Hello and welcome to the Friday, November 11, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Xavier today wrote about the difference between what he's calling observables and IOCs or indicators of compromise.

And the tool he's really using here, distinguish between the two is the hive.

The hive is an open source sort of threat intelligence platform.

It allows you to aggregate different feeds and add context to some of the data that you may observe,

these observables in your logs. And I've talked about this before and some of the threat

feeds that we offer here at the NITS storm center. Also, I always call them add color to your logs.

But the real issue here is that you essentially try to cut down on the noise

and you are trying to prioritize events that really matter. And that's really sort of what that

distinction is between an observable, which maybe just some random hit to your firewall,

doesn't really matter. And an indicator of compromise, something

that's actually validated and something that's linked to a specific threat.

And Google fixed an interesting lock screen bypass in Android with its latest monthly security update.

We had in the recent past some vulnerabilities in Android and iOS that allowed sort of a partial

lock screen bypass where you could see like recent messages or photos or the address book,

but this is actually a complete unlock of the phone. What is required here

is that you replace the SIM card in the phone with one that the attacker owns and knows

and then lock the pin for the SIM card, basically, enter the wrong pin three times, then if that happens, you have

the option to unlock your SIM card with a puck code. And well, once you enter the correct

puck code, of course, the attacker would know that for their own SIM card. The phone

...