Podcast Detail

SANS Stormcast Tuesday, July 7th, 2026: RCS and DNS; OpenSSH Update; Beyond Trust Advisory; PolinRider Update

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9996.mp3

Podcast Logo
RCS and DNS; OpenSSH Update; Beyond Trust Advisory; PolinRider Update
00:00

My Next Class

Click HERE to learn more about classes Johannes is teaching for SANS

Podcast Transcript

 Hello and welcome to the Tuesday July 7th, 2026 edition
 of the SANS Internet Storm Center's Stormcast. My name is
 Johannes Ullrich, recording today from Jacksonville,
 Florida. This episode is brought to you by the SANS.edu
 Graduate Certificate Program in Cybersecurity Engineering.
 Today I wrote a quick diary about, well, less well-known
 DNS records. I noticed recently in my home network
 that there were a couple of lookups for NAPTR records.
 And while this was a record I wasn't really familiar with,
 it has been around, it has been defined for a while since
 around 2000. That's when the RFC was released and the
 record itself looked, well, interesting and somewhat
 dangerous in that it allows you to rewrite results using
 regular expressions. And we all know regular expressions,
 lots of sort of implementation issues around that. Well, it
 turns out it wasn't an attack, it was normal traffic.
 Apparently it's used as part of the rich communication
 services that's the underlying protocol that's being used for
 RCS. So RCS has been introduced in recent years and
 particularly the last couple of years been deployed more
 and more with iOS and Google and Android replacing SMS more
 and more with RCS.
 So RCS is essentially a more modern version of SMS. It gets
 rid of some of sort of the old really sort of voice network
 based craft that sort of stuck around with SMS and makes it
 more a standard internet protocol for IP using SIP as
 one of its sort of transport mechanisms here for the
 messages. The NAPTR records are here used without actually
 taking advantage of the regular expressions. They're
 really just used to communicate essentially where
 to connect to. I've seen them for Verizon and AT&T in my
 network, but of course know what exact records you'll see
 will depend on your telecommunication provider
 that you are using. I also got a comment to this on LinkedIn
 and the user here commented that there is apparently an
 international e-invoicing protocol that does take
 advantage of NAPTR records. Wasn't familiar with that
 protocol and not sure how widely it is being used, but
 appears to be an international standard. So maybe more
 visible sort of in some multinational companies or so
 that may be taking advantage of that protocol. As always,
 watch your DNS traffic. Watch out for these odd records and
 try to understand what's going on. And again, it's often not
 malicious. It's just a new technology that has been
 deployed in the network, and it's often good to know about
 these new technologies. And we have a new version of OpenSSH
 10.4. It fixes a number of security issues. None of them
 I would call sort of urgent or critical. There are a couple
 of interesting ones with SFTP where a client could be
 tricked into writing files into the wrong directory. So
 that may be worth paying some attention to. But there are
 also some new features, for example, some post-quantum
 signature algorithms that are now supported. With OpenSSH,
 what you'll usually find is that you won't see OpenSSH
 version 10.4 in current distributions for a while. But
 many of the security features are sometimes backported to
 older versions. So definitely watch out for new updates,
 even if they're not called OpenSSH 10.4. And BeyondTrust
 has released an advisory identifying four different
 recently patched vulnerabilities. Two of these
 vulnerabilities do allow authentication bypass, which,
 well, for an authentication product like BeyondTrust, of
 course, is critical. They don't specify which exact
 configurations are vulnerable. But as part of the advisory,
 they state that only specific configurations are vulnerable.
 Of course, that's not very helpful. And you better apply
 the patch if you self-host BeyondTrust. Interestingly,
 you need to apply the April rollup here. So it appears
 that the April rollup did patch some so far undisclosed
 vulnerabilities. And Socket .dev has a good blog post with
 updates regarding some of the recent supply chain attacks.
 In particular, what they're focusing on is a North Korean
 threat actor that often deploys harmless-looking
 patches and pull requests to legitimate GitHub repos and
 then does trick developers to actually use these particular
 repos as part of fake job interviews. Now, what I found
 particularly interesting here is that they're going through
 some steps to make it more difficult to detect the
 malicious modifications. They do, for example, alter the Git
 history in that way. It's more difficult to identify like,
 you know, what particular changes were made recently to
 a particular GitHub repository. And that, of
 course, makes it more difficult to identify the
 altered JavaScript files. Now, they historically have mostly
 been using NPM and Node.js, but lately have also been
 branching out to Go and to Google Chrome extensions. That
 would be, as always, careful with this. And I think the
 main takeaway here is that you can't just sort of, you know,
 rely on a quick eyeballing of the Git history in order to
 identify some of these malicious changes. Well,
 thanks for listening. Thanks for liking. Thanks for
 subscribing. And as always, if you like this particular
 podcast, please recommend it to others and talk to you
 again tomorrow. Bye.