ISC StormCast for Friday, January 6th 2017
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 6 January 2017
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello, welcome to the Friday, January 6th, 2017 edition of the SANS Internet Storm Center's Stormcast. My name is |
| 0:08.0 | Johannes Ullrich, and today I'm recording from Jacksonville, Florida. Earlier this week, the registrar |
| 0:15.1 | that is hosting Google's Brazilian domain, google.com.br, apparently was compromised, and Google's name |
| 0:24.4 | servers were pointed to a different destination. With that, the attacker, of course, had full |
| 0:31.3 | control over all google.com.br DNS entries, MX records, and the like, and could change them at will. |
| 0:40.7 | Now, they also changed the TTL, the time to live, to 24 hours. So if during the half hour window, |
| 0:47.2 | when the malicious DNS servers were active, you requested an IP address from that domain, you would then cache it for a full day before |
| 0:58.3 | it would expire and you would only then look up the correct IP address after Google fixed the |
| 1:05.8 | problem. This does keep happening to some of Google's foreign properties. We had, I think, two years ago, |
| 1:12.9 | the Malaysian domain was, if I remember correctly, at least compromised twice. |
| 1:18.4 | All of this is not really within the control of Google, because for some of these country-level |
| 1:24.3 | domains, actually other companies are running the name servers, |
| 1:29.4 | and with that, of course, they don't really have any effect on how those name servers of the |
| 1:35.8 | registrars that are hosting these country level domains are managed. |
| 1:41.6 | Now, Renato Marinho did create a really great write-up about this particular issue |
| 1:46.9 | with lots of details like the IP address and such that were involved in this particular attack. |
| 1:53.1 | He himself resides in Brazil, so he had sort of a first-person view of this particular event. |
| 2:00.2 | As far as everybody else's domain goes, you really |
| 2:03.8 | have to monitor your domains, make sure they're not being altered. This was sort of the most |
| 2:10.2 | obvious change an attacker could make. We have seen, of course, in the past, when an attacker would, |
| 2:15.4 | for example, just change MX records or add |
| 2:19.2 | additional host names in order to use them in targeted phishing attacks. |
... |

