ISC StormCast for Wednesday, May 2nd 2018
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 2 May 2018
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello, welcome to the Wednesday, May 2nd, 2018 edition of the SANS Internet Storm Center's Stormcast. |
| 0:07.3 | My name is Johannes Ullrich and I'm recording from Jacksonville, Florida. |
| 0:11.7 | Usually when Xavier talks about malicious documents, he talks about analyzing these documents. |
| 0:17.6 | Well, he's taking a different spin in his last diary. In this case, he came across |
| 0:23.7 | a little Python script that will actually create malicious documents. All he had to do was search |
| 0:30.2 | Pastebin, so no dark web involved in this particular exploit. So the lessons learned here, |
| 0:40.2 | first of all, probably not all that surprising. It's pretty easy to find these exploit generators for different office vulnerabilities. |
| 0:47.3 | Secondly, it can actually be quite useful to take a look at one of these generators in a controlled |
| 0:53.4 | environment in order to figure out how these exploits work and also test your detection techniques. |
| 1:01.3 | And looks like domain fronting will be more difficult after Google and also Amazon did disable |
| 1:09.3 | domain fronting for their cloud infrastructures. |
| 1:12.6 | So let me talk a little bit about domain fronting because it has come up a few times over the last few months. |
| 1:18.6 | It's really a technique to obfuscate traffic. |
| 1:22.6 | To understand domain fronting, let me first talk a little bit about HTTPS. If you're setting up an |
| 1:28.8 | HTTPS connection to a web server, the connection itself is encrypted, but it's still possible |
| 1:35.0 | for an observer to see what site you connect to. First of all, you have to do a DNS lookup. |
| 1:41.0 | The DNS lookup is in the clear and can easily be intercepted. |
| 1:45.1 | Secondly, as part of the client hello message that you send at the beginning of the |
| 1:50.0 | HTTPS handshake, you are transmitting the host name in the clear. That's a feature called |
| 1:57.1 | server name indication. Now once you do have a TLS connection established, then you send the actual HTTP request |
| 2:04.9 | and that is of course encrypted. |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.

