ISC StormCast for Friday, June 14th, 2024

Released Friday, 14th June 2024

Episode Transcript

0:00

Hello and welcome to the Friday, June 14th, 2024 edition of the SANS Internet Storm Center StormCast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And today we got a guest diary by Kayla Reed, one of our SANS.edu undergraduate interns, and well, at this time it's one of my favorite topics, command line kung fu. In particular, in this case, jq. jq, if you aren't familiar with it, I hope you are. It's all about parsing JSON. Now, over the last couple of years, I personally changed most of my logging to JSON just because of its flexibility and because of the availability of tools like jq, Elasticsearch, and others. Learning jq, learning how to filter, how to extract data from JSON data, is certainly worthwhile. And Kayla provides a great introduction here in how to use this very versatile tool. There are a couple of similar tools around there; jq still seems to be the most widely used one.

1:12

And I guess we may have a new trend kind of developing, and that's after Microsoft Patch Tuesday, we got Microsoft proof-of-concept Thursday. We do have a blog post by Morphisec talking a little bit more about the critical Outlook vulnerability being patched. Yes, I call it critical; Microsoft called it important with a CVSS score of 7.7. The reason I call it critical is that, according to Morphisec, this vulnerability allows an attacker to execute arbitrary code on the victim system just by previewing an email. Now, according to Microsoft's classification, previewing the email does imply some interaction with the email, which does make exploitation less likely and does require user interaction, which is why this is not a critical vulnerability anymore. Luckily, Morphisec did not drop an outright proof of concept, and they'll give us a bit more time here, and they promise more details at DEF CON.

2:21

And talking about Outlook, Microsoft also announced that even personal accounts will no longer be able to use basic authentication with Outlook. Basic authentication here, in Microsoft's language, meaning username and password. Instead, you need to use what Microsoft calls modern authentication, which basically is multi-factor authentication, smart card, certificate-based authentication, or some third-party SAML identity provider. This also, of course, means that some older clients may no longer be able to connect with Outlook. Essentially, what you'll usually see with a client that supports modern authentication is that you no longer just enter a username and password in some kind of configuration dialogue in your email client. Instead, the email client will direct you to the Microsoft webpage, ask you to log in, and then there will be a token returned to Outlook that is then saved in Outlook and may be used for authentication. Of course, these tokens may expire occasionally, which means that you may have to repeat that login process ever so often.

3:39

I already mentioned a couple of times in the last few weeks the dangers of loading machine learning models from unknown sources, or sources where the provenance of the particular model may not quite be that clear. The problem is that many of these machine learning models are exchanged as pickle files, which are really just Python code, and researchers are now waking up to the idea that this is a great exploit vector. The latest example is Trail of Bits has a nice blog post out where they're introducing what they're calling a Sleepy Pickle attack. But the idea is that you're able to modify these pickle files, you're able to add additional functionality, you're able to change the weights in the machine learning model that is being transmitted here. So in short, you're able to cause all kinds of havoc. But by all means, go ahead; your boss will be much happier if you show some machine learning quickly. Security, you can always add that later.

4:54

Well, and that's it for today. Hope to see some of you at SANSFIRE; it's about a month out now. Next week I'll be traveling somewhat. There will likely be no podcast on Wednesday and Thursday. I'll have to see how exactly the travel schedule works out here, but so far Wednesday, Thursday looks like no podcast. Should still be able to put one out Monday, Tuesday, and Friday. That's it for today. Thanks for listening and talk to you again on Monday. Bye.
