Hello, welcome to the Tuesday, October 22nd, 2019 edition of the Santernut Storms, Stormcast. My name is Johannes Ulrich.

Entertainment recording from Santa Monica, California.

Actually, just earlier today, I gave a talk here that in part covered DNS over TLS.

So very fitting that Jim took a look at recent scans against Port TCP 853.

Port 853, of course, is the DNS over TLS port, usually using UDP, not so much TCP,

but still this could be an attempt for attackers

to enumerate possible DNS over TLS resolvers, possibly for denial of service attacks.

Now what isn't really clear is if these servers could be used similar to normal DNS recursive

resolvers because typically in order to use DNS over TLS, you first need to establish the

TLS connection, which does require a couple of packets going forth and back, so spoofing

isn't really as trivial as in your standard

UDP-based DNS without TLS.

So it's a little bit open-ended here, not sure what's happening with these scans, whether

it's just curiosity or researchers.

If you have any insight, please let us know.

And then today we have a couple of stories actually that relate to issues in security vulnerabilities,

in security tools. First, a couple of VPN providers apparently got breached. First of all, NordVPN, but in addition to

NordVPN, also Thorgard and possibly Viking VPN, were compromised according to a number

of tweets and posts to 8chan.

The evidence that was presented here are mostly TLS secret keys that were apparently

collected from these affected services.

NordVPN did issue a statement confirming the attack, stating that this was due to an insecure server administration tool

...