Hello, welcome to the Friday, May 7, 2021 edition of the Sands and the Storms and StormCast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Daniel today wrote another diary about Asia's blob storage.

Now, in the past, Daniel has already written about exposed blob storage and how it's

often being abused, just like a good old Amazon AWS S3 storage. But lately, Daniel did spot an uptick

in brute forcing of these blob names. And one thing he looked at is, well, how does that hacker know if a blob exists or doesn't

exist and turns out there is the good old difference in error messages, where you get a

different error message back if a blob does exist or if it doesn't exist. Well, on the defensive side,

still a good idea to not have public accessible blobs deployed, but Microsoft also has now

a specific alert. It's still labeled as a preview and anonymous scan of public storage containers.

You can enable that in the Asia Security Center and it will not just alert you that someone is

scanning for blobs, but will also give you a list of terms that were used like, for example, blog or accounting and the like,

that the attacker used to prudeforce the blob's name. And if you're using an Android phone,

chances are that the system on a chip, the CPU essentially, inside the phone, is made by Qualcomm.

Now, Qualcomm, in order to communicate within its modem that is actually responsible for the cellular connectivity,

and to communicate also between components on this system on a chip, they're using something

called the Qualcomm Mobile Station, Modem interface, or short QMI.

QMI is a proprietary protocol, but a checkpoint went ahead to reverse engineer it, and surprise,

it found only one vulnerability.

Now the protocol itself use a lot of these time length value-based messages, of course,

known for calculating length wrong and such.

...