, from the external user. It does something, maybe adds some authentication, whatever, and then hands it off to an internal CGI or other application to do the actual work. And

Corey Nachreiner  12:36  
by the way, I would also, it just may not be part of your point, but even if it's not Apache or nginx, it's probably one of many other open source web servers. Like, most vendors are not going to write their own web server, so there's going to be some web server there, or other web-based framework, that will have vulnerabilities beyond just the appliance itself or the product itself.

Marc Laliberte  13:00  
And as you might suspect, they generally operate pretty similarly, like nginx versus Apache. They're doing something, they're trying to proxy requests onto another application or server, but there are some differences in how they handle requests and how they process them, and so using them incorrectly or with added complexity can lead to some issues, and that's what happened here. So for Palo Alto, they don't just use nginx or Apache. They actually use both. So it starts: a web request received by the management interface first goes to an nginx server, which adds a few specific headers in there, mostly around, like, setting the source IP of the request within a header. There's also an important one there called X-pan-AuthCheck, so PAN, Palo Alto Networks, AuthCheck, which defaults to on, and this tells later applications in this, like, processing chain to check to make sure that this request is authenticated if this header is set to on. Now,

Corey Nachreiner  13:58  
right away, you wonder how easy it is for someone to set it to off without actually being authenticated. Exactly,

Marc Laliberte  14:06  
that definitely feels like a target. Now, not every single, you don't want every single page or resource on a web server to require authentication. Like, for example, the user needs to be able to log in, which means the login page needs to be unauthenticated, but everything after that needs to be authenticated. The way Palo Alto Networks handles it: if the page, the request, starts with unauth, so /unauth/something-else, it matches a rule in nginx that then sets that header to off, meaning you don't need authentication to handle this one. So if you're an attacker, all you need to do is trick the server into thinking that your request path starts with unauth in order to get that header set to false. So let's continue down the processing chain, though. So nginx does that, it sets some headers, and then it hands it off to Apache. Apache then renormalizes the request, and it reprocesses it, and it has a few different rewrite rules in there. So a very popular server-side programming language that's used in Palo Alto but all over the internet is PHP. Remember, last week we talked about ASP.NET; that's another server-side programming language. With PHP, these server scripts are usually a .php file, like login.php or logout.php. But for your users, you typically don't want them to have to, like, type in website.com/login.php. You may not even want that extension on there at all, because it's ugly. It can also give up, like, what the server is doing behind the scenes. So you can include rewrite rules in Apache, where it says, if I get a request for login.php, strip off that .php on the end before handing it to the, like, actual server or relaying it back to the user, so that it can kind of hide that too. There's also some rewrite rules built into the Palo Alto one specifically where if you access, like, hello.html or hello.html.abc, they both end up with the exact same file because of some of the rewrite rules in there.
So basically, a request comes in for something. Nginx adds some headers, checks to see if it should be unauthenticated or not, hands it to Apache. Apache will do some rewrite rules, and if it does end up rewriting the request path, it then processes it again, and then finally hands it off to either the PHP CGI handler, basically the web application that's actually delivering stuff, or, if it's a static file like a CSS file or JavaScript or an image, it'll just hand that off directly. But so, before that last step of delivering the content, there's these kind of three steps that happen: the nginx request, an Apache request, and, if that triggers a rewrite, a second Apache request, and this is where some of that complexity starts to cause issues. So when processing a URL, Apache will try and normalize it. In the world of, like, Linux, it might help to know how you navigate around directories if you're not a Linux user, but if you're in, let's say, Documents, and you type in period period slash, it'll make you go back one directory. That's kind of like the shorthand form for backing up whatever directory you're in. The same thing works when normalizing web requests, too. If you have a dot dot in there, it'll back up to find the file in a parent directory instead. Most web servers have protections around this. That's, like, a super common way to do directory traversal, but there's interesting ways around it. So most URLs are actually encoded, meaning instead of dot dot, you'll get, like, percent 25, percent 25, which is the URL encoding for a dot dot. Most web servers are smart enough to decode that before processing it, too, which means you generally can't just send that in order to do a directory traversal. You can also double encode things, though. So a dot dot double encoded becomes percent 25 2E, percent 25 2E. This is where it gets a little more complicated, where you're really starting to get into different encoding for different characters in here.
But so, long story short, they found, the researchers found that if they requested a hello.html, it's the same as requesting hello percent 25 html, because one of the first things Apache does is it decodes that percent 25 into a dot and then looks up the file. Under normal circumstances, you shouldn't be able to double encode that and still get that file. Like, if you looked up hello percent 25 2E html, Apache would decode it once, it would end up with hello percent 25 html, which is not valid, it's not the file name, it would return a 404. Because of this, like, additional rewrite that was happening in there, the additional rewrite rules, Apache ended up double processing some of these URLs while the nginx server in the front was not, and this deviation in how they were processing the requests coming through is how they found they could trick it into thinking it was going to an unauthenticated resource. So basically, if they used a path that started with /unauth/ and then a double encoded period period, so percent 25 2E, percent 25 2E, and then a PHP file that's supposed to have authentication on it before you can access it, what happened behind the scenes is nginx would process it, see it starts with unauth, and set that auth check header to false, or off. It would then hand it to Apache.
Apache would process it, decode it once, apply its rewrite rules to it, and then run it through again and decode it a second time into that dot dot, which, when it normalized it, instead of being in the unauth directory, it would just go up to the root directory and then let you access that PHP file as it is. So a pretty clever way of abusing this kind of weird interaction, these multiple layers and some of the complexity there, to get a pretty basic directory traversal, which ultimately means an attacker could abuse this to execute any PHP script on the server that they wanted, and potentially then, let's say, execute a create-user PHP script, if it existed, and get themselves an account, or a delete-user one and lock everyone else out of their account. The good news is it doesn't just give you, like, root-level access or code execution on the actual device, but it does let you execute any protected resource that already exists on the device. Pretty interesting research. Yeah, cool. They said they feel

Corey Nachreiner  21:09  
like the main takeaway is, even if the individual products, I guess they both had vulnerabilities, but implementation of even secure processes is as important as the processes themselves. I'm trying, like, I won't give a technical example, but it's the same in cryptography. You can have a very strong cryptography algorithm and then implement it in a way that exposes weakness. So it's definitely interesting seeing how this worked together with two different things.

Marc Laliberte  21:42  
And I'd argue, like, this is a pretty complex way, I'm saying from my ivory, mostly educated tower of software development, but this feels a pretty complex way of handling requests through multiple different engines. And anytime you add complexity to an application or a system, you're just, you're asking for a mistake, or some unexpected interaction within that complexity, leading to a vulnerability, just like this one. So if you do happen to be a software developer, the main takeaway for that is maybe try and simplify whatever you're working on a little bit, and maybe just pick one web server application to serve up whatever you're developing, instead of relying on this daisy chain of two of them. It's interesting. I'm curious what the architectural decision was to go with that. I have to imagine maybe they're in, like, a transition period from Apache to nginx, and, yeah, maybe there's modules around the old one or something. But good news is this was found. It's patched. If you do have one of these network devices, you should be able to update it immediately, and you're hopefully not exposing your management access to the internet, and thus already have it mitigated as it is. Best

Corey Nachreiner  22:57  
advice right there at the end.

Marc Laliberte  22:59  
Yep. So moving on to the last topic. This one, I want to be a little more free form. I feel like it's been about a month now, Corey, and it's time for us to talk about the Elonephant in the room. Elonephant,

Corey Nachreiner  23:15  
yes, there you go with the cool little puns, or whatever you call that fun combination.

Marc Laliberte  23:21  
Exactly. So, try and keep this as unpolitical as possible, but there is a genuine, like, cybersecurity concern or incident, a series of incidents maybe, going on right now in the federal government.

Corey Nachreiner  23:37  
I would say cybersecurity, privacy, which is part of security in my opinion, and even normal security. And I think we've mentioned it once, because we mentioned the Treasury Department, but it really is blowing my mind. And like these, I can't help but let my political stuff leak out. But I want to start this by saying you and me are going to try to look at this completely not politically, and I don't think it should be. Forget who the people are doing this, because if you have political beliefs, you may be pro or against them. I don't really care about that. I mean, I do, but for this topic, I don't. And forget about what the policies are that one side or another might implement. It's the how this is happening that I find deeply concerning. And I mean, we're talking about DOGE. What does it stand for? The Department of Government Efficiency. So the excuse is they're claiming they're trying to find fraud and abuse and bad stuff in the government to get rid of. The reality: I'm willing to bet there's a decent amount of that that exists, oh, for sure, and in many different places, maybe not the ones... I mean, I would argue that maybe what they're picking doesn't have much to do with fraud, has more to do with their beliefs. But yes, like, if you were to do this the right way, I think every side would agree that we want to get rid of unnecessary spending and any fraud or corruption in any business or country, for sure, but the way it's being done has people that I respect, even Bruce Schneier, describing this as the biggest hack that we've ever seen in US history. I think his quote was, "In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history," is what Bruce Schneier says. So to talk about what's happening, obviously we mentioned Musk, we mentioned the Department of Government Efficiency. But the issue is how they're doing what they're doing.
They've gone into a number of different government departments now, and they claim they're going to go for it. They've done the Treasury. They've done a department that pays, you know, that is the Treasury. They've done departments that have to do with DEI, departments that give aid to foreign countries. But the big issue is somehow they have the power to walk into organizations which actually have very deep security rules. In some cases, you need to go through a SCIF to even get in, and they've just bypassed them. The people that are doing this for Musk are largely very young people, including 19-year-old high schoolers who have actual cybersecurity, including a lot of gray hat, background, and they're gaining access to the most secure data, you know, whether it's your personal information as a citizen, including your credit card, going to someone that's a leader of many private organizations, who's also openly talking to Russia and Germany, despite the fact that there's a lot of rules that you shouldn't be sharing privately with those countries if you're working for the government. And my biggest thing with it is, people that get this level of access to these organizations, forgetting even the legality, because they're controlled by Congress, you usually have to pass a background check just to be part of the White House. You have to be somehow made an employee, which I do believe, you know, our president does have the power to pick some employees, but the background check has been skipped. The way they're doing this, it has been skipped. All the people have not had background checks, security classification clearance, and yet we're somehow letting them go into our worst, our most important information, whether it's our private information or deeply national security related information for the country. So I just think it's a topic worth exploring, because I feel like if you're in cybersecurity, you care about the security specifically.
I mean, to be honest, we finally accepted that cybersecurity is our industry, but the formal name for what we do is information security, and this breaks every single information security practice that our government has put into laws and standards. So, so let's, I just think it deserves to be talked about.

Marc Laliberte  28:07  
Let's take a stab at a security angle to start with. I think so. NIST, the National Institute of Standards and Technology, publishes a whole bunch of guidance around cybersecurity requirements, both for security and privacy controls, risk management, whatever. One of the main reasons they put out a lot of these documents is because these are actual requirements that the federal government and federal agencies have to follow. Like, the US government says we need a standard for how we do risk management, and they lean on NIST to go develop NIST 800-whatever the heck it is; we need a standard for security controls, then go develop NIST 800-53, and these become the requirements that federal agencies, both federal and federal civilian agencies too, and even government contractors, have to follow. And so within, like, NIST 800-53, for example, there are requirements around access controls, and this means that agencies must have an actual access control policy and procedure that they follow. And I'm willing to bet that a lot of these actions are not following those procedures, so we're already violating some of the security requirements laid out by NIST for federal agencies. Same with maintaining, effectively, I don't know what the right way to put this is, the health and reliability of a system, and installing untested code onto it is most assuredly a violation of several NIST controls. One

Corey Nachreiner  29:40  
of the other things that's being talked about, one of the things that's hard to talk about on this, is we, and by we, I mean the general public, do not have exact details of everything this group is doing. We have reports from the people who have worked at these organizations for years, sounding alarms. Yes, so I do think that is very valid information, and I think it's very clear just to know they are breaking these rules, but we don't know exactly. So some of the things we're saying haven't been proven yet, but one of the things, I mean, you just mentioned any software or antivirus protections or everything, they have to be vetted, they have to be controlled and decided upon. One of the things I hear these groups are doing is to just make it a pain in the butt to work for the government, and they want to install an obnoxious amount of monitoring tools on every government computer. And there is some level of tools on every computer, even in organizations, that can pay attention to what users do; by the way, even companies do that. But my understanding is they're installing key loggers rather than, you know, security software. Again, some of these teenagers have a history of gray hat hacking and introducing key loggers. Like, let's just take a step back and say, okay, we want to make sure organizations are efficient in getting the right thing from their employees. Businesses have taken a stance that it's fair for us to monitor some of the activity on corporate computers to make sure the right thing is being done. But even if you take that, putting, like, an untested, unsanctioned key logger from a 19-year-old kid who's not part of the government, who hasn't passed security clearances, who has not paid any attention to NIST standards or government standards, that's like putting malware on government systems.
And the bigger issue with this, I mentioned it's hard for people to report on this because it's hard to get evidence, but one of the rules that almost every government agency has is transparency, tracking and public reporting of what's being done. A lot of governments have to document and make public every single thing they're doing. One of the things this organization has done is killed the institutes and their capability, and basically Trump has also given them the power not to have to disclose what they're doing. In a recent news interview I saw just yesterday from the White House, when a reporter asked Elon Musk, what about the transparency of showing the public what you're doing, his answer was, oh, I'm posting this all on X, we're the most transparent, you can see everything I'm doing on X. That's not a government sanction. Like, it's, it's, this is absurd. This is absurd. This is everything that has to do with breaking all the security controls and the vetting that's supposed to protect our government from corruption, and allowing a personal, private party to break all those rules under the guise of government efficiency. So I don't understand why the cybersecurity community has not imploded more, other than obviously Bruce Schneier. Let's

Marc Laliberte  32:56  
talk about the actual like. So like devil's advocate, they want to go in and hunt out stuff, and, yeah, you know, maybe they break some stuff. But, like, who cares, whatever. Like, what is the actual impact of some of this activity, though? Like, what are some of the risks that we're facing because of this, like, untested code or unauthorized access in the systems? I can think of one off the bat that, like your keylogger example, where obviously, they want to store that data somewhere. How do we know that the security for that storage mechanism has been vetted and validated, and that where the connection state

Corey Nachreiner  33:31  
are they using? MFA? Yeah. And on top of this, remember, this is from a single private citizen, someone who has who's getting 10s of billions, if not hundreds of billions, in government contracts, who's targeting organizations that actually have questions and lawsuits about his company, who has all this information, not just about the government, but about you, who's to protect that data from misuse, especially if they're not telling you about the key logger, how it works, or have no actual need to report on their transparency because of a rule that someone that's not in Congress made. And by the way, Congress is the one that actually legally put all of these government institutes into existence. It is actually their job to decide what is being spent or not spent. So that's not, I guess we shouldn't even care about the legal implications, because I care more about the security connotations, but that that key logger is a back door if it's bypassed all the government's checks on checking the tools you put on, and we've given it to control, to it to an organization that does not have NSA level security, let alone the background checks of an average FBI agent. So I and it's so much risk, it's an insane amount of risk.

Marc Laliberte  34:56  
NSA level security isn't exactly a. Uh, we've seen historically that isn't exactly Fort Knox, either

Corey Nachreiner  35:03  
that's true. They have they have risk, or maybe it is Fort Knox, but they have weaknesses too. But I would argue 90% of the government doesn't even come close to NSA level security, and yet, they at least have standards and guidance that is being completely ignored. It makes zero sense, the

Marc Laliberte  35:21  
availability portion of this too now. So one of the early accusations was installing untested code on effectively, the systems that process the trillions of dollars in payments from the federal government to employees and international bodies around the world. Like there is a genuine concern where this untested code at some point in the future, hits a bug and brings the whole thing down, and if suddenly the US, federal government is struggling to start paying stuff that can cause global implications,

Corey Nachreiner  35:52  
unfortunately, and one thing has happened, and remember, who's who's the people pushing the buttons here, Again, this group says they're trying to find efficiencies, but they're not just trying to stop bad actions from happening. There's one organization that claimed that they were already given $8 million it was in their bank account of this institution, and because of DOGE's access to them, they had enough account data to simply remove, I think it was something like $8 million from the bank account of this organization. That's the kind like, if you have an organization that's doing some government purpose, maybe you think it doesn't matter, but some of these things are like providing oxygen to hospitals. And there's people that claim people have already died because a 70 year old, two year old lady wasn't able to get her oxygen. Don't know how to validate that right now, but either way, when an organization that's doing a job, whether you like it or not, suddenly has $8 million removed from the bank and the people that are pushing the buttons, we don't know. You know, they now have all of this data to do just that, from an organization that's supposed to be the most secured in the world, from a person that hasn't even passed a security check and works for private organizations.

Marc Laliberte  37:12  
Yep. So what do we do about it? Corey,

Corey Nachreiner  37:17  
man, I don't know. I think the cyber security industry needs to speak up. I don't care what your politics are. There are the right and wrong ways to get things done. You know, in efficiency government efficiency is actually something I think you could bring all sides to looking for. But just getting someone from the private industry who says, I'm going to go fast and break things, and I don't care who also actually has a history of using the data that he takes in ways that people don't appreciate. That's I think the cybersecurity industry needs to step up more and talk about this. I beyond that, there's not much we can do other than, I guess, vote and care and make your voice heard. But I it's my question is, what are the implications of this on all private industry like while I actually think sometimes private organizations are a little more secure about money, and sometimes governments get C's, we tend to follow the regulations that the government puts out like NIST. Like NIST is something comfort like, if that just doesn't matter. Now, does that mean cyber security is going to matter for not matter for everyone, and you're comfortable with the wild west where the best hacker wins? Yeah. Does it matter? I don't think FedRAMP is worth the paper it's written on anymore. You have all these lovely things you're trying to require vendors to do, and yet you've broken all of your own rules in the key Institute of the United States. So I personally think I want, if you're a company that sells to that level of government, FedRAMP is probably a good thing, even though it's an expensive and onerous regulation to get to there's a good reason for it, but now, when you see this happening, FedRAMP doesn't matter. You guys stop the joke of requiring FedRAMP. You obviously your leader does not care.

Marc Laliberte  39:16  
Well, saves us time and money and opens up a whole other avenue of potential opportunities, right? But,

Corey Nachreiner  39:21  
but my worry is, if we no longer care about security now, you and me have to fight every single emboldened hacker that thinks, hey, if I can get in, I have the right to do what I want. That

Marc Laliberte  39:33  
is the, the last thing I wanted to touch on before we end this is this, some of this activity goes outside of, you know, mucking around in federal agencies and has actual direct cybersecurity implications too. Like CISA is obviously an organization that we talk about a lot on this podcast, partially because they put a lot out a lot of good, interesting analyses. They put out a lot of good guidance for private sector organizations and the federal government organizations. Are responsible for securing they've been without a leader for almost two months now because one hasn't been nominated, and it's clearly not a priority for them. The FBI has had entire cybersecurity investigation forces shut down now as well, too, because they were investigating foreign meddling and things that folks disagree with these are all maybe they aren't going to have an impact tomorrow or the day after, but eventually it will come to a head when we're caught with our pants down and we have not had our defenses up to these

Corey Nachreiner  40:32  
are highly skilled people that are hard to find. We talk so much about the cyber security brain drain, to find the person that actually has the expertise to work for the FBI and NSA, is willing to take a government paycheck, which might be even slightly different than a private paycheck, and show them that you just don't give a crap about them, even if you reverse this, how do you get the that back? Now the good news is I think those people are the ones leading the lawsuits. I will say we haven't. I don't want to get in the politics of this, but according to what I know about the Constitution and our law and the way we develop this country, this is all against the law, and it will go to the courts, and I bet you the majority of courts will say this is wrong to probably end up in the Supreme Court, and depending on your politics, we'll see what happens there. I may be a little cynical, but at least they are fighting back. And I think the rest of the people around regardless of your politics, if you care about I assume the side that elected leaders cares about national security, this is weakening our company, our country's security throughout the globe, and I think it's a very important topic, and I'm happy to know those same FBI cyber experts that may take smaller paychecks. They do it because they believe in the mission, so they will fight, but if they don't have other people fighting with them, I don't know if they will win. So I just hope the cybersecurity industry steps up.

Marc Laliberte  42:04  
In the meantime, grab a bucket of popcorn, because I feel like this is only just the start of all the chaos. Yeah,

Corey Nachreiner  42:14  
yeah. It depends on your your level of excitement of watching the world burn, but it will definitely be a show, so you might as well have some popcorn. I cannot wait until I can go retire off I'm sorry I'm letting my at some point. Yeah, my feelings come out. But I don't think this should be political. This is purely rational, logical, common sense. Secure. Secure things.

Marc Laliberte  42:41  
Yep. Secure, secure things and, holy crap, maybe just stop letting folks come in and rummage around without any oversight. That sounds like a terrible plan.

Corey Nachreiner  42:53  
Anyways, what's a more fun thing? There has to be some good news inside. There's been a lot of shutdowns so that, at least before they were all, you know, threatened to lose their jobs. The FBI has been shutting down more bad guys, so at least, yeah, that and goes off

Marc Laliberte  43:09  
to them. I think we got rid of what an old.io and another like carding site. So yeah, let's end let's win Good job. Hopefully they don't just last tomorrow while they everyone, thanks again for listening. As always. If you enjoyed today's episode, don't forget to rate review and subscribe. If you have any questions on today's topics, suggestions for future episode topics. Or if you want to yell at us for talking bad about Elon Musk, you can find us on Bluesky. I'm at it's Marc.me Corey is at secdep. Dot, Bluesky, dot, social. We're also on Instagram at WatchGuard. Underscore technologies. Thanks again for listening, and you will hear from us next week.

Corey Nachreiner  43:53  
And if you want to challenge us on why we're yelling at Elon Musk and tell me how Doge is doing good things for security, I challenge you to share that maybe I'll bring you on the podcast. I dare always ready for a fight.