Episode Transcript
0:00
Hello and welcome to the Thursday, May 2nd, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida. Guy took a little binary that has been pestering his honeypot. The binary was uploaded via the Cowrie honeypot, which simulates an open Telnet and SSH server. Sort of a run-of-the-mill DDoS agent, but interesting: what Guy did is he uploaded it to the Assemblyline sandbox in order to extract some indicators of compromise. You have to be really careful here with the indicators of compromise, because the ones extracted here are definitely not all malicious sites. For example, as often, 8.8.8.8, the Google DNS server, is one of the IP addresses this malware connects to in order to check internet connectivity. It also apparently does a lookup of [unclear] here, also a very common public URL, likely just as a connectivity check. So don't just blindly use these indicators of compromise. They are often just used by this malware as a connectivity check, and they're using benign, well-connected websites that are often up. Also interesting here, another public DNS server: they're using 114.114.114.114, so four times 114, that appears to be operated by a Chinese company. It works well for me here, even though it does not look to be anycast. This IP address, according to traceroute, does actually appear to connect to China. Maybe the author of the malware is using this in case 8.8.8.8 or so is not reachable, and of course that may happen inside China.
2:02
And Maciej Pocwierz, a researcher from Poland, did write a blog post with some of the risks of Amazon's S3 billing. This is sometimes called a denial-of-wallet attack; some also call it a denial-of-wallet amplification attack. Nothing fundamentally new; it has been discussed before. For example, in February there was an article by Ben Liefeld discussing a similar issue. There are a couple of problems with AWS S3 billing. One is that you're being billed for requests that fail. So in the example that Maciej here discussed, in this case it was just PUT requests to an S3 bucket that failed. There were hundreds of thousands of them, which then quickly accumulated thousands of dollars in S3 charges. The other problem that sometimes shows up here is range requests. Someone is requesting a partial file from your server. You may still be billed for the entire file, even if only a small part of the file was actually requested. And worse, an attacker can then just disrupt, because you stop the transfer and you'll still be billed, which of course then enables an attacker to send multiple new requests. And that's sort of your classic kind of amplification attack, which is sort of where that denial-of-wallet amplification attack term comes from. Not really much you can do about this other than try to hide the name of your S3 bucket, which of course may or may not work, depending on your application.
3:50
And apparently the implementation of the alternative app stores in Europe is causing a little bit of a privacy issue here for iOS users in Europe. The problem is that websites are able to embed a button that will link to the respective alternative app store. Now, in order to avoid some accidental redirects, there is a user interaction required; that's why it's implemented as a button, so the user has to interact with the button. Of course a malicious developer could always make this button look like something else that you may be willing to click on. But the problem here is not necessarily just that you may then be tricked into downloading some malicious software; it's that whenever you click the button you will actually transmit a unique authentication token. That token is derived for each device uniquely. It's also unique to a particular app store, but what could happen now is that if various websites collude, like they all put the same ad on their website, this button could then be used to basically link different visitors together as being the same device, if all these buttons are originating from the same app store. And it doesn't even look like you actually need a fully functioning app store; you just need to collect the URL and the data that's being submitted whenever you click that button. Overall, really, well, just yet another way advertisers may be able to track users.
5:35
And then, as the AI vulnerability of the day, there is a critical vulnerability in BentoML allowing for code execution, so double check if you're using BentoML to better understand what the risks are and how to protect yourself. Proof-of-concept code has already been published for this vulnerability.
6:00
That's it for today, and sorry for publishing yesterday's podcast a little bit late. We may actually have mixed it up on some platforms with the Thursday, May 2nd podcast as a result, so sorry for the confusion. If you haven't taken a look yet at our SANSFIRE lineup in July: currently I count three of our handlers teaching classes; there may be more, I'll have to double check again, but Xavier, Bojan and myself are teaching classes, so hope to see some of you there in person. These classes are offered in person as well as, of course, online, but we got some special things planned sort of for the in-person part, so you may want to check that out. And thanks, and talk to you again tomorrow.