Hello and welcome to the Tuesday, October 10th, 2020,

edition of the Sansonet Stormsendors Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Who better to explain to you the intricacies of the SIP file format than DDA,

who has written tools to actually parse the format. One interesting

artifact that DDA is looking at today is that the minute in the timestamp sometimes exceeds

59 minutes. In the example that DDE here has, it's 63. Well, a pretty straightforward and simple

explanation here. It's actually kind of a good old-fashioned format here, a DOS time, DOS date.

What I sort of like about it a little bit with that sort of history in mind is how efficient it is in

that it doesn't just encode the minutes as let's say a string or such but actually as

five bits so two bytes are being split up to encode seconds minutes and, and hours, and that results in this a little bit

interesting parsing issue where you have five bits that are representing the minutes,

which can be used to encode the number 63, so it's certainly possible to create an invalid

timestamp here.

And what that results in is if you are using some GUI tools

in order to look at a zip file, that the modified time is just left empty.

So this could be used by an attacker to just sort of obscure the modified time.

It's not even displayed.

Not sure if that actually makes it more obvious that something is wrong with this particular file.

And let me have an update from Akamai regarding Magecard.

Remember, Magecard sort of put itself on the map by compromising

some companies that delivered JavaScript being included on many large webpages. Since then,

...