Hello and welcome to the Friday, December 9th, 2020 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from San Francisco, California.

Rob's diary today looks for a difference, not the logs that you actually have, but the logs that you are missing.

The incident that Rob is talking about is an outage in a firewall, and well, the challenge here was

figuring out basically how much logs are we missing, when did the outage start, when did the end,

basically, when was there no logging

from that particular device. Part of the challenge was the volume of logs, of course,

that you had to deal with. So what better than to create a little script in order to identify

the gap in the logs and also identify how long it lasted.

Rob is going over this particular problem and then presenting the little script that he ended up using

that worked in this particular case to nicely identify the missed time gap and also give them hints

about what actually happened here.

And the Google Threat Analysis Team has an interesting blog post with details regarding an

Internet Explorer Saturday that was used in late October.

In late October, due to overcrowding at an outdoor Halloween event,

a large number of people were actually killed and injured,

and this particular malicious work document used this incident as a lure

in order to trick people into opening the document,

which then rendered HTML,

and well, HTML in office is rendered using Internet Explorer, which then triggered this at the time unknown vulnerability. Google reported this vulnerability to Microsoft and Microsoft fixed it pretty quickly

in the November update. So more details now about the vulnerability and also about this particular

malicious document and how it worked from Google's threat analysis group. And don't have the skills to write your own malware,

...