[Intelmq-dev] [IHAP] How do you notify ISPs/network owners about accessible (open) devices?

Jop van der Lelie (NCSC-NL) Jop.vanderLelie at ncsc.nl
Mon Mar 13 13:19:26 CET 2017


Hi Aaron,

We're processing a couple of Shadowserver feeds daily (drone report, sinkhole, etc.); others we do only on an incidental basis. Last week I sent out notifications for the VNC feed with the following context: it might be an open VNC server and you should fix that; if it's not, we as NCSC have published some guidelines on how to secure your networks, and you should prevent having a management interface (open VNC) open on the internet. So please use VNC over a VPN or a different countermeasure.

Also we have specific mail templates that we send out with each feed in which you can give specific context per feed.

Hope this helps!

Cheers,
Jop

Jop van der Lelie
Security Specialist
.................................................................
National Cyber Security Centre
P.O. Box 117 | 2501 CC | The Hague | www.ncsc.nl
.................................................................
T +31 70 751 55 36 E jop.vanderlelie at ncsc.nl   
PGP BAD3 8576 5B73 82A4 5E31  572B 9430 93ED 294E 7F0A
.................................................................


-----Original Message-----
From: L. Aaron Kaplan [mailto:kaplan at cert.at] 
Sent: Monday 13 March 2017 13:03
To: intelmq-dev at lists.cert.at; ihap at lists.trusted-introducer.org
Subject: [IHAP] How do you notify ISPs/network owners about accessible (open) devices?

Hi everyone,

I have a question. We are processing nearly all the Shadowserver feeds now (VNC is still missing) and we stumbled across a problem that we cannot 100% solve currently: how do you deal with 'accessible and only potentially vulnerable' devices?

Let me elaborate. Usually we send out notifications on vulnerable devices (ENISA taxonomy: "Vulnerable". Examples: open recursive DNS, open NTP, anything misusable for UDP amplification attacks, etc.).

However, at some point, accessible and (only potentially vulnerable) devices came into the game, i.e. a device running telnet (or something on the telnet port), or VNC.
The VNC server might be protected by a password.

So, how to deal with that? An ISP might rightfully say that this telnet port is there intentionally and we should not complain?


So, we now have two types that we are talking about:
  1. Vulnerable and openly accessible ports
  2. Potentially vulnerable (but not proven) and accessible ports


Candidates for the second type would be:
  * VNC
  * telnet
  * RDP
  * (maybe) Redis
  * (maybe) ES
  * (maybe) memcached
  * (maybe) Mongo

What's your stance on this?
How do you deal with it?

Note that we are sending out *a lot* as a national CERT and we would not like an ISP to be swamped by our mails if it does not have to be the case.

Best,
a.

--
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Commercial register number 172568b, LG Salzburg
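The two-tier split Aaron describes and the per-feed context Jop mentions can be expressed as a small notification builder. The following is an added example for this thread, not code from IntelMQ or from either author: it sorts constructed feed events into "vulnerable" (proven abusable) and "accessible" (exposed but possibly password-protected), attaches tier-level wording plus an optional per-feed note, and aggregates everything into one mail body per abuse contact so an ISP gets a single message per run rather than one per event. The feed names, the `abuse_contact` field and the sample addresses are assumptions made for the example.

```python
"""Constructed example (added to this thread, not IntelMQ or either author's code):
classify feed events into the two notification tiers discussed above and build
one aggregated notification per abuse contact."""
from collections import defaultdict
from dataclasses import dataclass

# Feed names are constructed placeholders modelled on the services named in the
# thread; real Shadowserver report names differ and must be looked up.
VULNERABLE_FEEDS = {"open-resolver", "open-ntp"}          # tier 1: proven abusable
ACCESSIBLE_FEEDS = {                                      # tier 2: accessible only
    "accessible-vnc", "accessible-telnet", "accessible-rdp",
    "accessible-redis", "accessible-elasticsearch",
    "accessible-memcached", "accessible-mongodb",
}

# One wording per tier; FEED_TEXT adds service-specific context per feed,
# in the spirit of the VNC-over-VPN advice in the reply above.
TIER_TEXT = {
    "vulnerable": "The following hosts run a service that is abusable as-is "
                  "(e.g. for UDP amplification) and should be fixed.",
    "accessible": "The following hosts expose a management or data service to "
                  "the internet. It may be password-protected; if so, no action "
                  "is required, but we recommend reaching it only over a VPN or "
                  "restricting it by source address.",
}
FEED_TEXT = {
    "accessible-vnc": "Please use VNC over a VPN or another countermeasure.",
}


@dataclass(frozen=True)
class Event:
    feed: str
    ip: str
    port: int
    abuse_contact: str  # hypothetical field; in practice resolved from ASN/IP


def classify(feed: str) -> str:
    """Map a feed name to its notification tier; unknown feeds are an error."""
    if feed in VULNERABLE_FEEDS:
        return "vulnerable"
    if feed in ACCESSIBLE_FEEDS:
        return "accessible"
    raise ValueError(f"unknown feed: {feed}")


def aggregate(events):
    """Group by abuse contact, then tier, then feed; de-duplicate ip:port.
    Returns {contact: {tier: {feed: sorted [(ip, port), ...]}}}."""
    grouped = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for ev in events:
        grouped[ev.abuse_contact][classify(ev.feed)][ev.feed].add((ev.ip, ev.port))
    return {c: {t: {f: sorted(hosts) for f, hosts in feeds.items()}
                for t, feeds in tiers.items()}
            for c, tiers in grouped.items()}


def render(contact, tiers):
    """One mail body per contact; tier-1 findings are listed first."""
    lines = [f"To: {contact}", ""]
    for tier in ("vulnerable", "accessible"):
        feeds = tiers.get(tier)
        if not feeds:
            continue
        lines += [f"== {tier.upper()} ==", TIER_TEXT[tier], ""]
        for feed in sorted(feeds):
            lines.append(f"[{feed}]")
            if feed in FEED_TEXT:
                lines.append(FEED_TEXT[feed])
            lines += [f"  {ip}:{port}" for ip, port in feeds[feed]]
            lines.append("")
    return "\n".join(lines)


def build_notifications(events):
    """Return {contact: mail_body}: exactly one mail per contact per run."""
    return {c: render(c, tiers) for c, tiers in aggregate(events).items()}


# Constructed sample events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    Event("open-ntp", "192.0.2.10", 123, "abuse@isp-a.example"),
    Event("accessible-vnc", "192.0.2.11", 5900, "abuse@isp-a.example"),
    Event("accessible-vnc", "192.0.2.11", 5900, "abuse@isp-a.example"),  # duplicate
    Event("accessible-telnet", "198.51.100.5", 23, "abuse@isp-b.example"),
]

if __name__ == "__main__":
    for body in build_notifications(SAMPLE_EVENTS).values():
        print(body)
        print("-" * 40)
```

Keeping the tier decision in one function means a feed such as VNC can be moved between tiers in a single place when a CERT changes its policy, and the per-contact aggregation is what keeps mail volume proportional to the number of network owners rather than the number of events.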