in short: embeded system MUST be locked down or fully upgradeable.<br><br>Basically this guy found a zillion embedded Linux devices and they were all set up stupidly. Crap like telnet running with a root password of root and just boneheaded stuff like that.<br>
<br>It's one of the blowbacks from rapid Linux adoption - idiots make devices with a full OS installed and -WHAM- you've a got a root-bot.<br><br>Embedded devices are hard to get really right. Probably impossible to get totally secure. SCADA security woes are based on a zillion embedded windows 98 and XP devices that run utilities and water treatment plants and industrial processes. Full of security holes and not fixable without a hardware refresh (at 4x the cost of the original device).<br>
<br><div class="gmail_quote">On Thu, Mar 21, 2013 at 2:56 PM, Ron Frazier (ALE) <span dir="ltr"><<a href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
This just came out on the Security Now podcast. I thought I'd pass it along. I'll freely admit I don't understand everything discussed. However, you guys more up on security stuff will be able to research this and act appropriately. I'll explain this the best I can based on what I heard on the podcast.<br>
<br>
The podcast is entitled Telnet-pocalypse, and he reports on a very serious report by an anonymous White Hat researcher about vulnerable devices. I have not attempted to verify this information other than what's stated in Steve's podcast and in the report cited, but it appears to be legitimate.<br>
<br>
<a href="http://twit.tv/show/security-now/396" target="_blank">http://twit.tv/show/security-<u></u>now/396</a><br>
<br>
The show just came out yesterday and is not on the GRC website yet.<br>
<br>
Reference this page to see the researcher's work, although I wouldn't necessarily allow scripting:<br>
<br>
<a href="http://bit.ly/interscan" target="_blank">http://bit.ly/interscan</a><br>
<a href="http://internetcensus2012.bitbucket.org/paper.html" target="_blank">http://internetcensus2012.<u></u>bitbucket.org/paper.html</a><br>
<br>
This is similar in nature to the UPNP research that was documented recently. However, this researcher went further, and exploited the vulnerabilities he found, which is blatantly illegal in dozens of ways. As I said, all indications are that he was a White Hat, and went to great pains to do research without harming the devices that his worm infected. Regardless, the report is now public, and the Black Hat's will be quick to capitalize on this and attack with intent to do harm.<br>
<br>
As I understand it, this person created a linux worm to scan the entire ipv4 address space for vulnerabilities where telnet ports (port 23) were exposed on the public internet. As an open port was found, the worm would login via telnet using various combinations of no password, admin admin, root root, etc. Once it was able to log into the devices found, and in many cases had gotten root access to a terminal, the worm would inject it's binary code into the device found, thus self propagating and adding an additional scan engine to his collection. I get the impression that some worms were activated in a temporary manner and some may have been more permanent. If the devices were routers and printers, etc., the worm might not survive a reboot. In any case, he eventually had a botnet that he could control with compromised devices that encompassed 420 thousand machines.<br>
<br>
Let me repeat that, he actually compromised and installed a worm on 420 THOUSAND machines via TELNET, and published the results.<br>
<br>
Now, that's only .01% of all the available ip4 addresses, but that's not much comfort if you're one of the ones that's hacked. As I understand it, there are potentially millions more vulnerable machines that he didn't attempt to attack for fear of doing real harm, or machines that didn't allow code injection. I guess he also made sure his bot self destructed after he proved his theories.<br>
<br>
So, I suggest listening to the podcast if you're interested and,<br>
reviewing the researcher's published data and,<br>
checking your internet facing ports to make sure TELNET is not open.<br>
<br>
You can use Steve's Shields Up port scanner at <a href="http://grc.com" target="_blank">grc.com</a> to scan your first 1056 external TCP ports, including telnet.<br>
<br>
<a href="https://www.grc.com/x/ne.dll?bh0bkyd2" target="_blank">https://www.grc.com/x/ne.dll?<u></u>bh0bkyd2</a><br>
<br>
If anyone has specific knowledge of this research or the implications, please share it. You can bet that the bad guys will be paying close attention to this report.<br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br>
-- <br>
<br>
(PS - If you email me and don't get a quick response, you might want to<br>
call on the phone. I get about 300 emails per day from alternate energy<br>
mailing lists and such. I don't always see new email messages very quickly.)<br>
<br>
Ron Frazier<br>
<a href="tel:770-205-9422" value="+17702059422" target="_blank">770-205-9422</a> (O) Leave a message.<br>
linuxdude AT <a href="http://techstarship.com" target="_blank">techstarship.com</a><br>
<br>
______________________________<u></u>_________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/<u></u>listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/<u></u>listinfo</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://electjimkinney.org" target="_blank">http://electjimkinney.org</a><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
</i></i></i></i>