Phone Number +1-202-802-9399 (US)

Thycotic PAM, IT and Cyber Security Podcast
Listen on-demand

401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.

Want to give input on our next cyber security podcast? Give us your topics

Subscribe or listen now on your favorite podcast app:
Apple | Spotify | iHeartRadio

Voted "Best Cybersecurity Podcast" in the 2021 Cybersecurity Excellence Awards
Cyber Security Excellence Awards 2021

Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 29

Helpful or Harmful? The Microsoft Exchange Server Hack and FBI Cleanup with Josh Lospinoso

EPISODE SUMMARY

The FBI removed backdoors on hundreds of private Microsoft Exchange servers after discovering the zero-day vulnerabilities, only to inform the owners after the fact. Should law enforcement be cleaning up on their way out? For this episode, we’re joined by Josh Lospinoso, CEO and co-founder of Shift5, to discuss the government’s role in private-sector cybersecurity.

powered by Sounder

Free Tools

Take the first step to protecting your privileged accounts with Thycotic educational resources and free PAM software products.

→ See All Privilege Management Tools

Secret Server Icon

Secret Server Free

The perfect password management starter tool. 10 Users, 250 Secrets.

Icon - Audit

Password Security Policy Template

Icon - Project

Privileged Account Discovery for Windows

Icon - Test

Customizable Incident Response Template

Icon - Virus

Weak Password Finder for Active Directory

Joseph Carson

  • Chief Security Scientist at Thycotic
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Speaker at conferences globally
mm

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Joseph Carson:
Hello, everyone. Welcome to another episode of 401 Access Denied. I'm really excited for another fantastic fun discussion today. This is probably the one that many people are going to be really interested in.

Joseph Carson:
And my name is Joseph Carson, Chief Security Scientist at Thycotic, based in Tallinn, Estonia. And, of course, it's an award-winning podcast, you'd say. So we're really excited to have the award for the podcast. And I'm again joined with my cohost, Mike. So, Mike, do you want to give us updates into what we're expecting for the theme today?

Mike Gruen:
Yeah, definitely. I'm Mike Gruen, VP of Engineering and CISO at Cybrary, based out of DC. Today's topic is a definite spicy one, about law enforcement, and whether or not there's overreach, and what they're able to do.

Mike Gruen:
Today, we're joined by Josh Lospinoso, frequent flyer on the podcast, and definitely somebody who's helped us get that award. So, Josh, why don't you give a brief introduction, and then we can just dig right in. Because I think it will be a hot topic.

Josh Lospinoso:
Yeah. No, dang. By the way, what are the status levels for frequent flyer on 401? Do I get a comfy chair, free drinks?

Mike Gruen:
I think the share of Slack channel...

Josh Lospinoso:
Ah, gotcha. Okay. Fair enough, fair enough. Yeah, Josh Lospinoso, I'm the founder CEO of Shift5 at Fleet Data Company in DC.

Mike Gruen:
Way to undersell it.

Josh Lospinoso:
So, yeah, it's great to be back. Thank you for having me.

Joseph Carson:
Absolutely, it's awesome to have you here. And this is a topic that ... Anyway, it's been going on since the start of the year. And it all started with the exchange server vulnerabilities, that the attacking group HAFNIUM basically went and exploited many of these vulnerabilities around the world. And basically installed a bunch of web shells, that give them access to those servers.

Joseph Carson:
And one of the things that they really ... Microsoft released a patch, and people started cleaning up. But, for months, the last few months, there's been a number of those companies who were victims, that have went basically ... And have done nothing to fix it, have not removed it. And those web shells still existed. And, recently, the FBI decided to take a much more proactive approach, and then gained a court order, or a warrant, to be able to go into those exposed companies and start removing the web shells.

Joseph Carson:
So there's a big question here, around social media, and the news picked up on this, but was it overreach? Were they doing the right thing. And, for me, I guess, I don't know, Mike and Josh, what your thoughts are. I waited and took a backseat. And I wanted to gather my thoughts on this. I know my initial thoughts on the privacy and overreach, but I wanted to step back and just take a real understanding of ... This is always this question about doing good, versus is your good intentions, or was your good intentions something that potentially overreached, or went into a gray area.

Joseph Carson:
So interested, Josh, what has your been initial thoughts, and has it changed over the time that this has been circulating?

Josh Lospinoso:
Yeah, I mean, I think it's really good framing, Joe. My framework for this is that there has to be some just really extraordinary circumstances for the federal government to be violating the privacy of a private entity, or to use force to get into something that they don't otherwise have permission to get into.

Josh Lospinoso:
And, for me, I immediately thought of this incident back in 2017. I remember the Mirai Botnet, which was basically this really ... The S in IOT is for security, right? These terrible devices that just have all these vulnerabilities, somebody wrote a botnet to go and basically collect these IOT devices. And, in doing so, actually created an existential threat to the internet and its ability to function. Because, even though these devices are like these tiny little whatever, you can generate such massive volumes of traffic, by telling them to like focus it on a particular domain or server.

Josh Lospinoso:
And, because of that, some vigilante out there wrote a piece of malware, where it was basically using the same techniques as Mirai, that the X replaced the payload with something that would wipe the device and render it inert, with the thought being, "Hey, I know that this is certainly a violation of computer fraud and abuse act. There's no question about it. But because this botnet created such a threat to the functioning of the internet, and to the community, that ends justify the means."

Josh Lospinoso:
So, to my mind, when I saw the FBI doing that, that was the framework I was thinking about is like, "Well, is this an existential threat to the companies that have been hacked, or to the community at large, that would justify the FBI taking such extraordinary means?" And I don't know that it was, to be totally ... I mean, where I fall on that is I don't think that the FBI was warranted, well, literally not warranted. But it wasn't a warranted action, to be doing what they did.

Mike Gruen:
I mean, I think the important part for me, if I can hop in, and I don't know if we covered it really well enough, is the notification aspect. It's not like the FBI was trying to get in touch, trying to get in touch, and trying to get touch, and this was the ... Or maybe they were. Maybe we don't know. Maybe that wasn't reported. But the fact is they went in, and it's notification after the fact.

Mike Gruen:
I think that, to me, is a big problem. That's part of the bigger problem, is it's one thing to try and get in touch with the owners of these things, and tell them they need to deal with it, versus going in and fixing it. That's a big aspect.

Mike Gruen:
And then the framework under which ... What are they allowed to do, once they're in a network? And we talked about this right before we started recording. I don't want to come home to a note from the local police department, that says, "Oh, Hey, we saw that your back door was broken. So we went in and we fixed it, and it's locked up now. And while we were here, we didn't find anything else, but ya know.""

Joseph Carson:
"We had a cup of coffee, and we raided your fridge."

Josh Lospinoso:
But this brings up a really good point, Mike, which is-

Mike Gruen:
Or, "Your 14 year-old son is smoking weed, so please bring him down to the police department."

Josh Lospinoso:
Exactly. Now, this is exactly where it's like, Okay, well, it is very debatable whether the FBI overstepped its bounds, in using a warrantless approach to getting into these servers. I think all three of us probably ... I don't want to put words in your mouth. But all the three of us probably think that was a big overstepping of some important boundaries.

Josh Lospinoso:
Now, suppose they were warranted in doing it, right? Now you've got a whole can of worms. What happens if they go in there and they find evidence of a crime?

Mike Gruen:
If you have nothing to hide, then why are you worried?

Joseph Carson:
Well, one of the most famous statements of all-time.

Joseph Carson:
I just read 1984 again. So just brought back some memories. But wanted to kind of take a step back, and I was just reading and seeing what was happening. And I completely agree with you, Josh. And there's a big question of gray area here. And when you think about even what ethical hackers, and penetrations, and security researchers do as well, they tend to get into that gray area as well, when they're actually doing vulnerability testing, and finding, and exploiting, in order to do the good thing.

Joseph Carson:
But, in many cases, they notify the vendors. They notify, and they give them time in order to fix it. There's that disclosure rate, in order to saying, "Here's the time that ... Basically, we'll give you, whatever, 30 days, 60 days, 90 days in order to fix it. And if you don't, we're going to come back, and we're going to notify the world."

Joseph Carson:
And I really loved ... It was Yabut Malik who posted basically what was happening. He posted a tweet, which was about ... It's basically his bathroom window was a bit broken, and he wouldn't mind if the local law enforcement at some point would come in with a screwdriver and close the lock. And that was his interpretation of what was happening here, is that it's basically like law enforcement coming into your home, as you said, Mike, finding something was broken, the door was open, the window was broken, whatever it might be, and they're fixing it from the inside.

Joseph Carson:
The whole question for me, after thinking about it, I think the intention, and I think the deed was in the right kind of motive. But, for me, it set back, and I saw ... One is lack of oversight. I always say that the whole lack of oversight is the big issue here.

Joseph Carson:
And the second part is that not only lack of oversight, but also that is this the right agency to be doing that? Is that the right people that, one, is investigating criminal activities? But, at the same time, should there be agency for securing things that are not there for investigating criminal activities, they're there as part of the cleanup? So the question comes down to, should the same agency who's doing these cleanup be the same one that's also investigating crimes?

Mike Gruen:
And I think actually on that, I think just keeping it in those real terms, if an EMT or the ambulance comes into my house to rescue me, because I'm having a heart attack, there's no searching. There's no whatever. If they find stuff, because they're trying to figure out what did I take or whatever, it's still all outside the bounds of law enforcement. Because it is not a law enforcement agency.

Mike Gruen:
And, yeah, I agree. Maybe if it was a different agency, maybe if we had a different group that was responsible for health and human services of networks and stuff, or computers, or whatever, maybe that's the way. But I don't trust law enforcement to be able to ... They just can't. Their mission is to enforce the law. It just puts them in a weird position. I'm sure Josh has some thoughts.

Joseph Carson:
But it's the notification. It's the notification and transparency which is the problem that I think we have with this, that it's not notifying. We don't know. There's been no transparency into what exactly the details are. And also giving people time to fix it, giving the organizations their own opportunity to do the right thing. And then also did they leave a note behind, saying, "You're welcome."

Mike Gruen:
I think that's the reason we're finding out about it, is because in the articles that I read, there was definitely notification, but it was all after the fact.

Joseph Carson:
Yeah.

Josh Lospinoso:
Right. Yeah. I mean, it's an interesting ... I keep coming back to this, but it's an interesting issue. This is an Outlook server, which, when you think about it, the FBI is doing investigations of organizations, the emails are almost always the smoking gun in these things, right? I mean, you think about Enron, you think about ...

Josh Lospinoso:
Even I was reading the other day about a Under Armour pulling forward revenue stuff, the SEC slammed them. Because so much of our legal code is about what was your mentality when you committed this offense? And your emails that are ... People still don't realize that emails are postcards, not envelopes, and even more so when the FBI is sitting on the Outlook server.

Josh Lospinoso:
So I feel like that is such a crucial pulse point for an investigation. And the fact that the FBI, without a warrant, gained access to these critical points of what could be an investigation into criminal activity, how many hundreds, thousands of servers. What happens now, if one of these companies is implicated in a crime in the next 18 months? Can they say now, "Hey, the evidence that you obtained was illegally obtained," and now they're absolved of any crimes? You just opened up a huge can of worms. I don't know how that works.

Joseph Carson:
Potentially, even could have actually made ... Many existing investigations could have actually been deemed inadmissible in court now. Potentially, they could come back and use that as the evidence was planted, or that this was something that the attackers have went in and actually planted it themselves. So it's always that who had the hands on the keyboard? And when you've basically got the security as open, you could actually make it that somebody else didn't or actually did the crime.

Josh Lospinoso:
Yeah, exactly. And then where does this line of ... And I hate slippery slope and all. But where does this line of thinking end? I mean, as private citizen, suppose there's some wormable vulnerability. This has been happening for a decade. I mean, the first one was the Melissa Virus, if I remember correctly. The FBI was involved in rolling that up as well, right?

Josh Lospinoso:
So they have a history of setting precedence around doing the investigations for these sorts of cyber crimes, like building worms and stuff. Suppose someone figures out a wormable exploit for an iPhone, or for a MacBook. Now, all of a sudden, does the FBI have the ability to remotely access millions of American citizens' devices? I don't know. We've sort of opened the door to that being a possibility. That makes me very uncomfortable.

Mike Gruen:
Well, right. I don't know if this is what you ... But the idea that law enforcement is also using the same vulnerabilities that the attackers are using to gain access, that also makes me nervous, just in and of itself. Forget about what their intent was, the precedent of what is the legal framework under which they can break the law, in order to gain access to a network.

Joseph Carson:
Are they going to start patching our systems for us as well? I mean, are they going to take on the responsibility of securing them even further? So there's two methods of doing this. One, you take the responsibility and the action to do it, or basically you work with the legal aspect of things, to make sure that people have the accountability and responsibility to do it themselves.

Joseph Carson:
And that's the difference. I mean, we look at a lot of compliance and regulations that's coming. In EU, you've got GDPR, which is really that enforcement, if you don't do it, you'll get a penalty for not. So for companies in the EU that actually don't pass those systems, and don't close up the hole, they could be exposed to GDPR fines.

Mike Gruen:
Right. Well, what's funny is that whole fine thing was one of ... The first time I read the article, one of the things that came in my mind was, in the US and other jurisdictions, if you go to a gas station and run in to pay or do whatever, but leave your car unlocked, you can come out to a ticket in the hundreds of dollars, or $25 or whatever, right?

Mike Gruen:
Law enforcement was there saying, "Hey, we have a law that says, you're supposed to lock your door, to keep it from getting stolen. And you didn't do that." They didn't come in and lock the car for me. They didn't open the doors. And I think it's that same thing of law enforcement's role is to enforce laws. If it's fines or notifications or whatever, that's 100%. It's where they start going in that's problematic.

Josh Lospinoso:
I think that's exactly right, Mike. And, Joe, an interesting permutation of your thought is ... Well, Mike made an observation that basically math and computer science don't care if you're the police. Right? And so we build secure systems. They are secure against forced entry, no matter who you are. They don't care. We talked in a previous episode on Cybrary podcast, Mike, about back doors, but a fallacious argument that is ... Or errant kind of engineering endeavor.

Josh Lospinoso:
And so basically what you're left with is, if you are a law enforcement or defense function, you have to use the exact same tools, techniques, and tactics as an attacker, a criminal. And it really is just intent, right? So now you've got this interesting problem. Because if you are a law enforcement agency that's well-funded, and you need to gain access into devices that are increasingly more and more secure, you're going to be doing exploit development and vulnerability research, just like, 30 years ago, criminals were doing.

Josh Lospinoso:
So now suppose you find remote code execution in all modern versions of Windows, for example. What do you do with that? You've just found an issue that could potentially cripple the internet and have reverberations to the economy, right? Do you hold onto that and use that as a special access tool? When you do use that, are you exposing the world's problems? Because we're increasingly instrumenting our networks. And if some incident responders go back and they're like, "Oh my God, look at this as a problem," for example, hypothetically, in the RDP stack or something of a Windows bot.

Josh Lospinoso:
Totally separate topic. When we saw EternalBlue, for example, come out, people were attaching crypto malware to those payloads, right? And so how do you as an organization, as a law enforcement organization, balance the risk that you're putting the world at, with the tools that you're developing, versus your need for forced entry when you need to do it?

Mike Gruen:
Well, I would even argue not even the tools that you're developing, but you now have the knowledge. Forget about whether or not you have the tool and you're keeping it in your back pocket, you now have the knowledge that someone else could develop the same exact tool.

Mike Gruen:
And we know so much of this is state sponsored actors and others, who are just as well funded, or criminal organizations that are just as well funded as these law enforcement, to believe that no one else has discovered the same vulnerabilities, or isn't capable of eventually discovering them, is also a problem. So where's your responsible disclosure in that? You found a vulnerability. Aren't you obligated to notify the manufacturer or the ...

Joseph Carson:
Yeah. So, for me, when we look at this, I think that, law enforcement, what they should have been doing is notifying regulators for those companies, if they were failing ... For example, if it was financial, maybe they're failing PCI as a result of this. If it was a government agency, maybe it's compliance failure with a NIST framework. All of those things, there should have been a legal avenue. And this always gets into when we talk about ... Josh, you were missing any of it. But creating malicious tools and weapons.

Joseph Carson:
I will say that one thing that I thought a few years ago ... It was quite interesting. There was a whole discussion around encryption, around the use of VPN and end-to-end encryption. And one thing that was really interesting was a lot of countries around the world were looking at banning these tools, banning the use of them for certain areas. And it was getting into that that fundamentally is creating an unsecure world, where we're really looking to make it much more secure, and making it much more difficult for the criminals.

Joseph Carson:
But I thought it was interesting, because Russia did take a different stance. What they did was they actually made the use of it for illegal activities illegal, which I think is the right approach. I thought, actually, it was one thing that they did was ... There's many tools out there that can be used for good or bad, but if you use it for the illegal intentions, then that's what basically is the criminal activity. Not just having it, and not just using it, it's the illegal actions.

Joseph Carson:
And I think this is really where it gets into, is that I think this direction we're going to is that you either have to make sure that you fundamentally create the right framework, the right direction. Because, right now, it's a big gray area. And I get scared when we go into gray areas, because it could either go to the extreme, meaning that privacy is gone. We're actually getting to a point where privacy is on a thin line right now. And it's actions like these that really start to dissolve it even further.

Joseph Carson:
And that's where I'm afraid often. That's why I always get scared that there's no oversight. There's some type of oversight that represents the citizens, to make sure that the agencies, when they're doing these actions ... For example, let's say they did go in to remove the web shell, that any things, any tools, any information, anything that was gathered at that point, basically is completely erased and destroyed, that there's nothing that's retained. We don't know that. Because there is no oversight. We don't know what else was done.

Mike Gruen:
But you're not going to be able to-

Joseph Carson:
We don't know how long they had access.

Mike Gruen:
I mean, the fact is you're not going to be able to erase somebody's mind, right? So there's always the possibility that someone saw something. Now they know, "Hey, we can't use any of this as evidence, the stuff that we gathered illegally." I mean, I've watched enough TV cop drama shows, to know that clearly this happens, where they know there's evidence of a crime that they can't use, and they find some other way to try and get ... Well, we know there's a crime going on, so let's go ahead and figure out how we can investigate this under a legal framework.

Mike Gruen:
But I think all three of us are ... It's a very one-sided conversation, right? There's nobody here trying to argue law enforcement's perspective on this or whatever. So, for one second, I'd like to maybe play devil's advocate, right? So, notification, it takes a long time. In the meantime, all of these guys are still vulnerable. Let's say the situation is what's happening between Russia and the Ukraine, or what's happened in the past, where things are happening at a very fast rate. You have a state sponsored actor going after another country, and all of their infrastructure, and the rest of it. Is their time to act or notify? Or is it law enforcement?

Mike Gruen:
Is it such a fast moving environment that it justifies, "No, we're just going to go in and we're going to take care of this problem for you. We're going to let you know we did this. Because if we wait for you to do it, 30 days, 90 days, whatever, it's too late. You guys are going to be exploited." So, from that perspective, I'm curious what you guys think. I mean, I still have my thoughts.

Josh Lospinoso:
Yeah. I think, when I try to think about the other side of this issue, the only analogies are always awful in cyber security. But I think about something like termites. Okay? So bear with me here. So the only situation where this sort of violating a person's right to privacy and property is justified, to my mind, is when there's a community effect that outweighs the person's entitlement to that privacy, if that makes sense. And people are going to disagree on where that flashpoint is.

Josh Lospinoso:
But what I think is, say you've got a neighborhood, and half of the houses have this horrible termite infection. Right? But, for whatever reason, the owners aren't there, or they can't afford the termite extermination, and all that kind of stuff. The municipal government decides, "Well, you know what? We're going to tent all these houses and kill the termites. Because what's going to happen is they're going to spread. And then we're going to have a huge problem, with massive amounts of property damage. You're putting your neighbors at risk, by not dealing with this issue in your house. And so we're going to take matters into our own hands."

Josh Lospinoso:
Right? That's the kind of nuance that I think these things, they get a little mushy. So the question is just, to my mind, "How much were these vulnerable Outlook servers putting others at risk?"

Mike Gruen:
I mean, I think maybe a more ... Because I think even termites such a slow moving thing, right? Let's say there's a mob. Let's say there's some sort of protest out of control in some city, and people are running amuck, right? What is law enforcement's ability to defend private businesses? And can they board up windows to help protect property loss? Or I don't know. So maybe that's a-

Josh Lospinoso:
Or enter into a private property, where a crime is being committed not by the owner of the property, but by somebody else.

Mike Gruen:
Where a crime is being committed, I mean, that's a different problem, right? We have, I think, laws around if they ... But if there's a mob coming down the street, and they see that there's a building that doesn't have boarded up windows, they see that there's a jewelry store that's unsecured, and they know this mob might get there, what can law enforcement do? Are they allowed to enter that jewelry store, and try and patch things up before the criminals get there?

Josh Lospinoso:
This is actually a really interesting philosophical point. So do you think there's a difference in the act, that these two scenarios, of the FBI going in on a server that is actively exploited, there's a web shell on it. They know it's there.

Mike Gruen:
Well, that's true.

Josh Lospinoso:
So they know, they see the traffic coming off. They know that these things are compromised. Going on, doing remediation, and then patching the machine, is one course.

Josh Lospinoso:
And then another one, which is, "Hey, the FBI or whoever is scanning the internet, or they're using showdown or whatever. And they've noticed that, based on the fingerprinting, those Outlook servers have a vulnerable version." And without any evidence that they're currently exploited, beyond the fact that they're vulnerable, going in and then exploiting the server, patching it, and coming off. Are those two different situations?

Mike Gruen:
That's right. I forgot that they were actually already compromised. Yeah. I mean, if the police are going down the street and they see a robbery in progress, they don't have to wait for a warrant to go in. That's a view.

Joseph Carson:
But, Josh, I agree with your point though, is that, for me, there's a big difference though. There's a difference between ... It's the impact. I think that's it. This was not a worm. This was not something that was spreading. It's something that people manually went in, did the exploit, and put in the web shell, and gained remote access. And it was not something that was spreading further and further, unless basically the attackers continue to, of course, exploit the vulnerable servers.

Joseph Carson:
It's not like a ransomware that basically, all of a sudden, just started spreading and spreading and spreading and spreading, and you had to find a way to stop it. Just like you mentioned, I like the example with the termites, is because that's something that it will continue to infect other companies. This was something that was much more of a static scenario. Does it mean that ...

Mike Gruen:
But there was a crime in front of us.

Joseph Carson:
... you're going to patch everything?

Mike Gruen:
But it was a crime. I mean, they saw that it was exploited. They saw that there was a web shell. I mean, I know where I stand. And I don't think it makes that much of a difference to me. I think that there's still the notification, right? I think there's still more that they should have done.

Mike Gruen:
I think that there's a difference between somebody with a gun in a jewelry store, where there's potential whatever, versus other types of ... I think law enforcement sees crimes in progress all the time, that are a little more slow moving or a little less urgent to deal with. And they probably don't use the same tactics. And none of us are in that framework, that really know what those laws and lines are.

Mike Gruen:
But my guess is I still think it was a little bit of an overstep. But there is something to be said for there was some sort of criminal activity in progress, that they were potentially investigating.

Josh Lospinoso:
Yeah. And then you know what happens? I mean, it just opens up so many interesting questions, as probably like what ... I imagine first-year law students think of these stupid hypothetical situations. But what if the police go into jewelry store where there's an act of robbery, and they find a meth lab in the back that's completely unrelated to that. It's a robbery. What do you do about that? It's really complicated.

Joseph Carson:
But even a compliance and legal perspective, is let's say all of a sudden I fail an audit. I'm like, "Well, I was expecting the FBI to patch that server. They patched the other one for me, why not this one?" I mean, it opens a whole thing, a mess, that we basically...

Josh Lospinoso:
That's a good point.

Joseph Carson:
Yeah. I'm not expecting ... They did the last one. Why should I patch any more? I'm going to focus my resources in somewhere else, because the FBI is going to do it for me. That's the issue. And where's the balance? Who makes the selection? These things should have been something ... I always say it's the legal aspect, which is basically what influences people's actions.

Joseph Carson:
And this is really where it gets into, is that it should have been something that, if it's an opt-in, do you want us to come in and do it for you? No, this is a choice. If you don't, we're going to report you to basically audit compliance, who you're going to come back with a major fine. That really, for me, I think is the process, and the right way of doing it, is basically making sure that there is a framework that actually is consistent and scalable, that will actually work in the future. This just opened up a huge amount of questions for the industry, about what happens next?

Mike Gruen:
Yeah. And I think that the notion of opting in gives you more opportunity to say, "Yes, if there's active X point, I want you to come in. If it's just something that you've noticed where I'm vulnerable, I want you to use my responsible disclosure program, that I set up specifically for this, and go ahead and notify me." And then that's the other thing, is how does law enforcement disrupt that whole notion? And what's their role and responsibility in there? And what's the impact? But yeah.

Joseph Carson:
I even remember years ago, this was during my time at Symantec, we had a product that was called DeepSight, and it was part of the GIN network. And, ultimately, DeepSight was that you did an audit on the company, in regards to the attacks was attacking that company.

Joseph Carson:
But when we actually ran the DeepSight, quite a few times you'd find out that those companies actually had ongoing attacks coming out of the organizations, because they had compromised machines within, and they were attacking other companies. So you'd actually go and say, "Hey, here's what's attacking you, but here's also compromised machines in your network, which is attacking these other companies. What would you like to do about it?"

Joseph Carson:
IS this going to be the same? Is it now going to go even further, that it's not just about companies who are being exploited and have web shells in their exchange servers, to even companies is doing D OS attacks on others? Are they going to clean up the internet? I mean, is that their agenda and goal?

Joseph Carson:
Because it would appear that the motive was is that they're going to start cleaning up the internet. What's the bigger picture here? And I think that's the big question that we really have to get answers to. What is the role in the future of the security of the internet?

Josh Lospinoso:
I think it's totally right, Joe. And, what I think about, again, going back to this community framework, because there's almost an American tradition that we have a right to be idiots. And so if you're going to do something that's terrible for you, but it doesn't affect anyone else, generally speaking, we're okay with that. Sorry, this is kind of an American centric perspective, I think, for better or worse.

Josh Lospinoso:
But the moment that what you're doing starts affecting other people, as evidenced by you sort of being ... I'm thinking about masks in public, for example...

Mike Gruen:
I think we're all thinking about masks in public, which is...

Josh Lospinoso:
Yeah, this is still an actively debated battleground, but just bear with me here for a second. I mean, I think that when a server is compromised, I think about two different populations of devices, and the people behind those devices that could be potentially affected by that compromise. Right? This is a terrible pun. I apologize. I know I was talking about termites, but now we're going to talk about NATS, without the G. Sorry.

Josh Lospinoso:
So things that are behind that firewall, things on the LAN now get exposed. So if you've got an Outlook server that was on a border, there was a possibility that somebody, if it's not configured properly, could get DMZ issues or whatever. Now someone can swim upstream and get into active directory, and start messing with devices that are on your network. So that's a whole mess. I think that's potentially, depending on the context, a little bit less of a concern. Because, ostensibly, that Outlook server is connected to a LAN that's related to the same legal entity. So I'm a little less concerned about that community issue there.

Josh Lospinoso:
Where it gets interesting is when you were talking about G, which is that server becomes a pivot point now. It becomes infrastructure for the attacker to then go on and attack more things. You might say, "Well, they're all connected to the same LAN. So what does it matter that you've now got an additional place to launch your attack?" Well, you ask any professional advanced persistent threat about how important that is, it's very important. That's infrastructure.

Josh Lospinoso:
So the infrastructure allows you to evade attempts to block traffic, as well as to mask your activity, so that you can continue to operate securely. And so the more infrastructure that someone accumulates, the more they can operate with impunity. And there really is an exponential effect. So I can see an argument there that, when you compromise more and more and more servers, it actually does, in some sense, have a community ramification, just playing devil's advocate a little bit.

Mike Gruen:
And I think also, on that, if I'm investigating a criminal organization that has branched out into these places, as opposed to ... So now I'm not dealing with the private entities, I'm dealing with the victims, right? But I'm investigating the criminal organization and investigating this. In investigating that criminal organization, I'm finding that they've accumulated this infrastructure all over the internet. What am I supposed to do? What's the victim's rights? How do I notify them? What should I patch? There's that stuff.

Mike Gruen:
I do think, back to the framework that Joe was talking about, while you're talking, Josh, I realized we do have things in place around what limitations we put on law enforcement. For example, if I'm driving without my seatbelt, I can get a ticket for that. And, for a long time, you could not get pulled over for not driving with a seatbelt, you could only get pulled over for some other infraction. And then if they saw that you weren't wearing a seatbelt, that was something in addition, right? They couldn't just pull you over just because they suspected that you weren't wearing a seatbelt. They couldn't pull you over just because they suspected this or that.

Mike Gruen:
And so I think that's where I want to see laws try and catch up. But I also know that laws will never catch up with technology, and that law enforcement ... We need better frameworks to guide law enforcement, such that we don't always need laws that are keeping up, but rather than just more intent oriented things, to try and keep them in check and in balance.

Josh Lospinoso:
Right. I think it's totally right. And I think the other thing, for us as security practitioners, is if we don't want the FBI and all these other organizations to get in our business, we need to make sure that we're building secure systems, and that we are building good processes to go back and patch things that we find. Because, ultimately, we wouldn't be talking about this problem, if the original issue didn't occur. I know that's a little bit of victim blaming, I guess.

Mike Gruen:
Yeah, but there's also ... I mean, they're eroding our trust in them, right? I mean, that's part of it, is I would love to have a much better working partnership with law enforcement, with regard to cybersecurity.

Josh Lospinoso:
But can't.

Mike Gruen:
Right. It's got to be this bi-directional thing. And by doing these types of things, you're eroding my trust in you. Right.

Joseph Carson:
That's always been my challenge as well. Everything, when you're working and cooperating with law enforcement, is always one directional information. Very little kind of comes back, or there's very little bi-directional communication, transparency, which erodes the trust.

Joseph Carson:
But what's very different in Europe though, is that trust is built, and you have to work together, and certain things that you can cooperate and collaborate on. I think, in the US though, is that what you do is you rely on the three pillars of government to provide oversight of each other.

Joseph Carson:
But I think this is where I see the issue, again, is that oversight there in this situation. Is Congress making sure that the agencies, and Department of Justice and everything, is actually covering and making sure that there is an oversight process?

Josh Lospinoso:
Well, the answer is no, because they didn't get warrants.

Joseph Carson:
Exactly.

Josh Lospinoso:
I mean, the judiciary is supposed to have oversight in this process.

Mike Gruen:
I mean, they got a court order, right?

Josh Lospinoso:
Oh, they got a court order. That's right. I'm sorry.

Mike Gruen:
They did go through the judiciary. They got a court order.

Josh Lospinoso:
That's right.

Joseph Carson:
It was Texas court order that they actually leveraged as part of this. And there was also another piece, is the knock on door scenario. I can't remember what it was. It was one of our previous guests was someone from the law enforcement side. They have the capability of going in and checking digital equipment, in certain circumstances, without having a warrant. I think there was certain situations there that it could do it. And I think the court order would give them that ability to carry out their activities.

Mike Gruen:
One of the issues though, in the US, is you have law enforcement at all these different levels. You have local law enforcement, you have state, you have federal, and then you also have jurisdiction shopping. Of course, if I'm the FBI, I know which court to go to, to get what I want. I'm not going to go to New York or California. I'm going to go to Texas.

Mike Gruen:
So, I mean, I think that's part of the problem as well, which is there's not enough happening at the top level, to govern everything all the way down. And we talked about in the last recorded, it's not yet published, but the idea that every law enforcement agency, local police, think that they're the sniper, that they're expert, that they're the whatever, and they should be able to .. So I'm worried about the trickle down effect. What does it mean if ... Can my state law enforcement agency use the same tactics that the FBI uses?

Mike Gruen:
And, trust me, I have a lot more faith in the FBI than I do as you go further and further down, because they have less and less funding, less and less capability. The resources are spread thinner and thinner. But yet they will use the same tactics. Law enforcement shares down. There's no problem. I mean, you can see it, because police are driving around in tanks.

Joseph Carson:
I also wonder as well, Josh, I don't know how many ... Because right after the whole vulnerability in the news, the zero-day, a bunch of security researcher peers of mine set up tons of honeypots. So the question is was the law enforcement actually patching honeypots? There's a big question as well. There's a lot of people actually set up honeypots, in order to capture and gather and see what's happening, so they can analyze the attackers, and understand their attack path and techniques, which is a common thing to do.

Mike Gruen:
Am I going to get fined for my ... Do I get fined for having a honeypot?

Joseph Carson:
It raises a big question. And so-

Mike Gruen:
The other side of it's true though, too. I mean, if you have a honeypot, and it gets compromised in some way, and it can be used as a reflector to attack the rest of the ... Again, I have the right to be an idiot, but once it starts impacting other people, maybe it's on me to say, "Okay, the honeypots that we should be running are only internal. We shouldn't be totally exposing this stuff. Because it can be used to attack other people."

Joseph Carson:
That's used for deception. You're using that for deception. Deception is a way to make sure. That's one technique from ... side of things, is that you want to make sure that when someone's poking a hole in your network, you want to try and get visibility.

Joseph Carson:
And when they poke a hole, it's typically from the public domain. So, therefore, you want to make sure that you're actually triggering your alarms, that will give you early detection ability, to make sure that someone's attempting to get through your door.

Mike Gruen:
Yeah, exactly. All I was suggesting was that maybe ... Not that it's a good thing, but at what point does it become I'm not allowed to actually have that early detection, I have to have it further down, where it's no longer early detection, it's like, "Oh, look, I've become compromised."

Joseph Carson:
As long as it's not doing it attack back. So here's when we did ... It was 10 plus years ago now. This was a post-Estonia 2007 attack. There's a project called Cyber Minds, which is about active honeypots attacking back. That was the gray area. As long as your honeypots are not causing damage to other people's property, it's kind of deemed as okay. You can have that kind of honeypots.

Mike Gruen:
Should those be called beehives?

Joseph Carson:
Yes, because it's the bees that come back and sting you when you disturb the pot. But, yeah, as long as the honeypots are not causing any downstream impact, then you can set them up.

Josh Lospinoso:
We should label this podcast cyber insects, or something like that, where you provide a remarkable amount of ...

Joseph Carson:
The cyber bees.

Josh Lospinoso:
Yeah, so-

Joseph Carson:
I mean, go ahead, Josh.

Josh Lospinoso:
So what you're saying, Joe, is I should expect to see an APT report on all of the FBI's tool kits and infrastructure that they use, to be patching these servers. I hope they didn't reuse that toolkit.

Joseph Carson:
Exactly. But it drags up a whole fundamental thing, is that I think this needs to be brought in the open, and have a real discussion in the industry. And I think we can only provide from a security perspective expertise in this. And definitely having law enforcement in would it be fantastic to get their view, what was the intentions. And even somebody from a legal perspective, and even getting other security researchers, to really get into that gray area a bit more to understand.

Joseph Carson:
But really, for me, it was always that it's ... We'll have law enforcement to do it, and it's okay for them, and they didn't need to go through the legal process. What happens, is it going back to your Mirai Botnet? Is it okay for citizens to do this as well? What happens if citizens start going around and using the web shells, and going passenger service for you? Where's the legal boundaries here? And that's, I think, where we really need to make sure.

Joseph Carson:
It's a big discussion we had years ago, hearing somebody around the defensive versus offensive capabilities as well. We've had the discussion before, around when you have basically a cyber attack, citizens should not be attacking back. They should basically be helping defend, and provide resiliency, and provide capability, and making sure that you're able to continue operating. You'll have certain agencies, government officials, who can do the offensive side. Maybe they bring in contractors, or whatever it might be.

Joseph Carson:
But I think this really gets into the same as that, where the citizens decide to go back and start breaking these machines, and start patching people's servers. Is that okay? Where are the boundaries here? And I think that's really it.

Mike Gruen:
And if you're in Florida or Texas, I think it's okay to shoot them, I think.

Joseph Carson:
Oh, but only if they're in your bedroom. If they're in your bedroom ... Well, I don't know, states...

Mike Gruen:
No, it depends a little bit on property, but we won't get into all that.

Joseph Carson:
So it depends where your exchange server is. I guess if it's in your home, or upstairs in your bedroom, then it's a threat to your family.

Mike Gruen:
But, no, I mean, there are interesting ... I mean, there is precedent around that type of stuff, about at what point are you allowed to "fight back", and what's a legitimate use of your own force, and blah, blah, blah. But, I mean, I don't want to go down that path.

Mike Gruen:
I just think, in talking about all of this, I think the real problem area isn't us on the cybersecurity side, educating and doing what we need to do. I think where everything dies, at least in the United States, is in Congress. And that's where all the stuff, and trying to get ... These are very complex issues. And forget about security. And we've talked about it, with regards to government back doors into stuff, and so and so forth. In every case, it's getting Congresspeople to understand this at a level that they can actually legislate effectively.

Mike Gruen:
And, luckily, we have people like Lindsey Graham, who really get it. He doesn't. And that's where I get so frustrated, is just watching C-span, I'm the person who does, and watching these debates, and just knowing that they clearly don't understand the implications of what they're trying to legislate. They just don't get it.

Joseph Carson:
Do you need a Cyber Congress? Do you need a Cyber Congress that is specifically there for digital? Digital security.

Mike Gruen:
Right. And we've talked about it too. And it need to happen at more of a global level. It needs to be who, it needs to be the world, some sort of much larger ... Because, at the US level, it doesn't matter. Because if there's some government that's in whatever, that's not going to enforce the laws ... You look at all the attacks that come out of India, local law enforcement doesn't do much to punish the criminals in India.

Mike Gruen:
But they're attacking US citizens. It's just so difficult of an area. And that's where I think everything sort of ... We can talk about all day long, but until it's this global problem, and there's no global defense force.

Joseph Carson:
Yeah. I think, at least I mentioned previously, that at least the new White House statement that came out did actually talk about the new funding around cyber, that they did talk about a cooperative, a transparency global effort, that no country can deal with this themselves as well.

Joseph Carson:
So I think that maybe we do need a cyber type of Interpol as well, and that we could go even beyond, as an international corporation to work in these. Because, again, it also gets into were some of these companies multinational? Were they based in headquarters in other countries? It just happened that these exchange servers were based in the US. So I think absolutely.

Joseph Carson:
So, Josh, just any final thoughts, if the FBI ... I'm pretty sure, somebody in the FBI, they will probably listen to this call already anyway. So when they do listen to the live podcast, what would you recommend, a future direction, from a summarizing this up. Because we're definitely not going to solve it here. And I think this is a bigger debate.

Joseph Carson:
And I think absolutely, Mike, Congress, this needs to be ... Congress needs to be brought up to speed in how to deal with this. Because we've seen a lot of unknowledgeable people in Congress, that don't know really how to ask the right questions.

Joseph Carson:
And I think this is always about asking the right questions, will help you find the direction and solutions. So, Josh, any recommendations or pointers, or where we should be looking for the future to solve, or to at least come up with possible recommendations?

Josh Lospinoso:
Yeah. I mean, well, from a cybersecurity professional perspective, to me, this just is a reminder that if we don't clean up after ourselves, the government's going to do it for us. And none of us want that. So it's just a reminder for us to have more resolve to take control of these systems, our own systems, secure them, build security into the products that we're putting into the market.

Josh Lospinoso:
And, look, I spent a lot of time in the government, and I understand, by and large, the vast majority of folks that work for the federal government have really good intent. And they're really just trying to do their job, which is to try to keep folks safe and secure. Right?

Josh Lospinoso:
I think there's a bit of messaging that could have been better here on this. And maybe this is a variation in the security community, but, to my mind, when you take an overt action like this, that really pushes the boundaries, you need to make a clear and compelling case that this is an exigent circumstance, that there is something about this particular incident that is so beyond normal, and puts people at such a greater risk, that you acknowledge that you're really stepping some boundaries here, and that this is a special circumstance, and you broadcast that wildly.

Josh Lospinoso:
Otherwise, people like us are going to freak out and say, "Look, is this the new normal?" And rightly so. I mean, we guard our freedoms and liberties, I think, for good reason.

Joseph Carson:
Absolutely. I completely agree. I think this is really a communication issue, in probably the most aspect of it. So, Mike, any final thoughts? Have we changed your opinion? Or has it just reinforced?

Mike Gruen:
I mean, I think opinions evolve. I think, at the end of it, no, nothing from my perspective. My general opinion about law enforcement and their role in all of this hasn't changed dramatically. But, again, I agree. I think it's a communication problem, first and foremost. I think there's things that even courts could be doing. I would love to see more specialization, whether it's having resources available to the courts. When these warrants come up, who's making this decision? Who does the judge turn to figure out what's the right course of action? Is this an actual existential threat? Or is this something that the other side is just blowing out of proportion? And how do we figure all that out?

Mike Gruen:
And I'm hopeful, similar that we're seeing in other parts of the country with regard to law enforcement, and partnerships with health services and others, so that when they're responding to what's not actually a criminal activity, there may be bringing a social worker along or whatever. I would just love to see that expand more for all these different types of nuanced things, where it's not law enforcement's specialization. And I'm sort of optimistic that we'll get there, probably not as quickly as I'd like. But yeah, I agree, it's the communication.

Joseph Carson:
Great communication is the foremost issue that I think resulted here. And I think we all agree that the intentions and motives were in the right places. It just could have done with a bit more, let's say, diplomatic methods, as I would say it.

Joseph Carson:
But absolutely, Josh, it's been fantastic having you on the show again. Hopefully working to get you back on again soon, because it's always a fun and educational conversation for me, as always.

Josh Lospinoso:
I would love it. Yeah. Maybe we'll talk about hacking back.

Joseph Carson:
Yeah, hacking back is always the edgy, edgy conversation, that one. But absolutely. So, for the audience, I hope this has been interesting. Hope we're getting you up-to-date in what's been happening in recent news and trends. Hopefully, if anyone in the FBI or Congress is listening, we'd love to have the discussion with you as well. So do reach out to us, if you'd like to have that conversation.

Joseph Carson:
Again, thanks for listening in. Check us out, 401 Access Denied, every two weeks. We're just trying to keep you up to date, keep you educated, and keeping you basically on trend and hopefully safe and secure, as much as we possibly can. So, again, thank you. All the best, take care, and goodbye.