ISC StormCast for Monday, November 13th 2017
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 13 November 2017
⏱️ 7 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Monday, November 13th, 2017 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich and I am recording from Jacksonville, Florida. |
| 0:12.7 | Xavier this weekend had a nice diary introducing a trick to learn more about certificates installed in Windows. |
| 0:21.6 | Turns out with PowerShell, you have a virtual device cert colon that essentially leads to the certificate |
| 0:30.2 | store and can be easily used to enumerate all trusted route certificates. |
| 0:35.4 | The reason this is important is that we had it happen several times, |
| 0:40.5 | usually a couple times a year, where malware and sometimes actually also intentionally installed |
| 0:46.4 | software like drivers do install additional route certificates. And then of course, an attacker |
| 0:53.3 | could use these certificates to sign additional certificates. And then of course, an attacker could use these certificates to sign additional |
| 0:57.3 | certificates that your operating system will trust. So taking stock of these root certificates |
| 1:04.3 | occasionally certainly makes sense. Personally, I'm not a big fan of removing any certificates that are installed by the operating system by default. |
| 1:14.3 | What you're risking there is that your users will get warning messages if they visit legitimate sites. |
| 1:21.0 | On the other hand, that's a real good trick that was provided in one of the comments. |
| 1:25.8 | You can also monitor this passively. For example, Pro |
| 1:30.1 | extracts all certificates, it sees an SL traffic, and then you can easily review who sign |
| 1:36.6 | these certificates, who were the certificate authorities, and look for anomalies here. And Google published |
| 1:42.3 | an interesting study showing how Google accounts are hijacked. |
| 1:47.8 | Well, it should really be a big surprise. There's sort of three ways how this is done. |
| 1:52.9 | First of all, if details about an account are being leaked in another breach and the user |
| 1:59.1 | did reuse passwords, that's one reason. The most successful, |
| 2:04.6 | the most important way, however, appears to be fishing. I was a little bit surprised about the success |
| 2:10.6 | rate. They're stating that 12 to 25% of fishing in key logger attacks yield a valid password. I'm not 100% sure how they |
| 2:20.0 | counted that if this is only among people that actually responded to the fishing scam, |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.