Hello, welcome to the Tuesday, June 30th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

The DA today is going over a brief a little bit.

A really neat feature that was added in Sysmon version 11.10, which was just released a few days ago, that allows you to log alternate data streams.

Now alternate data streams, yes, they have been used in the past by attackers to hide data, but they often also contain quite useful data. And the alternate

data stream that D.D.E. was looking at here is Sone Identifier. If Microsoft Edge is downloading

a file from a website, it will add this alternate data stream with additional information

where the file came from. So if you find a suspicious file on a system of course, that's

always interesting or also to log where your users are downloading files from in order

to, for example, look for suspicious downloads.

And if you are a Palo Alto Networks customer, you probably already got a call from your sales

rep last week about this new vulnerability that was announced by Palo Alto today. A patch was made available

late last week, and this is one of those things you really, really need to patch quickly.

It does affect you if you're using SAML for authentication with your Apollo Alto devices, including,

for example, for your global protect VPNs.

The problem here is really more configuration issue and well how PanOS dealt with that.

If you enabled SAML authentication and you disabled the validate identity provider

certificate check, then you are vulnerable to anybody essentially logging in to your system.

This is really sort of a very fundamental SAML problem.

With SAML, of course, you're relying on an identity provider to make sure a user is authenticated to, for example, connect to a VPN in

this case. Now, for your VPN concentrator here, your Global Protect Gateway, it needs to verify that this signature

...