Hello Swinog Users,
Has any of you received some info from MELANI / GovCERT about some IoT vulnerability
you might be exposed to?
Well, I did, and I found very, very strange things in this report.
1. The report contains only a timestamp, an IP address and a DNS name. Not which
vulnerability, not potential loopholes, traces or ANYTHING useful to analyze what's
happening.
2. The single IP address in the report is not in my network (I used to have that IP range
in the past, but I sold it in 2016. So long, long ago.)
3. The abuse email they sent the report to is not in the whois of that network.
4. The DNS name used in the report is not the reverse PTR of that IP. Nor does the forward
DNS point to that IP.
5. The DNS name points to a host in my network, but that host is definitively not an IoT
device which has any kind of default password. It's a solid Linux machine with an up-to-date
distribution, with 2 usernames only on it with very secure passwords, and only one specific
application running which doesn't talk to outside my network at all. If that machine
had been hacked, it would surprise me very much. At least I have found nothing
unusual on that IP. No unexpected network activity, CPU load, processes etc.
So MELANI tells me my big fat Linux server is now an IoT device which has default passwords
and I should simply do a factory default (and by doing this erase terabytes of data). I
should look for "_SOMETHING_" without specifying it on SOME IP I don't own.
And they address such a report to me while I am not the abuse contact of this SOME_IP.
Furthermore, SOME_IP did not look reachable anyway when I tested.
So the report contains ZERO usable information. The only thing which might not be wrong
in the report is the timestamp (but that's not verified either).
I am shocked that a government entity, which should take security seriously, is sending out
such utter nonsense reports and wasting all our precious time.
If they get such reports from 3rd parties, they should contain verifiable information and
USEFUL information. Apparently MELANI has become some kind of open CERT-SMTP relay without
authentication.
Let me know your experiences.
Andrea Fink
Fink Telecom Services
--.- .-. -
> ENGLISH VERSION
>
> Dear Sir or Madam
>
> You are receiving this email because your email address is either registered as abuse
> contact for AS6775 in our system or because your email address is referenced as abuse
> contact for AS6775 at RIPE.
>
> The Reporting and Analysis Centre for Information Assurance (MELANI) has been
> informed by a partner about one or more devices (IoT - "Internet of Things") in
> your network that are likely to be compromised by hackers and that are being used for
> malicious purposes. Attached to this email, you can find a list of all IP addresses that
> have been reported to us in the past 24 hours.
>
> The affected devices have most probably been compromised by hackers, likely due to
> the usage of a default password. Therefore, hackers were able to install a malware
> (Mirai) on the said devices.
>
> We therefore recommend that you identify the affected devices or customers, secure
> them and clean them up (e.g. by doing a factory reset). An overview of recommendations
> concerning IoT devices can be found on our website:
>
> Security in the internet of things (IoT):
>
> https://www.melani.admin.ch/iotsecurity
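The checks the poster walks through in points 2 to 5 (is the reported IP in a prefix we still operate, is the whois abuse contact for it ours, does the PTR of the IP match the reported name, does the name resolve back to the reported IP) are exactly the triage an operator should run on a "timestamp, IP, DNS name" entry before touching any machine. The script below is an added example written for this thread, not code from MELANI or from the poster; the prefixes, abuse mailboxes, forward/reverse DNS records and the timestamp are constructed test data (RFC 5737 ranges) standing in for real resolver and whois lookups, and the `Triage`, `ReportEntry` and `triage_entry` names are this example's own.

```python
"""Triage one abuse-report entry (timestamp, IP, DNS name) before acting on it.

Added example for the SwiNOG thread, not MELANI's or the poster's code.
All lookups are backed by constructed dictionaries so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ReportEntry:
    timestamp: str   # taken as received; the thread notes it cannot be verified either
    ip: str
    hostname: str


@dataclass
class Triage:
    entry: ReportEntry
    findings: List[str] = field(default_factory=list)

    @property
    def actionable(self) -> bool:
        # Only act when IP, DNS name and abuse contact all agree with what we operate.
        return not self.findings


def owning_prefix(ip: str, prefixes: List[str]) -> Optional[str]:
    """Return the first prefix in `prefixes` that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix in prefixes:
        if addr in ipaddress.ip_network(prefix):
            return prefix
    return None


def triage_entry(entry: ReportEntry, owned_prefixes: List[str], our_abuse: Set[str],
                 forward_dns: Dict[str, List[str]], reverse_dns: Dict[str, str],
                 whois_abuse: Dict[str, str]) -> Triage:
    """Cross-check the entry against our prefixes, whois abuse contacts and DNS."""
    t = Triage(entry)
    addr = ipaddress.ip_address(entry.ip)

    # 1. Is the reported IP inside a prefix we currently operate?
    if owning_prefix(entry.ip, owned_prefixes) is None:
        t.findings.append(f"{entry.ip} is not in any prefix we operate")

    # 2. Is the whois abuse contact for that IP one of our mailboxes?
    registered = next((mbox for pfx, mbox in whois_abuse.items()
                       if addr in ipaddress.ip_network(pfx)), None)
    if registered not in our_abuse:
        t.findings.append(f"whois abuse contact for {entry.ip} is {registered!r}, not ours")

    # 3. Does the PTR of the reported IP name the reported host?
    ptr = reverse_dns.get(entry.ip)
    if ptr != entry.hostname:
        t.findings.append(f"PTR of {entry.ip} is {ptr!r}, not {entry.hostname!r}")

    # 4. Does the reported name resolve back to the reported IP (forward-confirmed)?
    a_records = forward_dns.get(entry.hostname, [])
    if entry.ip not in a_records:
        t.findings.append(f"{entry.hostname} resolves to {a_records}, not {entry.ip}")
        # The confusing case from the thread: the name points at a host of ours
        # while the IP in the same entry belongs to someone else entirely.
        ours = [a for a in a_records if owning_prefix(a, owned_prefixes)]
        if ours:
            t.findings.append(f"{entry.hostname} points at our host(s) {ours}; "
                              f"report IP and name disagree")
    return t


# Constructed test data (RFC 5737 documentation ranges, placeholder mailboxes).
OWNED_PREFIXES = ["198.51.100.0/24"]                       # what we operate today
OUR_ABUSE = {"abuse@isp.example"}
WHOIS_ABUSE = {"198.51.100.0/24": "abuse@isp.example",
               "192.0.2.0/24": "abuse@other-isp.example"}  # range sold years ago
FORWARD = {"host.example.net": ["198.51.100.7"]}
REVERSE = {"198.51.100.7": "host.example.net",
           "192.0.2.10": "cpe-10.other-isp.example"}

# Entry shaped like the one in the thread: IP we no longer own, name that is ours.
ENTRY_MISMATCH = ReportEntry("2019-01-01T00:00:00Z", "192.0.2.10", "host.example.net")
# A consistent entry for comparison.
ENTRY_CONSISTENT = ReportEntry("2019-01-01T00:00:00Z", "198.51.100.7", "host.example.net")

if __name__ == "__main__":
    for entry in (ENTRY_MISMATCH, ENTRY_CONSISTENT):
        result = triage_entry(entry, OWNED_PREFIXES, OUR_ABUSE, FORWARD, REVERSE, WHOIS_ABUSE)
        print(f"{entry.ip} {entry.hostname}: actionable={result.actionable}")
        for finding in result.findings:
            print("  -", finding)
```

An entry that fails any of the four checks is parked for a reply to the sender asking for the missing evidence rather than treated as an incident; swapping the constructed dictionaries for real `socket.gethostbyaddr`/`getaddrinfo` calls and an RDAP lookup is all that is needed to run it on real reports.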