SecurityWeek

Network Security

DerbyCon: HD Moore On Mapping the Wild West Online

LOUISVILLE – DerbyCon – During his talk on Friday, Rapid7’s HD Moore presented findings to DerbyCon attendees from his research effort to map the Internet. He focused on what he calls the “funky little ghost towns” that emerge, and the trends that are revealed, when one does large-scale mapping of the Internet.

Some of Moore’s findings offer a look into the state of security for systems that are exceedingly common, as well as those that may not be given a second look during a security assessment – but are critical nevertheless.

“We’re in an unprecedented time in our lives, where we have abundant amounts of data, and not enough attention (and time) to spend on it,” he said.

“It’s not a matter of getting the data any more; it’s a matter of what to do with it.”

Fingerprinting has long been a tool used by security professionals on a network, and criminal hackers are no strangers to the process either. It isn’t like the data discovered is private. Networking protocols are standardized, and the services running on a given port are designed to respond one way or another. Again though, collecting the data and using or analyzing the data from a large-scale mapping project are two different things.

“You can have the same types of devices, the same types of switches, and the same type of organization, and entirely different represented exposure of vulnerabilities and exposed datasets,” Moore said.

As an example of one of the patterns within the dataset that came from his scanning initiative, Moore highlighted the 43 million servers that had Simple Network Management Protocol (SNMP) enabled. “SNMP is a pretty scary freaking protocol to expose to the world,” Moore explained.

SNMP can release a ton of information about a network, including all the routes in use, the processes and services running on Linux and Windows hosts, and the installed software and patch versions. Moreover, process arguments exposed through SNMP can contain passwords for services such as RDP or SSH, sent in the clear. Data leaks aside, SNMP can also be abused to launch amplification DDoS attacks.

UPnP, which most administrators don’t consider a risk by itself when exposed, is another interesting finding. Moore disagrees with that low risk assessment: there are only about a dozen unique UPnP implementations in use in the world, and almost all of them are based on the Intel SDK, which has several bugs. Vendors forked the SDK without fixing those bugs and shipped it in products sold to customers.

“So you’ve got this massively potentially exploitable vulnerability, in a protocol that no one’s really looked at, that exposes more devices other than HTTP, and no one knows about it. So have fun,” Moore said.

When it comes to Cisco, it was little surprise that Moore located a massive number of its devices during his scanning. Risk-wise, Cisco puts out about 40 IOS updates a year, but most organizations won’t flash their routers more than once every five years. In fact, most will use the router until it breaks.

Based on the data reported by SNMP from the 360,000 Cisco routers that were exposed, the average router had about 60 flaws. The most exploitable version of IOS on the planet is 12.2, because Cisco “added a whole slew of features that all had vulnerabilities at once, and no one ever updated past it.”
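As an added example (not code from the talk or from Rapid7), here is the kind of triage a defender can run over SNMP sysDescr values collected from their own routers: it extracts the Cisco IOS version train from each string and flags devices still on the 12.2 train that Moore singled out. The sysDescr strings are constructed samples in the two formats Cisco IOS devices return; the `stale_trains` list is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed sysDescr samples (not data from the talk), in the newer
# "Cisco IOS Software" and older "Internetwork Operating System" formats.
SAMPLE_SYSDESCR = [
    "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc1)",
    "Cisco Internetwork Operating System Software IOS (tm) 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T, RELEASE SOFTWARE (fc3)",
    "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)",
    "Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)M, RELEASE SOFTWARE (fc1)",
    "Linux router1 3.10.0 #1 SMP x86_64",  # non-Cisco host, should be skipped
]

# "Version 12.2(55)SE," -> train "12.2", maintenance "55", suffix "SE," (comma stripped below)
VERSION_RE = re.compile(r"\bVersion (\d+\.\d+)\(([^)]+)\)(\S*)")


def parse_ios_version(sysdescr):
    """Return (train, full_release), e.g. ("12.2", "12.2(55)SE"), or None if not Cisco IOS."""
    if "Cisco" not in sysdescr or "IOS" not in sysdescr:
        return None
    m = VERSION_RE.search(sysdescr)
    if not m:
        return None
    train, maint, suffix = m.groups()
    suffix = suffix.rstrip(",")
    return train, f"{train}({maint}){suffix}"


def summarize(descriptions, stale_trains=("12.2",)):
    """Count devices per IOS train and list the releases on trains flagged as stale (assumed list)."""
    counts = Counter()
    flagged = []
    for desc in descriptions:
        parsed = parse_ios_version(desc)
        if parsed is None:
            continue
        train, release = parsed
        counts[train] += 1
        if train in stale_trains:
            flagged.append(release)
    return counts, flagged


if __name__ == "__main__":
    per_train, stale = summarize(SAMPLE_SYSDESCR)
    for train, n in sorted(per_train.items()):
        print(f"IOS {train}: {n} device(s)")
    print("Still on a stale train:", stale)
```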

The mapping project is expected to last for another six months or so, Moore noted towards the end of his talk. Hopefully that additional work will mean stronger and more robust data sets, which in turn can be used to help administrators understand what they’re exposing to the world and why it matters.

You can view HD’s full DerbyCon talk in the video below:
