Hello, welcome to the Wednesday, December 23rd, 2020 edition of the Sands and it storms on us

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Savi did I put together an interesting diary looking at malware that actually uses the Wi-Fi network the user is connected to

in order to do geolocation. Now a lot of operating systems of course have sort of

build-in APIs that are using for example the PSSID of the local Wi-Fi network in

order to geolocation but often the user will be alerted

if this API is used. Instead here, it just essentially grabs the Mac address of the default gateway

and uses a website Milnikov.org, which is, looks like a hobby run website by Alexander Milnikov.

That's sort of where the name also comes from.

And the one thing that Xavier suggests is that you probably should kind of look out for hits to this particular host name

if this becomes more popular with Malder.

Of course, this could also be used to detect sandboxes and such,

where then the geolocation of the public IP address and the geolocation of the local Wi-Fi

network or network they're connected to are not matching up.

And back in June, we talked about the Trek IP stack, which is, well, one of those piece

of software that nobody

heard about, but everybody is using. This is an IP stack that you often find in embedded

devices, and there were a large number, about 30 different wall-on-a-lease that were found

in track IP. Well, once news like this comes out, of course, others start looking and we now have four different

new vulnerabilities that track patched in its IP stack.

The first one is actually not so many basic TCP IP protocol, but in the HTTP server component

that is included with Trekk, and this could cause a denial of service. Then two more

...