ISC StormCast for Tuesday, June 4th, 2024
Released Tuesday, 4th June 2024

Episode Transcript

0:00

Hello and welcome to the Tuesday, June 4th, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

0:14

One of the amazing things about Wireshark is not just that it can analyze and capture packets but also the huge number of different protocols it is able to dissect. No matter how many protocols the creators of Wireshark are adding, of course, there are always more protocols out there, and you may run into a case where Wireshark doesn't support a particular protocol that you're interested in. Well, Didier today has a great diary walking you through how to create your own packet dissectors for protocols like this in Lua. The demo that Didier has also includes a video showing you how to do it. It does cover protocols with fixed length, so it's a little bit simpler: protocols with no flexible lengths, no sort of length fields that you then have to analyze and make decisions based on. But still, something that's quite common and useful. In the particular example that Didier is using for the diary, he is looking at a protocol used to update firmware. The dissector is of course downloadable, so you can take a look at the Lua script, but there is also a video walking you through, and the real goal here is to help you write your own Lua script to analyze some custom or a little bit odd protocol.

1:44

Security researcher Sam Curry did publish a blog post with severe vulnerabilities in an API the cable modem provider Cox is using in order to manage its customers' modems. The investigation was originally inspired, or started, after Sam believed that their cable modem was compromised. Now, there is no real proof that the compromised cable modem and these API leaks are related to each other, but it's certainly possible. Cox has confirmed the weakness in the API but has stated that these weaknesses, as far as they can tell based on their logs, have not been exploited. Either way, it sort of is a good reminder to be very wary of any ISP-provided equipment. Quite often ISPs are quite conservative with firmware updates, because any firmware update of course may mean that a percentage of devices are not going to reboot, basically leading to unhappy customers and support calls. On the other hand, if you do use your own modem, in particular in the cable modem world, typically the provider will flash their own firmware on the device, so it's not that you're in any better shape if you rent a modem from the provider or if you are providing your own modem. Probably the best advice here is: treat the modem as just that, a modem. Put it in bridge mode, disable any additional features, in particular Wi-Fi access points that are part of the modem, then connect it to your own secure device, your own firewall, and treat everything outside of that firewall as hostile, insofar as you don't trust the ISP's equipment or equipment like a modem that they control, even if you own it.

3:56

A summary of some recent reports of malicious answers on Stack Overflow. Originally, I believe this was found by Sonatype, who reported it, but the problem here is not innocent bad answers, and we have of course often covered that before, where answers do include vulnerabilities like, for example, SQL injection flaws. What we're talking about here is where an answer suggests an outright malicious package, for example, as a solution to a particular problem, in order to just trick the victim into installing that malicious piece of software.

4:43

And for a recently patched vulnerability in Atlassian Confluence Data Center and Server we now have a proof of concept and additional details. SonicWall wrote up a detailed post with more details regarding vulnerability CVE-2024-21683, so better get that patched.

5:08

Well, and that's it for today. Thanks for listening, thanks for subscribing. We're available on YouTube, we're available for Amazon Alexa, and actually you could do some reviews there. Someone did confuse the Stormcast with a weather report and didn't like the content. So thanks, and talk to you again tomorrow. Bye.
