Re: [Full-disclosure] Broadband routers and botnets - being proactive
http://myspaceinfosec.blogspot.com/

Myspace fails to protect its community from malicious hackers. As of May 12th, 2007, Myspace has 176,968,475 users in its community and it is growing fast. To put this number in perspective, the US Census Bureau estimates there are currently 301,821,743 US citizens. The current number of users is well over half of the population of the entire United States. With this being said, you would think that a company that has this many users in its community would pay closer attention to security.

Myspace provides a lot of services to its user community and one of the most popular is Myspace Groups. There are thousands of groups covering a wide range of themes, and they let people collaborate on anything from Beanie Babies to the arts. One group in particular, The World Artist Network (WAN) http://groups.myspace.com/wan, is the largest single group on Myspace and has over 200,000 members worldwide. This group serves the art community and gives artists a place to go to collaborate with other artists. You can almost classify this as a somewhat educational experience because people will post their art there to get feedback from other artists and art enthusiasts. This helps to build an artist's skill set and helps them to become a successful artist.

However, since around February of this year, a hacker has been targeting groups by exploiting Myspace's lack of security controls and causing DoS (Denial of Service) attacks by flooding the groups with thousands of postings, making it nearly impossible to find the content posted by the members. The World Artist Network is currently under attack by this relentless hacker. After the attack started several days ago, the group has been brought to its knees. The way the topics are displayed has been damaged by the attack and now the first 27 pages are blank. Several members now cannot even post to the group, myself included.

It appears the hacker may be using code to perform various administrative functions, which includes banning members as well as pinning/unpinning topics (a flag that lets the moderator anchor various topics to the top of the list). The hacker also seems to be able to bypass banning functions. Even when he is banned he is still able to post. He has created other accounts as well, and after he is finally banned he will simply use a new profile to begin the attack all over again. Using a special technique I was able to get one of the first attacker's IP addresses, which shows the attacker was using an IP address from the Internet Service Provider intrstar.net (InterStar Communications, Inc), who is located in Clinton, NC. I sent a complaint to InterStar and included all the relevant information, yet they never responded to the incident. During this attack the hacker posted hundreds of pages of extremely disgusting and vile SCAT porn images. SCAT is pornography that deals with feces. Myspace was also alerted to this activity and there was no response.

Although Myspace is 'free' to users, I still think it is their obligation to at least make a best-effort attempt at protecting its users. One of the biggest things they can do is have a better response to security incidents. Another would be to track down these people and prosecute them. And they could put simple controls in place to prevent these types of attacks from happening in the first place. One such method could be using software called CAPTCHA, which forces a human to enter text displayed in an image file. Say after 10 posts within 5 minutes, force the user to enter the text. This would make it literally impossible for the attacker to flood an entire group, thereby making it much less desirable for them to perform future attacks. This is such a simple thing to do that it is bizarre to me that they haven't done it yet.
I can tell you one thing I truly believe: Myspace's banner ads, where their main revenue comes from, will always be working very smoothly. Just don't forget, it is the members of your Myspace community who are the ones that either click or don't click on those ads. You need to protect those precious resources.

http://myspaceinfosec.blogspot.com/2007/05/myspace-fails-to-protect-its-community.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
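The throttle proposed in the post above (a CAPTCHA once a user has made 10 posts within 5 minutes), written out as a sliding-window check. This is an added illustration, not code from the blog post or from Myspace; `PostRateLimiter`, `simulate_flood` and the timestamps are hypothetical.

```python
"""Sliding-window posting throttle: once a user has `threshold` accepted posts
inside `window` seconds, each further post is refused until it arrives with a
solved CAPTCHA. Hypothetical code written for this page; the defaults mirror
the post's suggestion of 10 posts in 5 minutes."""
from collections import defaultdict, deque


class PostRateLimiter:
    def __init__(self, threshold=10, window=300):
        self.threshold = threshold          # posts allowed per window without a challenge
        self.window = window                # window length in seconds
        self._posts = defaultdict(deque)    # user -> timestamps of accepted posts, oldest first

    def submit(self, user, now, captcha_ok=False):
        """Record a post attempt at time `now` (seconds since epoch or any monotonic clock).

        Returns "accepted" when the post may go through, or "captcha_required" when
        the user already has `threshold` posts inside the window and did not present
        a solved CAPTCHA. Only accepted posts are recorded, so the window is measured
        on what actually reached the group, not on refused attempts."""
        q = self._posts[user]
        while q and now - q[0] >= self.window:      # drop posts that have aged out
            q.popleft()
        if len(q) >= self.threshold and not captcha_ok:
            return "captcha_required"
        q.append(now)
        return "accepted"


def simulate_flood(limiter, user, attempts, interval):
    """Drive `attempts` posts spaced `interval` seconds apart with no CAPTCHA
    answers; return (accepted, challenged) counts."""
    accepted = challenged = 0
    for i in range(attempts):
        if limiter.submit(user, now=i * interval) == "accepted":
            accepted += 1
        else:
            challenged += 1
    return accepted, challenged


if __name__ == "__main__":
    # A flooder posting once a second for ten minutes gets only 10 posts through
    # per 5-minute window; an artist posting once a minute is never challenged.
    print(simulate_flood(PostRateLimiter(), "flooder", 600, 1.0))   # (20, 580)
    print(simulate_flood(PostRateLimiter(), "artist", 20, 60.0))    # (20, 0)
```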
Re: [Full-disclosure] Broadband routers and botnets - being proactive
Fergie replied on NANOG to my recent post on the subject of broadband routers insecurity:

> I'll even go a step further, and say that if ISPs keep punting on the whole botnet issue, and continue to think of themselves as 'common carriers' in some sense -- and continue to disengage on the issue -- then you may eventually be forced to address those issues at some point in the not-so-distant future. I understand the financial disincentives, etc., but if the problem continues to grow and fester, and consumer (and financial institutions) losses grow larger, things may take a really ugly turn.

He is right, but I have a comment I felt it was important - to me - to make. Not just on this particular vulnerability, but on the war.

I must admit, vulnerabilities are endless and new exploitation vectors will never end; even if it were possible and we were all 100% secure, someone (an attacker rather than a vulnerability) will find a way to make it 99% again for the right investment or with the right moment of brilliance. Enough with cheap philosophy though... As tired (even exhausted) as I am of the endless repeating circle which security is, on all levels (from the people involved through the interests involved all the way to the same-old-FUD), I still haven't burned out, and I am still here. The world isn't going to end tomorrow, and even if the Internet were to die (which I doubt it will), we will survive.

However, in the recent couple of years a new community has been forming which we started referring to as Internet security operations. These folks, for various motives, work to make the Internet stay up and become safer (actually being safe is a long lost battle we should have never fought, the way things were built). With such a community being around, treating issues beyond our little corner of the `net is possible to a level, and at least some progress is made.
Some anti-virus engineers no longer care only about samples, some network engineers no longer care only about their networks, etc.

Is any of this a solution? No. The problems themselves will not go away; they aren't in any significant fashion currently being dealt with beyond the tactical level of a fire brigade. Is it the end then? Of course not. But operations vs. research are determined by intelligence. As we have some intelligence, I can point to yet another annoying vulnerability in the endless circle which those of us who want to can study, and if they feel it is justified, defend against. That is the broadband routers issue, which personally I'd really rather avoid. Unfortunately, this limited defense is what most of us can do at our own homes, or tops as a volunteer fire brigade or neighborhood watch.

The Internet is the most disconnected global village I can imagine, but we all have the funny uncle on another network and a weird one on yet another. I sometimes feel that the old analogy of the Internet to the Wild West is not quite it. Perhaps we are living in the Wild West, only instead of wastelands and small towns, we have New York City and the laws of a feudal dark ages Kingdom.

Things will eventually change, and some of us will stick around to help that change (or try to). For now though, it is about one vulnerability ignored at a time, and working on our communities.

Gadi Evron.
[Full-disclosure] Broadband routers and botnets - being proactive
In this post I'd like to discuss the threat widely circulated insecure broadband routers pose today. We have touched on it before.

Today, yet another public report of a vulnerable DSL modem type was posted to bugtraq, this time about a potential WIRELESS flaw with broadband routers being insecure at Deutsche Telekom. I haven't verified this one myself, but it refers to the Deutsche Telekom Speedport w700v broadband router:
http://seclists.org/bugtraq/2007/May/0178.html

If you all remember, there was another report a few months ago about a UK ISP named BeThere with their wireless router being accessible from the Internet and exploitable, as another example:
http://blogs.securiteam.com/index.php/archives/826

Two issues here:
1. Illegitimate access to broadband routers via wireless communication.
2. Illegitimate access to broadband routers via the WAN.

I'd like to discuss #2.

Some ISPs which provide such devices (as in the example of #2 above) use them as bridges only, preventing several attack vectors (although not all). Many others don't. Most broadband ISPs have a vulnerable user-base on some level. Many broadband ISPs around the world distribute such devices to their clients.

Although the general risk is well known, like with many other security issues many of us remained mostly quiet in the hope of avoiding massive exploitation. As usual, we only delayed the inevitable.

I fear that the lack of awareness among some ISPs for this not yet widely exploited threat has resulted in us not being PROACTIVE and taking action to secure the Internet in this regard. What else is new; we are all too busy with yesterday's fires to worry about tomorrow's. Good people will REACT and solve the problem when it pops up in wide exploitation, but what we may potentially be facing is yet another vector for massive infections and the creation of eventual bot armies on yet another platform.
My opinion is that, with all these public disclosures and a ripe pool of potential victims, our delaying massive exploitation of this threat may not last. I believe there is currently a window of opportunity for service providers to act and secure their user-base without rushing.

Nothing in security is ever perfect, but actions such as changing default passwords and preventing connections from the WAN to these devices would be a good step to consider if you haven't already.

My suggestion would be to take a look at your infrastructure and what your users use, and if you haven't already, add some security there. You probably have a remote login option for your tech support staff which you may want to explore - and secure. That's if things were not left at their defaults. Then, I'd also suggest scanning your network for what types of broadband routers your users make use of, and how many of your clients have port 23 or 80 open. Whether you provide the devices or not, many will be using different ones set to defaults which may pose a similar threat. Being aware of the current map of vulnerable devices of this type in your networks can't hurt.

It is not often that we can predict which of the numerous threats out there that we do not currently address is going to become exploited next. If you can spare the effort, I'd strongly urge you to explore this front and be proactive on your own networks.

The previous unaddressed threat which most of us chose to ignore was spoofing. We all knew of it for a very long time, but some of us believed it did not pose a threat to the Internet or their networks for no other reason than that it is not currently being exploited and there are enough bots out there for spoofing to not be necessary. I still remember the bitter argument I had with Randy Bush over that one.

This is a rare opportunity; let's not waste it. We are all busy, but I hope some of you will have the time to look into this.
I am aware of and have assisted several ISPs who spent some time and effort exploring this threat and in some cases acting on it. If anyone can share their experience on dealing with securing their infrastructure in this regard publicly, it would be much appreciated.

Thanks.

Gadi Evron.
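Gadi's last suggestion, scanning your own customer ranges for CPE with port 23 or 80 reachable from the WAN and tallying the device types, as an added example that is not part of the original post: it summarises nmap grepable (-oG) output into per-port exposure counts and a breakdown by the device model in the version field. The sample output, the host addresses and the device names are constructed, and `parse_grepable` and `summarise` are hypothetical helpers.

```python
"""Summarise WAN-side management exposure of customer CPE from nmap grepable
output (-oG). Illustration written for this page, not part of the original
post; SAMPLE_OG is a constructed scan with made-up device names."""
from collections import Counter

SAMPLE_OG = """\
# constructed sample in nmap -oG format (not a real scan)
Host: 203.0.113.10 ()\tPorts: 23/open/tcp//telnet//ExampleCo DSL-1000 telnetd/, 80/open/tcp//http//ExampleCo DSL-1000 httpd/\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http//OtherVendor R200 httpd/\tIgnored State: filtered (999)
Host: 203.0.113.12 ()\tPorts: 23/filtered/tcp//telnet///, 80/filtered/tcp//http///\tIgnored State: closed (998)
Host: 203.0.113.13 ()\tPorts: 23/open/tcp//telnet//ExampleCo DSL-1000 telnetd/\tIgnored State: closed (999)
Host: 203.0.113.14 ()\tStatus: Down
"""

MGMT_PORTS = (23, 80)  # the two ports the post singles out


def parse_grepable(text):
    """Yield (host, {port: version}) for every host that has at least one open port."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments, down hosts, hosts with no port table
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = {}
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # -oG port entry layout: port/state/protocol/owner/service/rpc info/version/
            if len(fields) >= 7 and fields[1] == "open":
                open_ports[int(fields[0])] = fields[6]
        if open_ports:
            yield host, open_ports


def summarise(text):
    """Count hosts exposing each management port (and both), and group hosts by
    the device model reported in the version field, or 'unknown' if none."""
    exposed, by_model, hosts = Counter(), Counter(), 0
    for _host, ports in parse_grepable(text):
        hosts += 1
        for p in MGMT_PORTS:
            if p in ports:
                exposed[p] += 1
        if all(p in ports for p in MGMT_PORTS):
            exposed["both"] += 1
        versions = [v for v in ports.values() if v]
        # strip the daemon name ("telnetd"/"httpd") to keep the model only
        by_model[versions[0].rsplit(" ", 1)[0] if versions else "unknown"] += 1
    return {"hosts_with_open_ports": hosts, "exposed": dict(exposed), "by_model": dict(by_model)}
```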
Re: [Full-disclosure] Broadband routers and botnets - being proactive
On 5/11/07, Gadi Evron [EMAIL PROTECTED] wrote:

> In this post I'd like to discuss the threat widely circulated insecure broadband routers pose today. We have touched on it before.

even better when they sit on fiber. , fiber...

> Today, yet another public report of a vulnerable DSL modem type was posted to bugtraq, this time about a potential WIRELESS flaw with broadband routers being insecure

mmm, wireless and fiber!

> If you all remember, there was another report a few months ago about a UK ISP named BeThere with their wireless router being accessible from the Internet and exploitable

hey, those hidden ports (? lol) accepting login are for maintenance or technical support, aka a feature, not a bug! [the blatant, non-hidden telnet @ 23 is even better. roffle]

> Two issues here:
> 1. Illegitimate access to broadband routers via wireless communication.

like verizon fios/dsl, with their WEP key set to the MAC of the WAN port? that's a problem when the wireless BSSID of the AP is just a few iterations from the WAN MAC. oops. mmm, fiber...

> 2. Illegitimate access to broadband routers via the WAN.
> I'd like to discuss #2.

yay for busybox linux routers. cross compile and rootkit for botnet joy. remember to alter the factory reset tarball / image on the fs. (seriously, who thought up that procedure?)

> Although the general risk is well known, like with many other security issues many of us remained mostly quiet in the hope of avoiding massive exploitation. As usual, we only delayed the inevitable.

oh yeah, it's coming. legions of fiber zombies! unfortunately when you look at the ToS / fine print you'll discover that they don't support that broadband router, even though they gave it to you and set it up. it's YOUR responsibility, and when they get r00ted en masse, guess what? the telcos/ISPs are going to pass the buck. i predict massive customer revolt...

> I fear that the lack of awareness among some ISPs for this not yet widely exploited threat has resulted in us not being PROACTIVE and taking action to secure the Internet in this regard.

quick! root them first, and patch! (ah, curious blue. such a tantalizing and horrible idea.)

> What else is new, we are all busy with yesterday's fires to worry about tomorrow's. Good people will REACT and solve the problem when it pops up in wide-exploitation

the patch procedure for a compromised router is a truck roll. see above about passing the buck. this means lots of pissed customers heading to best buy to purchase new routers, since theirs is pwned, and the telco/ISP claims no responsibility. great news!

> but what we may potentially be facing is yet another vector for massive infections and the creation of eventual bot armies on yet another platform.

mmm, fiber! always on! hard-to-fix!

> My opinion is, that with all these public disclosures and a ripe pool of potential victims, us delaying massive exploitation of this threat may not last. I believe there is currently a window of opportunity for service providers to act and secure their user-base without rushing.

lol i love to dream too, Gadi. but it doesn't keep my stack and heap sanitary. they aren't going to listen until it becomes a debacle full of pissed off customers and saber rattling politicians...

> Nothing in security is ever perfect, but actions such as changing default passwords and preventing connections from the WAN to these devices would be a good step to consider if you haven't already.

how about an embedded network element best practices? because really, WEP keys broadcast by BSSID, factory defaults on open ports, etc, etc, are just idiotic mistakes. i'm all for individual responsibility, but that kind of shit is just ridiculous.

> My suggestion would be to take a look at your infrastructure and what your users use, and if you haven't already, add some security there.
> You probably have a remote login option for your tech support staff which you may want to explore - and secure.

speaking of which, some ISPs who will remain nameless use stunnel to authenticate incoming mgmt connections. since firmware is notoriously out of date, compared to patched systems, anyone using openssl 0.9.8b on their router might want to check for an update. (see also: PKCS#1 v1.5 fun)

> Then, I'd also suggest scanning your network for what types of broadband routers your users make use of, and how many of your clients have port 23 or 80 open.

and the hidden ports too, like , etc.

> I am aware of and have assisted several ISPs, who spent some time and effort exploring this threat and in some cases acting on it. If anyone can share their experience on dealing with securing their infrastructure in this regard publicly, it would be much appreciated.

i'd love to hear some tales of ISPs being responsible and promptly addressing such flaws. right now all i see are big behemoths waiting for their consumer cattle to get slaughtered, en