Hello, welcome to the Thursday, June 21st, 2018 edition of the Sancton Storm Center's Stormcast. My name is Johannes Ulrich. And today I'm recording from Denver, Colorado. Fishing sites protected by TLS certificates pretty much is becoming the norm. Now, the latest wave I've seen was fishing for Netflix accounts.

Now, Netflix accounts are certainly not that terribly valuable. I've looked around and saw

them being offered for like 20 cents to 50 cents, but still, these Netflix fishing links that I received lately pretty much all led to

websites that were protected by a TLS certificate. I guess attackers are hoping that this gives

them a little bit more credibility. In this particular case, this actually worked a little bit

against the attackers.

Whenever you do have a TLS certificate issued by one of the major certificate authorities,

the certificate is being published in certificate transparency logs,

and they're pretty easy to search.

There's also search stream. A tool

allows you to just see these certificates as they're being issued, as they're being added to these logs.

So the result is that it's actually pretty easy to find these fishing sites. And it looks like

someone is already taking advantage of it.

I found these websites to be marked as malicious, for example, in Google's safe browsing tool

very quickly. If you are running a website that is targeted by fishing, then it's certainly

worthwhile to look at these logs and search for

keywords that match your brand. And OpenBSD, the operating system that is known for prioritizing

security in its design, has decided to turn off support for hyperthreading by default.

Hyperthreading allows an operating system to run multiple processes on one physical CPU core.

One physical CPU core essentially looks like multiple CPU cores with hyper threading enabled.

But what this means is that different processes with different security contacts could use the same hardware,

which then could lead to leaks from caches within that hardware.

...