
SANS Internet Storm Center Podcast Discusses Critical Cybersecurity Topics
In the June 23, 2025 edition of the SANS Internet Storm Center Stormcast podcast, recorded in Stockheim, Germany, Johannes Ullrich covers several important cybersecurity topics.

The podcast opens with Alternate Data Streams (ADS) in the Windows NTFS file system. Ullrich explains that the "mark of the web" is stored in a file as an alternate data stream, but that such streams can just as well hold malicious data. He points to tools developed by Didier for decoding alternate data streams: cut-bytes.py, written in Python, and FileScanner, a faster tool written in C. Both make it easy to extract the contents of alternate data streams, which is particularly useful for verifying where a downloaded file came from.

Next, the podcast turns to security improvements Microsoft has made to its virtual PCs in the cloud, particularly those running Windows 11. These virtual PCs are designed to be isolated and are not connected to local systems by default: Microsoft has disabled features such as clipboard sharing and USB passthrough by default and has enabled hypervisor-protected code integrity and virtualization-based security. The aim is to make it harder for attackers to reach data, even though the virtual PCs behave like real PCs and can be persistent or ephemeral as needed.

Another topic is the vulnerability of software used to exchange files with business partners. Horizon3.ai discovered a critical vulnerability in ZendTo that allows unauthorized access to other users' files, for both reading and writing. Although the flaw does not allow arbitrary code execution, it remains concerning; a patch was released on June 10.

Finally, Ullrich discusses parser differentials: different parsers for complex formats such as JSON and XML can interpret the same input differently, and that disagreement leads to vulnerabilities. He mentions a blog post by Trail of Bits that explores these differences in the Go programming language, noting that the same issues exist in other languages and formats.

In conclusion, this podcast provides valuable insights into alternate data streams, security improvements for virtual PCs in the cloud, and vulnerabilities in file exchange software and parsers. This information is crucial for cybersecurity professionals seeking to protect their systems against emerging threats.