The SolarWinds Hack, Clubhouse, Vulnerable Agora SDKs, Microsoft — Some Cybersecurity News You May Have Missed this Week – Futurum Tech Webcast
by Shelly Kramer | February 22, 2021

In this episode of the Futurum Tech Webcast, I’m joined by fellow analyst Fred McClimans to have a conversation about some cybersecurity news you may have missed during the week when unexpected weather across the south, horrifying power grid problems and beyond have captured the attention of the nation.

We started off by talking about Clubhouse, the current darling of social apps. In a nutshell, Clubhouse is an invitation-only social audio app that lets users conduct real-time conversations, or pop into rooms and listen to others having conversations. The app has reached 8 million downloads on iOS, and that, combined with a recent funding round that valued the startup at $1B, has put Clubhouse in the news. Why mention Clubhouse and cybersecurity? Great question.

Clubhouse is powered by Agora, a $15+ billion firm that offers real time audio and video APIs. Agora was founded in 2012, went public last year and, according to at least one investor, Clubhouse was built in a week using Agora as part of its tech stack.

Our conversation around Clubhouse, Agora, and cybersecurity dug deeper. Agora is based in Shanghai, raising inevitable questions about Clubhouse’s vulnerability to government surveillance. Note that Clubhouse is already blocked in China, but users are getting around that by way of VPNs and the like; users in China are adept at getting around their government’s Great Firewall. Other companies using Agora’s software include Bilibili, a $53B Chinese video-sharing app with 170M-plus users that is considered the nearest thing China has to YouTube; New Oriental Education, a $33B Chinese ed tech firm; and Yalla, a $5.6 billion Chinese-owned app called the Clubhouse of the Middle East. Note the theme: Chinese connections to Agora.

So, Agora. And Chinese connections, and cybersecurity — that’s what our conversation today comes back to.

The Agora SDK Vulnerability

It was reported a few days ago that a severe security vulnerability in Agora’s SDK (software development kit) could have allowed an attacker to spy on ongoing private video and audio calls.

McAfee Advanced Threat Research reported that the flaw was found in Agora’s SDK used by dating apps like eHarmony, Plenty of Fish, MeetMe, and Skout. It was also found in healthcare apps like Talkspace, Practo, and Dr. First’s Backline.

Do yourself a favor, read this article from McAfee: Don’t Call Us, We’ll Call You: McAfee ATR Finds Vulnerability in Agora Video SDK

Fred and I talked about why this matters, including the fact that Agora’s SDKs are estimated to be embedded into mobile, web, and desktop apps across more than 1.7 billion devices globally.

Note that McAfee disclosed the flaw in April of 2020, and it took Agora seven months to release a new SDK to remediate the threat posed by the vulnerability. The weakness was the result of incomplete encryption and could have been used to launch man-in-the-middle attacks and intercept communications between two parties.

Let’s see, Agora is used by dating sites and healthcare sites/companies — where there’s no dearth of personally identifiable information.

There is no evidence (yet) that this vulnerability was exploited, but it does underscore the need for security to be a foundational part of all applications.

Cybersecurity News and The SolarWinds Hack

Our cybersecurity conversation then shifted to the SolarWinds hack and news out of the White House.

The White House released updated figures on the number of companies and federal agencies it (so far) believes are impacted by the SolarWinds hack. As of today, that’s 9 federal agencies and 100 private sector companies. Fred touched on Deputy National Security Advisor Anne Neuberger’s briefing and the news that, although the hack is still believed to be of Russian origin, Neuberger said the hackers launched their attack from inside the US. You can find more on that briefing at MSN.

Some Good News Post SolarWinds Hack from Microsoft

We wrapped up our cybersecurity conversation with some good news post SolarWinds hack from Microsoft. You might recall that in December of 2020, early in the SolarWinds hacking story, it was discovered that threat actors had downloaded some Microsoft Exchange and Azure code repositories. Microsoft announced in a blog post on its Security Response Center, published on Thursday, that its internal investigation into the threat actor’s activity has concluded, and that there was no evidence of access to production services or customer data. The investigation also found no indications that Microsoft’s systems were used to attack others.

All in all, it was a great conversation and a nice chance to catch up on some important cybersecurity news. You can grab the video of our conversation here, or of course grab the audio on your favorite podcast app. And while you’re there, be sure to subscribe to our YouTube or Podcast channels so that you won’t miss an episode.

Disclaimer: The Futurum Tech Podcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.

Transcript:

Shelly Kramer: Hello and welcome to this episode of the Futurum Tech Webcast. I’m your host, Shelly Kramer, and I’m joined today by my colleague and fellow analyst, Fred McClimans. And we thought we would hop on LinkedIn and Twitter Live and talk a little bit about some cybersecurity news that you might have missed this week.

And we’re going to talk a little bit about the SolarWinds hack, we’re going to talk a little bit about Clubhouse, we’re going to talk about Agora.

And I’m sure Fred has something obscure in there that he’ll throw in because he always can be counted on for that. So hey, Fred, how are you today?

Fred McClimans: I’m doing well, Shelly. How are you?

Shelly Kramer: I’m great. I’m glad it’s Friday though. And we have a heat wave here in Kansas City, where I live. It’s 27 degrees, so it’s just a day we’re celebrating.

Fred McClimans: It is. I tell you, so we’re in not quite rural Virginia, but close. And this morning I got up, let the dogs out the door, and two big golden retrievers, they charge out like they always do, right off the steps, right across the lawn, paws going everywhere because it’s just a sheet of ice.

Shelly Kramer: Right. Yeah. Oh, I have a friend who lives in Maryland, in the Silver Springs area, and she said it’s just terribly icy. So we don’t have that right now, and you can keep that there as long as you’d like. So before we dive into this conversation, I do want to be sure and let you know that, in this conversation, we may talk about privately traded companies. We have opinions and lots of opinions on a number of different topics. This show is intended for information and educational and entertainment purposes only, and is not to be taken as investment advice.

So with that disclaimer out of the way, we’re going to start talking about Clubhouse a little bit, the current social network du jour. And so I can’t imagine that there’s anybody who’s watching or listening who doesn’t yet know about Clubhouse, but in case so, Clubhouse is an invitation-only social audio app, and it lets users connect in real time conversations. And they can also pop into rooms and listen to conversations that others are having. And I think the last number that I saw was that it’s at about 6 plus million users, and a recent funding round valued Clubhouse at about a billion. And so Clubhouse is in the news.

Now, how does this relate to cybersecurity? Fred and I have been talking a lot about Clubhouse, and actually, we’re going to do a separate show on what we see as perhaps an interesting future ahead for Clubhouse or something like Clubhouse. But today, we’re going to talk about cybersecurity as it relates to Clubhouse. And one of the things that is not talked about a lot is that Clubhouse is powered by Agora, and Agora is a $15 billion firm that offers real-time audio and video APIs.

And they have a lot of customers across the world. The company was founded in 2012, went public last year, and according to at least one investor, Clubhouse was built on Agora in the space of a week. That’s pretty quick. I think the last bit of information on Agora that I wanted to share before I throw it over to you, Fred, is that Agora is based in Shanghai, and that of course, raises questions about Clubhouse’s vulnerability to government surveillance because we do know that the Chinese government is incredibly good at surveillance.

And Clubhouse is already blocked in China. However, users in China are getting around that by way of using VPNs and the like. Other companies who are using Agora’s software, and there are many of them, include Bilibili, a $53 billion Chinese video sharing app, New Oriental Education, a $33 billion Chinese ed tech firm, and Yalla, a $5.6 billion app that’s being called the Clubhouse of the Middle East. So Agora and cybersecurity.

Fred McClimans: Yes.

Shelly Kramer: Let’s talk about that, Fred.

Fred McClimans: What a topic.

Shelly Kramer: What a topic.

Fred McClimans: It’s interesting. First, kind of stepping back, Agora is a publicly-traded company.

Shelly Kramer: Yes.

Fred McClimans: Valuation market cap now about $10 billion US.

Shelly Kramer: Yeah.

Fred McClimans: When you mentioned that Clubhouse is not available in China, that’s not to say that this technology isn’t used in China. It’s used extensively in China.

Shelly Kramer: Oh, absolutely.

Fred McClimans: I think the issue there is more one of just censorship and that firewall between Western apps and Chinese apps. But it’s interesting. When you look at this, and again, we have to say that this is allegedly built on the Agora platform, it’s not a big surprise that it would be Agora because they are one of those companies that just specializes in voice and video APIs.

Shelly Kramer: Right.

Fred McClimans: So essentially, if you think about the Clubhouse app, and to build an app like that, the initial beta or maybe even alpha proof of concept app that they built, yeah, I could see that taking a week. But they spent a lot more time, obviously, since then-

Shelly Kramer: Right.

Fred McClimans: … with this. But what Agora does is, if you think of an app like Clubhouse, you have your app in front of you, and you are going through your normal mechanics of using the app. You sign in. You register. There’s software on your phone, and then there’s also software back in Clubhouse’s servers, in the cloud. Well, when you communicate, that voice, or if it’s a video app, the video app, has to get somehow from your phone to their servers, and it’s the Agora API and the infrastructure that does that.

Shelly Kramer: Right.

Fred McClimans: So essentially, you’re transiting through their system to get to the other people that you’re communicating with. Now supposedly, here, what Agora can access is some of the unfiltered or unencrypted information about the identity of the user and the mechanics or the details of the room that they’re having a conversation in. So it doesn’t appear, at this point, based on some of the research that we’ve been reading and some of the speculation there, that they can actually get into the video itself.

Shelly Kramer: Right.

Fred McClimans: Kind of think of it like WhatsApp, with some end-to-end encryption for that portion of the communication stream. But just the fact that they are a firm based in China, that we’ve had ongoing issues with the Chinese government peering into businesses and having access to consumer and user data, is troubling in and of itself. And what really surprises me in all of this is that this is not the first time that we’ve seen something like this kind of come to light, the connection between an app and China, or a piece of technology in China.

Certainly, the whole issue with Huawei, over the past couple of years, with them potentially embedding backdoors into their tech, we know that there was a report this past November where a cybersecurity professional found backdoors in several Chinese routers that were being sold in the US, that they believed had been infected with malware and were capable of delivering information back to somebody.

So TikTok, another great example there, with the application itself coming from a Chinese firm, allegations of information being collected, and we know these apps collect a ton of information on users, and that information potentially being available to the Chinese government. So that’s not surprising. What’s surprising is that nobody seems to be learning any of these lessons and talking about this. They’re just kind of sweeping it under the rug. It’s almost a non-issue for most people, and I think that speaks volumes to our willingness to just throw our data out there for anybody.

Shelly Kramer: Yeah. Yeah, absolutely. And one of the reasons that Clubhouse and Agora made it onto our radar screen in a conversation about cybersecurity, I’m going to connect one more of the dots, is that it was reported, a few days ago, that there was a severe security vulnerability in Agora’s SDK, which is the software development kit. And that vulnerability could have allowed an attacker to spy on ongoing private conversations, video, and audio calls.

This was reported by McAfee Advanced Threat Research. They found the flaw, and the flaw was actually used by dating apps like eharmony, Plenty of Fish, MeetMe, and Skout. It was also found in healthcare apps, and the ones they specifically identified were Talkspace, Practo, and DrFirst’s Backline. So when you think about security vulnerabilities and dating apps and all of the personal information that we give dating apps, and healthcare and all of the personal data that healthcare apps have on us, that makes it a little scary.

And one of the things that you and I talked about, Fred, earlier, when we were talking about this conversation, in advance of having it, was that Agora’s SDKs are estimated to be embedded into mobile, web, and desktop apps across more than 1.7 billion devices globally. So we’re using Agora’s SDKs probably daily, and we don’t know.

Fred McClimans: Sure. Yeah.

Shelly Kramer: And if you’re using Clubhouse, you’re using Agora’s SDK. So to be fair, and to wrap this up so that we can move on to our next topic, McAfee disclosed this flaw in April of 2020. Agora released a new SDK on December 17th, 2020, lots of months in between there, to remediate this threat. This weakness was a result of incomplete encryption and could have been used to launch man-in-the-middle attacks and interpret communications between two parties.

So we don’t have evidence yet that this vulnerability was exploited, but it existed, it was out there in the wild for a significant period of time, and it does really underscore, to your point, Fred, the importance of the need for security to be absolutely a foundational part of application development, of day-to-day operations, of threat investigation.

Fred McClimans: And equally important, user behavior. Whether you’re a business or an individual, user behavior, so important there. And I’ll tie an odd one, but one that we’ve mentioned a number of times, Elon Musk into this whole conversation because you have this app that’s still in beta, it’s invite-only, and earlier this week, Elon Musk tweets out to Vladimir Putin, President of Russia, saying, “Hey, join me on a Clubhouse chat.”

Shelly Kramer: Right.

Fred McClimans: And Russia responds, “Hey, we’re very interested in that.” Hasn’t happened yet.

Shelly Kramer: Right.

Fred McClimans: But just the fact that this is taking place over an unproven, potentially risky app, come on.

Shelly Kramer: It is, I think, worthy of bringing attention to.

Fred McClimans: It is.

Shelly Kramer: And that’s really what we’re doing here. So speaking of-

Fred McClimans: Yes, next up.

Shelly Kramer: … next ups. In cybersecurity news, we want to talk a little bit about the SolarWinds hack. And so the White House released, today, some updated figures on the number of companies and federal agencies it so far believes were impacted by this SolarWinds hack.

We’ve got 100 private sector companies, and we’ve got nine federal agencies. But there is some big news there, Fred. Tell us what that is.

Fred McClimans: Yeah. This was one of those items that, when I saw it, I thought, oh, this is going to get everybody’s attention.

Shelly Kramer: Right.

Fred McClimans: And because of the whole Robinhood congressional hearings and the snowstorm, the weather, the power outages, it just kind of got lost. But what the White House is saying, Anne Neuberger, from the … I forget her title. She is the deputy head of cybersecurity.

Shelly Kramer: Yeah.

Fred McClimans: And I’m going to go back and check that in a minute because I know I’m wrong. She had a press conference in which she revealed that, while we still believe it was Russia behind the attack, itself, the origin of the attack into the SolarWinds software was from the US. So that originated on a device in the United States, kind of an attack from within, and that’s notable because when we think of cybersecurity, a lot of people have this impression that, well, if it’s Russia, that means that the data was tracked back to Russia.

Shelly Kramer: Right.

Fred McClimans: And that’s not what we’re talking about here at all. We’re talking about the techniques, the tools, the modus operandi of these organizations, the way they operate as one of the ways that we identify them, including the software that they use and the techniques and so forth.

But being inside, what that kind of reinforces, for me at least, is the fact that the edge of the network doesn’t really exist, that there is no edge. The edge is every device, everywhere, and we need to start thinking a little bit more about the fact that, just because we are in a country, that’s not a safe thing necessarily.

It’s like being within your organization, having a bad actor inside your organization. I wouldn’t quite call this an insider attack, but just the fact that we’ve identified now that it originated from a device in the US, I think that’s a very significant thing and something that a lot of businesses start to need to think about a bit.

Shelly Kramer: Yeah.

Fred McClimans: It’s not risk that necessarily comes from an overseas connection or an overseas source that you need to be looking for in your data stream. It’s a risk that could be coming from a device a block away at a Starbucks.

Shelly Kramer: Well, and what we know about threat actors, what we know about Russia, what we know about Chinese, what we know about Israeli … not Israeli. Who am I thinking of?

Fred McClimans: North Korea?

Shelly Kramer: North Korea.

Fred McClimans: Or Iran?

Shelly Kramer: Iran, yes.

Fred McClimans: North Korea? Iran. Oh, okay.

Shelly Kramer: That’s what I was thinking of, Iran. But what we know about that is a given is that they are incredibly patient, and that’s the path to success. And so these things, this SolarWinds hack happened a long time ago, in cybersecurity age I mean. And today, we think there’s 100 companies who have been impacted, and we don’t know what that number is going to be.

And you see things like, Fred, I know you’ll remember in the news, not that long ago, there was a water treatment facility that was compromised, and attackers tried to put … I can’t remember what the chemical compound was, but something that is used in the process, tried to-

Fred McClimans: Essentially lye. Yes.

Shelly Kramer: Yes.

Fred McClimans: Yeah, right.

Shelly Kramer: Which could have-

Fred McClimans: So they gained remote control of the computer and initiated changing the valve and the instructions to flood additional lye, which would have been incredibly toxic. That was discovered, fortunately, and stopped mid-process by the one individual-

Shelly Kramer: By one person.

Fred McClimans: … who’s responsible for cybersecurity for the entire operation.

Shelly Kramer: Right. So when you extrapolate out, oh, SolarWinds, why do we keep talking about that? We don’t know what we don’t know. Today, we know there’s nine government agencies. We know there’s 100 … And for every bit of information that is released on this, there are hundreds and hundreds of pieces of information that aren’t, and rightfully so.

But I think that when you stop and think about it, you look at what’s been happening in parts of Texas this last week, with problems with their power grid and how that is affecting people’s lives, and not only in Texas, other states as well, but how that is totally upending people’s lives and, in some instances, causing loss of life.

And then when you think about things like all of our utilities, our water operations, all of those things that we rely on without giving a thought to, at any given time, and the danger to all of us if some of those are compromised. I mean, that is a really big deal, and I think that’s what-

Fred McClimans: It is.

Shelly Kramer: … yeah, that’s what I think about.

Fred McClimans: And Shelly, I’ll add a couple quick points on that. When you look at the type of cyber threats that we face, we can definitely group them into different buckets, different types of threat actors. You’ve got sort of the casual hacker, the typical … I’m trying to think of a good example, here, but the person that just wants to mess things up, the anarchist out there. Yeah, they might steal some data, but they get the thrill out of penetrating a system to prove I can do this.

Shelly Kramer: Right.

Fred McClimans: Then you’ve got those individuals that will do that, steal data on an individual basis, or maybe as part of an organized crime group, steal data and drop it out there. And in fact, we just found today that there were 14 million Amazon, eBay account records, or 14 million individuals, that have now turned up online for sale.

But then you’ve got the state sponsored actor, and that state sponsored attack, that threat, that’s something that typically they get access to the system, and it’s six, 12 months before they start to do anything. There’s a learning process. There’s a listening process there. And those kind of attack-

Shelly Kramer: And they’re patient.

Fred McClimans: They’re very patient.

Shelly Kramer: They’re very patient.

Fred McClimans: And then the other thing is, look at what happened in Texas. I know we’ve been covering this, some of the other analysts, talking about the chip shortages that are out there from the silicon providers, and the power and snow and ice issues in Texas actually just piling on top of that. Which is one of those situations where you have to start to think, do organizations have enough of a risk focus in their organization to actually sit down and make sure they have a good continuity of operations plan? Do they have a good restoration plan for when these types of … It’s not a black swan event, but it’s a gray swan event, that kind of shuts them down. So continuity of operations and tying risk and cyber all together, for me, that’s a critical element.

Shelly Kramer: Well, and we know that some organizations are focused on that and that many are not. And we did some recent research in partnership with Dell, I think, and focused on cybersecurity, and we found in that research study that companies who used technology and had dashboards that allowed for constant, real-time access into their systems … Oh, I’m sorry. I’m so sorry.

Fred McClimans: That’s all right. We’re live.

Shelly Kramer: That’s Daniel calling me on WebEx. But companies who have that kind of view into what’s going on know that attacks are happening on a regular basis, and they know what they’re doing to combat them. Whereas people who don’t have a view into what’s happening truly think that they’re not at risk, and that’s really not the case at all.

Fred McClimans: Yeah. Yeah, that’s crazy. In fact, we’ll drop a link into this recording, into the comment section, later on that, but that was essentially one of the findings, where organizations that didn’t use dashboards were significantly more likely to say they had never been hacked within the past 12 months.

Shelly Kramer: Yeah, it was crazy.

Fred McClimans: Because they just didn’t know. It’s crazy. But yeah, that’s sort of a scary thing. Now, there was something with Microsoft related to the SolarWinds hack. Didn’t they update us-

Shelly Kramer: They did. It was actually good news. I think we wanted to wrap up our show with some good news. And in the early days of the SolarWinds hacking story, December of 2020, early days, it seems like that was yesterday, it was discovered that threat actors had downloaded some Microsoft Exchange and some Azure code repositories. And so of course, that would be a big negative, right?

Fred McClimans: Right.

Shelly Kramer: And Microsoft announced, in a blog post on its Security Response Center that published yesterday, that its internal investigation had wrapped up. They’d done an extensive internal investigation into this activity of the threat actor, and there was no evidence at all of access to production services or customer data. And the investigation also found that there were no indications that Microsoft systems were used to attack others. So I thought that was great news.

Fred McClimans: That is. That’s sort of the silver lining, to an extent here, that Microsoft has their act together internally. And I know they also participated in that initial discovery process. Once they realized there had been an attack out there, they worked very closely with SolarWinds and other organizations to figure out what’s the scope and the extent of this? So hats off to Microsoft for letting us know what’s going on there.

Shelly Kramer: Yeah. I think that’s great. Well, listen, Fred, it’s always a pleasure to hang out with you on a Friday afternoon or any afternoon.

Fred McClimans: Likewise, Shelly.

Shelly Kramer: But thanks for rounding up this cybersecurity news with me. And I think you and I are the two members of our team that are most cybersecurity freakishly focused, so it’s always great.

Fred McClimans: Freakishly focused.

Shelly Kramer: Fred, you and I could talk about this forever. So for anybody hanging out with us, thank you for that. We always appreciate having these conversations and sometimes just throwing them out there and seeing who comes to hang out with us, so that’s great. And with that, we’re going to be off, and we’ll see you again on another day.

Fred McClimans: Have a great weekend and wear a mask.
