SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Tuesday, January 22nd 2019

SANS ISC Handlers

Tech News, News

🗓️ 22 January 2019

⏱️ 6 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Suspect GET Requests (need help!); DNS Flag Day

Transcript

0:00.0

Hello, welcome to the Tuesday, January 22nd, 2019 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:13.8

You know, I love it if our readers pay attention and watch their logs and send us interesting entries that they may find.

0:22.4

Latest example came from Vinny, and Didi wrote it up earlier today.

0:28.3

And what's sort of interesting about this?

0:30.1

Well, actually a couple things are interesting here.

0:32.9

First of all, the GET request uses an IP address in the Host header and in the GET request

0:39.6

itself that does not match the IP address of Vinny's server.

0:45.3

Now this is often used to sort of test for open proxies.

0:50.3

What makes it a little bit odd is that the end of the URL is what looks like a random string.

0:58.0

Now, Vinny just manually forwarded this request to the IP address

1:03.0

it apparently was intended to go to, and what he got back was yet another random string.

1:10.8

But this string actually has a little bit structure to it.

1:13.6

There are 32 hexadecimal characters and then a Base64-encoded part.

1:20.2

The Base64-encoded part does decode to an AES-256 encrypted string, at least based on the first six bytes of that string,

1:33.0

that indicate that it was encrypted using GPG, and yes, using a symmetric cipher AES-256.

1:41.3

So it could still be a sort of fancier proxy detection system. Often they just try to access Bing

1:49.3

or another large public site. Maybe they're trying to evade some honeypots here. But if you have

1:55.6

any insights, please let us know. And if you are operating a DNS server or if you're owning a domain, February 1st is going to become an important day, also known as DNS Flag Day.

2:13.6

Now what's happening is that over the years, DNS has undergone some substantial changes.

2:20.3

And, well, as so often, not everybody sort of has kept up with these changes, which led the designers of DNS software to implement a number of workarounds, which in turn has made DNS slower over the years. So

2:37.5

February 1st, many of these workarounds will be removed from popular DNS implementations and

...
