meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Monday, June 11th 2018

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

News, Tech News

4.9754 Ratings

🗓️ 11 June 2018

⏱️ 6 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Microsoft Paper: Device Security; Finding Deserialization Bugs With Freddy;

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Monday, June 11th, 2018 edition of the Santernut Storm Center's Stormcast. My name is Johannes Ulrich,

0:08.2

and I'm recording from Jacksonville, Florida. During this podcast, I often complain about vulnerabilities in devices.

0:17.8

And of course, the Internet of Things is a huge topic these days. Microsoft is weighing in

0:23.9

with an interesting paper that they entitled the seven properties of highly secure devices.

0:31.5

It really describes seven common sense technologies that you should use if you do code for devices. Now I think it's a

0:41.5

little bit focused on probably the higher-end devices like mobile phones and the like, but

0:47.5

pretty much everything they are proposing does also apply to little things like famously IT cameras and the like. I in particular

0:57.8

like hardware-based route of trust where you do have sort of an enclave to store secrets

1:04.3

in also certificate-based authentication and the ability to update automatically.

1:11.4

The last one, the failure reporting, some people may take a little bit of exception on.

1:16.2

What they're suggesting here is that devices should report software failures back to the manufacturer.

1:25.2

Microsoft, of course, does that for a long time in Windows where they're collecting

1:29.4

sort of debug reports if software fails on a PC. But of course, with the PC, the user has the

1:37.2

option to intercept these reports and not send them. So I think this is a real good paper and if you're not a developer,

1:46.6

if you're not developing for devices, then this is certainly something to consider if you

1:52.1

are purchasing devices in bulk and something to talk with your vendor about.

1:58.5

Another hot topic recently, decerellization and has been kind of tricky to find

2:04.8

deserilization vulnerabilities in the past given that there weren't really any great tools for it.

2:10.2

Well the NCC group now came up with the extension for the BIRP suite that targets deserilization vulnerabilities. They are calling it

2:20.7

Freddy. Freddie comes with 35 modules and 88 different remote code execution payloads that allow you

2:29.1

to look for these deserilization vulnerabilities in dot net or in Java.

2:36.2

And cryptojacking certainly has been one of the big stories this year so far.

...

Please login to see the full transcript.

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2026.