Podcast Detail

SANS Stormcast Wednesday, May 6th, 2026: Cleartext Passwords in Edge; SSL.com Root Rotation; DAEMONTOOLS Backdoor;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9920.mp3



Podcast Transcript

 Hello and welcome to the Wednesday, May 6, 2026 edition
 of the SANS Internet Storm Center's Stormcast. My name is
 Johannes Ullrich, recording today from Jacksonville,
 Florida. And this episode is brought to you by the SANS.edu
 Graduate Certificate Program in Industrial Control System
 Security. Well, in diaries today, we got two kinds of news
 items from Rob. The first one affects Microsoft Edge.
 Microsoft Edge manages passwords like all browsers
 pretty much do these days. And well, it stores passwords in
 an encrypted file on your system. However, once you
 start Edge, it will load all of these passwords into the
 browser's memory and decrypt them. Even though you as a
 user have to sort of authenticate yourself for each
 password individually, as you use it to refill these
 passwords into a website, well, the passwords are
 already decrypted in memory. So as Rob points out, this is
 more a bit of security theater. So what's
 the threat here? Well, at first you may say, well, it's
 not really a big deal, because in order to gain access to the
 memory, you have to be logged in as the user. If you are
 having all the privileges of the user, you can probably do
 things like capture keystrokes, load browser
 extensions, and things like this. So you would have access
 to the passwords as they're being used. But the big risk
 here is that an attacker can get bulk access to all of your
 passwords, even with very brief, very limited access to your
 system. The other problem, of course, is that any kind of
 memory leak, and browsers sadly are known for them, could
 be exploited in order to then gain access to these
 passwords, depending on the exact nature of the memory leak, of
 course. So that's the real risk here. That's why
 Microsoft probably should do something about it and fix
 it, even though they classified it as intended
 behavior when it was reported to them. Other browsers
 usually do this a little differently, and your best bet
 still is to go with a third-party password manager. Some
 of them had similar issues in the past, but fixed them
 because, well, after all, keeping your passwords secure
 is the primary mission of a password manager. So they
 tend to be a little bit more detail-oriented when it comes
 to protecting your passwords. Second news item here is that
 SSL.com, one of the larger commercial certificate
 authorities, is rotating their root certificates today.
 Ideally, nobody should really worry about this or even
 notice it. Typically, whenever you update your operating
 system and such, there are often updated root certificate
 authority files being loaded into your operating system.
 However, well, reality is it depends a little bit on how
 you're managing your root certificates. In particular,
 in the Unix world, there are sometimes several sort of
 certificate authority files that are on your system. Also,
 if you're doing things like mutual TLS or such, you may
 have very specific root certificates. And then in
 particular in mobile applications, many developers
 are these days using certificate pinning or at
 least certificate authority pinning, but they only allow
 certificates from a specific sort of authority to be used
 in order to protect themselves from rogue certificate
 authorities or, well, attackers who are good at social
 engineering and able to obtain a certificate to
 impersonate a particular company. So that's why you
 probably should double check and make sure how you're using
 SSL.com certificates if you're using them at all. Again, if
 you're just using them in a browser and if not managing
 any servers using them, then nothing really to worry about.
 Another little side issue here that's not just SSL.com.
 Remember that certificate authorities, and I'm
 talking about public certificate authorities, will now no longer
 issue certificates that are both server and client certificates.
 Typically, you only get server certificates now. This has
 recently been changed and there's a particular issue if
 you are doing mutual TLS because then, well, if you're
 using the same certificate for the server as well as client
 function, well, you must have both of these properties set
 in your certificate. For mutual TLS, most people are
 using internal certificates, particularly if you're using
 it between containers and such in something like a
 microservices architecture. So again, you shouldn't really worry
 too much. But if you're using any public certificate authorities
 for some externally exposed mutual TLS purposes, then this
 may be a problem for you. And today's supply chain
 compromise was found by Kaspersky and does affect
 DAEMON Tools. If you're not familiar with DAEMON Tools,
 well, the name already sounds a little bit malicious, but
 it's not. It's a set of usually legitimate tools that
 can be used to mount various disk images. They exist for
 Mac and Windows. Kaspersky talks about the Windows
 version. Not sure if the Mac version got compromised too.
 But if you're downloading a version of DAEMON Tools from
 the legitimate website, you will receive a malicious
 version of DAEMON Tools, basically a backdoored one
 that is also signed with a legitimate DAEMON Tools
 certificate. So it looks like a complete compromise of the
 website and their build architecture. Wouldn't be
 surprised if the Mac version has similar malicious code
 embedded; haven't had a chance to give it a try yet. Once you're
 running the malicious version, it will access a site called
 daemontools.cc. Now the legitimate website for DAEMON
 Tools is daemon-tools.cc. So very simple here, easy to mix
 up. And I think what's worse is that according to
 Kaspersky, the website and the tools were compromised for
 about a month now. Just before recording this, I went to
 the DAEMON Tools website looking for any kind of notice or update.
 Didn't see anything, but there was also like no news or blog
 or any sort of page like this, where you typically would find
 a notice like this. So not sure if they're aware, not
 sure if the tools have been replaced with safe versions at
 this point. I would still treat them as malicious. And if you
 downloaded DAEMON Tools in the last month, sorry, you
 have to double-check again. The backdoor just downloads
 commands, and the attacker could then have executed pretty much
 any command. Kaspersky documents in their blog some
 of the commands that they have seen. And they basically
 install the usual information stealers, backdoors,
 and the like. So nothing too crazy here necessarily. Well,
 basically just your standard malware at this point. Well,
 that's it for today. Thanks for listening, for liking, for
 commenting on the podcast. And a couple of you also sent a
 little bit of feedback as to what content you would like to
 see more or less of, and what actually helped you. Always
 really useful. So, you know, also in the future, if there
 is a particular topic that really helped you, let me
 know. Or if there's a topic where you felt that really
 just wasted your time, let me know that too. And I can
 basically pick different topics. The goal here is
 really to make this short and impactful, really help you
 basically have a better day. So thanks and talk to you
 again tomorrow. Bye.
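Editor's added example (appended after the transcript; not part of the podcast, SANS ISC, or any CA's tooling): the mutual TLS point above is that a single certificate reused as both server and client certificate needs both the serverAuth and clientAuth Extended Key Usage values, and public CAs now typically issue serverAuth only. The shell script below uses the openssl CLI to check a PEM certificate for both values. The two certificates it inspects are constructed test data generated locally (self-signed, one with both EKUs and one with serverAuth only); the function and file names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the podcast or SANS ISC: inspect a certificate's
# Extended Key Usage (EKU) with the openssl CLI and report whether it carries
# both "TLS Web Server Authentication" (serverAuth) and "TLS Web Client
# Authentication" (clientAuth). A certificate reused on both sides of a mutual
# TLS connection needs both. The two certificates below are constructed test
# data generated locally; nothing is fetched from the network.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU_LIST: self-signed test certificate with the given EKU
# values (e.g. "serverAuth,clientAuth"); written to $WORK/NAME.pem and NAME.key.
# -addext needs OpenSSL 1.1.1 or newer.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1.example" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# cert_eku FILE: print the EKU values of a PEM certificate as openssl names them,
# e.g. "TLS Web Server Authentication, TLS Web Client Authentication";
# prints nothing if the certificate has no EKU extension.
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | tail -n 1 \
        | sed 's/^[[:space:]]*//'
}

# mtls_ok FILE: succeed (exit 0) only if the certificate has both serverAuth
# and clientAuth; a certificate with only one of them, or none, fails (exit 1).
mtls_ok() {
    eku=$(cert_eku "$1")
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) return 1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

make_cert both "serverAuth,clientAuth"   # what one cert used on both sides needs
make_cert server "serverAuth"            # what public CAs typically issue now

for name in both server; do
    if mtls_ok "$WORK/$name.pem"; then
        echo "$name.pem: usable as server and client cert ($(cert_eku "$WORK/$name.pem"))"
    else
        echo "$name.pem: NOT usable on both sides ($(cert_eku "$WORK/$name.pem"))"
    fi
done
```

To check a certificate you already deploy, point `mtls_ok` at its leaf PEM file (the EKU that matters is the one on the end-entity certificate, not on the chain). A serverAuth-only result from a public CA is expected behaviour now; the fix is a separate client certificate, usually from an internal CA, rather than a reissue.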