
Blocking IP Addresses

Is IP blocking still effective? Is it a sledgehammer when you really need a scalpel?


Watch this episode on YouTube.

Reasonably Accurate Transcript

All right. So despite being connected to a monstrously gigantic battery, my Mevo ran out partway through the broadcast. So, quick little flip and here we are, back with an alternative source off the iPhone direct.

Should be easier, hopefully. Let me just adjust the picture here. No, I don't want weird emojis. All good. OK. So, as I was saying, just to restart real quick, I am coming to you live from San Francisco.

I'm out here for the RSA USA conference. We kicked off with a pre-day yesterday. Myself and Andrew Hay from Leo Security hosted a full-day seminar focused on ransomware and destructive attacks.

We had a great lineup of speakers, from the associate district attorney general all the way to a special guest appearance by MalwareTech of the MalwareTech blog, who was actually the one who sinkholed the WannaCry domain and ran into some legal trouble for it.

But it was a great day. Lots of great talks. I'm gonna wrap that up in a separate video that I'll post here on social. What I want to dive into this morning is actually what's happening with Telegram in Russia.

So Telegram is a secure end-to-end encrypted messaging service. I'm not sure where it ranks with the current options for end-to-end encrypted services. The EFF is about to, if they haven't already, update their scorecard for encrypted services.

So you can get an idea of what the vulnerabilities and the challenges are within that organization, or within that choice, within that ecosystem. But at the end of the day, Telegram has gotten in trouble with the Russian government, and the Russian government has banned that service within that country.

Now, that's a whole different discussion as far as the ups and downs of banning specific services in countries, and things like that. That's not what I'm going to dive into today.

What I wanted to talk about real quick was actually one of the methods used when this escalated. So we had the Russian government saying Telegram should not be available to our users within the country. Sorry, actually it started with the Russian government asking for access to conversations happening on Telegram.

Telegram said no. The Russian government said, OK, you're not gonna be available to provide service to our citizens, and then they banned the service as it was configured. Telegram made some adjustments to the technical delivery of their service.

Mainly, what they did was they started to route conversations through AWS and through the Google Cloud Platform, right? So they went to a cloud provider, they set up a bunch of systems, and they started routing traffic through there.

Interestingly enough, the Russian government has taken the step to then ban millions of IP addresses associated with AWS and associated with GCP. Now, AWS has a GitHub repo and an API call where you can actually get the latest set of IP addresses they're using for all their services.

Same with Google, and obviously you can't have a cloud service without having a number of things on those IPs. So it's a dynamic IP assignment; those IPs are recycled quite quickly.

And why I wanted to talk about this wasn't so much the nation-state angle. It wasn't the banning-of-encrypted-services angle. It was the defensive mechanism of actually trying to ban a service based on the IP it's coming in on.

In this day and age, that is a very crude tool to use. But unfortunately, it's the only one that a lot of folks have available to them. What ends up happening now, as we're seeing from the fallout reported in the tech news right now, is that a whole bunch of collateral damage has happened in the Russian ban.

So we're seeing the fact that there are other services that were running in AWS and in GCP that are no longer available in the country, because they've been banned by being a part of these IP blocks.

And that's really where the crude analogy comes in. It's not a scalpel; it's very much a blunt sledgehammer instead. In this day and age, we need to move our security up the stack.

So if you're trying to prevent your organization from reaching this particular service, or you're trying to defend yourself against a DoS attack, or no matter what you're trying to defend yourself against, if it includes banning access from external entities into your network,

IP address is probably not going to cut it anymore. We know that some IP addresses tend towards a more negative association. However, they do get reused and they do get recycled.

So if you ban an IP address, you're potentially cutting off your users from a chunk of the net, and that's not the intended consequence. You need to move up the stack to a domain name.

So the domain name is what we're used to typing into our browsers, something like github.com as opposed to 1.2.3.4. Because 1.2.3.4 points to GitHub today (just an example, it's not actually the IP address), it could point to mybadservice.com tomorrow and then back to somebody else's goodservice.com the day after that.
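The collateral problem above can be checked before an address goes on a blocklist. This is an added example, not code from the video or from AWS: it parses a constructed document in the shape of AWS's published ip-ranges.json (the real file is at https://ip-ranges.amazonaws.com/ip-ranges.json; the prefixes below are documentation ranges, not real AWS allocations), reports when a candidate IP sits inside shared cloud space, and contrasts that with a decision made on the domain name instead. The function and field names beyond `ip_prefix`, `region` and `service` are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's ip-ranges.json. Prefixes are
# RFC 5737 documentation ranges, not real AWS allocations.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2018-04-17-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "eu-central-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "EC2"},
    ],
})


def load_prefixes(raw):
    """Parse the ip-ranges.json shape into (network, region, service) tuples."""
    doc = json.loads(raw)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in doc["prefixes"]]


def collateral_check(candidate, prefixes):
    """Return the shared cloud prefix a candidate IP or CIDR overlaps, or None.

    A hit means the address is dynamically assigned cloud space: blocking it
    also blocks whoever holds that address tomorrow, not just today's tenant.
    """
    net = ipaddress.ip_network(candidate, strict=False)
    for prefix, region, service in prefixes:
        if net.subnet_of(prefix) or prefix.subnet_of(net):
            return {"prefix": str(prefix), "region": region, "service": service,
                    "addresses_affected": prefix.num_addresses}
    return None


def total_addresses(prefixes):
    """How many addresses a blanket block of every published prefix covers."""
    return sum(p.num_addresses for p, _, _ in prefixes)


def domain_policy_decision(hostname, blocked_domains):
    """Decide on the name the user typed, not the IP it resolves to today.

    Matches the domain itself and any subdomain, never a mere suffix.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


if __name__ == "__main__":
    ranges = load_prefixes(SAMPLE_IP_RANGES)
    print(collateral_check("192.0.2.77", ranges))   # inside the EC2 /24: collateral
    print(collateral_check("10.0.0.5", ranges))     # not cloud space: None
    print(total_addresses(ranges))                  # 640
    print(domain_policy_decision("www.mybadservice.example", ["mybadservice.example"]))
```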

It's no longer accurate enough. We need to move up the stack, and that's sort of a continuing theme in security. I'm sure I'll be talking about it the rest of the week: we need to be more accurate, we need to be more data-driven, and we need to be more flexible.

We can't just do these crude things of essentially cutting off a limb. It's gonna be interesting to see how this falls out, especially given that cutting off legitimate services could frustrate a lot of users and have them push back against that ban in Russia.

But in general, you need to make sure that you don't just block by IP, but that you can move up the stack and be more accurate, blocking by domain, or better yet by sessions. That's harder to do, but not impossible to do. We've had the technology for years. It's just a question of deploying it and making it effective. You can always hit me up online, marknca; of course, I don't have the graphic overlay even though I'm trying to point to it.

Talk to me in the comments below. I'm gonna be at RSA all week. I think it's gonna be a really interesting conference. It really starts off today with some of the keynotes and the sessions, and the expo halls open and all that.

I will have a summary video up soon about the ransomware summit yesterday, because it was fantastic, and there are some slide decks available for those of you that didn't attend. Hope you're having a great day.

I believe it's Tuesday. I always get thrown off when I'm in different time zones. I hope to talk to you soon, and we'll see you tomorrow.
