Hello and welcome to the Friday, September 12, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in cybersecurity fundamentals.

Today's diary is an update from Guy about the DShield SIEM that Guy maintains, and actually he created it as well. One of the great things about running a honeypot is awareness about all the attacks that your network may be exposed to. This SIEM provides you with a really pretty graphical user interface summarizing the attacks that are hitting your honeypot and allowing you to eventually dig into the data more easily without having to break out your command line skills. And just the visualization itself is pretty nice and also provides quite a bit of value, I think, in particular to better understand how the attacks are breaking down. There are geographic maps that you can look at. There are various sort of port statistics and such that are being summarized here. Now, the nice thing about this SIEM is that it's actually entirely inside Docker containers, and that makes it really easy to update. You essentially just remove the old Docker containers and then create new ones and you are up to date. So if you're using this tool, well, take a look at it. If you're not using it, well, take a look at it and see if you like it. It does require a little bit more processing power than you usually have, like on the basic Raspberry Pis. But if you are running your honeypot inside a virtual machine or on a little bit more powerful system, it'll certainly work. It uses ELK: Elasticsearch, Logstash, Kibana, and those familiar with these tools will also recognize the overall UI that is presented by this SIEM.

And yes, it's becoming sort of a recurring theme here
that we have government agencies. Today, it's the Australian government's Signals Directorate noticing an increase in attacks against SonicWall SSL VPNs. They're linking it to an older, last year's vulnerability. The big problem with all of these compromises is somewhat twofold. First of all, of course, some devices still aren't being patched. And the second one, that's a little bit the more tricky one, is that devices are patched, but at the time they were patched, they were already compromised. The attackers either left backdoors behind, they added additional accounts, they stole credentials. So it's really important, if you're patching these devices, don't just blindly patch. In particular, if this is not a super new vulnerability, like it's maybe a month old or so, assume compromise. Change credentials, change passwords, change SSH keys, change seeds for two-factor authentication. And definitely do a quick review of what users are on the system, any odd binaries. Without at least some rudimentary incident response here, you're risking that the device has already been compromised, and really, patching it is usually not going to evict the attacker.
And a number of researchers from the US and Europe have collaborated to do a larger study on the use of keystroke detection in JavaScript on various websites. What happens here is that the websites include JavaScript that will basically record any keystroke while you're using the site. So even before you submit a particular form, the website may receive anything that you type, including things that you may then later delete before submitting a form. Now, sometimes this kind of code is being added more as something like a CAPTCHA, where they want to detect whether or not it's actually a human typing the text. Sometimes it's sort of for simple copy-paste protection, which is an entirely different story. But of course, the big problem here is that, let's say, you start typing your password by mistake into a username field or such. And even before submitting that password, well, that password has already been sent to the respective websites. So there's a real privacy risk here.

As a little side note to this, I recently had a student here at SANS.edu write a paper about some of these tracking technologies, not just JavaScript based, but also others like canvas based and such, and comparing malicious and non-malicious websites. And well, the sad truth is that malicious and non-malicious websites use exactly the same techniques at pretty much exactly the same prevalence. As a user, there's not much you can do to protect yourself here. Sometimes it's interesting to sort of, in your developer tools in your browser, observe the network requests. You can sometimes see what's happening there. But just be aware that this is happening. Be careful how you type, what you type, and assume that anything that you type in a particular website is being transmitted to the website, even if you don't explicitly click submit.

Well, and that's
it for today. Thanks again for listening. Thanks for subscribing and liking this podcast. Did I miss a story that I should have covered? Well, please send me links to stories. Also, if you discovered something yourself, if you wrote an interesting paper, I'm always interested to hear from authors, not so much from marketing departments and the like. But anyway, that's it for today. Thanks for listening, and talk to you again on Monday. Bye.