SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Wednesday, April 23rd: More xorsearch Updates; DKIM Replay Attack; SSL.com Vulnerability Fixed

SANS ISC Handlers

Tech News, News, Technology

🗓️ 23 April 2025

⏱️ 6 minutes

Summary


xorsearch.py: Ad Hoc YARA Rules
Ad hoc YARA rules allow easy searches using command line arguments, without having to write complete YARA rules for simple use cases like string and regex searches.
https://isc.sans.edu/diary/xorsearch.py%3A%20%22Ad%20Hoc%20YARA%20Rules%22/31856
Google Spoofed via DKIM Replay Attack
DKIM replay attacks are a known issue in which the attacker re-uses a prior DKIM signature. This works as long as the headers covered by the signature are unchanged. Recently, this attack has been used successfully against Google.
https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/
SSL.com E-Mail Validation Bug
SSL.com did not properly verify which domain a particular email address is authorized to receive certificates for. This could have been exploited against webmail providers.
https://bugzilla.mozilla.org/show_bug.cgi?id=1961406
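The DKIM replay item above says the signature only protects the headers listed in it. The following added example (not code from the podcast, SANS ISC, or EasyDMARC; domain, selector and signature values are constructed) shows a receiver-side heuristic: parse the DKIM-Signature tag list per RFC 6376, flag signatures that leave To unsigned or carry no expiry, and flag identical signature bytes arriving for a different recipient.

```python
import re
from typing import Dict, List, Set, Tuple

def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2).
    Folding whitespace inside values (common in b= and bh=) is stripped."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def signed_headers(tags: Dict[str, str]) -> Set[str]:
    """Header names listed in h=, lower-cased; only these are protected by b=."""
    return {h.lower() for h in tags.get("h", "").split(":") if h}

def replay_findings(messages: List[dict], now: int) -> List[Tuple[str, str]]:
    """Return (message id, reason) pairs for signatures that look replayable or replayed."""
    first_seen: Dict[str, str] = {}  # b= value -> recipient it was first delivered to
    findings: List[Tuple[str, str]] = []
    for msg in messages:
        tags = parse_dkim_tags(msg["dkim"])
        if "to" not in signed_headers(tags):     # To can be rewritten without breaking b=
            findings.append((msg["id"], "to-not-signed"))
        if "x" not in tags:                      # no expiry: signature stays valid forever
            findings.append((msg["id"], "no-expiry"))
        elif int(tags["x"]) < now:
            findings.append((msg["id"], "expired"))
        sig = tags.get("b", "")
        # Same signature bytes arriving for a different recipient = replay of an old message
        if sig in first_seen and first_seen[sig] != msg["to"]:
            findings.append((msg["id"], "replayed-from:" + first_seen[sig]))
        first_seen.setdefault(sig, msg["to"])
    return findings

# Constructed sample (made-up domain, selector and signature values): m2 replays m1's
# signature to a new recipient; m3 signs To and carries an expiry, so it is not flagged.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": "alice@example.net",
     "dkim": "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject:date; bh=AAAA; b=SIG1"},
    {"id": "m2", "to": "bob@example.net",
     "dkim": "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject:date; bh=AAAA; b=SI\r\n G1"},
    {"id": "m3", "to": "carol@example.net",
     "dkim": "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject:date;"
             " t=1745000000; x=1745086400; bh=BBBB; b=SIG2"},
]

if __name__ == "__main__":
    for msg_id, reason in replay_findings(SAMPLE_MESSAGES, now=1745001000):
        print(msg_id, reason)
```

This is a receiver-side heuristic only; the durable mitigation sits with the signer, which should include To in h= and set a short x= expiry so an old signature cannot be forwarded indefinitely to new recipients.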

Transcript

0:00.0

Hello and welcome to the Wednesday, April 23rd, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:09.1

My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:13.9

And then we got yet another diary by Didier about the improvement to xorsearch.

0:19.5

So the last improvement was the ability to use YARA rules, which of course

0:24.0

also allows regular expressions. Now, in this diary, Didier talks about how to use what he calls

0:31.2

ad hoc YARA rules. Usually YARA rules are written in a file and they span multiple lines, but there are things that

0:40.0

you often want to do in these YARA rules, like simple things like look for a regular expression,

0:44.5

look for a string. So what these ad hoc YARA rules are, these are YARA rules in command line

0:53.1

arguments that are essentially sort of abbreviations.

0:56.9

So instead of spelling out the entire YARA rule, you just tell it, I would like to use a

1:01.7

regular expression.

1:02.6

Here's the regular expression.

1:03.6

I would like to use a static string and the like.

1:06.2

And that'll make it easier to use these YARA rules.

1:13.6

In particular, if you're sort of just searching around,

1:18.8

it's not necessarily some YARA rules that you would like to, for example,

1:22.0

maintain as a standard configuration file.

1:24.8

And then some security news from a couple days ago that I haven't had a chance to cover yet, and it involves

1:29.8

DKIM, the email anti-spam standard. So, DKIM adds a cryptographic signature header. However,

1:38.6

that cryptographic signature only covers select headers, typically the From, the Subject, maybe the To header.

1:48.2

This is what's abused here in this particular attack. The email being sent here claims to be

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.