
New Stormcast Episode Highlights Cybersecurity Updates and Vulnerabilities
In the April 23, 2025 edition of the Stormcast from the SANS Internet Storm Center, Johannes Ullrich, recording from Jacksonville, Florida, covers several notable topics in cybersecurity.

The first item is an update to Didier's diary on improvements to XORSearch. The most significant recent enhancement was the integration of YARA rules, which also allow the use of regular expressions. Didier now introduces the concept of ad hoc YARA rules. Unlike traditional YARA rules, which are written in files and span multiple lines, ad hoc YARA rules are abbreviations passed directly as command-line arguments. This simplifies the use of YARA rules for simple tasks, such as searching for strings or regular expressions, without the need to create complex rule files.

Another topic Johannes discusses is a recent attack involving DKIM, the anti-spam standard for email. DKIM adds a cryptographic signature to email headers, but that signature covers only certain specific headers, such as the "From" or "Subject" fields. Attackers exploit this limitation by taking a legitimate email from Google, copying the signature and some of the signed headers, and attaching them to their own malicious email. Such digital signature replay is a well-known problem in cryptography. Johannes suggests that adding variation to the "Subject" field, such as including the recipient's name, could make this attack harder to execute. He emphasizes that DKIM is not designed to fully authenticate an email, but rather to combat spam, and it does not replace methods like S/MIME or PGP, which sign the entire email, including the message body.

Johannes also discusses issues faced by certificate authorities, including SSL.com. A logic error in their system allowed users to request certificates for domains they did not actually control. By adding a special DNS record to a domain, users could obtain certificates not only for that domain but also for other domains associated with their email address. This led to the issuance of certificates for webmail provider domains, exposing them to "man-in-the-middle" attacks. SSL.com identified 11 instances where certificates were issued through this flawed logic, although it is not clear whether all of them were malicious.

In conclusion, this edition of the Stormcast highlights important technical vulnerabilities and improvements in the field of cybersecurity. Ad hoc YARA rules simplify XORSearch queries, while the DKIM replay attack and certificate authority errors underscore the importance of vigilance and robust security measures. For more details, refer to EasyDMARC's blog post and the analyses from SSL.com.
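The DKIM limitation described above, as an added example that is not part of the episode or any DKIM library: a simplified signer whose `h=` list covers only From and Subject (plus the body hash), showing that an unsigned header such as To can be rewritten without invalidating the signature, while touching a signed header breaks it. An HMAC with a constructed key stands in for the RSA key pair DKIM publishes in DNS; the message, headers and addresses are constructed.

```python
import hashlib
import hmac
import re

# Constructed shared secret standing in for the DKIM RSA key pair (assumption:
# real DKIM uses RSA or Ed25519 with the public key in DNS; HMAC keeps this offline).
SIGNING_KEY = b"constructed-demo-key"
SIGNED_HEADERS = ("from", "subject")  # the h= tag: only these headers are covered


def _canonical_header(name, value):
    # "relaxed" canonicalization: lowercase header name, collapse whitespace
    folded = re.sub(r"\s+", " ", value).strip()
    return name.lower() + ":" + folded + "\r\n"


def _signing_input(headers, body_hash, signed):
    lower = {k.lower(): v for k, v in headers.items()}
    data = "".join(_canonical_header(h, lower.get(h, "")) for h in signed)
    # the DKIM-Signature header itself is included with an empty b= value
    return data + f"dkim-signature:v=1; h={':'.join(signed)}; bh={body_hash}; b=\r\n"


def dkim_sign(headers, body):
    """Return a DKIM-Signature-like dict covering SIGNED_HEADERS and the body hash."""
    bh = hashlib.sha256(body.encode()).hexdigest()
    data = _signing_input(headers, bh, SIGNED_HEADERS)
    b = hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()
    return {"h": SIGNED_HEADERS, "bh": bh, "b": b}


def dkim_verify(headers, body, sig):
    """True when the body hash and the signed headers still match the signature."""
    if hashlib.sha256(body.encode()).hexdigest() != sig["bh"]:
        return False
    data = _signing_input(headers, sig["bh"], sig["h"])
    expected = hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["b"])


# Constructed legitimate message
ORIGINAL = {"From": "alerts@example.com", "To": "alice@example.org", "Subject": "Security alert"}
BODY = "Your account was accessed from a new device."


def replay_keeps_signature_valid():
    sig = dkim_sign(ORIGINAL, BODY)
    replayed = dict(ORIGINAL, To="someone-else@example.net")  # unsigned header changed
    return dkim_verify(replayed, BODY, sig)  # returns True: the replay is undetected


def tampering_signed_header_fails():
    sig = dkim_sign(ORIGINAL, BODY)
    tampered = dict(ORIGINAL, Subject="Security alert for Alice")  # signed header changed
    return dkim_verify(tampered, BODY, sig)  # returns False
```

This is why varying a signed header per recipient, as suggested in the episode, narrows what a captured signature can be reused for: the signature only pins what `h=` lists.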