Hello, welcome to the Wednesday, January 18th, 2017 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Brussels, Belgium.

Mark Bagot wrote up a new script that he released that allows you to relatively efficiently look up who is information for domains.

The main feature here is that it will whitelist domains

that are, for example, part of the top Alexa domains

and only pull who is information if the domain is not listed.

It then particularly checks the created date in order to figure out if the

domain was recently created and if it was created within the last 90 days, the script will consider

the domain as new and with that somewhat suspicious. So the idea here is to have a relatively small number

of domains that will actually have to be looked up via Whois because Who Is is slow. Also can get

you placlisted if you're looking up too many domains and at the same time you will get a list

of new domains which of course are often involved in malicious activity.

And then you have a vulnerability disclosure for remote code execution vulnerabilities

in Sychcel and billion routers.

Now, these routers are not vulnerable by default, but Thai ISP true online does install custom

firmer on these devices which does introduce several remote code execution flaws, some

of which do not require authentication.

There are a few million customers of this particular ISP affected.

Not clear if other ISPs may use similar firmware, but this particular problem appears

to be limited to modems that are distributed by this particular ISP.

But then we also have some good news to report. The German penetration

...