Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Project Sonar Crowdsources A Better Bug Killer

Scans of the entire Internet for known vulnerabilities turn up terabytes of data, but the next steps won’t be easy.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Can the vulnerabilities present in every public-facing network be recorded, identified and ultimately eradicated? That's the goal of Project Sonar, which was officially launched at the recent DerbyCon 3.0 conference in Louisville, Ky., which wrapped Sunday.

Project Sonar is the brainchild of HD Moore, who is chief research officer at Rapid7, as well as the creator and chief architect behind the Metasploit open-source vulnerability scanning tool, which can be used to test sites for known vulnerabilities. In a similar vein, Moore's latest project is focused on turning data gleaned from Internet-wide scans into actionable information for security professionals, developers and product vendors.

"Project Sonar is a community effort to improve security through the active analysis of public networks," said Moore in a related blog post. "This includes running scans across public Internet-facing systems, organizing the results, and sharing the data with the information security community." In one sense, the project focuses on spotting vulnerabilities not just for individual sites or Web applications -- as Metasploit does -- but in potentially every Internet-connected network.

[ How secure is your new iPhone? Read Apple Hackers Rate iPhone 5s Security. ]

So far, Rapid7 has released about 3 TB of raw data gathered from scans of IPv4 TCP banners and UDP probe replies, IPv4 reverse DNS lookups and IPv4 SSL certificates. It's now inviting other researchers to not just comb through the data, but generate and share their own.

What are the potential upsides of this type of project? For starters, having enormous amounts of information on the real-world vulnerabilities spotted in public-facing networks could help IT managers better prioritize their patch management plans, as well as hold vendors accountable for not just rapidly fixing vulnerabilities, but also ensuring that their customers are using the latest patches.

"Raising awareness about widespread vulnerabilities through large-scale scanning efforts yields better insight into the service landscape on the Internet, and hopefully allows both the community and companies to mitigate risks more efficiently," said Rapid7 security researcher Mark Schloesser in a related blog post.

Still, this remains relatively uncharted territory. Notably, Project Sonar is possible only due to recent big-data advances. "A few years ago, Internet-wide surveys were still deemed unfeasible, or at least too expensive to be worth the effort," said Schloesser, pointing to the need to use either lots of devices for scanning, or else long research periods. For example, the 2006 IPv4 Census conducted by the University of Southern California required four years' worth of data collection. Another effort, dubbed Internet Census 2012, illegally used 420,000 systems infected with the Carna botnet to scan about 660 million IP addresses and test 71 billion ports.

Today, however, purpose-built tools have allowed researchers -- with the right hardware -- to scan the Internet much more quickly. For example, Schloesser said, the ZMap network scanner, which is open source, can catalog every IPv4 address on the Internet in 45 minutes or less. Meanwhile, Errata Security CEO Robert David Graham's Masscan tool, which can generate 25 million packets per second, claims to be able to do the same job in just three minutes. "So this means that technically one can do Internet-wide scans with a single machine -- if the hardware is good enough," said Schloesser.

But scanning -- and Project Sonar -- is more than a technical endeavor. For one thing, port scans are often interpreted as a sign of attack, and the researchers involved in Project Sonar said that even after notifying hosting companies of the research they were undertaking, they frequently got locked out of their accounts.

"Scanning the entire Internet is bad," said Errata Security's Graham, in his Masscan release notes. "For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet."

Furthermore, when it comes to extracting useful vulnerability information, scanning the Internet -- or parts thereof -- turns out to be the easy part. "If we try to parse the data sets ourselves, even with a team of 30 people, it would take multiple years just to figure out the vulnerabilities in the data set," Moore told SecurityWeek. "It's ridiculous, really."

"The more time I spend on these scan projects, the more I realize how big the job is," Moore added. "The majority of the work isn't just figuring out the vulnerabilities themselves, but you have to identify all the affected vendors, identify the firmware versions, coordinate the disclosure process."

"It's a ton of backend work," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
10/1/2013 | 10:20:45 AM
re: Project Sonar Crowdsources A Better Bug Killer
David, it's not a research project, but the open question is how -- after all of this data has been collected -- the downstream requirements (identifying bugs, notifying vendors of vulnerabilities, directly informing vulnerable sites) can be dealt with. Automation is the obvious answer, but getting there would probably take some time.

As the project publicizes the vulnerabilities it finds, however, that might put pressure on vendors to patch faster, and push for better patch uptake.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
10/1/2013 | 3:24:59 AM
re: Project Sonar Crowdsources A Better Bug Killer
Assuming this can be made to work, is there any plan to contact individual site owners (in some automated way?) and alert them to vulnerabilities? Or is this strictly a research project?
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...
CVE-2013-5743
PUBLISHED: 2019-12-11
Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7.
CVE-2013-5978
PUBLISHED: 2019-12-11
Multiple cross-site scripting (XSS) vulnerabilities in products.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) Product name or (2) Price description fields via a request to wp-admin/admin.php. NOTE: This issue may...
CVE-2013-3542
PUBLISHED: 2019-12-11
Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models with firmware 1.0.4.11, have a hardcoded account "!#/" with the same password, which makes it easier for remote attackers to obtain ...