SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

Johannes B. Ullrich

Mar 12, 2026 • 7min

SANS Stormcast Thursday, March 12th, 2026: Zombie Zip;

Discussion of 'Zombie Zip' malformed archives that can hide payloads by mismatching compression indicators. Examination of the practical limits of the trick and of updated tools that try to extract such ZIPs. Coverage of bcrypt's 72-byte input truncation and how it can break authentication when long inputs reach the hash. A note on a simple-git regex bug enabling malicious git parameters and file overwrite risks.
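As an added example (not code from the diary or the podcast), the following Python scanner parses both views a ZIP carries of each entry, the local file header and the central directory record, and reports every field on which they disagree. It then shows why the mismatch matters: the same archive yields different bytes depending on which record an extractor trusts. The sample archive, the tamper helper and all function names are the example's own.

```python
"""Added example: detect ZIP files whose local file headers disagree with the
central directory (the kind of mismatch described for 'Zombie Zip' archives).
Not code from the ISC/SANS diary; the sample archive is constructed inline."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
STORED, DEFLATED = 0, 8


def build_sample_zip(content=b"hello from the archive\n" * 8):
    """Constructed input: a one-entry, deflate-compressed archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", content)
    return buf.getvalue()


def parse_central_directory(data):
    """Return one dict per central directory record (the view most tools trust)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_off, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    entries, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        f = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        nlen, elen, clen = f[9], f[10], f[11]
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        entries.append({"name": name, "method": f[3], "crc": f[6],
                        "csize": f[7], "usize": f[8], "local_off": f[15]})
        pos += 46 + nlen + elen + clen
    return entries


def parse_local_header(data, off):
    """Return the local file header at `off` (the view a streaming extractor uses)."""
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError("bad local header signature at %d" % off)
    f = struct.unpack("<HHHHHIIIHH", data[off + 4:off + 30])
    nlen, elen = f[8], f[9]
    name = data[off + 30:off + 30 + nlen].decode("cp437")
    return {"name": name, "method": f[2], "crc": f[5], "csize": f[6],
            "usize": f[7], "data_off": off + 30 + nlen + elen}


def find_mismatches(data):
    """List (entry, field, local_value, central_value) for every disagreement."""
    findings = []
    for cd in parse_central_directory(data):
        lh = parse_local_header(data, cd["local_off"])
        for field in ("name", "method", "crc", "csize", "usize"):
            if cd[field] != lh[field]:
                findings.append((cd["name"], field, lh[field], cd[field]))
    return findings


def extract_via_local_header(data, off):
    """What a header-by-header extractor yields when it trusts only the local record."""
    lh = parse_local_header(data, off)
    raw = data[lh["data_off"]:lh["data_off"] + lh["csize"]]
    if lh["method"] == DEFLATED:
        return zlib.decompress(raw, -15)   # raw deflate stream, no zlib header
    if lh["method"] == STORED:
        return raw
    raise ValueError("unsupported method %d" % lh["method"])


def set_local_method(data, local_off, method):
    """Tamper helper (hypothetical): overwrite the compression method in one
    local header only, leaving the central directory untouched."""
    return data[:local_off + 8] + struct.pack("<H", method) + data[local_off + 10:]


def demo():
    clean = build_sample_zip()
    entry = parse_central_directory(clean)[0]
    zombie = set_local_method(clean, entry["local_off"], STORED)
    # zipfile trusts the central directory (still DEFLATED) and extracts cleanly...
    via_cd = zipfile.ZipFile(io.BytesIO(zombie)).read("payload.txt")
    # ...while a local-header reader hands back the raw deflate bytes instead.
    via_lh = extract_via_local_header(zombie, entry["local_off"])
    return find_mismatches(clean), find_mismatches(zombie), via_cd, via_lh


if __name__ == "__main__":
    clean_f, zombie_f, via_cd, via_lh = demo()
    print("clean archive mismatches:", clean_f)
    print("tampered archive mismatches:", zombie_f)
    print("same bytes from both views?", via_cd == via_lh)
```

Only five fields are compared here; a production scanner would also compare the general-purpose flags, the extra fields and the filename length, and would treat an entry whose local header sits outside the central directory's offsets as suspicious in its own right.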

Mar 11, 2026 • 6min

SANS Stormcast Wednesday, March 11th, 2026: Windows, Fortinet, Adobe, and Zoom Patches

A rapid rundown of March patching across Microsoft, Fortinet, Adobe and Zoom. Highlights include Microsoft’s large Patch Tuesday with multiple critical fixes and disclosed issues. Deep dives on Fortinet OpenSSL and switch LLDP flaws and Adobe commerce and Acrobat fixes. A high-severity Zoom patch and a reminder about ongoing SAP updates round out the coverage.

Mar 10, 2026 • 7min

SANS Stormcast Tuesday, March 10th, 2026: Encrypted Client Hello; ExifTool Vulnerability;

Discussion of the new RFCs that formalize Encrypted Client Hello and DNS-based key bootstrapping. Exploration of why encrypting the Client Hello improves SNI privacy and reduces fingerprinting. Coverage of deployment status and Cloudflare support. Walkthrough of a critical ExifTool flaw that lets image processing run commands. Warning about Nextcloud Flow leaking super-admin secrets via Windmill.

Mar 9, 2026 • 5min

SANS Stormcast Monday, March 9th, 2026: YARA-X Update; IP Camera Targeting; Node.js Upgrades; nginx UI Vuln

A rundown of a YARA-X release and a new debugging command for rule dependencies. Discussion of a spike in attacks against IP cameras and links to regional physical conflict. Overview of a Node.js LTS upgrade and modernization assistance program and why LTS matters. Explanation of nginx UI flaws including backup API and exposed encryption headers, plus mitigation reminders.

Mar 6, 2026 • 7min

SANS Stormcast Friday, March 6th, 2026: Targeted or Not? pac4j-jwt auth bypass; freescout dangerous uploads; MSFT Authenticator vs Graphene OS

A dive into distinguishing targeted intrusions from noisy internet scanners. A critical pac4j-jwt authentication bypass that accepts only a public key. Dangerous file-upload flaws in FreeScout that can lead to remote code execution. Compatibility problems between Microsoft Authenticator and Graphene OS on secure Android builds.

Mar 5, 2026 • 8min

SANS Stormcast Thursday, March 5th, 2026: XWorm Analysis; Cisco “Secure” Firewall Management Center; LastPass Phishing

Detailed breakdown of an XWorm infection chain, from 7‑zip and JavaScript to a final DLL payload. Discussion of attackers poisoning AI search results to push malicious installers. Coverage of critical Cisco Firewall Management Center flaws and urgency to patch. Review of renewed LastPass phishing campaigns and defenses for password managers.

Mar 4, 2026 • 5min

SANS Stormcast Wednesday, March 4th, 2026: CrushFTP Brute Force; Android Patches 0-Day; OAuth Phishing Abuse

Brute-force scans probing CrushFTP servers using default admin credentials and the risk of misconfiguration. Android March 2026 security updates covering 140 flaws, including an exploited Qualcomm display driver bug. OAuth redirection abuse used to steer users to phishing sites and deliver malware. Exposed Google API keys creating risk of unexpected charges and abuse.

Mar 3, 2026 • 8min

SANS Stormcast Tuesday, March 3rd, 2026: Finding URLs in ZIPs in RTFs; Merkle Tree Certificates; Taming Agentic Browsers

A walkthrough of how attackers hide ZIPs inside RTF files and where to find the embedded URLs. A look at Merkle tree certificates as a compact alternative to bulky quantum-safe TLS certs and how Cloudflare and Google plan rollouts. An alert about a Chrome issue where extension access to a new Gemini panel could expose camera and mic, and the wider risks from browser AI features.
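As an added example (not code from the diary or the podcast), the Python below carves a ZIP out of the hex-encoded `\objdata` group of an RTF file and lists the URLs found inside the archive's members. The RTF, the embedded ZIP and the URL in it are all constructed inline; the four-byte prefix stands in for the OLE wrapper that real samples put in front of the archive, which is why carving starts at the `PK\x03\x04` signature rather than at the start of the decoded blob. Function names are the example's own.

```python
"""Added example (not from the ISC diary): carve a hex-encoded ZIP out of an
RTF \\objdata group and list the URLs inside its members. RTF and ZIP are
constructed inline."""
import io
import re
import zipfile

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_EOCD_SIG = b"PK\x05\x06"


def build_sample_rtf(zip_bytes, prefix=b"\x01\x05\x00\x00"):
    """Constructed RTF: an embedded object whose \\objdata is the hex of
    prefix+ZIP, split across lines the way RTF writers wrap long hex runs.
    `prefix` is a stand-in for an OLE wrapper, not a real OLE structure."""
    hexdata = (prefix + zip_bytes).hex()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
            "\\f0 Please review the attached document.\\par\n"
            "{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
            + wrapped + "\n}}\n}")


def objdata_blobs(rtf_text):
    """Yield the decoded bytes of every \\*\\objdata group. Whitespace inside
    the hex is ignored, as RTF readers ignore it; a trailing odd nibble is dropped."""
    for m in re.finditer(r"\\\*\\objdata\b([^{}]*)\}", rtf_text):
        hexchars = re.sub(r"[^0-9A-Fa-f]", "", m.group(1))
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]
        yield bytes.fromhex(hexchars)


def carve_zips(blob):
    """Return every ZIP slice in blob: from a local-header signature through
    the end of the end-of-central-directory record that follows it."""
    zips, start = [], blob.find(ZIP_LOCAL_SIG)
    while start >= 0:
        eocd = blob.find(ZIP_EOCD_SIG, start)
        if eocd < 0:
            break
        comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
        end = eocd + 22 + comment_len
        zips.append(blob[start:end])
        start = blob.find(ZIP_LOCAL_SIG, end)
    return zips


def urls_in_rtf(rtf_text):
    """Map member name -> sorted URLs for every ZIP embedded in the RTF."""
    found = {}
    for blob in objdata_blobs(rtf_text):
        for zdata in carve_zips(blob):
            with zipfile.ZipFile(io.BytesIO(zdata)) as zf:
                for name in zf.namelist():
                    urls = sorted(set(URL_RE.findall(zf.read(name))))
                    if urls:
                        found[name] = [u.decode("ascii", "replace") for u in urls]
    return found


def demo():
    """Build a constructed sample and run the extractor over it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Constructed member: an Internet-shortcut-style file pointing at a made-up host.
        zf.writestr("Invoice.url",
                    "[InternetShortcut]\nURL=http://updates.example.invalid/Invoice.exe\n")
        zf.writestr("readme.txt", "open the shortcut to view the invoice")
    return urls_in_rtf(build_sample_rtf(buf.getvalue()))


if __name__ == "__main__":
    for member, urls in demo().items():
        print(member, "->", ", ".join(urls))
```

The regex-based group matching is deliberately simple and will miss an `\objdata` group that itself contains nested braces; for real triage, decode with a proper RTF parser and then carve from the decoded bytes the same way.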

Mar 2, 2026 • 8min

SANS Stormcast Monday, March 2nd, 2026: Reversing Fake Fedex; Abusing .ARPA; MSFT Authenticator Update; Apex One Vuln; Special AirSnitch Webcast

A walkthrough of a FedEx-themed phishing attack that delivers a Donut loader and XSwarM payload. A deep dive into attackers abusing .ARPA reverse zones and how to spot suspicious DNS lookups. A heads-up about Microsoft Authenticator blocking rooted and jailbroken devices. A critical Trend Micro Apex One directory traversal fix and an invite to a live AirSnitch webcast.

Feb 27, 2026 • 9min

SANS Stormcast Friday, February 27th, 2026: Finding Signal (@sans_edu intern); Google API Keys and Gemini; AirSnitch Breaking Client Isolation

A dive into running honeypots and coping with alert overload, including using AI to triage noisy data. A discussion of how unconstrained Google API keys can now access Gemini and why that creates new risks. An explainer on AirSnitch methods that break Wi‑Fi client isolation and practical mitigations for networks.