Think Information. Think Security.
 A scan of the Internet over 20 days has yielded terabytes of data and also some alarming weaknesses including misconfigured routers, vulnerability riddled databases and more than 1,000 exposed passwords.

It's a project that HD Moore calls his hobby. The Internet-wide survey looked for open TCP ports, SNMP system descriptions, MDNS responders, UPNP endpoints and NetBIOS name queries. At the DerbyCon security conference, Moore told a packed room of hundreds of attendees that the project has resulted in a treasure-trove of data that is continually being analyzed. Computing power has increased and costs have come down to enable mapping projects and data correlation, Moore said.

Moore, the creator of the popular pen testing platform Metasploit and currently chief security officer at Boston-based vulnerability management vendor Rapid7, has been railing against misconfigured systems and remote access weaknesses.  Internet-enabled devices such as routers and video conferencing systems are often deployed at home or in enterprises with default passwords and configurations that can often be a weak point for attackers. He described some of the results of the project in a blog post in June which highlighted a number of those video conferencing weaknesses. At the conference, he told attendees that any one of them can conduct similar analysis and spot weaknesses and configuration issues. For example, his analysis found more than 43 million devices exposing Simple Network Management Protocol (SNMP) to the Internet. SNMP is used to remotely configure devices. If exposed it can be used by an attacker to gain access to network traffic and detect other vulnerabilities on a system.

The scan also enabled Moore to conduct analysis of the number of MySQL database management systems still vulnerable to a dangerous authentication bypass vulnerability, which allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password. The flaw, which was patched by Oracle, offers instant data loss to attackers if the issue is not addressed. The number of systems still vulnerable to the attack is down from more than 3 million systems that were initially impacted, but Moore said a check in August found more than 90,000 exposed.

Cisco routers were among the most exposed since most people ignore their routers until they break. With more than 40 security advisories a year coming from the networking giant, it is difficult to keep up, he said. The analysis determined that the average router has over 60 flaws. The scan also yielded SSH exposure on F5 BIG-IP system hardware and software. More than 13,500 BigIP appliances were identified as being configured with SSH open, Moore said. More than 1,000 exposed passwords to database drivers, email clients, point-of-sale systems and retail B2B and eCommerce systems were also uncovered by the scan. HTTP cookie analysis identified specific cookie sessions and further analysis could yield random Web application zero-day flaws, Moore said.

The project has landed Moore on the top attacker's list at the SANS Internet Storm Center'sDShield monitoring site. He's had to handle more than 1,700 abuse complaints and 1 out of every 5 ISPs have formally blocked the project from scanning their servers. "Scanning the Internet annoys people," Moore said. "You can scan the entire Internet with one probe in about 7 hours."

Cross-posted from: Search Security

Leave a Reply.