Re: [swinog] MELANI / GovCERT.ch

2020-02-19 Discussion threads Ralph Krämer
I would suggest using recent information to file such a mail.

For me it looks like they are relying on stale information collected a long time
ago.

Whoever is hosting this stale information ...

You could simply query the live DNS and the RIPE whois server ...

I agree with Andreas ... they do not show professionalism.

- On 18 Feb 2020 at 9:08, Silvan M. Gebhardt
gebha...@openfactory.ch wrote:

> So what I suspect happened is this
> 
> 
> On 2/18/20 1:51 AM, Andreas Fink wrote:
>> 2. The single IP address in the report is not in my network (I used to
>> have that IP range in the past but I sold it in 2016. So long, long ago.)
> 
> it might still be registered to you via shadowservers.org OR another org
> like this.
> 
>> 3. The abuse email they sent the report to is not in the whois of that
>> network.
> it might be because it shows it as belonging to you via shadowservers.org
> instead.
>> 4. The DNS name used in the report is not the reverse PTR of that IP.
>> Nor does the forward DNS point to that IP.
>> 5. The DNS name points to a host in my network but that host is
>> definitively not an IoT device which has any kind of default password.
>> It's a solid Linux machine with an up-to-date distribution with 2
>> usernames only on it with very secure passwords and only one specific
>> application running which doesn't talk to outside my network at all.
>> If that machine had been hacked, it would surprise me very
>> much. At least I have found nothing unusual on that IP. No unexpected
>> network activity, CPU load, processes etc.
> 
> 
> It looks to me like there is something going wrong with
> shadowservers.org and any other report like this. It seems they just
> forwarded it without fact-checking, which is kind of not their job either
> (would swamp them massively, I guess).
> 
> 
> So yeah, I guess you'd have to ask which source the report came from?
> 
> 
> 


___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] MELANI / GovCERT.ch

2020-02-18 Discussion threads Silvan M. Gebhardt
So what I suspect happened is this


On 2/18/20 1:51 AM, Andreas Fink wrote:
> 2. The single IP address in the report is not in my network (I used to
> have that IP range in the past but I sold it in 2016. So long, long ago.)

it might still be registered to you via shadowservers.org OR another org
like this.

> 3. The abuse email they sent the report to is not in the whois of that
> network.
it might be because it shows it as belonging to you via shadowservers.org
instead.
> 4. The DNS name used in the report is not the reverse PTR of that IP.
> Nor does the forward DNS point to that IP. 
> 5. The DNS name points to a host in my network but that host is
> definitively not an IoT device which has any kind of default password.
> It's a solid Linux machine with an up-to-date distribution with 2
> usernames only on it with very secure passwords and only one specific
> application running which doesn't talk to outside my network at all.
> If that machine had been hacked, it would surprise me very
> much. At least I have found nothing unusual on that IP. No unexpected
> network activity, CPU load, processes etc.


It looks to me like there is something going wrong with
shadowservers.org and any other report like this. It seems they just
forwarded it without fact-checking, which is kind of not their job either
(would swamp them massively, I guess).


So yeah, I guess you'd have to ask which source the report came from?





[swinog] MELANI / GovCERT.ch

2020-02-17 Discussion threads Andreas Fink
Hello Swinog Users,

Has any of you received some info from MELANI / GovCERT about some IoT
vulnerability you might be exposed to?

Well, I did, and I found very, very strange things in this report.

1. The report contains only a timestamp, an IP address and a DNS name. Not
which vulnerability, not potential loopholes, traces or ANYTHING useful to
analyze what's happening.

2. The single IP address in the report is not in my network (I used to have
that IP range in the past but I sold it in 2016. So long, long ago.)
3. The abuse email they sent the report to is not in the whois of that network.
4. The DNS name used in the report is not the reverse PTR of that IP. Nor does
the forward DNS point to that IP.
5. The DNS name points to a host in my network but that host is definitively
not an IoT device which has any kind of default password. It's a solid Linux
machine with an up-to-date distribution with 2 usernames only on it with very
secure passwords and only one specific application running which doesn't talk
to outside my network at all. If that machine had been hacked, it
would surprise me very much. At least I have found nothing unusual on that IP.
No unexpected network activity, CPU load, processes etc.

So MELANI tells me my big fat Linux server is now an IoT device which has
default passwords and I should simply do a factory reset (and by doing this
erase terabytes of data). I should look for "_SOMETHING_" without specifying it
on SOME IP I don't own. And they address such a report to me while I am not the
abuse contact of this SOME_IP. Furthermore, SOME_IP did not look reachable
anyway when I tested.

So the report contains ZERO usable information. The only thing which might not
be wrong in the report is the timestamp (but that's not verified either).

I am shocked that a government entity, which should take security seriously, is
sending out such utter nonsense reports and wasting all our precious time.
If they get such reports from third parties, they should contain verifiable
and USEFUL information. Apparently MELANI has become some kind of
open CERT-SMTP relay without authentication.


Let me know your experiences.


Andreas Fink
Fink Telecom Services
--.-  .-.   -


>> ENGLISH VERSION
>> 
>> Dear Sir or Madam
>> 
>> You are receiving this email because your email address is either registered
>> as abuse contact for AS6775 in our system or because your email address is
>> referenced as abuse contact for AS6775 at RIPE.
>> 
>> The Reporting and Analysis Centre for Information Assurance (MELANI) has
>> been informed by a partner about one or more devices (IoT - "Internet of
>> Things") in your network that are likely to be compromised by hackers and
>> that are being used for malicious purposes. Attached to this email, you can
>> find a list of all IP addresses that have been reported to us in the past 24
>> hours.
>> 
>> The affected devices have most probably been compromised by hackers, likely
>> due to the usage of a default password. Therefore, hackers were able to
>> install malware (Mirai) on the said devices.
>> 
>> We therefore recommend that you identify the affected devices or customers,
>> secure them and clean them up (e.g. by doing a factory reset). An overview
>> of recommendations concerning IoT devices can be found on our website:
>> 
>> Security in the internet of things (IoT):
>> https://www.melani.admin.ch/iotsecurity 
>> 

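The checks Andreas lists in points 2 to 4 of his post, and Ralph's suggestion to query the live DNS and the RIPE whois server instead of trusting stale data, as an added example that is not part of any post in this thread: a small Python script that takes the IP, the DNS name and the mailbox a report was sent to, compares forward and reverse DNS against each other, and asks whois.ripe.net with the `-b` (brief) flag for the abuse mailbox currently registered for that address. The `-b` query and the `% Abuse contact for '...' is '...'` comment line are RIPE Database conventions; the host names, addresses and mailboxes in the usage block are constructed placeholders (RFC 5737 documentation ranges), and the lookup functions are injectable so the logic can be exercised offline. This is my own code, not MELANI's, Shadowserver's or anyone else's tooling.

```python
"""Cross-check an abuse report of the shape (timestamp, IP, DNS name, recipient)
against live DNS and the RIPE whois database before acting on it.

Added example; not code from the swinog thread. Names and addresses in the
__main__ block are constructed placeholders from RFC 5737 ranges.
"""
from __future__ import annotations

import re
import socket
import sys
from typing import Callable, Optional

RIPE_WHOIS = "whois.ripe.net"  # assumption: the reported address is RIPE-region space


def norm(name: str) -> str:
    """Canonical DNS name: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def forward_lookup(name: str) -> set[str]:
    """Live forward DNS: every A/AAAA address the name currently resolves to."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def reverse_lookup(ip: str) -> Optional[str]:
    """Live reverse DNS: the PTR name for ip, or None if there is none."""
    try:
        return norm(socket.gethostbyaddr(ip)[0])
    except (socket.herror, socket.gaierror):
        return None


def ripe_whois(ip: str, server: str = RIPE_WHOIS) -> str:
    """Raw port-43 query. '-b' asks RIPE for the brief view: the covering
    inetnum/inet6num plus its abuse-mailbox, nothing else."""
    with socket.create_connection((server, 43), timeout=10) as s:
        s.sendall(f"-b {ip}\r\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


# Two shapes the RIPE server uses: an 'abuse-mailbox:' attribute in brief output,
# or a '% Abuse contact for ... is '...'' comment line in the full object view.
ABUSE_RE = re.compile(
    r"^abuse-mailbox:\s*(\S+)|^% Abuse contact for .* is '([^']+)'", re.M
)


def parse_abuse_contacts(text: str) -> set[str]:
    """All abuse mailboxes mentioned in a whois response, lowercased."""
    return {(m.group(1) or m.group(2)).lower() for m in ABUSE_RE.finditer(text)}


def check_report(
    ip: str,
    name: str,
    sent_to: str,
    fwd: Callable[[str], set[str]] = forward_lookup,
    rev: Callable[[str], Optional[str]] = reverse_lookup,
    whois: Callable[[str], str] = ripe_whois,
) -> list[str]:
    """Return a list of discrepancies; an empty list means the report is
    internally consistent with what DNS and RIPE say right now."""
    findings: list[str] = []

    addrs = fwd(name)
    if ip not in addrs:
        findings.append(f"forward DNS: {name} resolves to {sorted(addrs) or 'nothing'}, not {ip}")

    ptr = rev(ip)
    if ptr != norm(name):
        findings.append(f"reverse DNS: PTR for {ip} is {ptr or 'absent'}, not {norm(name)}")

    contacts = parse_abuse_contacts(whois(ip))
    if sent_to.lower() not in contacts:
        findings.append(f"abuse contact: RIPE lists {sorted(contacts) or 'none'}, report went to {sent_to}")

    return findings


if __name__ == "__main__":
    # Usage: python check_report.py <ip> <dns-name> <mailbox-the-report-was-sent-to>
    # Constructed defaults so the script runs without arguments (needs network).
    ip, name, sent_to = (sys.argv[1:4] + ["198.51.100.7", "host.example.net", "abuse@isp.example"])[:3]
    for line in check_report(ip, name, sent_to) or ["report is consistent with live DNS and RIPE whois"]:
        print(line)
```

Run it with the three values from a report; every line it prints is one thing the reporter got wrong (or one thing that has changed since their data was collected), which is exactly the list you would want to send back to the source instead of factory-resetting a server. Addresses outside the RIPE region need a different whois server and the comment-line format of that registry.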