Hello, welcome to the Thursday, August 18th, 2016 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich and the I'm recording from Stockholm, Germany.

Tom today wrote a diary based on a tweet by an individual who goes by the handle of Packet Watcher.

The trick is pretty simple and helps you identify hosts that are

possibly infected with Malware. The issue here is that many sites that are sending Malware happen

to be behind Cloudflare as a way to either manage the load or protect their malicious service.

Now, if the malicious service is flying, then Cloudflare will just return a 5002 status code.

These status codes are somewhat unusual, so looking for 522 status codes being returned to hosts in your

network presents a good opportunity to find Malware infected hosts that tried to reach out and download

additional opponent Tom tried in his own network and got quite nice results doing so. Of course, if you

have full packet logs in addition, then you can also see what a particular URL was downloaded.

If all of this happened over HTTP, then of course you would never see the status code unless you're going proxy. So of course

you should be ready for a couple of false positives here but overall this appears to be a pretty

good signal to noise ratio indicator to find malicious or infected hosts on your network.

And if you are familiar with PGP, you probably know that in order to verify a public key,

you need that key's fingerprint.

Well, quite often users take a shortcut and they use what sometimes referred to as the PGP

user ID, which are the last four bytes of that fingerprint.

As it turns out, Nets not really new.

That was sort of discussed at length about five years ago.

PGP user IDs, well, there are some simple collisions and someone actually five years ago published

all possible 32-bit combinations there with their private and public keys. Just a couple

...