Hello, welcome to the Tuesday, December 20th, 2016 edition of the Sands and it's Storm Center's Stormcast.

My name is Johannes Ulrich and the day I'm recording from Jacksonville, Florida.

For about a week now we have seen an increase in scans for port 6,789.

Now the suspicion here was always, it's something Marai related, just based on the

frequency of the scans and the kind of hosts that are doing the scanning. Well, look today my honeypot,

and on this port we are seeing inbound traffic that appears to enable the Telnet server on port 19,058. At this point, I haven't

really seen any incoming connections on port 19,058 yet, but it's possible that this first wave

just sets up the back door and it will have a second wave later trying to connect to that backdoor.

An open SSH released version 7.4 of the client and server and it is following current standard practice in removing support for old protocol versions. The server will no longer

support version one of the SSH protocol and in August 2017, SISH version one support will also be

removed from the client. Now SZH version 1 has been shown to be insecure for

many years now. Not exactly sure when this came out, but at least 10 years, I would think. It's about

time to disable it. Of course, it's always unfortunate if you do still have some old devices

around that do not support SH version 2, and in some cases you

may then actually have to use TELNET instead to still access those devices.

I don't think it will be a big problem for S-H-Version 1, but it also removes small RSA keys.

The smallest accepted size is now 1,024 bits and it will make some

hardening techniques like Pro-H separation mandatory so it will no longer run without it.

This version also features a number of security fixes, so as you apply this patch, double check your configurations

and make sure that you are already

running in the recommended

configuration with

...