ISC StormCast for Friday, May 12th, 2023

Released Friday, 12th May 2023

Episode Transcript

0:00

Hello and welcome to the Friday, May 12th, 2023 edition of the SANS Internet Storm Center StormCast. My name is Johannes Ullrich and I am recording from Jacksonville, Florida.

0:14

I wrote a quick diary today about how to geolocate addresses, or really better, some of the difficulties around geolocating addresses. There is of course a simple and easy method: you just plug it into any of a number of different websites that will spit out the geolocation of this address for you. But the problem is that many of the databases that this geolocation relies on are not necessarily 100% up to date. And also there are a couple of notoriously difficult cases, like for example mobile phones, which are becoming a bigger and bigger issue, and then also satellite connections, of course, that are difficult. But that's not the only problem here. Also, ISPs tend to sometimes move IP addresses around from one geographic region to another, depending on where they need IP addresses, and the databases that are being used for geolocation aren't always up to date.

1:21

A couple of other solutions that I point out here are a couple of other ideas on confirming geolocation. The one that I probably like the most is traceroute, because that kind of tells you what the upstream ISPs are and, as such, how the data is being routed to the particular IP address. And that can at least be a reasonably good confirmation that the data that you got from the database, which is often based on WHOIS data, is somewhat accurate. If you have any ideas or any difficult-to-look-up IP addresses, well, let me know. And also, I used a little example here of an IP address. It isn't really terribly difficult to geolocate, but I'm actually still not 100% sure about the country that that IP address is located in.

2:11

And well, supply chain attacks are just not going away. Researchers from Trend Micro presented at Black Hat Asia about mobile phones that come pre-installed with malware. In the past we have often talked about, and particularly in the Android world, sort of free applications being installed on cheaper phones that are at least dubious. This one is more or less outright malicious, where attackers are actually infiltrating companies that are manufacturing these phones and then installing malware at the factory. Trend Micro identified over 80 different plugins, and it's sort of your standard crimeware. One, for example, I think is kind of interesting: it allows the attacker then to rent the phone out, five minutes at a time, to other criminals. And then there's of course your standard spyware, keystroke loggers and all the other good stuff that we sort of expect from malicious software.

3:21

Trend Micro identified about 8.9 million infected devices. This may not really be all that big of a number if you compare it to the billions of actually produced Android phones. On the other hand, this number is probably just the part of the infected population that was actually identified in Trend Micro's telemetry. And again, this doesn't sort of affect your big brand name devices, really more sort of the cheaper low-end devices. With that, also geographies like Eastern Europe and Asia, where these phones are more common, tend to be more likely to be infected.

4:04

And then I want to at least quickly mention the breach of Dragos. Dragos, one of the leading ICS security firms, had a breach. Nothing super serious, but two reasons I want to mention it. First of all, to congratulate them on being so open about this event. And then secondly, to focus on one aspect of this breach: the root cause appeared to be a new hire, someone that actually wasn't sort of fully onboarded yet to the company. These new hires, that's always sort of a risky user group. I've seen, for example, new hires being targeted after they mentioned on LinkedIn that they got hired. This is not something that you can always avoid. In this particular case, for example, I believe it was a salesperson. They usually have to announce who they work for. That's after all sort of part of their job. But you definitely need to sort of get some controls around this sort of sign-in process. How do you hand credentials to new hires, in particular if you are working for a mostly remote organization?

5:19

In early February, Ruckus patched a vulnerability in their wireless devices. It was one of those typical IoT-style web application vulnerabilities, pretty straightforward to exploit. Well, Fortinet is now reporting that the AndoryuBot botnet, if I pronounce this correctly, is taking advantage of this vulnerability. It's a smaller botnet. It's not sort of yet another Mirai derivative. It does a little bit different things around the SOCKS protocol. But definitely make sure that your Ruckus equipment is up to date.

5:57

And well, that's it for today. Thanks again for listening. If there's anything I can do better, let me know. Please leave good reviews with your favorite podcast website if you do think I do a good job, and finally, please subscribe. Thanks, and talk to you again on Monday.
