Hello and welcome to the Wednesday, September 6, 2020, 23 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from London, England.

Jesse is continuing his analysis of data collected by our honeypots, this time looking at the usernames collected from our Telnet and S-H

honeypots. No huge surprise here that the big focus is on route and administrative accounts

with about half of the attempts targeting route.

There is one interesting anomaly, and that's a username of 345 GS-5662D34, with the same password that makes up about 1% of attempts and ranks as number 6.

Nothing really well known with this username and password combination.

It could just be an attempt to actually identify honeypots that often are allowing

logins with whatever username and password the attacker uses.

So using a username and password combination that's highly unlikely to be used by anybody,

the attacker may go hunting for honeypots.

And I've got an interesting blog post by New Zealand security company Pulse Security

looking at vulnerabilities in fully disk encrypted Linux setups.

Now, the particular setup they're looking here, and part which makes it kind of vulnerable,

is that the setups they looked into are actually automatically able to boot up.

That, of course, requires access to the passphrase used to unlock the encrypted disk partition

in order to secure the passphrase.

It is stored in TPM, and then during the boot-up, TPM is used to unlock the disk,

and later the operating system is booted from this disk.

The problem that's being exploited here is that there is a small window of opportunity between the disk being unlocked and the operating system fully being booted.

This is also enabled due to a sort of

fallback option here where a user is able to enter a passphrase in case, for example,

the boot fails. In order to exploit this small window vulnerability, the researchers did create a little USB keyboard,

...