Podcast Detail

SANS Stormcast Tuesday, April 29th: SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9428.mp3

previous
Podcast Logo
SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC
00:00

SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics
Mark Baggett released SRUM-DUMP Version 3. The tool simplifies data extraction from Widnows’ System Resource Usage Monitor (SRUM). This database logs how much resources software used for 30 days, and is invaluable to find out what software was executed when and if it sent or received network data.
https://isc.sans.edu/diary/SRUM-DUMP%20Version%203%3A%20Uncovering%20Malware%20Activity%20in%20Forensics/31896

Novel Universal Bypass For All Major LLMS
Hidden Layer discovered a new prompt injection technique that bypasses security constraints in large language models.
The technique uses an XML formatted prequel for a prompt, which appears to the LLM as a policy file. This “Policy Puppetry” can be used to rewrite some of the security policies configured for LLMs. Unlike other techniques, this technique works across multiple LLMs without changing the policy.
https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/

CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago
The old “Juice Jacking” is back, at least if you do not run the latest version of Android or iOS. This issue may allow a malicious USB device, particularly a USB charger, to take control of a device connected to it.
https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf

SANS @RSA: https://www.sans.org/mlp/rsac/

Podcast Transcript

 Hello and welcome to the Tuesday, April 29th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ulrich and today I'm recording from
 Jacksonville, Florida. And in diaries today we got a new
 Python tool for a change, not from Didier, but from the Python
 master himself, Mark Baggett. Mark wrote SRUM DUMP, SRUM the
 systems resource usage monitor. That's the part of
 Windows that logs how much resources different software
 used for the last 30 days. And it's of course really
 interesting in forensics and instant response because you
 can check, well, which software was running when and
 did it use the network? How much data did it send? All of
 this is in the system research usage monitor logs. And well,
 that's exactly what this tool exports for you, presents it
 in easy to use formats. So if you are in that line of
 business, definitely take a look. And Mark is always
 interested in feedback. There's also a little run
 through of the tool and how to use it in sort of a simple
 case, kind of to give you an idea for how you could apply
 this tool to any kind of investigation that you are
 performing. And then we got an interesting new technique to
 perform a prompt injection in large language models. This
 comes from Hidden Layer and what they say is unique about
 their particular technique, they call it a policy
 puppetry, is that it's fairly universal. The same technique,
 the same style prompt can be used across multiple LLMs.
 They sort of tested all the big ones as part of their
 research. There have been similar prompt injections for
 specific models. But as Hidden Layer points out, well, they
 can't easily sort of be transferred then to another
 model and, of course, have in part been patched in the past.
 What they essentially are doing is that they're not only
 using the role-playing trick. And that trick is old. That,
 of course, has been used by itself in the past. Where you,
 for example, ask the language model, hey, write me a movie
 script, how to build a bomb or something like this. That's
 not alone what they're doing. In addition, they're also
 prefacing this particular prompt with a snippet of XML.
 The reason they're using XML is that this is usually how
 the policy files are using that these large language
 models are using that are actually defining some of the
 constraints. So, by essentially confusing the
 model as to what is the prompt or what is the policy, well,
 they end up being able to overwrite some of the fixed
 policy or supposedly fixed policy, which then leads the
 large language model to actually act on the prompt
 that is following that particular policy insert. It's
 an interesting trick. They say it's difficult to patch. It's
 sort of back to the good old bad pattern where you're sort
 of mixing instructions and data and user data. So, mixing
 code and user data that usually never goes very well.
 So, I think they probably have to figure this out in a more
 fundamental way than sort of just by simple block listing
 certain strengths. Well, it looks like an older attack.
 Juice jacking is back again. Juice jacking referred to the
 ability of malicious USB chargers to essentially act as
 a keyboard and then send keystrokes to a device. This
 was an issue that was sort of thought to be mostly
 mitigated. Now, if you remember, maybe if you're at
 RSA this week, I'm not sure if the NSA still has its USB
 charger at its booth, sort of as a little nod to this
 particular technique. But it looks like it sort of made a
 little bit a comeback in the form of Joyce jacking.
 Researchers at the Graz University of Technology in
 Austria have developed a technique that Android, as
 well as in a limited form, iOS were vulnerable to. Now, iOS
 fixed this last month with the update to 18.4. And these
 research were also credited with notifying Apple of this
 particular weakness in Android. It was fixed as well.
 But then again, depends on whether or not you're running
 the latest version of Android, whether or not you are
 protected. The trick here is similar to sort of the old
 juice jacking in that the device changes its nature.
 Now, the little difference here is that they're also
 taking advantage of the power delivery protocol. The power
 delivery protocol is usually used between the charger and
 the device to figure out what voltages the device is willing
 to accept. But it can also be used to basically indicate
 that the device is a charger or a device that actually
 receives a charger or power from another device. And
 that's sort of part of this here where the device is first
 charging. But then basically telling the phone, hey, I'm
 now actually a device that wants to be charged. So it
 changes in this host mode. And that's sort of the first step
 here. On Android, they also developed a technique that
 involves just filling up the input queue with sort of
 requests. And then when you're making the switch at the right
 time, it will essentially then turn the device into the
 ability to actually send keystrokes to the vulnerable
 phone or tablet or whatever you have in this system. Now,
 there's lots of details here. There's also another technique
 here where it actually involves then using a
 Bluetooth input device. Bluetooth, of course, similar
 issue where the charger could also include a Bluetooth
 interface and then basically emulate a Bluetooth keyboard.
 A number of different techniques are being
 demonstrated here. Again, if you are running the latest
 versions of respective operating systems, you should
 be good. Personally, I'm always not that terribly
 worried about chargers in airports and such all of a
 sudden turning malicious. Apparently, it has happened in
 the past. My main concern usually is of the electrical
 safety of some of these chargers. But for the most
 part, if you want to stay safe, just use your own
 charger. And this shouldn't really be a problem. Well,
 that's it for today. I will actually not be at RSA this
 week. I'll be in San Diego teaching a class next week. If
 you happen to be at RSA, stop by at the SANS booth. They'll
 be able to tell you what SANS instructors are speaking at
 RSA. There will also be the famous Most Dangerous Attack
 panel again. And well, let them know how much you like
 the podcast. And that's it for today. And talk to you again
 tomorrow. Bye. Bye. Bye. Bye. Thank you.