meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Friday, May 29th 2020

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

Tech News, News, Technology

4.9696 Ratings

🗓️ 29 May 2020

⏱️ 19 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. USBFuzz; Saltstack vs. Cisco; SHA1 Even Deader; @sans_edu : Threat Actor Assessments

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Friday, May 29th, 2020 edition of the Sands and its Storm Center's Stormcast.

0:07.5

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

0:13.3

Back when we were still meeting at conferences and handing each other USB drives, for example, with virtual machines for the glass.

0:22.9

There was always that little bit uneasy feeling that a little bit snickering about,

0:27.1

well, I have to plug this USB drive that you just gave me into my computer.

0:33.0

Can I trust it?

0:34.1

And of course you can trust USB drives that I give you, but what could possibly

0:40.3

happen? Now, back in the old days, of course, there were a lot of these sort of auto-run style

0:46.3

exploits where software would run as soon as you plug in a USB drive, but that has been less of a problem on a well-configured system.

0:57.2

Another issue, however, are various USB drivers that have to interact with the USB drive.

1:05.8

And a new tool USB fuss has looked at vulnerabilities in USB drivers that are included in operating systems.

1:16.0

And of course, they found quite a few of them. They discovered a total of 26 new vulnerabilities

1:23.0

across various operating systems, including Linux, which got 16 out of those 26, one buck

1:30.5

in free BSD 3 in Mac OS, and then the remainder is so distributed between Windows 8 and

1:38.6

Windows 10. Now, I didn't see when reading this any sort of direct remote code execution vulnerabilities, but there are some blue screen of deaths, there are some system freezes and such.

1:53.0

And whenever you have a denial of service like this created by a fuzzling tool, there could be a potential for code execution,

2:01.3

but of course these fassing tools often don't trigger the code execution,

2:05.5

but instead just a system crash.

2:09.4

Now, good news here, the bugs were reported to the respective operating system.

2:14.6

Many of them have been patched.

2:21.8

The USB fuss tool that was used to find these vulnerabilities will soon be open sourced, has not been open sourced yet, but the name

2:29.3

of the GitHub repository has already been announced. And of course, I'll add a link to the complete paper to the show notes.

...

Please login to see the full transcript.

Previous episode | Next episode

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.