Hello and welcome to the Wednesday, March 25th, 2006 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu bachelor's degree program in applied cyber security.

Well, in diaries today, just one quick diary about detecting IPKVMs.

I've spoken and written about these IPKVMs a couple times in the past.

This was a little bit inspired by some news coverage that the North Koreans that are getting hired here in the U.S. as IT help are often using IPKDMs to then connect the laptops that these companies are sending to U.S. addresses.

So they're using it basically as a remote access tool. And one of the

reasons they're using IPKBMs is that you don't have to install any software, which of course

makes them a bit more difficult to detect. So I looked at some of the detection options with

USB, in particular the Saipid nano-KBM that I tested, has a USB device that's outright called Cypeat Nano-KVM.

For the Pi-KVM, that's the other device I tested. It's a tiny little bit more difficult in the sense that the USB devices are a little bit more

generic in their strings. However, there's also an HTML interface that emulates a monitor,

and monitors are sending extended display identification data, and that lists as identifier and

model name Pi KVM for the Pi KVM.

Now, of course, attackers can adjust it,

but there's certainly something that you may want to look for.

For the Pi KVM, actually, I believe there's a simple configuration file

where you can adjust some of these strings.

And next we do have a little bit of lengthy story, a supply chain story in part.

It's a long story because I've been neglecting some of these supply chain stories lately.

Well, I'm kind of a bit bored of them, to be honest.

You know, there's sort of one NPM, Pi Pi, GitHub repo that gets compromised after the other.

...