Hello, welcome to the Thursday, August 16th, 2018 edition of the Sandcent Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Neat diary today from Brad about more mal-spam that includes encrypted office documents, so the user has to enter a password,

then the user has to enable macros in order to get infected with the latest Hermes ransomware.

Always amazing the loops that users will jump through in order to get themselves infected

if they typically have a hard time following

instructions like this for good. Now aside from that students in class always ask how can they

get more packet captures in order to sharpen their analyst skills. Well, this is one of these opportunities.

Brad, whenever he writes about malware,

he also links to a full P-cap of the particular infection.

So you can go through it, you can recover the malware

and really sort of work out how it all happened.

It looks like as a follow-up to last week's segment smack denial of service vulnerability

in the TCP reassembly code for Linux, we now sort of have the IP equivalent, an IP

defragmentation or IP fragmentation reassembly vulnerability. It also leads

to a denial of service. Almost as interesting as the patch for this vulnerability is a second

issue that's being patched in the IP stack, and that's overlapping fragments. With this patch,

Linux will no longer process overlapping fragments. Instead, it will just drop them as it probably

should have done sort of for the last 40 years. Now, interestingly, in the patch note,

it does say that they still have to do the same

thing to prevent denial of service issue in IPV6. Not sure if that already has been done or if this

is still something in the pipeline. As far as overlapping fragments go, they have been dropped by IPV6 stacks for

...