Hello, welcome to the Friday, November 18th, 2016 edition of the Sandtonet Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier had an interesting example today about how you have to be careful when you are investigating an

incident, because the bad guys sometimes take specific countermeasures

in order to prevent someone from, for example, finding a manipulated web page.

In this particular case, the attacker left behind a large blacklist of IP addresses, user agents,

and the like that were not shown the fishing site that Xavier was looking at in this case.

This can be particular problematic if you come across a site like this.

You do notify, for example, the ISP hosting it, but then the ISP cannot verify the existence of the fishing site

because the ISP's investigative team is misled by these countermeasures.

So if you're investigating a site like this, it's always good to have sort of an uninterpretable

DSL or cable modem connection that you can use

in order to visit these sites from a safe and isolated system, of course. This will make it

more difficult for the attacker to figure out who is actually investigating them. And of course,

it will also protect your own network

if you access sites like this from an isolated system.

Drive by downloads is mostly something Windows users are concerned about, but well, they're no longer

really alone, turns out.

If you're running Google Chrome on Fedora, you're

also subject to a fairly simple drive-by download attack. In this particular case, Chrome will

automatically download files to the user's desktop without any confirmation. Now, this in itself

wouldn't execute code, but Fedora has a tracker

...