SANS Stormcast Friday, December 19th, 2025: Less Vulnerable Devices; Critical OneView Vulnerability; Trufflehog finds JWTs

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9746.mp3


Positive trends related to public IP range from the year 2025
Fewer ICS systems, as well as fewer systems with outdated SSL versions, are exposed to the internet than before. The trend isn't quite clean for ICS, but SSL2 and SSL3 systems have been cut down by about half.
https://isc.sans.edu/diary/Positive%20trends%20related%20to%20public%20IP%20ranges%20from%20the%20year%202025/32584

Hewlett-Packard Enterprise OneView Software, Remote Code Execution
HPE's OneView software allows unauthenticated remote code execution.
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1

Trufflehog Detecting JWTs with Public Keys
Trufflehog added the ability to detect JWTs and to verify their signatures using public keys.
https://trufflesecurity.com/blog/trufflehog-now-detects-jwts-with-public-key-signatures-and-verifies-them-for-liveness
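The workflow the blog post describes (find JWT-shaped strings, then check whether they are actually usable) can be reproduced with the standard library alone. The script below is an added example, not Trufflehog's code: it locates candidate tokens in a constructed config file, decodes them, verifies RS256 signatures against a known public key, and checks the exp claim. The RSA keypair is constructed from two Mersenne primes so that signing and verifying need no third-party library; that key is public knowledge and exists only to produce sample input. Treating "live" as "signature valid and not expired" is this example's own definition, not necessarily the exact set of checks Trufflehog performs.

```python
"""Detect JWTs in text and verify RS256 signatures with a public key.

Added example (not Trufflehog's code). The keypair below is constructed from
Mersenne primes purely so the demo runs offline with the standard library;
it is NOT secret and must never be used for anything real.
"""
import base64
import hashlib
import json
import re
import time

# --- constructed toy RSA keypair (NOT secret: p and q are Mersenne primes) ---
P = (1 << 521) - 1            # M521, prime
Q = (1 << 607) - 1            # M607, prime
N = P * Q                     # 1128-bit modulus
E = 65537                     # gcd(E, (P-1)(Q-1)) == 1, checked by hand
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)           # the only part a scanner needs
KEY_BYTES = (N.bit_length() + 7) // 8

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# A JWT header is base64url of '{"...', which always starts with "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def emsa_pkcs1_v15(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer < N."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    pad = b"\xff" * (KEY_BYTES - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + t, "big")


def sign_rs256(header: dict, payload: dict) -> str:
    """Issue a JWT with the toy private key (only used to build sample input)."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = pow(emsa_pkcs1_v15(signing_input.encode()), D, N)
    return signing_input + "." + b64url_encode(sig.to_bytes(KEY_BYTES, "big"))


def find_jwts(text: str) -> list:
    """Return every JWT-shaped string (three base64url segments) in text."""
    return JWT_RE.findall(text)


def verify_rs256(token: str, public_key, now=None) -> dict:
    """Classify one token: signature validity, expiry and derived liveness."""
    n, e = public_key
    parts = token.split(".")
    result = {"alg": None, "signature_valid": False, "expired": None,
              "live": False, "claims": {}}
    if len(parts) != 3:
        return result
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    result["claims"] = claims = json.loads(b64url_decode(body_b64))
    result["alg"] = header.get("alg")
    # Only RS256 is checked: "none" and HMAC algs are rejected outright,
    # which also closes the classic alg-confusion hole.
    if header.get("alg") != "RS256":
        return result
    sig = int.from_bytes(b64url_decode(sig_b64), "big")
    if sig >= n:
        return result
    expected = emsa_pkcs1_v15(f"{head_b64}.{body_b64}".encode())
    result["signature_valid"] = pow(sig, e, n) == expected
    now = time.time() if now is None else now
    exp = claims.get("exp")
    result["expired"] = exp is not None and exp < now
    result["live"] = result["signature_valid"] and not result["expired"]
    return result


def triage(text: str, public_key, now=None) -> list:
    """Detection plus verification over a blob of text, one dict per token."""
    return [verify_rs256(t, public_key, now) for t in find_jwts(text)]


# --- constructed sample input: a config file leaking three tokens ---
NOW = 1_766_000_000  # fixed "current time" so the demo is deterministic
HDR = {"alg": "RS256", "typ": "JWT"}
LIVE_TOKEN = sign_rs256(HDR, {"sub": "svc-deploy", "iss": "example-idp", "exp": NOW + 3600})
EXPIRED_TOKEN = sign_rs256(HDR, {"sub": "svc-old", "iss": "example-idp", "exp": NOW - 86400})
# Tampered payload with the old signature left in place: right shape, wrong signer.
_h, _b, _s = LIVE_TOKEN.split(".")
FORGED_TOKEN = _h + "." + b64url_encode(b'{"sub":"admin","exp":9999999999}') + "." + _s

SAMPLE_CONFIG = f"""
API_TOKEN=Bearer {LIVE_TOKEN}
# old token, never rotated out of the repo
LEGACY_TOKEN={EXPIRED_TOKEN}
TEST_TOKEN={FORGED_TOKEN}
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_CONFIG, PUBLIC_KEY, NOW):
        print(r["claims"].get("sub"), "sig_ok=%s expired=%s live=%s"
              % (r["signature_valid"], r["expired"], r["live"]))
```

Only the first token comes back as live; the second has a valid signature but is expired, and the third fails verification because its payload no longer matches the signature. In a real scan the public key would come from the issuer's JWKS endpoint or configuration rather than from constants in the script, and a finding flagged as live is the one to rotate first.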

Podcast Transcript

Hello and welcome to the Friday, December 19th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

So a big note about the next couple weeks, because we do have holidays sort of midweek both weeks. I'm planning on having at least a podcast on the Monday of each week. But aside from that, I'll play it by ear and see if there's any significant news to make a podcast worthwhile. Other than that, it'll probably be just the one podcast, either Monday or Tuesday of each week.

And talking about holidays, something to celebrate is certainly that we do appear to have fewer exposed industrial control system devices and other simply exploitable devices than we had about a year ago. Jan took a look at some of the statistics in Shodan, and he sort of has been tracking them continuously over a couple of years now. And when it comes to just industrial control system devices there, I don't think it's a done deal yet in the sense that they're going to soon be dying out here. There seem to be some odd sort of peaks during the summer months when we have more industrial control devices exposed than we had sort of during the winter. But overall, there seems to be a downward tendency, even though we are at about the same level as we had a year ago. Where it looks much better is support for SSL version 3 and in particular SSL version 2. Both dropped approximately by half over the last year. So that's pretty good. Now, I was saying that it's unlikely that a server will be exploited because it's running SSL version 3 or SSL version 2, for that matter. But it's often an indicator that there's a lot of other things wrong with this particular server, that, you know, there's just no support for more modern ciphers based on outdated operating systems or outdated TLS libraries. So it's overall a good thing that these numbers are going down. We don't know why they're going down, if this is people actually cleaning them up or them basically just dying of old age.

HP Enterprise released an update for its OneView software fixing a single vulnerability with a CVSS score of 10.0. This vulnerability allows an unauthenticated hacker to basically gain full remote code execution as admin access to affected systems. So definitely that's a patch you probably want to roll out before you close down for the holidays, if possible. But what you really should check is that these systems are not remotely accessible. HP OneView is used essentially to remotely manage servers.

And then we got an early Christmas gift from the folks at Trufflehog. Trufflehog, the secret scanner that's extremely popular, has now added support for JWTs, or JSON Web Tokens. JWTs are a little bit tricky in the sense that, yes, you know, they're digitally signed credentials. But one thing that Trufflehog is kind of famous for is for actually checking if these credentials are actually valid, so that they can actually be used. And that's a little bit tricky with these JWTs unless you have the public key to verify that these credentials are actually properly signed. That's the support they now added to Trufflehog. So not only will it find JWTs, it'll also try to make sure that they work. And with that, that they're worthwhile to act on and probably remove from whatever repository Trufflehog found them in.

Well, and this is it for today. So thanks for listening. Thanks for liking and subscribing, and talk to you again on Monday, maybe Tuesday next week. Bye. Bye. Bye.