Port 5060 sources on the Rise?

Thursday, 8. July 2010

Take a moment and check out: ISC SANS PORT 5060

It appears that the number of sources per day was on the rise again. I recently ran into a situation where it appears that someone was using the wunderbar_emporium rootkit to own a system. Then the system started attempting outbound traffic on port 5060.
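Since the tell in that incident was a host that suddenly began originating port 5060 (SIP) traffic, here is a small baseline comparison a practitioner could run over connection records. It is an added example, not code from the original post or from the ISC data: the record layout, the IP addresses, the window boundaries and the per-host destination threshold are all assumptions made for the illustration, and the sample records are constructed.

```python
"""Flag internal hosts that begin originating port 5060 (SIP) traffic
which had no such traffic during a baseline window.

The record format is an assumption for this example:
(timestamp, src_ip, dst_ip, dst_port, direction), where direction "out"
means src_ip is an internal host connecting outward. Timestamps are ISO-8601
strings, so plain string comparison orders them correctly.
"""
from collections import defaultdict

SIP_PORT = 5060

# Constructed sample records (not real traffic). 10.0.0.9 plays the role of a
# known PBX that legitimately talks SIP; 10.0.0.5 is a web server that should
# never originate SIP and starts fanning out to several 5060 peers at 2 a.m.
SAMPLE_CONNS = [
    ("2010-07-01T10:00:00", "10.0.0.5", "203.0.113.10", 443, "out"),
    ("2010-07-01T10:05:00", "10.0.0.9", "203.0.113.20", SIP_PORT, "out"),
    ("2010-07-07T02:13:00", "10.0.0.5", "198.51.100.7", SIP_PORT, "out"),
    ("2010-07-07T02:13:05", "10.0.0.5", "198.51.100.8", SIP_PORT, "out"),
    ("2010-07-07T02:14:00", "10.0.0.5", "198.51.100.9", SIP_PORT, "out"),
    ("2010-07-07T03:00:00", "10.0.0.9", "203.0.113.20", SIP_PORT, "out"),
]


def sip_sources(conns, start, end):
    """Return {src_ip: set(dst_ip)} for outbound port-5060 flows with
    start <= timestamp < end."""
    srcs = defaultdict(set)
    for ts, src, dst, dport, direction in conns:
        if direction == "out" and dport == SIP_PORT and start <= ts < end:
            srcs[src].add(dst)
    return srcs


def new_sip_sources(conns, baseline_start, baseline_end, window_end, min_dsts=1):
    """Hosts that originate SIP in (baseline_end, window_end) but never did
    during the baseline. min_dsts requires that many distinct destinations,
    which filters a one-off misfire from scanning-style fan-out."""
    baseline = sip_sources(conns, baseline_start, baseline_end)
    recent = sip_sources(conns, baseline_end, window_end)
    return {
        src: sorted(dsts)
        for src, dsts in recent.items()
        if src not in baseline and len(dsts) >= min_dsts
    }


if __name__ == "__main__":
    alerts = new_sip_sources(SAMPLE_CONNS, "2010-07-01", "2010-07-02",
                             "2010-07-08", min_dsts=2)
    for host, dsts in alerts.items():
        print(f"NEW SIP SOURCE {host}: {len(dsts)} destinations -> {dsts}")
```

The same comparison works over whatever your flow or firewall logs export, as long as you can extract source, destination port and direction; the baseline window should be long enough to cover every host that legitimately speaks SIP, or the PBX will page you every morning.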

So, apparently wunderbar_emporium was mitigated by a kernel update: http://serverfault.com/questions/72986/how-to-prevent-wunderbar-emporium-rootkit , but of course a lot of enterprise systems do not do frequent kernel updates. It's not practical, cost effective, or even possible in most HA environments. You have to fight to get an hour-long change window at times.

It appears that the code takes advantage of CVE-2009-2692 (the sock_sendpage() NULL pointer dereference in the Linux kernel).

Now the fun begins: I get to peer into the source code of wunderbar and see if I can figure out what makes it tick. Probably not, but hey, maybe I'll get lucky.

YouTube video of the exploit

Can I getta Vroom Vroom?

Tuesday, 9. March 2010

Dark Reading: Ford Firewall

I remember a day when it used to be Firebirds on the road, not firewalls. I do wonder, and hope dearly, that there is an air-gap separation between the in-car Wi-Fi systems and the actual vehicle systems. One can just envision driving down the road when suddenly your car speeds up, slows down, and a voice comes over the in-car phone: "Credit card number or the car won't stop!"

OK, OK, a wee bit of a movie-plot threat, but there are so many vectors and threats this could open up. Anyone have a new Ford I can play with?

Why hack something when you can just use Time Warner?

Tuesday, 3. November 2009

Nothing we can do about it….

Nothing we can do about this vulnerability… sorry to all you who get hacked!
Love,

Time Warner!

— If you find anywhere on their site where they disclose the issue to clients, or have heard about notifications being sent, please let me know.