This week on the podcast, we cover Coinbase's recent Form 8-K filing with the SEC, which described an insider-threat incident that led to a ransomware-style extortion demand. After that, we dive into Signal and other secure messaging apps, how they protect communications, and how third-party apps can undermine those protections.
Marc Laliberte 0:00
Hey everyone, welcome back to The 443: Security Simplified. I'm your host, Marc Laliberte, and joining me again today is Corey
Corey Nachreiner 0:08
autocomplete, adding people to my chat. Nachreiner is tab auto complete. Never hurt anybody.
Marc Laliberte 0:15
No, no one at all. On today's episode, we've got two stories for you. We'll start with a review of Coinbase's latest Form 8-K filing with the Securities and Exchange Commission, which, oh, I promise you
Corey Nachreiner 0:28
great. I bet it's full of really good news for Coinbase.
Marc Laliberte 0:32
I promise it's more exciting than what you might expect from a Form 8-K SEC filing. But after that, we will talk all about the Signal messaging story that's been bubbling up for the last two months, some cyber attacks that have occurred from third-party applications used with it, and really what it means for data security, communication security, and US national security. With that, let's go ahead and text our way in. Yeah,
Corey Nachreiner 1:02
put all your things on TeleMessage. Marc
Marc Laliberte 1:11
So Corey, first off, welcome back.
Corey Nachreiner 1:15
It's been a while. Yeah, you've had some great shows, though, with Adam and others.
Marc Laliberte 1:19
Yeah, it has been a while. Hopefully your work travel and your vacation travel was nice.
Corey Nachreiner 1:25
It was busy. Vacation was fun. I think you and I are both starting up again soon though, so we'll see if we have any road podcasts.
Marc Laliberte 1:34
100%. So let's jump in this week though. So I guess, real quick, last week I had, like you mentioned, Ryan Estes from the WatchGuard Threat Lab on to talk all things ransomware. Super interesting. He's our ransomware expert, but one of the things he mentioned during that episode that we talked about for a bit is that ransomware operators are increasingly shifting away from encrypting files and instead focusing just on stealing data and then threatening to leak it for the extortion demands. And just a couple days after we recorded that episode, Coinbase, the big US cryptocurrency exchange, published a Form 8-K with the Securities and Exchange Commission, which is a required filing for publicly traded companies when they become aware of a security incident that could have a, quote, material impact on their finances. So in the filing, they described a story where, on May 11, they received an email from a threat actor claiming to have obtained data, including customer account information and some limited internal documentation, and this threat actor demanded payment in exchange for not leaking the data. So a traditional, or I guess newer traditional, ransomware attack, but in this case they didn't actually encrypt anything in Coinbase's networks, because they never actually had direct access to Coinbase's networks.
Instead, Coinbase traced this back to a series of incidents that they responded to in previous months, where the threat actor paid multiple contractors and employees who were working in support roles outside of the United States to collect information from internal systems that those support members had access to just for their normal job duties, and then hand it off to the attacker, who then turned around and tried to extort Coinbase to not leak the information. In their filing, Coinbase says that their security team detected these instances of data access without business need and immediately terminated the personnel, and that all the affected customers were notified at the time. But I think something like, what, 70,000 customers, is that the right number, were impacted by this one,
Corey Nachreiner 3:59
just a bit, I think, a meaningful
Marc Laliberte 4:02
chunk of customers. In this case, the data included, like, the usual stuff, names, addresses, whatever, but it also had masked social security numbers, masked bank account numbers, pictures of government IDs, because when you open a cryptocurrency account you have to prove your identity by uploading a driver's license or a passport, transaction history, and then some other corporate data. In their filing, Coinbase said, quote, to the extent any eligible retail customers previously sent funds to the threat actor as a direct result of this incident, Coinbase intends to voluntarily reimburse them after it completes its review to confirm the facts. Also, the company is in the process of opening a new support hub in the United States and taking other measures to harden its defenses to prevent this type of incident, and they believe that the expected expenses will be in the range of 180 million to $400 million. That covers, right now, just remediation costs and the voluntary customer reimbursements related to the incident. They said that after a further review of the potential losses, indemnification claims, and potential recoveries, it could meaningfully increase or decrease that estimate too. That's a massive amount of money from, if you
Corey Nachreiner 5:28
run a cryptocurrency coin and you have an insider threat. But yeah, that is a massive amount of money. Do you think cryptocurrency is now fintech? Do we need to consider them financial services and have all the same regulations so that this crap doesn't happen to the poor schmucks who invest in it? Oh, wait.
Marc Laliberte 5:52
I can hear the sarcasm oozing out of your voice, but I absolutely do think they need to be considered fintech and have a lot of the same regulations apply to them, because they are, period. Like, it's money moving around, and massive amounts of money in this case. But so it wasn't like they directly stole, you know, cryptocurrency from these folks, but a lot of that information can still be used for identity theft, opening up other accounts. Like, we often see attackers buy stolen government identification so that they can use that to open accounts with, like, AWS or Azure in order to spin up infrastructure for their own attacks later on. Because, for example, when someone from, like, China, a nation-state threat actor, goes to hack an organization in the United States, they don't just hack you from China. They go use infrastructure in the United States to go after you. But either way, pretty insane amounts of damages from that,
Corey Nachreiner 7:00
Yeah, big deal. I definitely think, I mean, insider threats are something to worry about. This is just one where it could be just normal employees, but maybe low paid enough, and, you know, being targeted by people kind of asking them to do stuff. But we also saw before other companies that are accidentally hiring fake people, people that are using, like, deepfake technology and setting up in corporations in the United States, even though they're somewhere else, to get a job. But what do you think about all this insider threat, whether it's luring your actual insiders or accidentally hiring the wrong person, which should
Marc Laliberte 7:42
honestly, partner, scare the Jesus out of me, because it is a genuine risk these days. And I think, like you just said, AI-powered deepfakes just, like, supercharge this. It's a threat where now you can even have an interview with someone, they may look and sound like someone in the region you're trying to hire, where in reality they're somewhere completely different, and that makes it even more difficult to spot them with what used to be, like, a relatively easy check: just get them on a video call and see if they actually are someone within the region that speaks the language you're expecting. But
Corey Nachreiner 8:20
this is me, but we live in a Zeitgeist in society right now where I think there's a lot of tension between the richest people, the corporations themselves, and some of the lower paid people. So I wonder if, even if it is your own people, if they are feeling the pain, if they will be more... hopefully, people have ethics regardless of what they make. But can they be enticed to do something they shouldn't because they're not feeling happy or engaged at work, and they realize a huge difference in, you know, what they get paid as someone who does something, and what the board or other people get paid.
Marc Laliberte 9:02
Yeah, but this is where, like, you can use some technical controls to try and spot some of this activity, like things that monitor user behavior. Like, to give the WatchGuard example, ThreatSync+ SaaS smart alerts can catch some of these anomaly-based activities, like high data access rates within a Microsoft 365, or
Corey Nachreiner 9:23
too, maybe with some of the, you know, data exfiltration events that could happen if an insider was doing something nasty. Yeah,
Marc Laliberte 9:30
this is absolutely where, like, anomaly detection really shines, where you know what your users, what your folks in different roles, typically do. You know their access patterns, you know when they're supposed to be working, and if suddenly you start seeing a bunch of data being siphoned off at two in the morning local time for them, or just a huge amount of data that they normally don't have on any given day, like, that is a major red flag that needs to be investigated. I
Corey Nachreiner 9:58
would say this could also be a good reason to have an MSP handle security for you, and specifically adopt something like a managed detection and response service. Like for us, we're lucky, Marc, right? We're a big enough organization, and security is our lifeblood, that we have a SOC. We have tools, not only our own but others, to monitor all these logs we're always gathering and to pay attention to them for anomalies. But I feel like a lot of small businesses never even look at the logs. They have all these security controls doing stuff for them, but they set them up, kind of forget about them, and hopefully they're logging, but the logs are probably just a forensic backup for when something happens, not something they're looking at all the time. And that's not, like, I'm not pooping on small companies. It's just they don't have the time or resources or people to pay attention. But that's why we believe for that market in MSPs and things like MDR services, where your partner can actually do 24/7 monitoring of your logs using the tools you have. So I agree with you, anomaly detection and actually paying attention to security is an important part, but I feel like a lot of small businesses consider security fire and forget. You know, set up controls that block things, but they don't really, necessarily, always have the resource to pay attention every single day. You should be paying attention and seeing what happens in logs to find those anomalies in some dashboard every single day. And if you can't find someone to do it for you, it can be cost effective outsourced. And
Marc Laliberte 11:39
part of that, like, if we're going down that tangent, is even paying attention isn't always enough. Like, you need to understand what you're actually seeing. Like, there's a story that Scott Williamson, our kind of king of MDR, used to always tell that really stood out to me, where there was an end customer. They had everything turned on. They were actually monitoring, like, their WatchGuard EPDR, in this case, their endpoint protection, sitting there blocking, like, Mimikatz execution over and over on an endpoint for the course of, like, a month, and they just said, oh, look, there it is doing its job. It's blocking these threats, without, like, putting two and two together.
Corey Nachreiner 12:16
Who is spawning Mimikatz and why is that happening? I should go look into it, even if it's... exactly, exactly,
Marc Laliberte 12:22
and in this case, that end user ended up still getting nailed by an attack, because ultimately the attacker found, I think it was, like, an Excel spreadsheet, like, something as dumb as that, with credentials to disable endpoint protection. Like, we've got anti-tamper, but there's admin overrides available for it if you turn that on. In this case, the attacker found that eventually, because they were on the network for so long, because no one investigated, and they were ultimately able to succeed, whereas if you had someone that first Mimikatz execution is a major red flag
Corey Nachreiner 12:55
in the company. Like, even if you think you have a red team tester, go find them and ask them, so that, you know... I feel like that's true of a lot of things. I may not be as real world as Scott's actual SOC situations with customers, but like, if you see 20 IPS alerts in a short amount of time, oh, great, our product is working well. But guess what? Someone is also scanning for vulnerabilities, and just because it blocked 20 doesn't mean that it didn't not block the 21st, which happens to be some new zero day or a relatively new thing that doesn't have a signature. So I'm with you, don't just look at all the nice block messages. If you see something repeatedly happening and you don't know why, you need a team to go investigate, or you need a service to go and investigate for you. Yeah, 100%
Marc Laliberte 13:47
so either way, like, it seems like insider threats are definitely a new, not a new frontier, but a growing frontier for cyber attack, especially for ransomware operators. And don't rely on your data backups to save you from ransomware, because they're going to just steal your data and try and get after you that way. So, interesting takeaways from that Coinbase incident and filing. So moving on now to the next major thing, I guess the last, because this is going to take a bit of time, that I wanted to talk about, is, I don't know, a bit of an interesting story with major cybersecurity and just data security implications and national security implications. It's been brewing for the last couple of months, and to start us off, like, give some context: last month, in early April, news broke that officials in the highest ranks of the US federal government were using the messaging platform Signal to communicate in group chats that sometimes included classified information. We later found out that the now former US National Security Advisor Mike Waltz accidentally added a reporter from the Athletic, the Atlantic, to a group chat with other officials discussing military operations against the Houthi group in Yemen. Towards the end of the month, seemingly having not learned any lessons, reporters noticed in a picture taken during a White House cabinet meeting that Mike Waltz was checking text messages in an app called TeleMessage. So we'll talk more in detail on it in a bit. But TeleMessage, it's a third-party messaging app that works with secure messaging providers like Signal, Telegram, and WhatsApp to support archiving chat messages, and so we can assume that they were using this to try and support federal communications archival laws. But in the last three weeks since that picture was taken, we saw exactly what Signal app they were using.
Man, the wheels have just, like, fallen off, where just last week 410 gigabytes of data stolen from TeleMessage was made available to researchers and reporters on the website Distributed Denial of Secrets. This is a website that archives and publishes hacked and leaked documents, in the public interest, they say. And we'll get into some more of that in a bit too. But I wanted to spend, like, the last bit of this episode to talk about just secure messaging apps in general, like Signal, WhatsApp, Telegram, how TeleMessage fits into it, and then just general communication security practices for sensitive communications, whether it's classified information at the highest level or just business discussions that you still want to secure at a day-to-day level for most of our listeners. But I guess, like, to start with, Corey, you are, like, a bit of an expert on this, or at least you've been following one of the founders for a very long time on this. Do you want to talk first about, like, what is Signal and where'd it come from? What does it do? Absolutely,
Corey Nachreiner 16:57
well, Signal is basically, like you kind of said, an open source, secure, encrypted messaging app, so you can compare it to Facebook Messenger, WhatsApp, Telegram, but it's specifically one that was created with security in mind. And you mentioned I follow this person, but I think one of our favorite kind of SSL/TLS researchers who really pays attention to encryption and has found vulnerabilities, even things like some of the early man-in-the-middle attacks on weaker SSL encryption, Moxie Marlinspike. So he was originally making an app that was called RedPhone, and he was kind of trying to create an encrypted voice calling app. You know, Signal, by the way, it's mostly used for instant messaging, but it can do voice calls, video calls. It can send notes, images, all the media you're used to in any messenger app nowadays, but its key thing is end-to-end encryption. In either case, Moxie Marlinspike started it, and to be honest, I do consider it one of the more secure consumer or prosumer apps out there. I think it does a good job of security. He started with RedPhone. If I remember right, Twitter bought them, and also wanted Mr. Marlinspike kind of to help them improve their security too. But he eventually left, and I think he started an organization called Open Whisper Systems, and him and other, you know, partners then turned that into the TextSecure, now Signal, protocol, which is now this Signal app. So really just end-to-end encryption for messaging. And frankly, I use it a lot when I go to DEF CON. If I'm trying to find secure messaging, I have some friends I talk to every day in Signal. I do think it's really good for consumers. I will say, though, like we'll get into, should you use it for something truly secure, like government use? At the end of the day, this is a public, open source app that does connect to other servers that aren't in your control.
So I may not suggest this for government work, but it is a relatively great app for users, and we both, of course, really respect Moxie. Yeah. But
Marc Laliberte 19:15
like, ultimately, Signal uses servers that are owned and controlled by the Signal Foundation, which gets its funding from a lot of different sources, yeah, but centralized. But that end-to-end encryption you mentioned, it does mean that, like, compromising a Signal server generally means you can't just immediately get access to the unencrypted messages. Like, the Signal protocol takes care of the key exchange and authentication of different users. If you're in a chat like me and Corey, and suddenly Corey's account uses a different key, it even displays a warning indicating that either Corey reinstalled it on his phone, or maybe he's under attack, or I'm under attack. But like, the communications are generally safe from a compromise of Signal's infrastructure. In fact, when you see, like, unencrypted chat messages in a courtroom that came from Signal, it's usually because they got a hold of, like, one of the chat participants' cell phones, their devices, not because they got them directly from Signal. But even then, like, these are servers under Signal's control that the traffic is traversing in this case, and an application that is open source and very much consumer focused and not national intelligence focused. So the next piece of this puzzle, though, is the specific app that the White House, like, staff were using, is one called TeleMessage Signal, where it's a clone of the Signal app made by a company called TeleMessage, which is originally an Israeli company that was just recently acquired by another company out of Portland, Oregon, called Smarsh, which, Smarsh, is one of the more interesting names I've seen for an organization, but we'll keep going.
It works almost exactly the same way that the original Signal app does, like, end-to-end encryption from text message app to text message app, but it also allows the user to archive copies of all of their messages to user-controlled destinations like Microsoft 365, or over SMTP to a mail server, or an SFTP server too. But there's several discrepancies, and I'm gonna go ahead and say it, just lies, in how TeleMessage advertises the archiving services. Like, for example, they claim the messages are end-to-end encrypted between the TeleMessage Signal app and the archiving destination. They also claim that the app sends these encrypted messages to their archive service first, which then looks up the archive plan and then immediately forwards them to the user's archive destination, deleting them from that interim archive server in the middle. But security engineer and journalist Micah Lee actually decompiled the Android application and published an analysis in early May that disproves all of these claims. Like, first off, when you use the Microsoft 365 integration, even as described in Microsoft's own documentation for this, it's a pull from that archive server into your Microsoft tenant, not a push, and that pull only happens once a day, which means these messages hang out on TeleMessage's archive server for up to 24 hours before they're retrieved and then hopefully deleted off that server. And second, they are not end-to-end encrypted. They're actually just in plain text hanging out on that server. While the app does use HTTPS to communicate with the archive server, so the connection is encrypted, the messages themselves are sent as just raw JSON-formatted payloads of plain text, showing everything from the recipients, the actual chat content, like the messages, and then metadata around those messages too. So not end-to-end encrypted, potentially
Corey Nachreiner 23:05
marketing, though. By the way, why do they suggest all, like, I just think that's insane. If you're, like, what's the point of doing the liability? And frankly, if you can do it securely, and that's what your market wants, why make all these claims, and then you find out you're not really encrypting anything? It's plain text on your servers. They've
Marc Laliberte 23:26
been around for years. They've been getting away with it for years. So I imagine that's why: shortcuts, fake it till you make it.
Corey Nachreiner 23:34
But it's like this kind of thing always comes out now that we have security researchers.
Marc Laliberte 23:40
I agree, ethics and your security claims are important, because it will always come back and bite you at the worst possible time. So before we get into, like, the actual data breaches that happened earlier in May, let's talk about some of the regulations that govern cloud services that handle classified information. So the US federal government, they use a lot of custom-built applications. Like, they'll go get Raytheon to go build them some custom app that the Defense Department uses that only the federal government has access to. But they also recognize the value in using other widely used services. Like, AWS is an amazing public cloud platform with a lot of scalability built into it. But so if the federal government must use it, there's a specific set of requirements that a very special version of AWS has to meet in order for them to use it, like maintaining confidentiality, integrity, and availability of classified information, or just federal data in general, is really important. So they've got, like, one program called FedRAMP, the Federal Risk and Authorization Management Program, which is a standardized program for security assessment, authorization, and monitoring of services that federal agencies use. Basically, it's designed to make sure, A, there's a minimum security requirement and standards followed, and it lets service providers like AWS, for example, go through, like, one assessment, really ongoing assessments, annually in most cases, but one assessment, one agency, and now any federal agency can use that service.
Corey Nachreiner 25:14
By the way, I'm sure you'll get into some of the requirements of FedRAMP, but isn't it basically, I mean, to use a cloud service, the organization that provides it has to kind of, they have to make a separate cloud service just for the government? Like, it's essentially tenanting off a private cloud for use for FedRAMP, so we can get all of AWS, but among other security requirements, it's not part of the same data that most AWS customers go through. Yeah,
Marc Laliberte 25:43
there's three different impact levels. They call them low, medium, and high, and medium and high do require, like, dedicated tenants for those federal agency services. Systems that handle classified information are assessed at that high impact level, for example. There are strict requirements. They follow NIST 800-53, the controls defined in there, for the actual cybersecurity for it. It's all audited regularly and monitored. There's a lot that goes into this. It's a very expensive process to become FedRAMP certified, which is why you don't see every organization jumping at it, but it is mandatory for all federal agencies and the cloud services that they use in order to transmit or process federal data, including communications. So above and beyond FedRAMP, like, the US Department of Defense has their own standard as well too. They call it impact levels. There's IL5, for example, which is for securing and handling things that handle just unclassified information that's still mission critical. There's IL6, which is a standard for handling classified information, like military operations against the Houthis in Yemen and tactical planning. IL6 requires air-gapped physical separation from unclassified systems, air gap from the rest of the public internet, encryption using authorized and approved algorithms in transit and at rest, and dedicated government-only infrastructure. You're on mute, Corey, but I think you're saying, wow, that's insane and very different from what we were just talking about. I was just thinking,
Corey Nachreiner 27:20
Oh, wow, IL6 is for handling Houthis, and it requires all that stuff. So I guess telling your friends and a journalist about when the attack is going to happen on Signal is probably not a good idea. No. And so neither Signal nor TeleMessage have received either FedRAMP or IL6 authorization. TeleMessage, for obvious reasons. All the messages go through that, and send out the note saying you should not be using Signal. And yes, people did. Interesting. All
Marc Laliberte 27:49
of the messages go through that same archive.telemessage.com server. So our US federal employees using it are commingled on the same infrastructure as Corey and I using it, if we decide to. Surprising to me,
Corey Nachreiner 28:02
I thought they'd be really, really good at national security. I mean, they do drink a lot and are on the news. They must be good,
Marc Laliberte 28:10
yep. Anyways, so for the actual hack, on May 4 and again on May 5, there were credible reports that TeleMessage was compromised, with attackers making off with even plain text chat messages from one or more of their servers. They provided evidence, including chat messages. It's
Corey Nachreiner 28:30
like you don't even need to accidentally add a journalist to it. Exactly.
Marc Laliberte 28:35
They provided evidence, including chat messages from other firms that use TeleMessage, including Coinbase. Again, poor Coinbase is in the news twice in one week. To be clear, Coinbase did put out a statement saying no customer information was compromised in this. It was just employee-to-employee communications that appeared to have been breached as a part of this. But in response to that news, on May 6, I think it was, TeleMessage actually suspended all of their services. They took all their stuff offline, and you'll understand in just a second why they had to do that. Funny enough, they also removed a blog post on their website that described how they created their service specifically with archiving US government communications as a primary use case. That blog post is now gone off their website. But with TeleMessage suspending their services, that original journalist slash security engineer, Micah Lee, published the details about the vulnerability that led to the breach in a Wired article on May 18, and in this article he described his communications with the threat actor, where they describe their thought process, and it's pretty damning. So to quote it, he goes... by the way, I show this video
Corey Nachreiner 29:52
reminds me that I only have a Wired subscription if I'm in Apple News. So unfortunately, I don't see the whole article for our
Marc Laliberte 30:00
viewers. Wow. So a couple of quotes from the article that are interesting. So first off, this is the threat actor talking that he was communicating with. He says, I first looked at the admin panel, which is secure.telemessage.com, and noticed they were hashing passwords using MD5 on the client side. Wow. Like
Corey Nachreiner 30:19
I didn't even get to MD5, and I'm like, why the heck is he looking at the admin panel? Could that be exposed to the internet as a whole, or did he find some way to it, before we even get to MD5 being used for hashing? This
Marc Laliberte 30:33
is presumably how, like, TeleMessage customers interact and manage their archive setups. Yeah. Thanks. But so when you go to log into it, it hashes your password locally, which totally negates, like, all of the benefits of hashing a password. That hash is now effectively the password. You can steal the database, crack it
Corey Nachreiner 30:53
exactly, which would be low barrier anyways, because it's MD5. Yep,
Marc Laliberte 30:59
the password itself was transmitted to the server as a part of the URL path, instead of being in the message body, meaning anything along the way that logs the URLs you visit logs your user credentials. Now to this, don't worry,
Corey Nachreiner 31:12
it's HTTPS. Oh, wait a second, the URL. Oops. Oopsie.
Marc Laliberte 31:18
Exactly. The threat actor then said the weak password hashing and the fact that TeleMessage's site was programmed using JSP, which is an early 2000s-era technology for creating apps in Java, gave the attacker the impression that their security must be poor. And he
Corey Nachreiner 31:36
decided... I think I would come to the same takeaway, Mr. Threat Actor.
Marc Laliberte 31:41
So he loaded up a tool called feroxbuster, which is a tool for enumerating resources that are not referenced in a web application but are still accessible by an attacker. It basically goes through and, like, brute forces common web endpoints depending on the application it's written on, like JSP in this case, and helps find potentially sensitive ones that aren't, like, directly linked within the website. He also used feroxbuster on archive.telemessage.com and found a URL ending in /heapdump. So when you access this URL, the server responds with a Java heap dump, which is about a 150 megabyte file containing a snapshot of the server's memory at the moment that that URL was loaded, which means that, yeah, anything that it was processing in its memory at that time, or even recently, that hadn't been zeroed out of memory or reallocated would be in that heap dump. This includes text messages that it was processing, credentials that it was processing, private keys it was processing. They ended up scraping that 410 gigabytes of heap dumps and providing them to Distributed Denial of Secrets, which anyone, any researcher or journalist, can go download right now. So that, anyway, you
Corey Nachreiner 33:00
can, while we're talking about "go download," Feroxbuster is also a GitHub project. So if you're an aspiring red teamer or a current red teamer, you can go grab it if you haven't played with it yourself.
Marc Laliberte 33:11
Yeah. So that heap dump endpoint, it's a feature of Spring Boot, which is that open source framework for creating Java applications, these JSP applications. Their own documentation points out how sensitive the information is and that developers need to take careful consideration about when they expose that endpoint. There are also articles posted every single month, it feels like, from cloud security companies like Wiz, for example. I found one where they point out, like, this is one of the most common misconfigurations in Java based web applications, exposing this heap dump endpoint.
Corey Nachreiner 33:46
By the way, what I'm showing when I flash through is not articles; this is the actual Distributed Denial of Secrets site where you can currently, actively download this file if you're curious. So, not so secret anymore. No,
Marc Laliberte 34:02
I saw, when I was looking at, like, sources for the story to talk about, I came across a post on the Hacker News website, and one of the commenters had a comment that really resonated with me. So discussing TeleMessage, this, like, fork of Signal to add these capabilities, he said, can you imagine co-opting a trusted and secure and free bit of software and just making it worse at seemingly every turn, and then charging money for it? It's insane. Yeah.
Corey Nachreiner 34:34
So, work, open his fork of Signal and f it up.
Marc Laliberte 34:39
Yeah. So this is, like, exactly why we have data protection regulations for government and really sensitive communications where, like, the reality is, you know, protecting sensitive communications is important, and end-to-end encryption is important. Like, even if you just, like, gave them the benefit of the doubt that they're using Signal, because Signal itself is a secure, currently secure way of communicating. Like, okay, you know it's wrong. They shouldn't be using consumer things for this, but adding in, like, trying to use this third party application to archive the data, all while violating, like, FedRAMP and the aisle systems for classified information, like, this is exactly why these things are in place, is to protect people that don't know what they're doing from shooting themselves in the foot with insecure software and insecure services that ultimately put, in the US, like, our national security at risk. But, like, this could happen around the world. Anyone could have been using these applications and had all of their communications compromised by these stupid heap dumps that anyone on the internet could go pull from the server until it was taken offline. It's nuts. But, like, on the business side, like, Corey, we started this with you and I both like Signal. We think it's a great service. Yeah, it's great for securing communications between people, especially in, like, a high threat environment like DEF CON and the wireless networks there. But when you're using tools like this, you have to be mindful of the third party tools that you might be inclined to install alongside, and that goes beyond, like, messaging apps. Like, many applications you use will have third party tools or integrations that provide, you know, additional functionality on top of it. But those can sometimes, like, undermine the security of the original application you were trying to use, like, undermine the security of the entire browser. Browser extensions
Corey Nachreiner 36:32
and a really good browser, for example. Yeah,
Marc Laliberte 36:37
exactly. Browser extensions is another one. So, I don't know. It feels like this is exactly why we had these rules in place, and they didn't learn the lesson from the first time, and now it's completely shooting them in the foot again. And hopefully, like, our government learns from this, hopefully businesses learn from using third party tools, and just validate and vet what you're actually using and make sure you're actually, like, I don't know, adhering to the regulations that you fall under.
Corey Nachreiner 37:17
Defense for a country like the US, you know, don't add your best friends and everyone you know to a chat about war.
Marc Laliberte 37:28
Yeah, 100% if
Corey Nachreiner 37:30
it's a consumer app that doesn't have FedRAMP protection,
Marc Laliberte 37:35
yes, oh man. But either way, like, again, we still support Signal. Maybe steer clear of TeleMessage if they ever come back, though. I don't think there's a good way to fundamentally secure something that takes your end-to-end encrypted messages and ships them off to a server that they control. Hey, everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate, review and subscribe. If you have any questions on today's topics or suggestions for future episode topics, you can reach out to us on Bluesky. I'm at it's marc.me. Corey is at secadept dot Bluesky dot whatever. We're both also on Instagram at WatchGuard underscore technologies, someone take Corey's emojis, and on TikTok
Unknown Speaker 38:21
yet, no
Marc Laliberte 38:23
not. Thanks again for listening, and you will hear from us next week.