SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Friday, March 29th 2019

SANS ISC Handlers

Tech News, News, Technology

🗓️ 28 March 2019

⏱️ 5 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Passive DNS; Incomplete Cisco RV320 Patch; TP-Link Debug Port

Transcript

0:00.0

Hello, welcome to the Friday, March 29th, 2019 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today I'm recording from Madrid, Spain.

0:14.1

I keep saying one of the most useful log sources that you can get in your network that's actually also reasonably easy and cheap to get is DNS logs.

0:25.7

Now, typically you would get them from your DNS servers,

0:29.8

but either you don't run your own DNS server or you're having problems

0:33.7

enabling sufficient granular logging.

0:37.3

After all, doing full query logging can sometimes

0:39.7

be quite taxing on your name server. Also, if you're running Windows name servers, the log format

0:46.4

isn't that easily digested by your normal set of log analysis tools. So Xavier today has another option for you, and that is running your own passive DNS service.

1:01.3

Passive DNS service is essentially a sniffer that watches your network traffic for DNS queries and replies,

1:08.1

and then summarizes them, and with passive DNS, the tool that Xavier introduces

1:14.5

to you here, you even have the option to create JSON formatted output, which of course is ideal if you

1:20.9

then import the data into Elasticsearch in order to integrate it with your other security data.

1:28.1

The same of course is also true for Splunk, so that's the tool actually that Xavier is

1:33.2

discussing in his blog post. So take a look at his post if you are interested in any of the

1:39.8

details. And Cisco's small business routers RV320 are in the news again, and this time it's

1:49.6

certainly not good news. About a month ago, Cisco did patch a fairly simple web application

1:57.2

vulnerability in these routers that allowed remote code execution without authentication.

2:03.6

Well, it turns out that this patch was actually not a patch at all.

2:09.6

Instead, the only thing the patch did was add a configuration option to the nginx configuration. That's the web server running on these

2:19.5

routers that would block any user agent that contains curl. Of course, many proof of

2:25.8

concept exploits released for the vulnerability did use curl in order to launch the exploit,

2:32.1

but everybody, probably that listens to this podcast, knows it's

...