Internet scan finds thousands of device flaws, system weaknesses

Unpatched databases, misconfigured routers and more than 1,000 passwords were exposed in an Internet probe over 20 days by Metasploit creator HD Moore.

LOUISVILLE, Ky. -- A scan of the Internet during a 20-day period yielded terabytes of sensitive data and also some alarming enterprise security weaknesses, including misconfigured routers, vulnerability-riddled databases and more than 1,000 exposed passwords.


It's a project that Internet security pioneer HD Moore calls his hobby. His Internet-wide survey looked for open TCP ports, Simple Network Management Protocol (SNMP) system descriptions, multicast domain name system (mDNS) responders, universal plug-and-play (UPnP) endpoints and NetBIOS name queries. At the DerbyCon security conference, Moore told a packed room of hundreds of attendees that the project has resulted in a treasure trove of data that is continually being analyzed.

Computing power has increased and costs have come down, Moore said, enabling mapping projects like this and subsequent data correlation efforts.

"The Internet has gone from this nebulous scary thing that's hard to map to … something that you can gain a lot of interesting insight by analyzing information like this," Moore said. "Resources have caught up with scalability of how we use computers."

Moore, the creator of the popular pen testing platform Metasploit and chief security officer at Boston-based vulnerability management vendor Rapid7 LLC, has been railing against misconfigured systems and remote access weaknesses. He said Internet-enabled devices such as routers and video conferencing systems are often deployed at home or in enterprises with default passwords and configurations, making them easy targets for attackers.

Moore described some of the results of the project in a June blog post, which highlighted a number of deployment and configuration mistakes made with video conferencing products. At the conference, he told attendees that any one of them can conduct a similar analysis and spot the same weaknesses and configuration issues.

For example, his analysis found more than 43 million devices exposing SNMP to the Internet. SNMP is used to monitor and remotely configure network devices. If it is exposed, an attacker can use it to learn about a device's network traffic and configuration and to identify other vulnerabilities on the system.
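An added illustration of the misconfiguration the article describes, not taken from the article or from Moore's project: a net-snmp `snmpd.conf` fragment in the weak form an Internet scan finds, followed by a corrected form. The addresses are RFC 5737 documentation ranges standing in for a real management network, and the community string is a placeholder to be replaced.

```text
# --- Weak: listens on every interface and answers the default read-only
# community string "public" from any source. This is what an Internet-wide
# SNMP probe finds. ---
agentAddress udp:161
rocommunity public

# --- Corrected: bind to the management address only, accept a non-default
# community string only from the management subnet, and limit the agent to a
# restricted view (system and host groups) instead of the whole MIB tree. ---
# 192.0.2.1 / 192.0.2.0/24 are placeholder documentation addresses.
agentAddress udp:192.0.2.1:161
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity REPLACE_WITH_LONG_RANDOM_STRING 192.0.2.0/24 -V systemonly
```

The source restriction in `rocommunity` is a second line of defence, not the first: UDP/161 should also be dropped at the network edge, and SNMPv3 with authenticated and encrypted users (`createUser` / `rouser`) is preferable to any community string, since v1/v2c communities travel in cleartext.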

The scan also enabled Moore to analyze how many MySQL database management systems are still vulnerable to a dangerous authentication bypass flaw, which lets a remote attacker log in by repeatedly attempting authentication with the same incorrect password. Moore said the flaw, which was patched by Oracle Corp., gives attackers immediate access to the data if the issue is not addressed. The number of systems still vulnerable is down from the more than 3 million initially affected, but Moore said a check in August found more than 90,000 still exposed.
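The bypass described above leaves a recognizable trace on the database side: a burst of failed logins for one account from one source, possibly followed by a success. The following detection script is an added example, not code from the article, Moore, or Rapid7. It runs over constructed log lines written in a simplified MySQL error-log style (the "Access granted" line assumes that successful logins are also being recorded, for instance by an audit plugin, which stock MySQL does not do by default) and flags any user@host pair that exceeds a failure threshold inside a sliding time window, marking the alert as more serious if a success follows the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified MySQL error-log style. These are not
# real captures; all hosts are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2012-08-14T10:00:00 [Warning] Access denied for user 'app'@'192.0.2.10' (using password: YES)
2012-08-14T10:00:01 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2012-08-14T10:00:01 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2012-08-14T10:00:02 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2012-08-14T10:00:02 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2012-08-14T10:00:03 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2012-08-14T10:00:05 [Note] Access granted for user 'root'@'198.51.100.7'
2012-08-14T10:00:30 [Warning] Access denied for user 'app'@'192.0.2.10' (using password: YES)
2012-08-14T10:09:00 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2012-08-14T10:20:00 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2012-08-14T10:31:00 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2012-08-14T10:42:00 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2012-08-14T10:53:00 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
"""

# Matches both the denied and the (assumed) granted form of the constructed lines.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \[\w+\] Access (?P<verb>denied|granted) for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_line(line):
    """Return (timestamp, outcome, user, host), or None for lines that are not auth events."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("verb"), m.group("user"), m.group("host")


def detect_auth_bursts(log_text, threshold=5, window_seconds=60):
    """Flag user@host pairs with >= threshold failures inside a sliding window.

    Returns a list of alert dicts. 'succeeded_after' is set when a successful
    login for the same pair arrives within one window of the last failure,
    which is the pattern a successful bypass would leave behind.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (user, host) -> timestamps of failures still in window
    alerts = {}                  # (user, host) -> alert dict, one per pair

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, host = parsed
        key = (user, host)

        if outcome == "denied":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            if key in alerts:
                alerts[key]["failures"] += 1
                alerts[key]["last"] = ts
            elif len(q) >= threshold:
                alerts[key] = {
                    "user": user, "host": host, "failures": len(q),
                    "first": q[0], "last": ts, "succeeded_after": False,
                }
        else:
            alert = alerts.get(key)
            if alert is not None and ts - alert["last"] <= window:
                alert["succeeded_after"] = True

    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_auth_bursts(SAMPLE_LOG):
        flag = "LOGIN SUCCEEDED AFTER BURST" if a["succeeded_after"] else "burst only"
        print(f"{a['user']}@{a['host']}: {a['failures']} failures "
              f"{a['first']} .. {a['last']} [{flag}]")
```

With the defaults, only root@198.51.100.7 is flagged (five failures in three seconds, then a success), while the two mistyped passwords from the application account and the slow, spaced-out attempts from 203.0.113.9 stay below the threshold. The threshold and window are tunable, and for the slow case a longer window with a lower threshold catches it at the cost of more noise; detection of this kind complements, but does not replace, patching the server and keeping its port off the Internet.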

Cisco routers were among the most exposed, Moore said, noting that many people ignore their routers until they break. With more than 40 security advisories a year coming from the networking giant, he said, it is difficult to keep up. The analysis determined that the average router has more than 60 flaws.

The scan also yielded SSH exposure on F5 Networks Inc. BIG-IP system hardware and software. More than 13,500 BIG-IP appliances were identified as being configured with SSH open, Moore said.

More than 1,000 exposed passwords to database drivers, email clients, point-of-sale systems and retail business-to-business and e-commerce systems were also uncovered by the scan. HTTP cookie analysis identified specific cookie sessions and further analysis could yield random Web application zero-day flaws, Moore said.

The project has landed Moore on the top attacker's list at the SANS Internet Storm Center's DShield monitoring site. In turn he's had to handle more than 1,700 abuse complaints; one out of every five Internet service providers has blocked Moore from scanning its servers.

"Scanning the Internet annoys people," Moore said. "You can scan the entire Internet with one probe in about seven hours."
