New Cybersecurity Insights from SANS Internet Storm Center's Stormcast
In the April 29, 2025 edition of the SANS Internet Storm Center's Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, presents several interesting topics related to cybersecurity. The first topic discussed is a new Python tool developed by Mark Bagot, called "scrum dump." This tool is designed to extract and present data from the Windows resource usage monitor, which records resource usage by different software over the past 30 days. This feature is particularly useful for forensic investigations and incident response, as it allows checking which software was running, if they were using the network, and how much data they sent. Mark Bagot encourages users to provide feedback on the tool and offers a usage guide to help apply this tool in various investigations. Next, Johannes Ullrich discusses a new "prompt injection" technique in large language models, developed by Hidden Layer. This technique, called "policy puppetry," stands out for its universality, as it can be applied to multiple language models. Unlike previous techniques, which were specific to certain models and often patched, this method uses a combination of role-playing and XML snippets to confuse the model and bypass certain policy constraints. This approach mixes instructions and user data, making the correction of this vulnerability more complex. Another topic addressed is the return of the "juice jacking" technique, where malicious USB chargers can act as keyboards and send keystrokes to a device. This technique, once considered largely mitigated, has returned in the form of "joyjacking." Researchers from the University of Technology in Kratz, Austria, discovered that Android devices and, to a lesser extent, iOS devices were vulnerable. iOS patched this vulnerability with update 18.4, and Android has also been updated, although protection depends on using the latest version of the operating system. The technique involves using the power delivery protocol to change the device's role from charger to charged device, allowing keystrokes to be sent to the vulnerable device. In conclusion, Johannes Ullrich reminds viewers of the importance of always using their own chargers to avoid these risks and mentions that he will not be at the RSA conference this week but will be teaching a class in San Diego the following week. He encourages listeners to visit the SANS booth at RSA for more information on conferences and panels. For more details, watch the full video at the following address: https://www.youtube.com/watch?v=sETzl5BwESw