Vulnerabilities / Threats

10/1/2013
12:49 PM
Researchers Unite To #ScanAllTheThings

'Project Sonar' community project launched for sharing Internet-scanning data, tools, and analysis

HD Moore's Internet-scanning projects are epic: The renowned researcher has exposed major holes in embedded devices, home routers, corporate videoconferencing systems, and other equipment sitting on the public Internet, open to abuse by attackers. But even with the groundbreaking findings by Moore and other researchers on these sitting-duck systems, most of the devices remain exposed and unfixed.

Moore and his counterparts hope that will change with the help of a newly formed community Internet-scanning initiative called Project Sonar, which was announced this week by Rapid7, where Moore serves as chief research officer. The goal of Project Sonar, which also includes the University of Michigan, is for researchers to share their data, help educate vendors whose products are discovered via the scans, and, ultimately, to raise public awareness of the vulnerability of this Internet-facing equipment.

"The more [who] are involved, the easier it will be to do research in the future," says Moore, who is also the creator of Metasploit. "It doesn't make sense to stop this kind of work. We need to know what's out there."

But Moore says progress in fixing the vulnerable Internet-facing devices these scans turn up has been frustrating. "The depressing thing from my point of view is we identify vulnerabilities and shiny new bugs ... But things get worse in the infrastructure," he says. The state of security in Universal Plug and Play (UPnP) devices remains poor, he says. Moore revealed earlier this year that his scans had found 40 to 50 million networked devices exposed through flaws in widely used implementations of the pervasive UPnP protocol, which is enabled by default in most printers, routers, network-attached storage, IP cameras, media players, smart TVs, and even video game consoles. Much of that exposure comes from devices answering UPnP discovery requests on their Internet-facing interface, a service intended only for the local network.
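The discovery step behind a UPnP survey like the one described above, as an added example (not code from Rapid7, Project Sonar or Masscan): the scanner sends an SSDP M-SEARCH probe to UDP/1900 on each public address, and every host that answers has UPnP reachable from the Internet. The SERVER header in the reply names the UPnP stack, which is how replies get grouped by SDK and version; a LOCATION URL pointing at an RFC 1918 address shows a NAT gateway leaking its LAN-side service on the WAN interface. The sample datagrams, the header-format assumptions, and the "last non-UPnP token" heuristic are this example's own, not the page's.

```python
"""SSDP (UPnP discovery) probe and reply parser, the building block of a UPnP survey.

Added example, not code from Rapid7, Project Sonar or Masscan. The datagrams in
SAMPLE_DATAGRAMS are constructed for this example and use documentation addresses.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

SSDP_PORT = 1900
SSDP_MCAST_ADDR = "239.255.255.250"

# The discovery probe: an HTTP-style request carried over UDP. A survey sends it
# unicast to each target at UDP/1900; "ST: ssdp:all" asks for every service.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_MCAST_ADDR}:{SSDP_PORT}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode("ascii")

# product/version tokens in a SERVER header; handles both the comma-separated style
# ("Linux/2.6, UPnP/1.0, Portable SDK for UPnP devices/1.6.6") and the
# space-separated style ("Linux/3.4 UPnP/1.0 MiniUPnPd/1.8").
PRODUCT_RE = re.compile(r"([^,/]+?)/(\S+)")

# RFC 1918 space, checked explicitly rather than with ip_address.is_private,
# which would also flag documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ssdp_reply(src, datagram):
    """Return {'src','server','location','st'} or None if this is not an SSDP 200 reply."""
    text = datagram.decode("ascii", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None  # malformed header line: treat the whole datagram as junk
        headers[name.strip().lower()] = value.strip()
    if "st" not in headers:  # every M-SEARCH response carries the search target
        return None
    return {"src": src, "server": headers.get("server", ""),
            "location": headers.get("location", ""), "st": headers["st"]}


def products(server_header):
    """Split a SERVER header into (product, version) pairs."""
    return [(name.strip(), ver.rstrip(",")) for name, ver in PRODUCT_RE.findall(server_header)]


def upnp_stack(server_header):
    """Name the UPnP implementation: the last product token that is not the
    'UPnP/x.y' spec-version token. A heuristic assumed for this example."""
    for name, ver in reversed(products(server_header)):
        if name.lower() != "upnp":
            return f"{name}/{ver}"
    return server_header or "(no SERVER header)"


def location_is_rfc1918(location):
    """True when LOCATION points at an RFC 1918 address (a NAT gateway answering on its WAN side)."""
    host = urlsplit(location).hostname
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than a literal address
    return any(addr in net for net in RFC1918)


def summarize(datagrams):
    """Parse (src, datagram) pairs and tally exposed stacks, NAT leaks and junk."""
    stacks, nat_leaks, junk = Counter(), 0, 0
    for src, data in datagrams:
        reply = parse_ssdp_reply(src, data)
        if reply is None:
            junk += 1
            continue
        stacks[upnp_stack(reply["server"])] += 1
        if location_is_rfc1918(reply["location"]):
            nat_leaks += 1
    return {"stacks": stacks, "nat_leaks": nat_leaks, "junk": junk}


# Constructed sample replies, not real survey data.
SAMPLE_DATAGRAMS = [
    ("203.0.113.10", b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
                     b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
                     b"SERVER: Linux/2.6, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
                     b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n\r\n"),
    ("198.51.100.7", b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                     b"SERVER: Linux/3.4 UPnP/1.0 MiniUPnPd/1.8\r\n"
                     b"LOCATION: http://198.51.100.7:5000/rootDesc.xml\r\n\r\n"),
    ("192.0.2.33", b"HTTP/1.1 404 Not Found\r\n\r\n"),  # HTTP, but not a discovery reply
    ("192.0.2.34", b"\x00\x01not ssdp at all"),           # noise on the port
]

if __name__ == "__main__":
    report = summarize(SAMPLE_DATAGRAMS)
    for stack, n in report["stacks"].most_common():
        print(f"{n:6d}  {stack}")
    print(f"NAT gateways leaking a LAN LOCATION: {report['nat_leaks']}, junk datagrams: {report['junk']}")
```

On the wire, each target gets M_SEARCH via a UDP socket and the reply datagram goes through parse_ssdp_reply; the survey-scale tricks (stateless sending, a separate capture path) are what ZMap and Masscan add on top. Note that the SERVER string is self-reported by the device, so version-based conclusions from it are only as good as the vendor's string.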

The situation isn't much better for Internet-facing servers and workstations, which Moore and researcher Dan Farmer earlier this year found were exposed through major flaws in the Intelligent Platform Management Interface (IPMI) protocol and in the Baseboard Management Controllers (BMCs) that ship with most servers for remote management.

The common thread across these and other exposed devices on the public Internet is backdoor-style access that vendors build in for their own convenience, default passwords included, combined with customers who are either unaware of the holes or do not understand the danger of leaving them reachable from the Internet.

Getting 'Abuse' For Helping
One of the biggest challenges faced by Moore and other researchers who conduct Internet-scanning research is the abuse complaints lodged against them. "People don't like being scanned and complain to our ISP. Most people can't scan the Internet because their ISP would quickly just cancel their account rather than put up with the abuse complaints. In many ways, this is a good thing because that's how they shut down hackers and viruses, but it has the side effect of shutting down good white-hat research like this," says Robert Graham, CEO at Errata Security, who has built his own open-source tool for the task called Masscan.

Project Sonar is expected to attract more security researchers into scanning the Net for vulnerable equipment as well. "White-hat researchers have been secretive about their scans in the past. Now they can come out of the closet about it," Graham says.

Moore says Project Sonar should help provide a more unified and official front for this type of research going forward. "There is safety and power in numbers," he says. And having security companies, universities, and other respected organizations behind it will help the image of this type of research, which is often misunderstood, Moore says.

Vendors with exposed products will benefit too, he says, gaining data on their market share and an inventory of older equipment still in the field. "They may not realize that the IPS product they shipped six years ago" is still being sold out there, for example, Moore says.

The University of Michigan, which recently released ZMap, a tool that can survey the entire IPv4 address space in less than an hour, will host Project Sonar's data.

[A network scanner designed from scratch by three University of Michigan researchers can scan the entire IPv4 Internet in about 45 minutes, drastically reducing the time such scans take. See Fast Scanning To Fuel 'Golden Age' Of Global Flaw Finding.]

"Rapid7 Labs believes the only way to make meaningful progress is through data sharing and collaboration across the security community as a whole. As a result, we launched Project Sonar at DerbyCon 3.0 and urged the community to get involved with the research and analysis effort. To make this easier, we highlighted various free tools and shared a huge amount of our own research data for analysis," blogged security researcher Mark Schloesser, who also included information on the open-source tools for scanning as well as best practices.

Errata Security's Graham, meanwhile, says he hopes the community model will encourage white-hat research of Internet-facing vulnerabilities to keep this research alive. "So far we've been extremely open about our scans, blogging about them, announcing them, disclosing summaries of the results, adding people to our 'exclude' list, and so forth," Graham said in an email interview. "But in the future, we may have to go to the dark side -- by which I mean the same dodgy ISPs that spammers, scammers, and hackers use. We'd still be open about it, of course -- it's just that the source will appear less legitimate."
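Graham's "exclude list" is the practical side of staying on the right side of abuse desks: networks that ask not to be scanned are subtracted from the target set before a single packet leaves. The following is an added example of that bookkeeping, not Masscan's, ZMap's or Project Sonar's code; it uses Python's standard ipaddress module, is IPv4-only like the 2013 surveys, and every range in it is constructed for illustration.

```python
"""Subtracting an opt-out ("exclude") list from scan targets before an Internet-wide scan.

Added example, not code from Masscan, ZMap or Project Sonar. Shows how to cut the
excluded networks out of the target ranges so excluded hosts are never put on the
wire, and how to answer "was this address in scope?" when an abuse complaint arrives.
IPv4 only. All ranges below are constructed (documentation address space).
"""
import ipaddress


def parse_ranges(lines):
    """Parse CIDR lines ('#' comments and blank lines ignored) into a sorted,
    collapsed list of IPv4 networks, the usual shape of a scanner exclude file."""
    nets = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        net = ipaddress.ip_network(text, strict=False)  # strict=False tolerates host bits set
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {text}")
        nets.append(net)
    return sorted(ipaddress.collapse_addresses(nets))


def subtract(targets, excludes):
    """Return the target networks with every excluded network carved out."""
    remaining = list(targets)
    for ex in excludes:
        kept = []
        for net in remaining:
            if net.subnet_of(ex):        # whole block excluded (also covers net == ex)
                continue
            if ex.subnet_of(net):        # exclude lies inside this block: punch the hole
                kept.extend(net.address_exclude(ex))
            else:                        # disjoint: untouched
                kept.append(net)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def count_addresses(nets):
    """Total number of addresses across a list of networks."""
    return sum(n.num_addresses for n in nets)


def in_scope(addr, targets, excludes):
    """Would the scanner have sent packets to addr? Excludes always win over targets."""
    a = ipaddress.ip_address(addr)
    if any(a in ex for ex in excludes):
        return False
    return any(a in net for net in targets)


# Constructed input: two documentation /24s as targets, four opt-out lines.
TARGET_LINES = ["203.0.113.0/24", "198.51.100.0/24"]
EXCLUDE_LINES = [
    "203.0.113.64/26     # a block whose owner asked to be left alone",
    "203.0.113.200/32    # a single host",
    "198.51.100.0/24     # an entire target block opted out",
    "192.0.2.0/24        # disjoint from every target; must be a no-op",
]

TARGETS = parse_ranges(TARGET_LINES)
EXCLUDES = parse_ranges(EXCLUDE_LINES)
SCAN_SET = subtract(TARGETS, EXCLUDES)

if __name__ == "__main__":
    print(f"{count_addresses(TARGETS)} target addresses, {count_addresses(SCAN_SET)} after excludes")
    for net in SCAN_SET:
        print("  scan", net)
    for ip in ("203.0.113.5", "203.0.113.70", "203.0.113.200", "198.51.100.9", "192.0.2.1"):
        print(f"  {ip}: {'in scope' if in_scope(ip, TARGETS, EXCLUDES) else 'NOT in scope'}")
```

The same subtraction should be applied to the reserved, multicast and private ranges a scanner must never touch, which is why the shipped scanners carry a default blacklist; keep the opt-out file under version control so that an abuse reply can state exactly when an address was added.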

Among the big takeaways from his Masscan port scans is that exposed home routers and access points are rampant, Graham says. "My message to home users is this: That device you bought to connect you to the Internet? I give it a 70 percent chance I can hack it -- easily. Sure, some are secure, it's just that most aren't. And more expensive or 'feature-rich' or 'secure' devices from more 'reputable' vendors are no different in this respect than any other vendor/device," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Not2nite, User Rank: Apprentice, 10/2/2013 | 8:18:29 PM
re: Researchers Unite To #ScanAllTheThings
People like these guys P*$$ me off! I work as an Information Security Officer for a large government contractor, and my teams waste so much time tracking down these "whitehat researchers" and their unrequested, unprompted ATTACKs that we can't check on the real attacks until later. I emphasize the word attack, because that's what they do to a network. Then when you catch them, they claim it's for research. I call B.S.!!! If I want your assistance in identifying security vulnerabilities, I'll hire you. If you want to scan the networks, you had better inform me before you so much as send the first ICMP packet to my firewall.
To top it off, when they discover a vulnerability and report it to a vendor, if the vendor doesn't fix the vulnerability within a time frame the researcher deems appropriate, they release the information to the wild. Thanks, Beavis, you've just given the low-level script kiddies the ability to launch an attack. I'll be the first to state that vendors need to address issues more quickly, but if you're a whitehat, why are you giving guns and ammo to blackhats? Take your skillset and use it with purpose; make the vulnerable technology safer.
Oh and yes, I'm in a rant because two members of my team just finished spending two days tracking down suspicious activity, only to find out it was "for research".