Hello, welcome to the Monday, September 24th, 2018 edition of the Sansingot Storm Center's

Stormcast. My name is Johannes Ulrich. And today I'm recording from Nevada, Las Vegas.

Well, we got some interesting diaries to start out with. The first one actually is based on a report

we got originally from a reader.

The reader noticed that his firewall, of all things, was doing DNS lockups for malicious domain names.

So he was suspecting that the firewall may be compromised.

What actually happened was that this firewall loaded a block list of domains to which it was supposed to block connections. But well, firewalls don't really block connections to host names. They block connections to IP addresses. So in order to do its job, the firewall had to look up the IP addresses associated with these

host names in order to be able to block them. Well, in the end, a false positive but an interesting

one. Of course, if your firewall is actually more an HTTP proxy, then it will actually filter

host names and not just IP addresses.

And the second diary was from Manuel.

Manuel looked at some mobile applications and one in particular that actually used users'

fingerprints to authenticate.

Now, if you do that, there are a couple different ways to do it.

You could use the APIs that your mobile

device offers and use the built-in fingerprint reader. That usually doesn't send any information

to the actual other side. It just authenticated the user locally on the phone. In this case,

however, the fingerprint image, which was actually sent to the remote API.

Problem here, that connection wasn't properly protected.

Man in the middle was possible.

If you're using TLS between APIs, then what you really have to do is some form of certificate

pinning or verifying that the certificate was signed by the proper certificate

...