Modernizing Authentication — What It Takes to Transform Secure Access
SAN FRANCISCO: There is no shortage of research releases at the RSA 2013 security conference. Yet one piece of research stands alone, above all others by virtue of the sheer audacity of the undertaking. HD Moore, celebrated hacker, founder of the open source Metasploit framework and CISO at Rapid7, scanned the *entire* Internet in an effort to find security flaws.
It's a truism that if you go looking for trouble, you will find it and that's precisely what Moore found. Speaking in a packed RSA session Moore noted that he has been scanning the entire IPv4 address space for the last year.
The effort was dubbed critical.io, and its primary goal was to derive large macro-trends about vulnerabilities across the Internet at large.
Moore noted that he looked at management, email, discovery and Web servers across common ports. In total, the critical.io study looked at 18 commonly exposed services. Moore used open source tools to conduct the scans, running with a pair of services in his home.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
Not everyone was pleased to have Moore scanning their IP ranges, and he said he got approximately 3,000 abuse reports about his scans. The critical.io Web page provides information about Moore's effort and includes contact information for site owners to opt out of the scan.
In total, 100 million IPs were excluded via opt-out, which only represents approximately 2.6 percent of all the addresses scanned.
"I identified 310 million unique IPs over 12 months," Moore said. "10 CVEs for vulnerabilities have been published so far and there are still a few dozen vulnerabilities in the queue."
"Web servers make the Internet go around," Moore said.
Web servers are also a major source of risk. According to Moore's scans, the number one Web server in the world is RomPager, which is an embedded technology. RomPager runs on 40 million devices, with most of the installations using older unlatched iterations that are loaded with publicly known vulnerabilities. Older versions of Microsoft IIS and Apache HTTPD were also common. All could be at risk from multiple public vulnerabilities that have been patched in newer versions of the software.
SNMP is a pervasive management protocol found on networking devices. While SNMP can be deployed securely, Moore found over 68 million systems that improperly publicly exposed their SNMP access. The majority of those devices are cable and DSL modems.
Moore also found it easy to gain unauthorized administrative access to routers. Digging into the data he sampled 16,000 Huawei routers, 30 percent of which he was able to access with the username password pair: admin/12345.
Telnet and SSH
Telnet is generally considered to be an insecure protocol for remote access, as authentication is sent in the clear and can easily be intercepted. SSH, which is encrypted, is the usual alternative. Moore found that on the Internet at large, there are more servers with Telnet on them than with SSH.
To add further insult to injury, Moore found 10,000 routers with Telnet on them where no password was required for access. "Just type telnet and you're in," Moore said. "Hacking is easy."
Email, VNC and Older Vulnerabilities
While Moore found lots of things to worry about on the Internet, he discovered that email is actually pretty secure. "Relative to everything else out there, email is good," he said. "It is widely used and not generally root-able."
VNC (Virtual Network Computing), which is used for remote desktop access, also got a good grade from Moore. He found 1.1 million servers running VNC, and only 0.02 percent of instances were found to be vulnerable.
Overall, Moore sees a lot of old vulnerabilities still easily exploited thanks to unpatched software and improper configuration. While a lot of media hype and security research is dominated by zero day flaws and Java weaknesses, Moore argued that many easily exploited vulnerabilities can be found quite literally everywhere.