17 May 2023: Security and the Cloud

Famous white hat telecoms hacker Karsten Nohl is our guest for an episode that focuses on the security risks created by migrating telcos and many other businesses on to the cloud. The use of standard cloud technologies like containers can deliver great efficiency and cost savings but they also mean that a hacker who discovers one vulnerability may be able to cause far more harm as a consequence.

Karsten has a track record of discovering and demonstrating unexpected vulnerabilities in GSM and RFID systems. He is the Managing Director and Chief Scientist of his Berlin-based consultancy and think tank, Security Research Labs. Karsten also has experience working as a telecoms CISO for leading Asian operators Jio and Axiata.

Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hello, this is episode 10 of the Communications Risk Show, and I'm your host, Eric Priezkalns.
Every Wednesday, we talk to risk experts from around the world of electronic communications
streaming live, so you can also join the conversation submitting questions and observations as we
go along. Now asking the question is super simple. Just type your message into the window
immediately beneath the streaming window on our website at tv.commsrisk.com. Messages
are anonymous, so include your name if you want me to read it out. The show is also streamed
live on LinkedIn. A member of our team is keeping an eye on comments posted over there,
so we'll try to respond to those too. We'll read out as many of your questions and observations
as time permits. Today, we're going to be talking about security and the cloud with
Karsten Nohl. He's the founder and chief scientist at Security Research Labs, sometime interim
CCO at CISO at such telcos as Axiata and Jio. And a lot of you will remember him from such
white hat hacking exploits as showing how to crack GSM encryption in 20 seconds and
using SMS messages to crack SIM cards. We'll be talking to Karsten about the vulnerabilities
he's found in cloud containers and what this means for telcos and for other businesses
who run their operations in the cloud. But first, allow me to introduce my co-presenters,
Ed Finegold and Lee Scargall. Ed joins us from Chicago. He's an author, analyst and
strategic advisor to tech and telecoms businesses. Lee joins us from Bahrain. His career has
seen him switch between executive management and consulting for a wide variety of coms
providers around the Middle East, Europe, Caribbean and Asia. Good day to you both,
Ed and Lee. Today's first topical topic to pick into your brains and see how you respond.
I think I'm really controversial on this. I'm looking for lots of comments from the
audience on this too, because I know some people get very wound up by this topic. Malaysia,
again, we talked about Malaysia last week. We're going to talk about Malaysia again this
week. Malaysian banks are now stopping the use of SMS for two-factor authentication for
financial transactions. Following from last week, last week we talked about Malaysian
telcos blocking any SMS with a URL in it. Now let's talk about Bank Negara Malaysia,
the country's central bank, ordering all the banks to stop authenticating users using one-time
passwords by SMS. Now this slipped a little bit under our radar because the governor of
the central bank, Shamsaia Maud Younis, announced this change back in September 2022. This is
before the big fuss when Elon Musk was saying that he was going to stop using two-factor
authentication via SMS, and we saw what a response that generator would run. So actually,
the Malaysian central bank was ahead of the game on this particular point of switching
off SMS, but they allowed the banks quite a lot of time to exercise the change. But
now banks like Standard Chartered have stopped supporting SMS for two-factor authentication.
They're forcing their users to use token-based authentication via apps on the customer's
phone. The new policy also sets a strict limit where only one mobile phone or other device
can be used for authenticating each user. So to you, Lee, straightforward question.
Do you agree with the policy of the central bank of Malaysia?
Yeah, I do agree with it, Eric. Right. It'd be difficult for me not to, because I've been
saying for a long time now that OTPs via SMS, it's just unsafe, right? They're prone to
all kinds of exploits, right, such as social engineering, SIM swaps, IMSI catches, and
then you've got all the vulnerabilities in SS7. So I hope that banks and regulators are
taking note of this, and they do the same, because, you know, this has been a long time
coming. But at last, we finally got some leadership from Malaysia.
Well, it causes a lot of controversy, this topic, so it's interesting that you and I
are in complete agreement on this one. I'll just play devil's advocate a little bit. What
about the people who don't have a smartphone, Lee?
Well, maybe online banking isn't for them.
All right, Ed, I'll bring you in on this one. Smartphone penetration in Malaysia is 95%
per stats from Malaysia's comms regulator. That contrasts with 85% for smartphone penetration
in the USA per Pew Research. Yes, I'm sorry. I'm making another point about America again.
I'm sorry. Are countries who leapt ahead from landline infrastructure to mobile infrastructure,
are they the ones now driving forward the comms security debate? Because they're able
to do things that countries like the USA with more people relying upon landlines, more reliance
upon traditional banking services, are they now effectively falling behind because they
can't make changes like this because it will affect too many people?
You changed the question on me, which is totally fine because I can think on my feet a little
bit.
It's the same question just phrased differently.
So, no, I think you make a good point that you have a situation here with, especially
the US banking system, US banks, telecoms, bearing a lot of legacy, and also I think
tending to bend to political will, where if a very small percentage of users might be
marginalized as a result of a move like that, it becomes the center of the debate. That's
kind of a separate discussion. I just think that's kind of a silly way that the US tends
to react to things.
So, I think that's part of why you're maybe seeing someone like a country like Malaysia
able to take such decisive action on this. But I'm going to push back at you a little
bit on some of your assumption here, because I think some of the numbers might be incorrect.
And I think that what I took away from the question was the idea that the US is somehow
behind and I don't want you to divide us because we are all in this problem together. And I'm
going to explain why. So, folks, I took some notes here because I knew that this was a
tough one coming up and I have some data to share.
So, first of all, your data from Pew, I think was wrong. That looks like a postpaid stat
to me. And I have other data from a study I've worked on recently that looked at 14,000
people around the world, a thousand people in the US. And the numbers that we're getting
back are more like 92% of Americans with a mobile device, because that can include prepaid
as well.
So, Pew's numbers are a little bit off.
But it was smartphone. It was simply smartphones, specifically smartphones.
Well, Malaysia is 94% versus 92%. So, they're pretty close from a mobility perspective.
However, if we talk about banking, we're talking about two very different environments.
Let's talk about credit cards. USA, 76%. Malaysia, 54%. So, to me, that speaks to the difference
in maturity and the difference in the progress that you're talking about. And I think it
actually speaks to the leapfrog effect that you're talking about a little bit, that you
have a market that didn't get quite as deeply entrenched in something as credit cards and
was able to leap forward to digital perhaps a little bit more quickly. So, that works.
Bank accounts, USA, 91%. Malaysia, 87%. Personal bank accounts, pretty similar.
Savings accounts, this one I found comical. This is funny. Malaysia, 86%. USA, 69%. Suggesting
the Malaysians are a little bit more savings conscious, perhaps. And they have fewer credit
cards. So, perhaps they're a little more conscious of these issues.
Now, here's ones that really pay off. Real-time payments. In Malaysia, 92% of people in Malaysia
have sent a real-time payment via something like, I'm not sure if they are in Malaysia
in the US, it would be something like Zelle or Cash App or Venmo, something along those
lines. In the USA, it's 81%. So, there's a pretty big gap from a digital adoption point
of view. But interestingly, when asked about how many of them experienced in our real-time
payment scam, 19% Malaysia, 17% USA, pretty similar.
So, after going through this whole rigmarole, my point is that regardless, we're all suffering
the same problem. We're all suffering the same root problem, going back to what Lee
was saying was, a lot of the root of this is SMS. A lot of the root of this is phone
numbers. So, even though we have these differences in the markets and these differences in maturity,
it still comes back to basically about 20% of people suffering these scams. The end result
is kind of the same.
Okay. I'll ask a different question now.
USA isn't any worse or better. There you go.
I'll ask a different question now. Now that you're blowing my hypothesis out, we'll water
with your stats. All right. I'll ask a different question now. My impression, and I don't think
my impression is wrong here, is that Asian countries like Malaysia are way ahead on being
able to adopt and implement policies like this. And that these policies are not even
up for debate in countries like the USA and the UK. Let's throw them into... It's not
even up for debate. You wouldn't even be able to start the conversation to adopt that policy.
So whereas you've got somebody who is a top banker, great experience, the governor of
the Central Bank of Malaysia forging ahead, it's impossible to imagine the equivalent
in the USA, the UK, a lot of Western countries doing something like this because of the backlash.
Oh my gosh, we won't be able to cope. How could we possibly cope if we don't have messages
sent by SMS? Why? Why is there a difference then? And I'll ask Lee first to let him have
a go, see if there is a reason, an explanation, because he might say it's because we're rubbish
in the West. I don't know. What do you think, Lee? You've been all over the world. Why are
countries like Asia so far ahead?
I honestly don't know, Eric. I really don't know the answer to that.
All right, fair answer. Ed, why is the West so far behind?
So again, this is probably coming from some ignorance and people will disagree with me,
but I think that in my experience, at least in the US, the political type discussions
tend to get taken over by the extreme. And the extreme in this case is we have to defend
the fuzzy wuzzy, right? So we saw it in the robocalling argument. And so I'm agreeing
with you here, Eric, that I think if we were going to see regulatory action of the type
we saw in Malaysia and the US, you would have seen it around robocalling. But instead, what
we saw around robocalling was, well, wait, we have to protect all of these potentially
legitimate uses of robocalling. And let's parse out all those little minority instances
and use that as a reason not to take action against the big bad wolf, so to speak. And
it's just that attitude. And I don't know why it's different in Malaysia, but I see
that attitude in the US and I don't think it's productive.
Also a comment here from one day, Oluwatomi. He says, who looks after the seniors that
are not technologically savvy, a very American way of putting it, seniors, the frustration
of lost devices. I personally think this will not be a reality anytime soon. Some good percentage
of folks would be cut off from service. I don't really agree. I don't really agree with
you one day. I have to say, I think when you force change to happen, people adapt quickly.
And there's no reason why all the people can't adapt to. I actually think if you put all
the people in an environment where they get access to information, they're called the
silver surfers in certain parts of the world. Actually, when you look at the data, the silver
surfers, the older people, they can very quickly adopt all sorts of advanced services delivered
online if they're given access and they're given some information resources about them.
It's as simple as that. Give them access, give them information resources, make it cost
effective to do it. That's a big factor. People don't want to change if they can keep on doing
the same thing in the same way, or if change is going to cost them money. If you make it
cheaper to change, they'll change. So I think there will be resistance to moving away from
SMS for two-factor authentication because people are used to it. And there's a little
bit of inconvenience in downloading an app on your phone. But if there was some financial
backing behind it, if, say, you started charging people for receiving those SMSs, they'd change
pretty quick, sharp towards using an app. You'd have like a year at most where people
would be downloading the app and then everybody would be fine. So that's my point of view.
But we have to move forward in the debate. Sorry, guys, I know there's plenty more we
can say about this. Keep on sending your comments. Now, here's a message from our serious sponsors,
Blue Jump. When thinking about testing calls and other
needs on networks, it's worth keeping in mind the sheer variety of objectives to be fulfilled
using testing. You could have Blue Jump perform a thorough audit of the roaming service provided
by partner networks in key locations. Auditing your roaming partners means you're not just
trusting that your customers be able to connect to services whilst away from home. You could
obtain a fresh perspective on how your services are perceived by customers. That means using
Blue Jump's facilities to conduct tests to reflect what real people do when they use
their phones. Or if you're worried about the various forms of bypass fraud including
SIM boxes, refiling, low TT bypass, then you can use Blue Jump's extensive international
deployment of devices to originate test events on the networks and observe they're routed
around the world in a manner you expected before it terminates on your network. Popularity
of why means telcos need to do more than ever to ensure traffic is routed correctly and
termination fees have been levied as they should. Blue Jump can execute a risk based
testing program where you are focusing on the routes and countries when there's the
greatest risk your telco will be exploited. Now buying your own equipment and setting
your locations in the country is not cheap. It's much more cost effective to have Blue
Jump use their test anywhere crowd to have test conduction on their behalf using their
automated equipment. Their test infrastructure includes the latest Android test devices deployed
globally. Blue Jump works on behalf of telcos, governments, software businesses, all sorts
of companies, harnessing the power of real phone devices that can make calls, send messages,
transfer data, stream entertainment, any of the things that real people do with phones
every day and thus perfectly emulate the customer's journey. They also support the latest innovations
like eSIMs and satellite connections. So in summary, the automation of testing by Blue
Jump spares your staff the laborious effort of manual tests. It also means you get results
more quickly, which can be especially important when seeking to identify where frauds occur.
And because of the way Blue Jump's technology works, you will be aware of the fraudsters,
but they won't be aware of your anti-fraud testing until you decide to take action. So
whether your focus is the customer's network experience, roaming costs, or the assurance
of interconnect routing, then you should call upon the experts at Blue Jump, the URL, blugem.com,
Blue Jump. So continuing the topical chat, French President Emmanuel Macron promises
an anti-scam block, a nationwide anti-scam block that's going to filter malicious links
from SMS messages and emails. In a message posted to LinkedIn from the French President's
official LinkedIn account last Wednesday at 7 a.m. French time, Macron made the following
promise and I apologize in advance for my terrible accent.
For those of you who don't speak French, that translates as we will build a barrier
against fraudulent SMS and email campaigns by preemptively filtering malicious links
with a bill that aims to secure and regulate the digital space. Ed, to you, do you believe
the French government knows something about blocking malicious links that the rest of
the world doesn't? If anybody was going to implement a filter to remove malicious links
from emails, wouldn't Google have done it by now already?
You know, Monsieur Macron, Mr. President, I love the idea. Please elaborate. I'd like
to know more. I don't think the French government knows anything special about this. And I did
find your reaction to it, just the way that you answered the question, to be funny because
yeah, if this was so easily solved, it would have been solved and it would have been solved
by the folks that know it best, like Google. I agree with you. But I thought about our
discussion last week about this idea of just not permitting any SMS links. And I'm not
even sure what my position was on it last week because I disagree with myself. I've
come around to it because I thought about what you said. And I thought about the idea
that, for example, if you put it in the physical world, you walk out to the mailbox to go pick
up your snail mail and how many times in my life if I wish the junk mail would just vanish,
all the junk mail that you don't want would just go away. I don't want to deal with it.
And it also creates risks of identity theft and all that sort of thing. So I'm taking
that same idea and putting it here. Yeah. And I think we should, Mr. President, let's
block them all. Block them all, Mr. President, please. Thank you.
Okay. So there's a vote from a crumb there, if you could vote in France. Lee, I got to
ask you this question. Of course, you've got connections to France. You've got family members,
French family members. This is another example. Is this another example of a politician promising
to do something about scams spread via SMS? Why are we getting all of these examples of
politicians cracking down, showing lots of leadership now? The first SMS was in 1992.
Why hasn't that happened earlier? Well, I think it's down, Eric, to the sheer
scale of fraud being committed online right now. I was actually reading on the UK government's
website that online fraud now accounts for 40% of all reported crime in the UK, and it
costs seven billion pound a year. Now, as for politicians, it seems like Macron and
Rishi Sunak, they've both been singing from the same song sheet because they've both just
announced new anti-fraud initiatives. So I went on the UK's government website just to
have a look at what some of these new measures were. And they're talking about banning SIM
farms, stopping CLI spoofing. So I guess that means we're going to be getting stairs shaken
soon at some point. And they also mentioned, this is quite interesting.
Hey, hey, hey, there's a public consultation first. Don't be joining the party that's announcing
this before it's actually decided yet. Sure. We have to follow due process, of course,
right? Now, the interesting thing here is they also say they're going to use UK's intelligence
agencies to disrupt fraudsters from overseas. Now, I don't know what they mean by disrupt,
but that's quite an interesting remark to make. And they were also going to say that
they're going to work with tech companies to allow people to report scams more easily.
So it all sounds good on paper, but there's no real mention of what they're going to do.
I think it's a load of talk. And I would back your assertion that it's big now. Yeah, well,
it didn't just suddenly get big. It wasn't like there was no fraud last year. And then
suddenly this year, all the frauds happened. The reason why fraud is massive is because
no one's been doing anything about it for a long time. So really the question is about
why are the politicians now thinking, I mean, yes, you could always make the argument because
it's big now, but why didn't they think it was big enough before? Is this just a little
bit of cheap window dressing? Look at me, says President Macron, my pension reforms
aren't going too well in France. Everything else is going very badly for me. I'm doing
terribly in the polls. I can't spend any money. I tell you what, I'll just talk about fraud.
Because if I talk about fraud, people won't notice that previously the amount of money
that was spent on fighting fraud was nothing. And now these enormous reforms will mean the
government will now spend next to nothing on fighting fraud. It's a great way of making
you sound yourself as though you're beefing yourself up because the plateau you started
with is so low, you need to spend hardly anything to do better. Isn't that the problem Lee?
But basically we're getting all excited because we go, whoa, like in the UK, 30 million pounds
is going to be spent on the successor to action fraud, the National Fraud Intelligence Gathering
Service where everybody dials in, well, 30 million pounds might sound like a lot of money,
except it's not. And also they're spending 30 million pounds on essentially replacing
the people who used to receive phone calls about fraud and then would take the written
transcript of what was said and scrunch it up in the bowl and throw it into the bin because
they were so useless. So 30 million pounds and improving on that, it's not much of an
improvement really. Is that not the problem? Ed, I'll come back to you on this one. Is
this not just cheap politics? Cheap politics, everybody says they're going to do something
as long as somebody else is paying the cost, the taxpayer isn't paying the cost, the government's
not taking it seriously, but politicians want to get a few votes cheaply.
Yeah, it's become part of the news cycle now. If you think of like, what are the topics
that are always in the cycle as if it's a big lazy season that you're spinning around,
coming to topic to topic and it's on there now firmly. And every once in a while, we're
going to come back to these fraud topics and we're going to talk about them and we're going
to act like we're doing something about them. And if I'm going to take any positive away
from it, it's like, hey, we're talking about it. People that can do something about it
have some awareness now that there's something to be done. And that's the best positive I
can take. But yeah, I mean, the cynic in me says, yeah, there's going to be a lot of talk.
And again, you come back to what we've been talking about with stir shaken, you know,
and you're going to spend a lot of money to come up with a solution that doesn't solve
the problem. Like is that to me, that's yeah, that's kind of what politicians are doing
here historically.
Well, this this case of Macron, they're going to have a special filter. Just do what the
Malaysians have just done. The Malaysians already told if you wanted to take dramatic
action, you want to do radical action. Boom. We're just not going to have any SMS messages
with Lincoln. Overnight, the problem is solved a little inconvenience. But if you're going
to say it's a huge problem, then why is the reaction to the huge problem always so modest
in comparison, it gets described as a crackdown. But there are countries that prepare to do
things and the Malaysians are showing us the example late, I pushed this back to you. Are
we not again in the West, a lot of talk, not a lot of trousers when it comes to taking
action.
But this this is difficult, because in the same press release, they did say to be fair,
they did say they were going to create 400 new jobs under the NCA. Right. So I think
they are, they're trying to do something. But I'm the same as with you, Eric, it's just
it's just here, right? I want to see I want, you know, let's sit down in six months or
next year. And let's review it. Has it got better? Yes or no? My personal opinion is
I don't think it will.
All right, thank you for that. We'll move keep moving forward. Let me take this opportunity
now for another one of our weekly features, the symmetry fact of the week and interesting
facts supplied by the team at symmetry solutions. Over the years, many professionals working
for comms fighters and the suppliers have approached me for advice about where to obtain
high quality training on revenue assurance and fraud management. I'm glad that they do
because I hate to see people wasting money on training provided by flim flam agents.
And so for many years, I've kept my recommendation simple, go to the most experienced practitioners
of revenue assurance and fraud management in real life, get your training from them.
That's why I've long recommended the services of Jeff Ebert for revenue assurance training,
and Colin Yates for anyone wanting a better understanding of fraud management. So it's
a funny coincidence that both men now work for symmetry solutions, as symmetry is head
of business assurance and head of fraud management respectively. Between them, they provide the
training to over 750 telecom professionals. Now they work together at symmetry, they have
a comprehensive syllabus which covers revenue assurance and fraud management at the introductory
intermediate and senior levels. That means they can easily tailor a training program
that focuses on your particular needs, no matter how specific or extensive they may
be. Colin and Jeff even provide mentoring to leaders of our FM teams who want a trusted
counselor who can give them independent advice. So wherever your training needs, turn to symmetry,
and they're uniquely experienced trainers at symmetry solutions.co.uk. There's so much
we have to fit in the show, we never find time, we've got to get past Nolan in a bit.
So we're not going to spend too long on the next segment, guys. But Lee, you identified
a really fascinating news story about a new iPhone feature that caused your concern. Do
you want to tell us some more?
Yeah, so this is something we spoke about on the show the other week, and this was concerning
voice authentication and synthetic cloning. Now, today, I was reading an article that
Apple, they're going to bring out a new feature in iOS 17, that actually allows voice cloning
in as little as 15 minutes, just by reading back some text prompts, right. So this live
speech feature is actually designed for people who have difficulty speaking, right. So they
just type in the words, and then it converts it to speech. And it's in the identical sound
to their voice now. So if you imagine this now, right, having a live speech feature on
a phone, right, of somebody's clone voice, it's just going to take fraud to a whole new
level.
And you know, you want to have people included, you want to see technology, get people included
and do things they can't do before. But for me, this is symptomatic of, we don't deal
with the risks, we don't anticipate risks until they've hit home. Ed, am I right? Am
I wrong? What's your feeling on this in terms of where are we always leaving it too late
to react to the risks? Shouldn't we be anticipating the danger of giving people on their phone
the ability to clone voices in just 15 minutes?
Yeah, absolutely. And, you know, I noted that the CEO, I guess, of OpenAI was in front of
the US Congress talking about, you know, what are potentially smart ways to regulate the
technology and what have you. And that's all well and good. But to your point, it's like,
or is it already too late? It might be too late. How long is that process going to take?
Two years? And then the cat's already out of the bag. So I think, yeah. And the last
thing too, you and I have talked about this a hundred times, the 737 MAX always comes
to mind as the ultimate example of like, when you rush these things without asking the right
questions and with political or economic pressure behind them, what happens? Things blow up,
you know, quite literally. So, yeah, I mean, it's...
I'm pro-business. I don't want to put barriers. I want governments putting barriers in the
way of doing business. Okay. I don't want everybody to have to like go to a committee
to get every new technology innovation approved, but Apple's got a track record here. And Apple
is obviously a more responsible business than many other smaller businesses that are out
there. Okay. We've seen it with the Apple tab already. Seemed like a good idea. You
attach this device, you touch this little thing to your objects, to your computer, whatever.
So if your computer's stolen, you know where it is. You know, if something else is stolen,
you know what it is. You can track it down. What happened? The creepiest people in the
world start attaching them to the bags of women that they want to stop, start attaching
it to cars and use it as a tracking device. And yes, Apple put in some, some countermeasures
to prevent it being abused. But nevertheless, there was a lot of abuse of these things and
very dangerous abuse. There could be people's lives at stake in terms of the misuse of the
Apple tab. Again, there seems to be... I don't want to put barriers in the way of business,
but there seems to be a reluctance to accept our society may lose more overall than sometimes
we're gaining with some of these technologies. What can we do now?
There may be a good reason for that barrier, right? In the sense that you're, if you look
at it from the perspective of, are we weaponizing everyone's phones? Lee, is that what this
is? From what you were saying, does that in a sense kind of weaponize everyone's phone?
And then isn't that a reason to what Eric was saying, to put a barrier in the way? I
feel like it is.
I agree, Ed. I think the way they're talking about within 15 minutes, just by saying a
couple of text prompts, and you can feed in anybody's voice into that, then within 15
minutes, that's it, you've cloned somebody's voice. And you've got a phone, it's on the
phone, you can contact anybody, you can impersonate anybody. And I think some of these risks have
just not really been thought through properly.
Yeah, look, nobody wants to see somebody who loses their voice, not have the ability to
communicate to their friends, their family, their loved ones, okay? But even for them,
there's a risk. You've lost your voice, there's now a clone of your voice on the phone. Well,
still, if somebody gets access to that phone, if somebody gets control of that phone, now
somebody can impersonate you. And you may not be in a position to fight back against
that abuse against you, because you are disadvantaged in being able to identify and speak and do
something about getting your right over your voice, which is now an electronic thing, back
again. So I do think we tend to rush ahead with these things. Anyway, quick comment here
from Hervé Andure. Malaysia's choice to block URLs is not optimal as they're pushing legitimate
use cases to other unregulated forms of communication. This is like the kind of argument if you do
something with SMS, ends up being with WhatsApp and the rest of them should we treat WhatsApp.
And we'll come back to that in a future episode. We've got to keep moving on. I've got to keep
moving on, guys. Before we bring on today's guest cast. And oh, here's another one of
our regular weekly features. Each week, Jeffery Ross of Core Authentication, Fraud Prevention
and Geolocation Specialists, One Root, takes us on a tour of the world as we overcome the
barriers to communicating with each other. This week's destination is England, oddly
enough, the place where I am. And having seen the video, it's obvious that Jeffery's opinion
of England has been badly influenced by one of our own team. Producer James, please roll
the VT.
Hey, everyone, from One Round, I'm Jeffery Ross, and this is The World in Your Phone.
Let's talk about England. A few countries have an unforgettable impact on the world's
history, but England is definitely one of them. The largest of the four nations under
the United Kingdom, England is known in popular culture for many things from the royal family,
William Shakespeare, Isaac Newton, to some of the world's most famous musicians, red
double decker buses, red phone boxes or phone booths, Harry Potter and the ever popular
show Bridgerton. But did you know that in 2022, some of the iconic red phone boxes were
retrofitted by Vodafone with updated technology to increase 4G coverage on busy urban streets?
This was done to improve both 4G and 5G coverage while the old 3G networks begin to be retired
this summer.
One of the more unknown yet interesting facts about England is that from 1066 to 1362, French
was the official language of England. Désolées englétaires.
Stamps were invented in England, and due to an old law that has never been updated, it's
technically considered treason to stick a stamp upside down. And six ravens must be
kept in the Tower of London due to an old tradition and superstition.
Be sure to subscribe to the One Route YouTube channel, where you can catch up and watch
the One Route Roundup, a show that spotlights individuals and companies making a positive
difference in the telecom industry.
One more fun fact is the town of Cleethorpes. In the 1820s, Cleethorpes was a must-go-to
destination as a health holiday resort with sea bathing and the taking of medicinal waters.
At one time, Cleethorpes was described as a bathing place for which it is highly eligible.
The air is pure and the scenery amazing with extensive views of the sea. I know if Cleethorpes
most definitely tops the bucket list of places to go for Eric. And now that Eric's fallen
out of his chair, I will say, Lee, back to you and more of this great communications
risk show. Cheers.
Do not believe a word that Jeffrey says. Do not believe a word that Jeffrey says. I know
you want to say something about Cleethorpes to defend its honor, Lee.
What I like about Cleethorpes, Eric, is it's full of ordinary people and we live in ordinary
houses and we just go day-to-day doing our ordinary things. We're not trying to be some
kind of Ponzi, southern cut-type village down south.
You talk about your servants now, not you, Lee, but never mind. We'll move forward. We'll
move forward by introducing today's guest. We're so glad to have him here with us. Karsten
Nohl. He's the founder and chief scientist at Security Research Labs. He served as chief
information security officer at a whole bunch of businesses around the world, including
Axiata in Malaysia and Jio in India. And the security findings he's had, he's reached over
the years, extraordinary, the ones that he's shared at Chaos Communication Congress and
Black Hat Conferences. We could go on and on and on listing what Karsten's done for
this industry. Tremendous, amazing contribution to this industry. We're so grateful for it.
Now, the subject of today's interview stems from a presentation Karsten gave last year
entitled Open RAN. 5G hacking just got a lot more interesting. The connection to telecom
is very obvious there, but the risks extend to other sectors too, because they concern
the use of cloud containers. Hello, Karsten. Thanks for joining us on the show today.
Hi, Eric. Good to be here today. So I referred to the presentation you gave
last year that was about the way you found vulnerabilities associated with the virtualization
of networks. So just to recap for the less technical members of the audience, the telecoms
industry is going through a process of replacing proprietary telecoms equipment with functions
that run on cloud servers on commodity hardware. It's an attractive proposition for telcos
because of the enormous cost savings. But you, Karsten, you showed how a hacker could
find a route to progressively subvert those functions on the cloud, leading to a series
of ills like reading private SMS messages, reaching all the telcos customer data, and
even tearing the network down. We can't go into too much detail, but for the audience
who are not aware of the research you did in that arena, can you succinctly explain
how a hacker would be able to get unauthorized access to these functions on the cloud?
Sure. Maybe before going into the insecurities, let's remind ourselves why certain changes
are afoot in the telecom industry. You already mentioned one of the two imperatives, which
is cost saving. There's certain technologies that if you introduce them, you save costs.
So it's inevitable that these technologies will be introduced just through market forces.
The other motivator are new use cases. Just with our 40 networks, we can't support use
cases like car to car communication, for instance. We need more distributed mobile networks,
lower latency, so we need to be present with core networks in more places. So both of these
imperatives lead to the adoption of generally two streams of technology. One is hardcore
virtualization. So not the virtualization of your good old days where you ran two or
three things as virtual machines on a few core networks. We're talking about for a country
like Germany, where I'm right now talking about 500 core networks for 5G, every single
one of them having multiple functional units so that you can have these very low latencies
within each region. If you have to administer thousands of functional units now in terms
of Docker containers, you need a very high level of virtualization. You also need a very
high level of automation. That's the second technology trend. So basically to save costs
and enable new use cases, you need virtualization and automation. Now for the hacker, that's
a field day because both of these introduce new attack surface and new vulnerabilities
often found in other industries already just new to telco. And so to your question, what's
the typical journey of a hacker into one of these more modern, cheaper to operate, enabling
new use cases, a mobile network, it's usually four steps that the hacker follows. First,
I identify some insecure part of infrastructure, like a test server or something forgotten
and those existed before. They usually locked away in what we call the demilitarized zone,
a DMZ. And these DMZs still exist today, but instead of having hardware firewalls, because
of that high level of virtualization, we're talking about software firewalls. Everything
lives in kind of the same Kubernetes environment. So there's a good chance that after you break
into one of these unimportant servers, you can escape from them and take over the Kubernetes
environment. So not necessarily the entire telco at this step, but you break out of your
little sandbox that the developer cuffed out for themselves. That first step is enabled
by the virtualization trend that we can't stop anymore. So we have to learn to live
with it. You're then in some kind of a development zone where different test systems are all
coexisting and you'll find a lot of what we call a CICD infrastructure, basically the
infrastructure that allows you to have automation. Instead of humans in the loop, you have all
kinds of scripts and they need to be changed all the time. So software trickles down through
these systems and mistakes are being made in all industries, but this being a new trend
in telco, of course, many more mistakes are made in telcos as new adopters. So you find
these entry points in these CICD pipelines, be it exposed source code repositories on
the internal network, weak credentials, APIs are probably the biggest problem, hundreds
of APIs, some of them tests, some of them production, but all of them reachable from
that little foothold. So the second trend, the automation allows hackers to go their
second step. So now we're somewhere in a more interesting place in a mobile network and
still not in a production network, not in a telco network, but we're somewhere where
we can influence software that eventually trickles down into the telco network. And
that's the third step, basically just wait for your changes to be propagated into the
telco network. Now we're sitting in the telco network. Chances are, once again, you're kind
of a boring part, right? You don't always get lucky. You don't always get to hack the
domain controller. You're in some software that does something in a telco network. And
once again, you're breaking out of your virtualization, you're taking over this time the real telco
network. So really four steps that are all enabled by these trends, virtualization, automation,
and every single one of them, hard to prevent unless we want to stop the trends of building
cheaper networks and more automated networks, really hard to prevent mistakes from being
made, right? So the pressure really is on to detect these mistakes before the hackers
do and firefight all the time. That's why telco hacking has gotten a lot more interesting.
It's much more dynamic. It's much more tactical these days.
You say that with a little smile on your face because you're the guy who gets to play a
game. I'm finding the flaws in these cloud containers. You mentioned Kubernetes. So specifically
you identified some issues in terms of hackers being able to infiltrate Kubernetes containers.
They're one of the most popular form of container technology for the cloud.
Yeah, 100 percent. The scale of what can go wrong is very big.
I'm an old school risk manager. I like to think in terms of the scale and the probability
of what's happening here. And to some extent, you pointed out in your presentation that
it actually took you a lot longer to work through, to find and to identify some of the
vulnerabilities that you found. It took more work in practice, OK? So on the one hand,
it could be that there's more effort involved. And so the probability of being hacked may
be, and this is what I'll leave you to decide, maybe lower. But the scale, the potential
impact is higher. How do you put into words, it's very hard to put into words, but how
do you put into words the sense of the scale of the risk we're taking on and how much is
it to do with the probability versus the scale of what will happen when hackers, if hackers
get access to the cloud systems that are telcos running?
So telco networks have always had security issues. That's known hopefully. But by and
large, telco networks, when considered hacked infrastructures, we rarely hear that telcos
go down or go black because of hacking. With 5G, that is becoming more likely because there's
just many more moving paths where something can go wrong. So the surface of attack is
increasing dramatically and intentionally so. Like I said, in Germany, we're deploying
5G networks in 500 locations. So as compared to the maybe three or four core locations
we had for 4G, more than 100 times the attack surface, logically speaking. Networks, on
the other hand, maybe to say something positive for a change from hacker, networks become
a lot more resilient. So those 500 copies of the core, they're not being configured
manually. Just deployment scripts that can create as many as you want. So for instance,
somewhere is no concern at all for 5G network, at least not on a long-term basis. If somebody
encrypts your files, just rebuild everything from scratch. So we're becoming more resilient,
but we'll have to expect more short-lived outages.
That's fascinating. Next week's guest will be Patrick Donovan. He's a different kind
of security research to you. He spends his time analysing the security products on the
market and the businesses that supplies them and the factors that drive demand for those
products. He's going to be talking about one of the most important factors that's driving
demand, the threat posed by nation state actors. If we were to suppose a nation state with
effectively limitless resources decided to exploit the vulnerabilities you identified,
what objectives do you think that they would realistically set for themselves? What would
be the consequences? Would it be of a type that might be very sensitive in a country
like Germany, nationwide surveillance effectively? Or would it be the case that they'll be looking
to shut down communications? And as you say, maybe communications networks may be resilient,
but maybe shut down all communications at a certain point in time? What would you, if
let's put it another way, you were in charge of one of these nation state actors, what
do you think you could realistically achieve in terms of attacking a country's networks?
State sponsored criminals, they're certainly interested in two very different goals. One
is stealthy spying, so trying not to be detected and collect as much data as possible about
individuals or industry secrets. The other strategic objective is to take down critical
infrastructure. So be very loud and be very noticeable for as long as possible. With future
mobile networks, both of these change in nature, they don't necessarily become more likely,
at least not the spying. But we do put more X into the same basket by using these highly
automated infrastructures. So maybe let's start with the spying. I think what we basically
settled on as the message you will state after the Snowden revelations is still true. Spy
agencies can spy on everyone, just not at the same time. So with enough resources deployed,
a state will be able to spy on every individual through mobile networks, but not all individuals
in a mobile network all at the same time, because that would be too noticeable. And
I think that is still true in 5G. No matter how much insecurities we add, we also add
great opportunities for telemetry and security monitoring. So any wholesale abuse would be
noticed. And as a society and even as users, I think we can live in a world where states
can break into anybody's one account or 100, say, as long as it's not millions, because
those people likely to land on those lists that state-sponsored criminals want to hack
into, they hopefully know that, and they don't likely rely on the security of a mobile network.
Whereas the average user who does rely on the mobile network security, they don't land
on those lists. So we're in an OK equilibrium. That leaves the second hacking objective,
which of course is availability. And I, for one, I'm surprised how the cat and mouse game
pans out in Ukraine, for instance, where obviously there is a very capable cyber actor trying
to take down the mobile networks and other critical infrastructure. They sometimes succeed,
but mostly not. So if you deploy enough of the defense resources, cyber-wise, apparently
the battlefield is relatively equal. So while mobile networks are insecure, by default,
abuse can be detected relatively quickly when deploying enough resources. And because we're
worried about this availability issue more in geopolitical tense situations, as long
as we create these opportunities to collect telemetry and respond to abuse, I think that
too we are in an OK equilibrium. So I wouldn't worry too much about state-sponsored spying.
It's possible, we're never completely prevented, but states have limited resources too.
So are you more worried about criminal activity from organized crime then? Do you think that's
a more serious threat than the nation-state threat?
Yes, I am more concerned that ordinary citizens rely on mobile networks. For instance, for
the authentication to online services. So criminals are not really interested in what
you talk on the phone or what you write in text messages, that which you could hack in
the telco. They're interested in that one SMS that gives you access to your Google account.
When you say, I forgot my password, OK, please verify that it's really you. We sent you a
text message. Now the criminal has access to interesting information, Gmail, all the
other services. And as we've seen, telcos struggle a lot with SIM swapping. And whenever
there's any electronic means to get that same information without having to walk into a
local telephony shop, that's just prime target for abuse. So it's mostly the weaker members
of society that get victimized and not by governments, but by ordinary criminals.
Is this an area where if communications was encrypted end to end, that would address some
of these some of these risks for the ordinary user?
Yeah, I'm not going to advertise using, for instance, WhatsApp as a second factor authentication,
but I've seen it done. And I believe a company like Facebook can certainly deploy more security
resources into their ecosystem than the weakest out of how many? A thousand telcos. So on
balance, I feel like going with these hyperscalers for security is a better bet than to to guesstimate
what protection you can expect from the local network you're either a customer of or you're
currently roaming in. Right. So a lot of this is outside of your own control.
Interesting stuff. Ed, I want to bring you in on this now. The commercial realities here,
I wanted to ask you about that. Is it inevitable virtualization because of the cost savings
and therefore we're going to have to pump up and put in the appropriate level of security
resources to do it? Or might some businesses be resistant to virtualization because of
the risks being posed?
I mean, I think Carson makes a really good point that from an economics perspective,
the virtualization aspect of it seems inevitable. And it's one of those things where it's kind
of like with cars, where like, well, you can hold onto your gas car as long as you want,
but eventually you won't be able to get them anymore because you're only going to be able
to get electrics. And I think there's some market effect like that that'll end up occurring.
The sorry though, I've probably lost my train of thought now, Rick. So if you have to apologize.
Well, I'm just keen to get your feeling here on terms of the economics, you know, whether
we end up having to, whether we have to keep on moving forward, like sharks that have to
keep swimming going forward, or is there a possibility sometimes you freeze technology
rather than always doing the next thing you could do?
The question, here's what I see actually is now it's not so much whether virtualization
is happening, but where's it going to live, right? And so you're seeing a lot of these
questions and forgive me everyone for losing this thought a moment ago, but what I'm seeing
a lot of now, right, are these questions and a lot of practitioners writing articles about
the cost we thought we'd get about moving to the cloud really didn't happen that way.
We had these cost explosions. These are the steps we're taking to bring some stuff back
in house or to simplify some of our architectures, you know, to bring those costs down. So that's
where I tend to see, you know, a lot of those discussions. This is like out of house or
in-house and how are we architecting it? And are we using serverless or not? And there's
our microservices environment becoming too big so that the traffic is too hard to manage
as to those kinds of things. Interestingly, a lot of those add up to what Carson was talking
about though, right? Is that all those exposures, right? All the discrete microservices, all
the APIs. And one thing that also he made me thought of as we were going, talking about
the 5G spec, you're looking at the 5G standalone spec. There's a really interesting thing in
it called network exposure function, right? NEF. And what network exposure function in
concept does is basically take anything in the network, anything the network can do,
and you could define it, you know, individual as a service and expose it via an API. That
doesn't mean that you should do that with every single service in a 5G network, but
you know, the spec is made up so that you can. And so I think one of the questions that
comes up in Carson, I would hope that this is something you could probably consult the
folks on is look, when you go on implement this, how do you implement NEF in a secure
way? Even before you even implement it, how do you define what you're even going to expose
in a way that ended up being secure before we throw this out there? Right? So I mean,
I think there's a lot of yet unanswered questions around 5G security still to come, you know,
on this virtualization tree, right? It goes on and on and on like that. Again, forgive
me for losing that midway. Hopefully I got it back.
Just to add to that, this is the false mobile network generation. I don't know what happened
to 1G, but somehow is the false iteration that people are implementing over 30 years.
So that almost a decade goes into every single generation. And yet every single time it feels
rushed, every single time people put themselves under pressure to roll it out without spending
that six months time window to architect it well. And with 5G is no exception.
That's a great point. That's absolutely a great point. I want to bring you in here,
Lee as well here, because I don't know how much you can talk about the work you've done,
but you have done work of the type where you have advised nation states on the business
parameters, the reasons to move things to the cloud, the extent to which the country
might be rejuvenated and generate income for itself by seeking to be the host of clouds
of cloud service for other countries as well as itself. Is security a big topic that comes
up in that kind of cost benefit analysis or is it something that is treated as something
that they'll deal with when they need to deal with it?
So this is quite an interesting question, Eric. So usually I've been a big promoter
of the cloud and over here I can talk about Bahrain in particular. There's not many hyperscalers
over here right now. There is a big push to try and get more and more here. But we've
actually done the cost benefit analysis we've done is to put some bits of the IT domain
within the cloud is it's actually cheaper just to buy a server, put it in our own rack
and to manage it ourselves. Right. So I think over time that price per unit is going to
come down as more and more hyperscalers come here. I mean, Bahrain tends to be quite an
expensive market anyway. I know when you try and buy something from suppliers, they tend
to pump the price up quite a bit. So Bahrain is quite unique in that way if you compare
it to other countries around the world. One of the other factors, so apart from the cost
and benefit analysis, one of the one of the primary things around which is a main concern
for other countries is that transported data or having that data being sent overseas and
is and is held within within another country. Lots of concern about that and the security
around that.
Absolutely. Can't agree more about that. Karsten, let's bring it back to you here now. So we've
talked quite a bit here about telcos, which is great because a lot of people who watch
the show are interested in telcos and work for them. But this isn't just about telcos,
these problems you've identified. They're actually they really extend a lot into into
many other aspects of many of the critical businesses, many of the functions of society
that we need, including utilities, for example. What's your appraisal of the extent to which
the vulnerabilities you've identified could cause harm in other parts of society and other
sectors too? Are there critical utilities that come to the front of your mind where
you worry that maybe cloud security is inadequate?
Yes, spot on. Telco isn't the only industry where people like to enable future business
cases and save money. Turns out everybody wants that. Now, what puts telcos apart, I
think, is that in the telco world, we think in step changes from 3G to 4G to 5G. So there's
certain technology changes that are forced onto telcos. And like I said, it always feels
rushed. You have to be part of 5G if you want to stay relevant. You have very little time
to prepare. Certainly 4G didn't prepare you for that change. In all those industries that
I'm aware of, this is more a smooth transition where people say, let's let's dabble into
cloud, let's move some non-critical applications into cloud, let's learn, let's make mistakes,
low risk, possible high reward, and gain confidence, gain operational experience, find the right
partners, and then move more and more. There's never a step change. So the same problems
exist everywhere else, but the effect is much muted through the opportunities to explore
and gradually change. Now, having said that, of course, most of the large data leaks of
the last years were based on people using cloud technology wrong, like that level of
inexperience that everybody starts with. Whenever there's data sets, millions of health records
or financial records accidentally posted on the internet, it's always some kind of a cloud
environment. But that seems a tiny fraction of the data that is being moved into the cloud.
So most people seem to get it right most of the time. What of course also helps is being
able to use standardized services from Google, Amazon, and Microsoft, which is provide infrastructure
will provide most of the operating system and thereby solve many of the security and
security operations problems. You'd be hard pressed to find a provider, not just in Bahrain,
but in most places in the world, would be able to help you provide your telco cloud
infrastructure. So there you're becoming the Google or Amazon equivalent, but they have
20 years experience in that and you don't. So it's a step change that is multiplied by
you going deeper into this stack. So yes, other industries share the same problems,
but not to the same extent.
That's a great way of looking at it. I've got a comment here from one of the viewers,
Claudia Durkin, lovely to have you watching the show, Claudia. She says planting the fuse.
Great overview, Karsten. Inspecting virtualized containers is often ignored because it's not
on the asset inventory. So she's basically agreeing with you there. It's great to have
that. One thought that came to my mind during our conversation just then was the generations.
You talked about the gap between the generations and the things being rushed in terms of moving
forwards in the telecoms industry. It's not clear to me whether the gaps will start to
slow down a little bit now and whether there might be a slowing down because telcos have
been resisting a transition towards a valuation, which looks more like a utility company than
a tech company. So one could argue the need for always delivering something new is because
over all those decades we've been talking about, telco started off with valuations much
more like tech companies with a high PE ratio, the belief that it's going to be worth a lot
of money in future. We're going to onboard a lot of new customers. And so it didn't matter
if you were generating revenue now, whereas these days it's all about dividend yield.
You'd be paying out some dividends and generating lots of positive cash flow. And in that kind
of environment, it might lead to a slowing down more like businesses, like utilities,
because there's not the expectation from investors that there will always be something sexy and
new each year. Or it could be budgets will get slashed because it's all about cost control
and security could be put at risk.
Karsten, how much is there any truth in what I'm saying here as a guy who's been at C-level
in some big telcos and where would you say the balance lies? Is it that we might slow
down and be a bit safer or might we just be cutting more corners in future?
Providing just connectivity services certainly has become a commodity and regulators really
enforced that. Most countries have four or even five telcos competing for exactly the
same geographic footprint with exactly the same services. So obviously there's a race
to the bottom in terms of margin. What telcos of course have been trying to use economically
and not super successfully is the client relationship. Having seen somebody physical, at least knowing
where they live by virtue of having sent a SIM card there, that should be worth something
in a highly virtualized world. And it certainly was something for criminals who SIM swap you
and take over your identity and everything else is tied to that identity. But that linkage
all by itself hasn't enabled telcos yet to monetize enough to make up for that commoditization
pressure. They're trying again now. Axiata, where I worked a few years ago, I think is
a little bit ahead in the game of API-ifying everything. It's basically giving or selling
access to customer data, trying to balance economic opportunity because of course the
need for privacy of the customers. That seems, at least in some parts of the world, a very
viable strategy and to really distinguish yourself from everybody else who just has
connectivity. You have connectivity and insights into your customer. But somehow that is not
catching on to the same excitement that I had when I first saw it. And you guys would
be in a better position to comment on where the resilience or resistance rather comes
from. Lee, do you want to comment? Well, I'd say the resistance probably comes from the
regulators. Ed, do you agree? You don't really do much regulation in the USA, do you? Not
around privacy. Now, some of it though, too, though, I mean, I agree with Lee, but some
of it, and I actually just am wrapping up a report for the team forum about this. Some
of it is the platform model that a lot of telecoms don't see themselves as a platform
business, don't see themselves as a platform company, and it's not the foot that they put
forward first. That would be my guess. Well, we're running out of time, guys. So
one last quick question for your casting, because we really appreciate your time today.
We also want to know what you're going to be doing next. What is your current focus
of the research you're doing? What are the big security risks that you're thinking that
we all need to be thinking about next, and it's going to be interesting to you in the
immediate future? I'll tell you what I think you want to hear,
and then I'll tell you what I think you need to hear. I think that the big trend in terms
of change, it's certainly opening APIs to partners and to more and more and smaller,
smaller partners, until you're really opening APIs to anybody who wants to consume them.
Being in a similar situation as Facebook a few years ago, you remember Cambridge Analytica
and whatnot. So telcos are certainly running for economic pressure reasons in that direction.
And I'm sure lots of goodwill comes from it, but also lots of hacking comes from creating
new interfaces. Again, learning curve. On the path to secure system, there always lies an
insecure system, and we're entering that phase now. But I think that's the gradual change
and incremental hacking pressure. I think what you need to hear really is, continue
to focus on the basics or finally focus on the basics. There's these five processes that
have been in security forever, and telcos are just not good at them yet. There's patching,
there's hardening, there's identity management, there's segregation, and there's backups.
You get those five things right, you become highly unattractive to a hacker because they
find much weaker targets everywhere else. So please just don't worry about what changes.
Focus on what you already have on everything you could already be doing around those five
basic processes. The hacking pressure is certainly increasing, so just because you've gotten
away with it so far doesn't mean that's a guarantee for the future.
Very wise words. Thank you so much, Karsten. We really appreciate you having you on the
show today, and we look forward to hearing what you come up with next in terms of the
new vulnerabilities you find in the future. And maybe you'll join us for the second season
of this show as well. We'd love to have you back.
I'd be delighted, yeah. Thanks for having me.
Thank you so much, Karsten. Well, that's it. We're out of time. It's frustrating, this
show. There's so much we could talk about. We never seem to fit it all in. Ed Lee and
I will return next Wednesday. We'll be talking to Patrick Donegan of Hardin Stunts about
the threats posed to comms providers by nation state actors. Watch live on Wednesday, 24th
May at 11am US Eastern, 4pm UK, 8.30pm India. Save the show to your diary by clicking the
link from the Communications Risk Show website, because it's not literally possible to read
out every single timezone every single week. Or just make your life easy by subscribing
to the Communications Risk Show broadcast schedule and have every weekly show uploaded
to your diary automatically. And the good thing is, if you subscribe now, when we've
only got a few episodes left in this season, you'll be confident that you'll have all the
episodes for our next season added to your diary too, as soon as those episodes are scheduled.
Thanks again to today's guest, Karsten Nohl, Chief Scientist at Security Research Labs.
Thanks to my co-presenters, Ed Finegold and Lee Scargall, for their commitment to vigorous
debate and their steadfast refusal to be baited by my outrageous questions.
And last but certainly not least, our thanks to our wonderful production team. What a great
job they always do every week, James Greenley and Matthew Carter. You've been watching Episode
10 of the Communications Risk Show. I'm Eric Priezkalns. You'll find recordings of all our
past shows on our website, tv.commsrisk.com. Visit our main website, commsrisk.com, to
stay informed of the most important risk news and developments from all around the planet.
And check out the website of the Risk and Assurance Group, RAG, at RiskandAssuranceGroup.org
for lots of free services and advice for risk professionals, including the RAG4 Block Train
and RAGS Leakage Catalogs. Thanks for watching. We'll see you next Wednesday.