Episode Transcript
0:00
Hello and welcome to the Friday, May
0:02
12th, 2023 edition of the SANS Internet Storm Center Stormcast. My
0:08
name is Johannes Ullrich and I
0:10
am recording from Jacksonville, Florida.
0:14
I wrote a quick diary
0:16
today about how to geolocate
0:18
addresses, or really some of the difficulties
0:21
around geolocating addresses.
0:24
There is of course a simple and
0:26
easy method. You just plug
0:29
it into any of a number of different
0:31
websites that will spit
0:33
out the geolocation for
0:35
you of this address. But
0:37
the problem is that many
0:40
of the databases that this geolocation
0:42
relies on are not
0:44
necessarily 100% up to date. And
0:46
also there are a couple of notoriously
0:49
difficult cases like for
0:52
example mobile phones which are
0:54
becoming a bigger and bigger
0:57
issue. And then also satellite
0:59
connections of course that are difficult. But that's not
1:01
the only problem here. Also
1:04
ISPs tend to sometimes move
1:07
IP addresses around from one
1:09
geographic region to another depending
1:11
on where they need IP addresses
1:14
and the databases that are being
1:16
used for geolocation aren't
1:19
always up to date. A
1:21
couple of other solutions that I point out here are
1:23
a couple of other ideas on confirming
1:25
geolocation. The one that I probably like
1:27
the most is traceroute because
1:30
that kind of tells you what the upstream ISPs
1:32
are and, as such, how the data is
1:35
being routed to the particular IP address.
1:38
And that can at least be a reasonably
1:40
good confirmation that the data
1:42
that you got from the database which is often
1:45
based on whois data is
1:47
somewhat accurate. If you have any ideas
1:50
or any difficult-to-look-up
1:52
IP addresses, well, let
1:54
me know. And also I
1:57
used a little example here of an IP
1:59
address that isn't really terribly difficult
2:02
to geolocate but I'm
2:04
actually still not 100% sure about
2:06
the country that that IP
2:08
address is located in.
2:11
And well supply chain attacks are
2:13
just not going away. Researchers
2:16
from Trend Micro presented at
2:18
Black Hat Asia about
2:20
mobile phones that come preinstalled
2:23
with malware. In the past
2:25
we have often talked about and particularly
2:28
in the Android world about sort of free
2:31
applications being installed
2:33
on cheaper phones that are
2:35
at least dubious. This
2:37
one is more or
2:39
less outright malicious where
2:41
attackers are actually infiltrating
2:44
companies that are manufacturing
2:46
these phones and then installing
2:49
malware at the factory.
2:52
Trend Micro identified over 80
2:55
different plugins and
2:57
it's sort of your standard crimeware.
3:00
One, for example, I think is kind of interesting: it allows
3:02
the attacker then to rent the
3:05
phone out five minutes at
3:07
a time to other criminals,
3:10
and then there's of course your standard
3:13
spyware, keystroke loggers
3:15
and all the other good stuff that we sort
3:17
of expect from malicious software.
3:21
Trend Micro identified about 8.9 million
3:24
infected devices. This may not really
3:27
be all that big of a number if
3:29
you compare it to the billions of
3:31
actually produced Android
3:33
phones. On the other hand this
3:36
number is probably just part
3:39
of the infected population that
3:41
was actually identified in Trend
3:43
Micro's telemetry.
3:45
And again this doesn't sort of affect
3:47
your big brand name devices
3:50
really more sort of the cheaper low-end
3:52
devices, and with that also
3:55
geographies like Eastern Europe
3:57
and Asia where these phones
3:59
are
3:59
more common, tend to be more likely
4:02
to be infected.
4:04
And then I want to at least quickly mention
4:06
the breach of Dragos.
4:09
Dragos, one of the leading
4:12
ICS security firms, had
4:14
a breach. Nothing super serious,
4:17
but two reasons I want to mention it. First
4:19
of all, to congratulate them on
4:22
being so open about this
4:24
event. And then secondly, to focus
4:26
on one aspect of this
4:28
breach, the root cause
4:31
appeared to be a new hire,
4:33
someone that actually wasn't sort of fully
4:36
onboarded yet to the company. These
4:39
new hires, that's always sort of a risky
4:42
user group. I've seen,
4:44
for example, new hires being targeted after
4:47
they mentioned that
4:49
they got hired on LinkedIn. This
4:51
is not something that you can always avoid.
4:53
In this particular case, for example, I believe it
4:55
was a salesperson. They usually
4:58
have to announce who they work for. That's
5:00
after all sort of part of their
5:02
job. But you definitely
5:04
need to sort of get some controls
5:06
around this sort of sign
5:09
in process. How do you hand credentials
5:11
to new hires, in particular, if
5:14
you are working for a mostly remote
5:17
organization?
5:19
In early February, Ruckus
5:22
patched a vulnerability in their
5:24
wireless device. It was one of those typical
5:27
IoT style web application
5:29
vulnerabilities. Pretty straightforward to exploit.
5:32
Well, Fortinet is now reporting that
5:35
the Andoryu botnet,
5:38
if I pronounce this correctly, is taking
5:40
advantage of this vulnerability.
5:43
It's a smaller botnet. It's not
5:45
sort of yet another Mirai derivative.
5:48
It does a little bit
5:49
different things around the SOCKS protocol.
5:51
But definitely make sure that your
5:54
Ruckus equipment is up to
5:56
date. And
5:57
well, that's it for today. Thanks
6:00
again for listening. If there's
6:02
anything I can do better, let me know. Please
6:04
leave good reviews with
6:07
your favorite podcast website. If
6:10
you do think I do a good job, and
6:13
finally please subscribe and thanks,
6:16
and talk to you again on Monday.