One Man Pinged the Whole Internet

What Happened When One Man Pinged the Whole Internet article tells about a home science experiment that probed billions of Internet devices reveals that thousands of industrial and business systems offer remote access to anyone. Moore’s census involved regularly sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world (Google, in contrast, collects information offered publicly by websites).

310 million IP addresses turned out to devices which were safety defects or to permit anyone to manage them. 114000 vulnerable devices were part of a commercial or industrial system. Many came in with default passwords, and 13000 unit let in without asking for a password at all.

Moore believes the security industry is overlooking some rather serious, and basic, security problems by focusing mostly on the computers used by company employees. Many company’s IT systems have largely unknown and easily hackable backdoors. Those vulnerable accounts offer attackers significant opportunities, says Moore, including rebooting company servers and IT systems, accessing medical device logs and customer data, and even gaining access to industrial control systems at factories or power infrastructure.

Billy Rios, a security researcher who works on industrial control systems at security startup company Cylance, says Moore’s project provides valuable numbers to quantify the scale of a problem that is well-known to experts like himself but underappreciated by companies at risk. Rios says that in his experience, systems used by more “critical” facilities such as energy infrastructure are just as likely to be vulnerable to attack as those used for jobs such as controlling doors in a small office. “They are using the same systems,” he says

Many security problems are related to unsecured serial servers. Manufacturers of unsecured serial servers are not offended by those findings. They have tried to educate their customers on good security policy earlier, and they also sell services for secured connectivity.

Remember that HD Moore is not the only person scanning the Internet. Internet Census 2012: Port scanning /0 using insecure embedded devices article tells about dataset published by an anonymous hacker last month, gathered by compromising 420,000 pieces of network hardware. Also Cyber search engine Shodan exposes industrial control systems to new risks by making them easier to find (more on at at my Automation systems security issues posting).

12 Comments

  1. Tomi Engdahl says:

    Serial killer hack threat to gas pipes, traffic lights, power plants
    Report: Essential kit wide open to world+dog
    http://www.theregister.co.uk/2013/04/29/serial_port_security_threat/

    Analysis Corporate VPN systems to traffic light boxes are apparently wide open to hackers thanks to a lack of authentication checks in equipment exposed to the internet.

    That’s according to research from security toolmaker Rapid7, which says it found plenty of systems that can be freely remotely controlled via public-facing serial port servers.

    These serial port servers, also known as terminal servers or serial-to-Ethernet converters, pipe data to and from a device’s serial port over the internet. This allows workers to remotely control equipment – from sensors to factory robots – over the web or mobile phone network

    These serial port servers also pop up alongside systems that track vehicles and cargo containers, and can provide auxiliary access to network and power equipment in case of some disaster.

    A good deal of serial-connected machines each assumes that if someone can talk to it via a serial cable then that person is an authorised employee with physical access and thus no security checks are needed: it will accept commands from anyone communicating via its serial port, and thus it trusts the port server.

    The equipment’s serial port can also be exposed directly to the network by the Ethernet converter. In this mode, the port server acts as a TCP proxy and removes itself from the equation. Suddenly, the equipment is one step closer to a lurking miscreant.

    Claudio Guarnieri, a security researcher at Rapid7, told El Reg the range of vulnerable systems accessible via serial-to-Ethernet converters included medical devices, traffic control systems, fleet tracking networks and even gas and oil pipelines. The common problem in all cases was either weak or nonexistent authentication checks.

    “You have to know how to look for these systems but they’re out there,” Guarnieri explained. “Once in, anything from raising the temperature in a chemical tank to controlling the traffic lights in a city might be possible. You could shut down the power grid.”

    Rapid7 used three sets of data to identify open serial consoles as part of its research. The first pool of information came from the controversial Internet Census 2012, specifically an index of devices with open TCP ports 2001 to 2010 and 3001 to 3010. These ports were selected because they are commonly used by Digi and Lantronix serial-to-Ethernet converters configured as TCP proxies.

    Secondly, connections to port 771 were analysed to detect Digi gear running proprietary RealPort services.

    For example, building security systems may be connected to computers via Digi networking gear, but instead of using a serial port to hook up sensors and locks, the Digi device drives and monitors custom output and input signal lines to and from the security alarms and sensors, respectively.

    And in some cases, organisations may not be aware that serial ports could be exposed to the public internet via the mobile phone network: a misconfiguration could expose the hardware when connected via a port server that has cellular network capabilities.

    Reply
  2. Tomi Engdahl says:

    D Moore, the developer of Metasploit and chief security officer at Rapid7, gave a presentation on the widespread insecurity of serial port servers at the InfoSec Southwest 2013 conference.
    https://speakerdeck.com/hdm/serial-offenders

    This presentation dives into the crazy world of serial port converters, remote access devices, and terminal servers, demonstrating simple methods for accessing thousands of servers, routers, and point of sales systems using Metasploit.

    Reply
  3. Find your Network Security Key says:

    Well written. Never ever observed the topic place in this excellent way.
    So pleased to have discovered this great resource.

    Reply
  4. Tomi says:

    This Is the Most Detailed Picture of the Internet Ever (and Making it Was Very Illegal)
    http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever

    An anonymous researcher with a lot of time on his hands apparently shares the sentiment. In a newly published research paper, this unnamed data junkie explains how he used some stupid simple hacking techniques to build a 420,000-node botnet that helped him draw the most detailed map of the Internet known to man. Not only does it show where people are logging in, it also shows changes in traffic patterns over time with an impressive amount of precision. This is all possible, of course, because the researcher hacked into nearly half a million computers so that he could ping each one, charting the resulting paths in order to make such a complex and detailed map. Along those lines, the project has as much to do with hacking as it does with mapping.

    The resultant map isn’t perfect, but it is beautiful. Based on the parameter’s of the researcher’s study, the map is already on its way to becoming obsolete, since it shows only devices with IPv4 addresses. (The latest standard is IPv6, but IPv4 is still pretty common.) The map is further limited to Linux-based computers with a certain amount of processing power. And finally, because of the parameters of the hack, it shows some amount of bias towards naive users who don’t put passwords on their computers.

    The research also serves as another much-needed warning about Internet security. “A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that ‘nobody would connect that to the Internet, really nobody’, there are at least 1000 people who did,” says the report. “Whenever you think ‘that shouldn’t be on the Internet but will probably be found a few times’ it’s there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password.”

    Reply
  5. business says:

    You’re so awesome! I don’t believe I’ve truly read through anything like that before. So nice to find another person with some original thoughts on this subject. Seriously.. thanks for starting this up. This site is one thing that is needed on the web, someone with some originality!

    Reply
  6. Wp signal tracker says:

    Thank you a bunch for sharing this with all folks you actually realize what you’re speaking approximately! Bookmarked. Please also visit my website =). We can have a hyperlink exchange arrangement among us

    Reply
  7. pozycjonowanie says:

    I am will no longer confident the best place you might be getting the info, having said that great subject matter. Need to devote some time studying much more or maybe comprehending much more. Appreciation for superb information and facts I was trying to find this info in my vision.

    Reply
  8. Tomi Engdahl says:

    Compromised Devices of the Carna Botnet
    (also know and “Internet Census 2012″)
    https://docs.google.com/file/d/0BxMgdZPXsSLBQWRIZDB0cTdGU2c/view?pli=1&sle=true

    Reply
  9. Tomi Engdahl says:

    Hacker measured the Internet, infected hundreds of devices in Finland

    Especially Carna botnet Aftermath washed on. Unknown hacker polluted in the world estimated at millions of Internet connected devices, of which approximately 1.2 million are in Australian Cert authority, identifiable.

    Of these, 1.2 million units in the 420 000 was used as the “Internet Census 2012″ survey-making. The hacker, therefore, mapped out the entire internet as a botnet spread during the last year.

    Most of the contaminated equipment was located in China. The next highest number, but to a much lesser number of infections was, inter alia, Turkey, India, South Korea, Russia and the United States.

    According to the report infections in Finland was 425 pieces

    Malware infected devices are allowed to contact the telnet protocol from the public network and the default login credentials, such as admin / admin or root / password.

    According to CERT-FI contaminated equipment among other things, is a broadband terminal devices connected to the Internet and digital television receivers.

    The hacker’s trick was exceptional and strictly illegal in many countries. On the other hand Carna botnet is not guilty of, inter alia, traditionally understood spam or malware distribution. Or websites shutdown, as criminals often tend to do.

    The hacker tried his own words, to minimize the damage

    Source: http://www.digitoday.fi/tietoturva/2013/05/30/hakkeri-mittasi-internetin-tartutti-satoja-laitteita-suomessa/20137696/66?rss=6

    Reply
  10. shared hosting says:

    Everything is very open with a very clear explanation of the issues.

    It was really informative. Your website is
    useful. Many thanks for sharing!

    Here is my weblog; shared hosting

    Reply
  11. Age of Warring Empire Hack says:

    Greеtings from Los angeles! I’m bored at work so I
    deсided to check out your blog on my iphone during lunch break.
    I really lіke the knowledge you provide here and сan’t wait to take a look when I get home.
    I’m amаzed at how fast your blog loaded on my cell phone ..
    I’m not even using WIFI, just 3G .. Anyways, fantastic site!

    Reply

Leave a Reply to Find your Network Security Key Cancel reply

Your email address will not be published. Required fields are marked *

*

*