Hello, welcome to the Thursday, January 24th, 2019 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

It looks like I just can't let go of DNS. The Department of Homeland Security has issued an emergency directive today, requesting

that government agencies are double-checking their DNS settings. Now, this sounds along the

lines of something that I talked about a couple weeks ago. I mentioned that there was an attack in the Middle East

where DNS settings for domains were altered and as a result, users were redirected to malicious

sites. So what DHS is warning about actually sounds quite similar. They're talking about

credentials to DNS administrative

consoles being compromised and then used to modify DNS settings in particular for the mail

server and of course the name server. Like I mentioned back then, that's something you should

definitely pay attention to and something

you should have some monitoring in place in order to detect if anybody is tampering with

your domains. The tricky part to detect often is if someone added a new host name, that

can often be used for fishing, like someone adding login.mid.mydomain.com in order to then use this

in a more targeted fishing attack. Now, one of the more challenging aspects of now firewalling

is to properly restrict outbound traffic from clients.

And this hasn't gotten easier, of course,

with everybody moving to cloud services

and cloud services not necessarily using a fixed set

of IP addresses.

So a lot of organizations are whitelisting certain domains.

Well, it turns out that this may not be the safest thing to do.

...