Hello and welcome to the Thursday, January 18th, 2018 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

A lot of malicious emails luckily do get caught in spam filters before the user ever gets to see them.

Now, a few years ago, I remember one organization where they actually had a major breach because a user went into their spam folder and retrieved an email that turned out to be malicious.

Now, Brad found an interesting email in his spam filter.

In this particular case, one of the interesting artifacts here was that the email, in

addition to a malicious vert document, also included prior correspondence.

So this looks like one part of that conversation was infected, and then the malware, as it often do is spreads

to other people that were in contact with that person, but in this case also included prior

messages to make their email more plausible.

Well, still got caught in the spam filter.

If the user would have opened the document, then of course

they would have been in trouble in particular if they enabled macros invert. Brad is going

through the actual malware here. He doesn't share the actual email message in this case because

it did include personal communications

between those two individuals but all the malware and such of course including hashes and

various connection IP addresses and certificates are part of his diary. Probably everybody listening

to this podcast has replaced a USB key at some point.

And hopefully it wasn't an important one, but there are now several manufacturers that offer

various varieties of secure USB keys, some of them with biometric or pin lock sort of built into the key.

Question is always, how secure are these keys really?

And there was a good talk last August that Black had about how to audit these keys.

...