Hello, welcome to the Thursday, October 11th, 2018 edition of the Science and the Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Honolulu, Hawaii.

WhatsApp fixed a critical vulnerability that was originally discovered by Natalie Silvanovich with Google's Project Zero. The vulnerability

was triggered by a malformed RTP packet and with trigger a heap memory corruption so code execution

would certainly be possible. However, the proof of concept exploit released would just crash the application.

To be affected by this vulnerability, a victim would have to accept a malicious call via

WhatsApp and then the ad hacker would use a patch similar to the one provided with the

proof of concept in order to inject these

malformed RTP packets. So remote code execution may be possible however the

current proof of concept exploit only triggers the denial of service. And

Salesforce released another neat library to fingerprint encrypted connections.

It's the hash library, I guess, is how you pronounce it, H-A-S-S-S-H, and as the name sort of implies, it fingerprints SSH.

The idea is similar to Salesforce's JA3 library that they already open sourced a while ago.

JA3 does profile SSL connections by looking at various artifacts in the SL or TLS handshake.

Now with the hash library, they essentially apply the same technique to the SSH handshake.

SSH has a number of different options, different crypto algorithms are supported and the like.

So essentially what it does is, it looks at the handshake, calculates a fingerprint of the request coming in from the client and then gives you this

fingerprint that should identify specific client software.

Now in my experience with JA3, the simplest way to use it is to use it as a plugin for

tool like pro and then you get a summary of all these fingerprints.

You can look for anomalies there.

You could also look for mismatches between the client identifier sent by a client

...