Hello, welcome to the Friday, June 26th, 2020 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

And a couple of you asked for recordings of the Tech Tuesday workshop.

Well, we are not recording these workshops because there are these breaks for exercises and such,

but what I'm doing instead is I'm recording the content of the workshop in three separate

videos.

Meet the first one live today that explains how to install the honeypot.

Was hoping to get the second one live today as well.

Well, if not today, then maybe tomorrow I'll make the two other videos live.

And those two other videos will go over how to use our data and also a video about a little bit

of the background of Internet Storm Center and D. Shield.

And yes, XIF data is back.

XIF data is comments and other associated data that you often find in image files.

Now, this type of data has been abused heavily in the past to smuggle data across

networks. The latest example was found by Malabites, and they found that favorite icon,

these FAF icon files that you often see displayed in your browser's toolbar are being used to actually

transmit code.

They found some credit card skimming JavaScript that by itself actually doesn't look all

that malicious.

At least you don't really know what it's doing, but it is loading a remote

Fav icon file, then parse it for XF data. And for example, the copyright field in the XF data

...