meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Monday, March 16th 2020

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

News, Tech News

4.9754 Ratings

🗓️ 16 March 2020

⏱️ 7 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Incremental Malicious PDFs; VPN Limits; Capturing Runts; Cooiethief; SANS Woring from Home Deployment Kit

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Monday, March 16th, 2020 edition of the Sansard Storms, Stormcast.

0:07.0

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

0:12.6

Well, DDI came across an interesting PDF, and if you know anything about DDI, you probably know what's coming next.

0:19.2

He's going to use some Python scripts to take

0:23.0

the PDF apart. What was kind of interesting about this PDF was that it used incremental updates.

0:30.4

In PDFs, when you make a change to the PDF, the change can actually be recorded as an incremental

0:36.5

update. So when you're retrieving the PDF and look at the viewer, you're seeing the new version of the PDF.

0:44.5

But when you're looking at the actual source of the PDF, you're seeing the original PDF and then an appendix essentially with the modification.

0:53.2

This is typically not what a Malware author wants,

0:56.6

because if the original PDF remains unchanged, then of course any anti-malivar signature

1:03.1

and so will probably still recognize the original PDF. Also, in this case, because the attacker

1:10.3

apparently did this a few times,

1:13.6

we sort of get a nice change history of various attacks, various campaigns, that essentially

1:19.9

used the same document with some minor changes. Same also applies to the metadata of the document, so we exactly know the timestamps,

1:32.1

for example, when the PDF was modified. Well, it's actually sort of interesting about the

1:38.2

timestamp was that it used UTC time zone of minus eight hours, which turns out to be the Pitcairn islands that are in this time zone.

1:50.4

And this island is famous for being apparently the island where the bounty mutineers stranded.

1:57.1

So I guess mutineering no longer really pays the bills, so they're switching now to attacking with PDFs versus bullets and cannons.

2:08.4

And one issue that keeps coming up with the COVID-19 crisis going on is VPN access, of course.

2:15.7

Everybody's trying to work from home, trying to do so securely,

2:19.2

and to use VPN to connect back to company resources is the standard way of sort of solving

2:25.5

that security challenge. There's one problem with this, that VPNs have a limited capacity.

...

Please login to see the full transcript.

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2026.