SANS Internet Storm Center Stormcast: April 8, 2025 Edition on Cybersecurity
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
In this April 8, 2025 edition of the SANS Internet Storm Center Stormcast podcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several crucial topics in cybersecurity. The first point discussed is the XOR search tool by DDA, a famous Python script that allows brute-forcing various XOR parameters to determine if certain strings are present in a file. The tool assumes the file is encrypted with a particular bit value and tries all 255 possible values to see if any of the outputs contain a specific string.
This allows decoding the file by identifying the correct key. A question raised in class was whether XOR search could also search for regular expressions. The quick answer is no, but DDA offers a workaround for this limitation. By using a specific mode of XOR search, it is possible to extract all printable strings for each XOR value and then apply a regular expression to this list of strings. DDA is currently working on a version of XOR search that will officially support regular expressions, but this feature is not yet available.
Another topic covered is the Model Context protocol, a standard for defining interfaces between AI models and tools like code editors. Although it may seem alarming to allow an AI model to control a code editor, this practice is common in the field of AI. However, Invariant Labs has identified several vulnerabilities related to this protocol, including supply chain issues with dependencies. For example, the description of a tool may be incomplete, or the tool may change after being approved, leading to malicious behaviors.
These vulnerabilities are not surprising and are similar to those encountered with various package managers and libraries. Google has also introduced a privacy improvement in Google Chrome, fixing a 20-year-old issue related to the color of visited links. Previously, sites could check if a link had been visited by using cascading style sheets to adjust the color of links. This allowed a malicious site to determine part of the user's browsing history. The new Chrome update applies the "visited" color only if the link was clicked on the same site, thus partitioning the browsing history by origin.
This means each site has its own history list, improving privacy without affecting usability. In conclusion, this edition of the podcast covers a variety of topics ranging from file decoding tools to AI protocol vulnerabilities and web browser privacy improvements. This information is crucial for cybersecurity professionals and developers looking to protect their systems and users from emerging threats.