12/1/2013 11:20 AM

5 Protocols That Should Be Closely Watched

Attackers frequently scan for open SSH, FTP, and RDP ports, but companies need to watch out for attacks against less common protocols as well

For decades, opportunistic attackers have scanned the Internet for open ports through which they can compromise vulnerable applications.

Such scanning has only gotten easier: The Shodan search engine regularly scans the Internet and stores the results for anyone to search; researchers from the University of Michigan have refined techniques that allow fast, comprehensive scans of a single port across the entire Internet; and programs such as Nmap let anyone scan for open, and potentially vulnerable, ports.

While the most commonly attacked ports are those used by Secure Shell (SSH), the File Transfer Protocol (FTP), the Remote Desktop Protocol (RDP), and Web servers (HTTP), companies need to monitor network activity aimed at less common protocols and ports, security experts say. Attackers will likely look increasingly for vulnerabilities on less common ports, says HD Moore, chief research officer for vulnerability-management firm Rapid7, which has made a name for itself scanning the Internet for just those ports.

"This stuff is not in the top bucket, in terms of priority, but it tends to bite people because they are not keeping an eye on it," he says.

Companies should not just monitor for malicious activity using these protocols, but proactively take an inventory of the applications inside their own networks and connected to the Internet that expose firms to potential opportunistic attacks, says Johannes Ullrich, dean of research for the SANS Technology Institute. The SANS Institute's DShield project collects data from contributors to analyze the ports in which attackers are most interested.

"Companies need not just detect the attacks coming in, but to inventory all the devices that they have in their network looking at traffic on these ports," he says. "It sort of comes down to inventory control on the network."

For companies looking for a place to start, Ullrich and Moore suggest five protocols where companies can check for weaknesses.

Intelligent Platform Management Interface (IPMI)
Over the past year, security researcher Dan Farmer has investigated weaknesses in the Intelligent Platform Management Interface (IPMI) protocol. Many companies use servers that can be monitored and managed through a baseboard management controller, an embedded device that communicates using IPMI. Farmer found that the IPMI standard and various implementations have a number of security flaws.


Rapid7 investigated Supermicro's specific implementation, finding that the company's baseboard management controller firmware shipped with default passwords and was vulnerable to a number of Universal Plug and Play (UPnP) issues.

"IPMI is used a lot by businesses, and they don't really understand what all the risks are," Moore says. "It is really difficult to have an IPMI installation that is not vulnerable."

Moore and other security experts recommend putting devices that speak IPMI behind a VPN, a firewall, or other access controls on a dedicated management network, and always assuming that the devices themselves are sitting on a hostile network.
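Putting that inventory advice into practice starts with finding the BMCs. The block below is an added example, not code from the article, Rapid7 or Dan Farmer's tools: it sends the RMCP/ASF Presence Ping to UDP 623 and decodes the Pong a BMC returns. The Pong in the block is constructed rather than captured, and the tag value is arbitrary.

```python
"""Added example, not code from the article, Rapid7 or Dan Farmer: an RMCP/ASF
Presence Ping for UDP 623, the discovery exchange that tells you (and any
attacker) that a BMC speaking IPMI is listening. Use it to inventory your own
address space. The sample Pong below is constructed, not captured."""
import socket
import struct
from typing import Dict, Optional

RMCP_PORT = 623
ASF_IANA = 4542            # IANA enterprise number used by ASF (0x000011BE)
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40


def build_presence_ping(tag: int = 0) -> bytes:
    """RMCP header (version 6, reserved, seq 0xFF = no ACK wanted, class 6 = ASF)
    followed by an ASF Presence Ping with an empty data field."""
    rmcp = struct.pack("!BBBB", 0x06, 0x00, 0xFF, 0x06)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(pkt: bytes) -> Optional[Dict[str, object]]:
    """Decode the Pong a BMC answers with; None if the bytes are not an ASF Pong."""
    if len(pkt) < 28:
        return None
    version, _reserved, _seq, cls = struct.unpack("!BBBB", pkt[:4])
    if version != 0x06 or (cls & 0x1F) != 0x06:      # bit 7 of cls is the ACK flag
        return None
    iana, msg_type, tag, _reserved, data_len = struct.unpack("!IBBBB", pkt[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or data_len < 16:
        return None
    oem_iana, _oem_defined, entities, interactions = struct.unpack("!IIBB", pkt[12:22])
    return {
        "tag": tag,
        "oem_iana": oem_iana,
        "ipmi_supported": bool(entities & 0x80),       # supported entities, bit 7
        "asf_version": entities & 0x0F,                # low nibble: ASF version
        "rmcp_security_extensions": bool(interactions & 0x80),
    }


# Constructed Pong from a hypothetical BMC: IPMI supported, ASF 1.0, no RMCP+ flag.
SAMPLE_PONG = (
    bytes([0x06, 0x00, 0xFF, 0x06])
    + struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PONG, 0x00, 0x00, 0x10)
    + struct.pack("!IIBB", ASF_IANA, 0x00000000, 0x81, 0x00)
    + b"\x00" * 6
)


def probe_bmc(host: str, timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """Send one Presence Ping to host:623/udp; None if nothing answers in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(tag=0x2A), (host, RMCP_PORT))
        try:
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_presence_pong(data)
```

A host that answers with ipmi_supported set is a BMC reachable from wherever you ran the probe; if that was anywhere outside the management VPN, it is exactly the exposure Moore describes. Silence is not proof of absence, since the ASF ping may be disabled on a BMC that still speaks IPMI, so treat this as a first pass and follow up with the vendor's own tooling.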

Embedded Web Servers
A variety of devices are vulnerable not because of the protocols native to their function, but because of the lightweight Web servers embedded in them to provide a management interface. From printers and baseboard management controllers to routers and PBXes, companies host a wide array of devices whose Web management interfaces are likely to be vulnerable.

"These undocumented, undisclosed, and unmonitored Web interfaces are a bigger deal than most people realize," Moore says. "They are really common, but they are not something that people normally keep track of."

Ullrich agrees, saying that DShield data shows that companies are seeing opportunistic scans for the devices.

"All the miscellaneous devices -- routers, switches -- sometimes have a management interface on an uncommon port, but you see a decent amount of scanning activity for these," he says.
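The inventory both researchers call for begins with finding these interfaces on your own hosts. The following added example, not code from the article or either researcher, probes a list of ports over HTTP and then HTTPS and keeps the headers that identify the listener. The port list is an assumption, and the "device" the block can be tested against is a constructed stand-in, not any real product.

```python
"""Added example, not code from the article or Rapid7: walk a host's likely
management ports, speak HTTP (then HTTPS) to each, and record what the listener
says about itself. The port list is an assumption; the 'device' below is a
constructed stand-in used for testing, not a real product."""
import http.client
import http.server
import ssl
import threading
from typing import Callable, Dict, List, Optional

# Assumed ports where embedded management UIs commonly turn up (not from the article).
MANAGEMENT_PORTS: List[int] = [80, 443, 8000, 8080, 8443, 8888, 9100, 10000]


def _head(make_conn: Callable[[], http.client.HTTPConnection]) -> Optional[Dict[str, str]]:
    """One HEAD / request; returns the identifying headers or None if not HTTP."""
    conn = make_conn()
    try:
        conn.request("HEAD", "/", headers={"User-Agent": "inventory-check"})
        resp = conn.getresponse()
        return {
            "status": str(resp.status),
            "server": resp.getheader("Server", ""),
            "auth": resp.getheader("WWW-Authenticate", ""),   # realm often names the device
            "location": resp.getheader("Location", ""),       # redirect to a login page
        }
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def fingerprint_http(host: str, port: int, timeout: float = 2.0) -> Optional[Dict[str, str]]:
    """Plain HTTP first; a TLS port garbles the status line, so retry over HTTPS
    without certificate checks (device UIs are almost always self-signed, and we
    are identifying the listener, not trusting it)."""
    info = _head(lambda: http.client.HTTPConnection(host, port, timeout=timeout))
    if info is not None:
        info["scheme"] = "http"
        return info
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    info = _head(lambda: http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx))
    if info is not None:
        info["scheme"] = "https"
    return info


def inventory(host: str, ports: List[int] = MANAGEMENT_PORTS, timeout: float = 2.0) -> Dict[int, Dict[str, str]]:
    """Map of port -> fingerprint for every port on host that answered HTTP(S)."""
    found: Dict[int, Dict[str, str]] = {}
    for port in ports:
        info = fingerprint_http(host, port, timeout)
        if info is not None:
            found[port] = info
    return found


class _FakeDeviceHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a printer's management UI that demands Basic auth."""
    def version_string(self) -> str:
        return "Embedded-HTTPd/1.0"          # constructed banner, not a real product

    def do_HEAD(self) -> None:
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Printer Admin"')
        self.end_headers()

    def log_message(self, *args) -> None:   # keep the example quiet
        pass


def start_fake_device():
    """Bind the stand-in on 127.0.0.1 and an ephemeral port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeDeviceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def stop_fake_device(srv: http.server.HTTPServer) -> None:
    srv.shutdown()
    srv.server_close()
```

Run inventory() against each host on your management subnets from a network segment that should not be able to see them; anything that answers is an unmonitored interface in Moore's sense. The WWW-Authenticate realm and the Server header usually name the device class, which is what you need to decide who owns it and whether it should be reachable at all.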

Videoconferencing
Last year, Moore scanned the Internet for signs of videoconferencing systems connected directly to the Internet and set to auto answer, estimating that some 150,000 devices were vulnerable to an attacker directly calling into the conferencing system.

"Most folks did not do any sort of security on the videoconferencing side, and many of them had really horrible security on the Web management interface," Moore says.

Companies should scan their public Internet space on TCP port 1720, the H.323 call-signaling port (H.225.0), sending a Q.931 "status enquiry" message: an endpoint that is listening answers with a status message, but no call is placed, so the check is nonintrusive, according to Rapid7.
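The check Rapid7 describes can be reproduced in a few dozen lines. The block below is an added example, not Rapid7's scanner or code from the article: it frames a Q.931 STATUS ENQUIRY in TPKT, sends it to TCP 1720, and decodes the STATUS that comes back. The sample reply is constructed, and the call reference value is arbitrary.

```python
"""Added example, not Rapid7's scanner or the article's code: a TPKT-framed Q.931
STATUS ENQUIRY for TCP 1720 (H.225.0 call signalling) and a decoder for the
STATUS an H.323 endpoint answers with. STATUS ENQUIRY never sets up a call,
which is what makes this the non-intrusive check. The sample reply is constructed."""
import socket
import struct
from typing import Dict, Optional

H225_PORT = 1720
Q931_PD = 0x08                  # Q.931 protocol discriminator
MSG_STATUS_ENQUIRY = 0x75
MSG_STATUS = 0x7D
IE_CAUSE = 0x08
IE_CALL_STATE = 0x14
CAUSE_RESPONSE_TO_STATUS_ENQUIRY = 30


def tpkt(payload: bytes) -> bytes:
    """RFC 1006 TPKT header: version 3, reserved, 16-bit length incl. the header."""
    return struct.pack("!BBH", 3, 0, len(payload) + 4) + payload


def build_status_enquiry(call_ref: int = 1) -> bytes:
    """Q.931: discriminator, call-reference length 2 (as H.225.0 uses), the call
    reference with the originator flag clear, message type, no IEs."""
    return tpkt(struct.pack("!BBHB", Q931_PD, 0x02, call_ref & 0x7FFF, MSG_STATUS_ENQUIRY))


def parse_q931(pkt: bytes) -> Optional[Dict[str, object]]:
    """Decode any TPKT/Q.931 message; adds cause and call_state when present."""
    if len(pkt) < 4 or pkt[0] != 3 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    body = pkt[4:]
    if len(body) < 3 or body[0] != Q931_PD:
        return None
    crl = body[1] & 0x0F
    if len(body) < 3 + crl:
        return None
    call_ref = int.from_bytes(body[2:2 + crl], "big")
    flag_bit = 1 << (8 * crl - 1) if crl else 0
    result: Dict[str, object] = {
        "msg_type": body[2 + crl] & 0x7F,
        "call_ref": call_ref & ~flag_bit,
        "from_callee": bool(call_ref & flag_bit),   # flag set = sent by the side that did not allocate the CRV
    }
    ies = body[3 + crl:]
    i = 0
    while i < len(ies):
        ie_id = ies[i]
        if ie_id & 0x80:                    # single-octet IE (shift etc.), no length field
            i += 1
            continue
        if i + 1 >= len(ies):
            break
        ie_len = ies[i + 1]
        val = ies[i + 2:i + 2 + ie_len]
        if ie_id == IE_CAUSE and len(val) >= 2:
            # octet 3 = coding std/location; octet 3a (recommendation) present when its ext bit is 0
            cause_at = 1 if val[0] & 0x80 else 2
            if len(val) > cause_at:
                result["cause"] = val[cause_at] & 0x7F
        elif ie_id == IE_CALL_STATE and val:
            result["call_state"] = val[0] & 0x3F   # 0 = Null: no call in progress
        i += 2 + ie_len
    return result


# Constructed STATUS from a hypothetical endpoint: flag set, cause 30, call state Null.
SAMPLE_STATUS_REPLY = bytes.fromhex("03000010" "080280017d" "0802809e" "140100")


def probe_h323(host: str, timeout: float = 3.0) -> Optional[Dict[str, object]]:
    """Connect to host:1720, send STATUS ENQUIRY, decode the first message back."""
    try:
        with socket.create_connection((host, H225_PORT), timeout=timeout) as sock:
            sock.sendall(build_status_enquiry())
            data = sock.recv(1024)
    except OSError:
        return None
    return parse_q931(data)
```

An endpoint that answers any Q.931 message on 1720 is reachable for call signaling from wherever you ran the probe; a STATUS with cause 30 and call state 0 is the expected answer from an idle system. Whether it also auto-answers would need a real SETUP, which is intrusive, so stop at this step and fix the exposure instead.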

SQL Servers
Databases are frequent targets of attacks. Many attackers scan for open Microsoft SQL Server (TCP 1433) and MySQL (TCP 3306) ports, but rather than attempting to compromise such systems with exploits, they instead attempt to brute-force the passwords protecting the databases, says the SANS Institute's Ullrich.

"They typically don't search for a vulnerability there, but for a weak password," he says. "They scan for the databases and then try to connect by guessing passwords."

Companies should track down any database accessible from the Internet and either take it off the Internet or restrict which addresses can reach it, enforce strong credentials on every account the listener accepts, and alert on bursts of failed logins, which is what the guessing Ullrich describes looks like in the logs.
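Because the attack Ullrich describes is guessing rather than exploitation, the evidence lives in the database's own authentication log. The following added example, not code from the article or SANS, parses failed-login lines in the formats MySQL's error log and SQL Server's ERRORLOG produce and flags any source that crosses a failure threshold inside a sliding window. The log lines are constructed with documentation-range addresses, and the threshold and window are assumptions.

```python
"""Added example, not from the article or SANS: detection logic for the
password-guessing Ullrich describes, run over failed-login lines in the formats
MySQL's error log and SQL Server's ERRORLOG write. The log lines are constructed,
with documentation-range addresses, and the threshold is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})")
MYSQL_RE = re.compile(r"Access denied for user '([^']*)'@'([^']+)'")
MSSQL_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")


def parse_failed_login(line: str) -> Optional[Dict[str, object]]:
    """Return {ts, user, src, kind} for a failed-login line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1) + " " + m.group(2), "%Y-%m-%d %H:%M:%S")
    for rx, kind in ((MYSQL_RE, "mysql"), (MSSQL_RE, "mssql")):
        hit = rx.search(line)
        if hit:
            return {"ts": ts, "user": hit.group(1), "src": hit.group(2), "kind": kind}
    return None


def find_bruteforce(lines: Iterable[str], threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """Flag sources with >= threshold failures inside any sliding window.
    A lone typo from a legitimate client never reaches the threshold."""
    by_src: Dict[str, list] = defaultdict(list)
    for line in lines:
        ev = parse_failed_login(line)
        if ev:
            by_src[ev["src"]].append(ev)
    alerts: List[Dict[str, object]] = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, (0, 0, 0)             # (count, first index, last index)
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] >= threshold:
            burst = evs[best[1]:best[2] + 1]
            alerts.append({
                "src": src,
                "kind": burst[0]["kind"],
                "count": best[0],
                "users": sorted({e["user"] for e in burst}),
                "first": burst[0]["ts"].isoformat(),
                "last": burst[-1]["ts"].isoformat(),
            })
    return alerts


# Constructed log lines (documentation-range addresses), not a real capture.
SAMPLE_LOG = """\
2013-12-01T11:20:01.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2013-12-01T11:20:03.000000Z 13 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2013-12-01T11:20:05.000000Z 14 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2013-12-01T11:20:07.000000Z 15 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2013-12-01T11:20:09.000000Z 16 [Note] Access denied for user 'test'@'203.0.113.5' (using password: YES)
2013-12-01T11:20:11.000000Z 17 [Note] Access denied for user 'root'@'203.0.113.5' (using password: NO)
2013-12-01T11:25:44.000000Z 18 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2013-12-01 11:30:10.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2013-12-01 11:30:10.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2013-12-01 11:30:11.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2013-12-01 11:30:11.60 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.9]
2013-12-01 11:30:12.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2013-12-01 11:30:12.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
"""
```

A legitimate client that mistypes a password once never crosses the threshold; a scanner walking a wordlist does so within seconds, and the list of usernames it tried (root, sa, admin) tells you the guessing was generic rather than targeted. Feed the real logs in by tailing them into find_bruteforce().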

Simple Network Management Protocol (SNMP)
The DShield project sees some scanning for the Simple Network Management Protocol (SNMP), but Ullrich sees the protocol as mainly an overlooked risk.

Moore, however, sees SNMP as an engine for future attacks. Because many companies do not pay attention to SNMP, the protocol could be used as a vector for compromise and as a method of amplification for distributed denial-of-service attacks, Moore says.

"SNMP tends to get short shrift in terms of security exposure, not to mention it can be used for amplification attacks," Moore says. Amplification attacks typically abuse DNS: a small request carrying a spoofed source address elicits a much larger response, which the server delivers to the victim. SNMP has the same characteristics, he says.

Companies should filter SNMP at the perimeter in both directions: drop inbound SNMP requests from untrusted sources so that internal devices cannot be tricked into answering spoofed queries, and block outbound SNMP so that any device that does answer cannot deliver its amplified reply to a victim.
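To see why SNMP is an amplifier, it helps to build the request an attacker would spoof and measure the reply. The block below is an added example, not code from the article or Rapid7: it encodes an SNMPv2c GetBulkRequest by hand, decodes the GetResponse, and reports the size ratio. The response in the block is constructed, and audit_snmp() should be pointed only at your own perimeter.

```python
"""Added example, not from the article or Rapid7: the SNMPv2c GetBulkRequest
that amplification abuses, encoded by hand so the size asymmetry is visible,
plus a decoder to measure what one of your own devices sends back. Point
audit_snmp() at your own perimeter only. The sample response is constructed."""
import socket
from typing import Dict, Optional

SNMP_PORT = 161


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _int(v: int) -> bytes:
    """Non-negative INTEGER, minimal length, sign bit kept clear."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_getbulk(community: str = "public", oid: str = "1.3.6.1.2.1",
                  max_repetitions: int = 100, request_id: int = 1) -> bytes:
    """SNMPv2c (version field 1) GetBulkRequest [A5]: one varbind, non-repeaters 0.
    max-repetitions is the knob that makes the reply large."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + b"\x05\x00"))
    pdu = _tlv(0xA5, _int(request_id) + _int(0) + _int(max_repetitions) + varbinds)
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, i: int):
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                              # long-form length
        n, i = ln & 0x7F, i + (ln & 0x7F)
        ln = int.from_bytes(buf[i - n:i], "big")
    return tag, buf[i:i + ln], i + ln


def parse_response(pkt: bytes) -> Optional[Dict[str, object]]:
    """Decode a GetResponse [A2] far enough to match it and count varbinds."""
    try:
        tag, msg, _ = _read_tlv(pkt, 0)
        if tag != 0x30:
            return None
        _, ver, i = _read_tlv(msg, 0)
        _, comm, i = _read_tlv(msg, i)
        ptag, pdu, _ = _read_tlv(msg, i)
        if ptag != 0xA2:
            return None
        _, rid, j = _read_tlv(pdu, 0)
        _, err, j = _read_tlv(pdu, j)
        _, _idx, j = _read_tlv(pdu, j)
        _, vbl, _ = _read_tlv(pdu, j)
    except IndexError:
        return None
    count, k = 0, 0
    while k < len(vbl):
        _, _, k = _read_tlv(vbl, k)
        count += 1
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode("ascii", "replace"),
            "request_id": int.from_bytes(rid, "big"), "error_status": int.from_bytes(err, "big"),
            "varbinds": count}


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes the reflector emits per byte the attacker had to spoof."""
    return len(response) / len(request)


def sample_response(request_id: int = 1, n: int = 3) -> bytes:
    """Constructed GetResponse standing in for a device; not a capture."""
    text = b"Constructed device description " * 2
    vbs = b"".join(_tlv(0x30, _oid(f"1.3.6.1.2.1.1.1.{i}") + _tlv(0x04, text)) for i in range(n))
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbs))
    return _tlv(0x30, _int(1) + _tlv(0x04, b"public") + pdu)


def audit_snmp(host: str, community: str = "public", timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """Send one GetBulk to host:161 and report the size ratio; None if silent."""
    req = build_getbulk(community, request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, SNMP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    info = parse_response(data)
    if info is not None and info["request_id"] == 0x1234:
        info["amplification"] = amplification_factor(req, data)
    return info
```

The request is 37 bytes. A device that answers a GetBulk from an untrusted address with a response many times that size, for a community string as guessable as public, is a reflector waiting to be used; the perimeter filtering above is what stops it, and running the same probe from outside the perimeter confirms that the filter works.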

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...