Episode Transcript
0:00
Hello and welcome to the Friday, June 14th, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And today we got a guest diary by Kayla Reed, one of our SANS.edu undergraduate interns, and well, at this time it's one of my favorite topics: command line kung fu. In particular, in this case, jq. jq, if you aren't familiar with it, I hope you are. It's all about parsing JSON. Now, over the last couple of years, I personally changed most of my logging to JSON just because of its flexibility and because of the availability of tools like jq, Elasticsearch, and others. Learning jq, learning how to filter, how to extract data from JSON data, is certainly worthwhile. And Kayla provides a great introduction here in how to use this very versatile tool. There are a couple similar tools around there; jq still seems to be the most widely used one.

1:12
And I guess we may have a new trend kind of developing, and that's after Microsoft Patch Tuesday, we got Microsoft proof of concept Thursday. We do have a blog post by Morphisec talking a little bit more about the critical Outlook vulnerability being patched. Yes, I call it critical; Microsoft called it important with a CVSS score of 7.7. The reason I call it critical is that according to Morphisec, this vulnerability allows an attacker to execute arbitrary code on the victim system just by previewing an email. Now, according to Microsoft's classification, previewing the email does imply some interaction with the email, which does make exploitation less likely and does require user interaction, which is why this is not a critical vulnerability anymore. Luckily, Morphisec did not drop an outright proof of concept, and they'll give us a bit more time here, and they promise more details at DEF CON.

2:21
And talking about Outlook, Microsoft also announced that even personal accounts will no longer be able to use basic authentication with Outlook. Basic authentication here, in Microsoft's language, meaning username and password. Instead, you need to use what Microsoft calls modern authentication, which basically is multi-factor authentication, smart card, certificate-based authentication, or some third-party SAML identity provider. This also, of course, means that some older clients may no longer be able to connect with Outlook. Essentially, what you'll usually see with a client that supports modern authentication is that you no longer just enter username and password in some kind of configuration dialogue in your email client. Instead, the email client will direct you to the Microsoft webpage, ask you to log in, and then there will be a token returned to Outlook that is then saved in Outlook and may be used for authentication. Of course, they may expire occasionally, which means that you may have to repeat that login process ever so often.

3:41
I already mentioned a couple times in the last few weeks the dangers of loading machine learning models from unknown sources, or sources where the provenance of the particular model may not quite be that clear. The problem is that many of these machine learning models are exchanged as a pickle file, which is really just Python code, and researchers are now waking up to the idea that this is a great exploit vector. The latest example is Trail of Bits has a nice blog post out where they're introducing what they're calling a Sleepy Pickle attack, but the idea is that you're able to modify these pickle files, you're able to add additional functionality, you're able to change the weights in the machine learning model that is being transmitted here. So in short, you're able to cause all kinds of havoc. But by all means, go ahead; your boss will be much happier if you show some machine learning quickly. Security, you can always add that later.

4:54
Well, and that's it for today. Hope to see some of you at SANSFIRE; it's about a month out now. Next week I'll be traveling somewhat. There will likely be no podcast on Wednesday and Thursday. I'll have to see how exactly the travel schedule works out here, but so far Wednesday, Thursday looks like no podcast. Should still be able to put one out Monday, Tuesday, and Friday. That's it for today. Thanks for listening, and talk to you again on Monday. Bye.