Episode Transcript
0:00
Hello and welcome to the Tuesday, June 4th, 2024
0:02
edition of the SANS Internet Storm Center's Stormcast.
0:08
My name is Johannes Ullrich and
0:10
today I'm recording from Jacksonville, Florida.
0:14
One of the amazing things
0:16
about Wireshark is not just
0:18
that it can analyze and
0:20
capture packets but also the
0:22
huge number of different protocols
0:24
it is able to dissect.
0:26
No matter how many protocols the
0:29
creators of Wireshark are adding, of
0:31
course, there are always more protocols
0:33
out there and you
0:35
may run into a case where
0:38
Wireshark doesn't support a particular protocol
0:40
that you're interested in. Well, Didier
0:42
today has a great diary
0:44
walking you through how to
0:47
create your own packet dissectors
0:50
for protocols like this in
0:52
Lua. The demo
0:54
that Didier has also includes a
0:56
video showing you how to do
0:58
it. It does cover protocols
1:01
with fixed lengths. So it's a
1:03
little bit simpler: protocols with no
1:06
variable lengths, no sort of length fields that
1:08
you would have to analyze and make decisions
1:10
based on. But still something
1:13
that's quite common and
1:15
useful. In the particular example
1:17
that Didier is
1:19
using for the diary,
1:22
he is looking at a
1:24
protocol used to update firmware.
1:27
The dissector is of course downloadable
1:29
so you can take a look
1:31
at the Lua script but also
1:33
there is a video walking you
1:35
through and the real goal here
1:37
is to help you write your
1:39
own Lua script to analyze some
1:41
custom or a little bit odd
1:44
protocol. Security
1:47
researcher Sam Curry did
1:49
publish a blog post
1:51
with severe vulnerabilities in
1:53
an API the cable
1:55
modem provider Cox is
1:57
using in order to
2:00
manage its customers' modems.
2:03
The investigation was originally
2:05
inspired or started after
2:08
Sam believed that their
2:11
cable modem was compromised.
2:13
Now there is no real proof
2:16
that the compromised cable modem
2:18
and these API leaks are
2:22
related to each other but
2:24
it's certainly possible. Cox has
2:26
confirmed the weakness in the
2:28
API but has stated that
2:31
these weaknesses as far
2:33
as they can tell based on
2:35
their logs have not been exploited.
2:37
Either way it sort of is
2:40
a good reminder to be wary
2:42
of any ISP-provided
2:44
equipment. Quite often ISPs
2:46
are quite conservative with firmware
2:48
updates because any firmware update
2:51
of course may mean that a
2:53
percentage of devices are not going
2:56
to reboot, basically
2:58
leading to unhappy customers
3:00
and support calls. On
3:02
the other hand, if you do
3:05
use your own modem, in particular
3:07
in the cable modem world, typically
3:10
the provider will
3:12
flash their own firmware
3:15
on the device, so it's not
3:17
that you're in any better shape
3:19
if you rent a modem from
3:21
the provider or if you are
3:23
providing your own modem. Probably
3:25
the best advice here is: treat
3:28
the modem as just that, a
3:30
modem. Put it in bridge mode,
3:32
disable any additional features, in particular
3:35
Wi-Fi access points that are
3:37
part of the modem, then connect
3:39
it to your own secure device,
3:42
your own firewall, and treat everything
3:44
outside of that firewall as
3:47
hostile, insofar as you
3:49
don't trust the ISP's equipment
3:51
or equipment like a modem
3:53
that they control, even if
3:56
you own it. Summary
4:00
of some recent reports of
4:03
malicious answers in
4:05
Stack Overflow. Originally, I believe
4:07
this was found by Sonatype
4:10
who reported it, but
4:12
the problem here is not
4:14
innocent bad answers and we
4:17
of course had that often
4:19
covered before where answers do
4:21
include vulnerabilities like for example
4:23
SQL injection flaws. What we're
4:25
talking here about is where
4:27
an answer suggests an outright
4:30
malicious package for example as
4:32
a solution to a particular
4:34
problem in order to
4:36
just trick the victim
4:38
into installing that malicious piece
4:40
of software. And
4:43
for a recently patched vulnerability
4:45
in Atlassian Confluence
4:47
Data Center and Server we
4:50
now have a proof of
4:52
concept and additional details. SonicWall
4:55
wrote up a detailed
4:57
post with more details regarding
4:59
the vulnerability,
5:03
CVE-2024-21683, so better
5:05
get that patched. Well,
5:08
and that's it for today.
5:11
Thanks for listening, thanks for
5:13
subscribing. We're available on YouTube,
5:15
we're available for Amazon Alexa,
5:17
and actually could do some
5:20
reviews there. Someone did confuse
5:22
the Stormcast with a weather
5:24
report and didn't like the
5:26
content. So thanks, and talk
5:29
to you again tomorrow. Bye.