
Tag: TCP/IP

Almost 30 years after its inception, it's time to fix the engine that both fuels the modern day Internet and is the root cause of its most vexing security challenges.
Linkerd, providing an enterprise-level open source service mesh for cloud-native applications, has moved to a 1.0 release. Offered by cloud software provider Buoyant, the mesh adds service discovery, load balancing, failure handling, instrumentation, and routing to all interservice communication. Buoyant describes a service mesh as a dedicated infrastructure layer for safe, fast, and reliable service-to-service communication, sitting as a layer of abstraction above TCP/IP.
It's responsible for delivering requests through a complex topology of services in a cloud-native application, said William Morgan of Buoyant.
Not even HTTPS can hide your secret Gilmore Girls fetish

An infosec educator from the United States Military Academy at West Point has taken a look at Netflix's HTTPS implementation, and reckons all he needs to know what programs you like is a bit of passive traffic capture.…
Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan.

Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique.
Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network.

The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface.
If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking).
So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.

Clever little fakes

To date, we have seen two versions of the trojan:

acdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com
64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi

The first version (com.baidu.com) disguises itself as a mobile client for the Chinese search engine Baidu, simply opening the URL http://m.baidu.com inside the application.

The second version is a well-made fake version of a popular Chinese app (http://www.coolapk.com/apk/com.snda.wifilocating) for sharing information about Wi-Fi networks (including the security password) between users of the app.
Such information is used, for example, by business travelers to connect to a public Wi-Fi network for which they don’t know the password.
It is a good place to hide malware targeting routers, because users of such apps usually connect with many Wi-Fi networks, thus spreading the infection. The cybercriminals even created a website (though badly made) to advertise and distribute the aforementioned fake version of com.snda.wifilocating.

The web server that hosts the site is also used by the malware authors as the command-and-control (C&C) server.

The infection process

The trojan performs the following actions:

1. Gets the BSSID of the network and informs the C&C that the trojan is being activated in a network with this BSSID.

2. Tries to get the name of the ISP (Internet Service Provider) and uses that to determine which rogue DNS server will be used for DNS-hijacking. There are three possible DNS servers – 101.200.147.153, 112.33.13.11 and 120.76.249.59 – with 101.200.147.153 being the default choice, while the others will be chosen only for specific ISPs.

3. Launches a brute-force attack with the following predefined dictionary of logins and passwords:

admin:00000000
admin:admin
admin:123456
admin:12345678
admin:123456789
admin:1234567890
admin:66668888
admin:1111111
admin:88888888
admin:666666
admin:87654321
admin:147258369
admin:987654321
admin:66666666
admin:112233
admin:888888
admin:000000
admin:5201314
admin:789456123
admin:123123
admin:789456123
admin:0123456789
admin:123456789a
admin:11223344
admin:123123123

The trojan gets the default gateway address and then tries to access it in the embedded browser. With the help of JavaScript it tries to log in using different combinations of logins and passwords. Judging by the hardcoded names of input fields and the structure of the HTML documents that the trojan tries to access, the JavaScript code used will work only on the web interfaces of TP-LINK Wi-Fi routers.

4. If the attempt to get access to the admin interface is successful, the trojan navigates to the WAN settings, exchanges the primary DNS server for a rogue DNS controlled by the cybercriminals, and sets the secondary DNS to 8.8.8.8 (the Google DNS, to ensure ongoing stability if the rogue DNS goes down).

The code that performs these actions is a complete mess, because it was designed to work on a wide range of routers and works in asynchronous mode. Nevertheless, I will show how it works, using a screenshot of the web interface and by placing the right parts of the code successively. If the manipulation of the DNS addresses was successful, the trojan reports its success to the C&C.

So, why is it bad?

To appreciate the impact of such actions it is crucial to understand the basic principles of how DNS works.

The DNS is used for resolving a human-readable name of the network resource (e.g. website) into an IP address that is used for actual communications in the computer network.

For example, the name “google.com” will be resolved into IP address 87.245.200.153.
In general, a normal DNS query is performed in the following way:

When using DNS-hijacking, the cybercriminals change the TCP/IP settings of the victim (which in our case is the router) to force it to make DNS queries to a DNS server controlled by them – a rogue DNS server.
So, the scheme will change into this:

As you can see, instead of communicating with the real google.com, the victim will be fooled into communicating with a completely different network resource.

This could be a fake google.com, saving all your search requests and sending them to the cybercriminals, or it could just be a random website with a bunch of pop-up ads or malware. Or anything else.

The attackers gain almost full control over the network traffic that uses the name-resolving system (which includes, for example, all web traffic). You may ask – why does it matter: routers don't browse websites, so where's the risk? Unfortunately, the most common configuration for Wi-Fi routers involves making the DNS settings of the devices connected to it the same as its own, thus forcing all devices in the network to use the same rogue DNS.
So, after gaining access to a router's DNS settings one can control almost all the traffic in the network served by this router. The cybercriminals were not cautious enough and left their internal infection statistics in the open part of the C&C website. According to them, they successfully infiltrated 1,280 Wi-Fi networks.
If this is true, the traffic of all the users of these networks is susceptible to redirection.

Conclusion

The Trojan.AndroidOS.Switcher does not attack users directly.
Instead, it targets the entire network, exposing all its users to a wide range of attacks – from phishing to secondary infection.

The main danger of such tampering with routers' settings is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked.

Even if the rogue DNS servers are disabled for some time, the secondary DNS, which was set to 8.8.8.8, will be used, so users and/or IT will not be alerted. We recommend that all users check their DNS settings and search for the following rogue DNS servers:

101.200.147.153
112.33.13.11
120.76.249.59

If you have one of these servers in your DNS settings, contact your ISP support or alert the owner of the Wi-Fi network. Kaspersky Lab also strongly advises users to change the default login and password for the admin web interface of their router to prevent such attacks in the future.
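The check recommended above, as an added example that is not part of the Kaspersky write-up: it pulls the configured resolvers out of a Linux resolv.conf or a Windows `ipconfig /all` dump (both samples below are constructed), flags the three rogue addresses from the article, and recognises the rogue-primary-plus-8.8.8.8 pattern that Switcher writes into the router.

```python
"""Spot the Switcher rogue DNS servers in a client's resolver settings.

Added example, not code from the Kaspersky write-up. The three rogue addresses
and the 8.8.8.8 secondary are taken from the article; the resolv.conf and
'ipconfig /all' samples below are constructed for the demo.
"""
import os
import re

# Rogue DNS servers the article asks users to look for.
SWITCHER_ROGUE_DNS = frozenset({"101.200.147.153", "112.33.13.11", "120.76.249.59"})

# Public resolver the trojan writes as secondary so resolution keeps working
# if the rogue primary is down. Harmless alone, telling next to a rogue primary.
SWITCHER_FALLBACK_DNS = "8.8.8.8"

_IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def dns_servers_from_resolv_conf(text):
    """Return nameserver addresses from /etc/resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop trailing comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dns_servers_from_ipconfig(text):
    """Return DNS server addresses from Windows 'ipconfig /all' output, in order.

    The first address shares the 'DNS Servers' line; further addresses follow
    on continuation lines that carry nothing but an address.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            servers.extend(_IPV4.findall(line))
            collecting = True
        elif collecting and _IPV4.fullmatch(line.strip()):
            servers.append(line.strip())
        else:
            collecting = False
    return servers


def assess_dns(servers):
    """Classify an ordered resolver list from a device behind the router.

    Returns (verdict, rogue_hits): 'clean' when no listed rogue server appears,
    'switcher-pattern' when a rogue primary is followed by 8.8.8.8 exactly as
    the trojan configures the router, otherwise 'rogue'.
    """
    rogue = [s for s in servers if s in SWITCHER_ROGUE_DNS]
    if not rogue:
        return "clean", []
    if (len(servers) >= 2 and servers[0] in SWITCHER_ROGUE_DNS
            and servers[1] == SWITCHER_FALLBACK_DNS):
        return "switcher-pattern", rogue
    return "rogue", rogue


# Constructed samples standing in for a client on a hijacked TP-LINK network.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search lan
nameserver 101.200.147.153
nameserver 8.8.8.8   # pushed by the router via DHCP
"""

SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.0.23
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 112.33.13.11
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def check_local_resolv_conf(path="/etc/resolv.conf"):
    """Assess the live resolver file when run on a Linux host; None if absent."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return assess_dns(dns_servers_from_resolv_conf(fh.read()))


if __name__ == "__main__":
    for label, servers in (
        ("resolv.conf sample", dns_servers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("ipconfig sample", dns_servers_from_ipconfig(SAMPLE_IPCONFIG)),
    ):
        print(label, servers, assess_dns(servers))
    print("this host:", check_local_resolv_conf())
```

A client that only shows 8.8.8.8 is not cleared by this check: the article's point is that the rogue primary can be silently down while the Google secondary keeps everything working, so the router's own WAN settings still need to be inspected.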
Home modems open up admin controls with zero authentication

A widespread attack on the maintenance interfaces of broadband routers over the weekend has affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany. The German Federal Office for Information Security (BSI) issued a statement indicating that the cyber-assault, which was detected on Sunday and continued into Monday, has also targeted government networks, but has been inconsistent in its effect due to protective measures. It is believed that a modified version of the Mirai worm – which commandeered huge numbers of CCTV cameras and other Internet-of-Things gear – is now scanning home routers for security vulnerabilities, and either crashing or hijacking devices.

This upgraded malware was potentially behind the weekend's outage in Germany, by attacking the modems' maintenance interface on port 7547. Deutsche Telekom has issued a patch for two models of its Speedport broadband routers (Speedport W 921V, Speedport W 723V Type B) and offered affected customers a free day-pass for internet access through mobile devices while the issue gets resolved. The Register last week reported that tens of thousands of Eir broadband modems in Ireland appeared to be vulnerable to remote takeover via TCP port 7547, following the publication of a proof-of-concept exploit. In an email to The Register, Darren Martyn, a security researcher with Insecurety Research, said that there are two issues with the Eir D-1000 broadband router, made by ZyXEL. The first problem, he said, is that the TR-064 interface is accessible via the internet-facing WAN port and allows remote management with no authentication. This appears to be a consequence of TR-069 – aka the Customer-Premises Equipment WAN Management Protocol – which typically makes TCP/IP port 7547 available.
ISPs use this protocol to manage the modems on their network. However, on vulnerable boxes, a TR-064-compatible server is running behind that port and thus accepts TR-064 commands that configure the hardware without authentication. The second problem, according to Martyn, is that the SetNTP Server functionality in the router's TR-064 implementation is vulnerable to command injection. "The first issue, that of TR-064 being wide open to the internet, affects a whole host of other ISPs and vendors, and is, in fact, just as serious as the second one," said Martyn. Martyn said he has confirmed that two routers provided by UK ISP TalkTalk are vulnerable – a ZyXEL modem and the D-Link DSL-3780.

And he said that devices from T-Com/T-home (SpeedPort), MitraStar, Digicom, and Aztech are also at risk.
In a tweet on Monday, Martyn said he has found 48 devices that are vulnerable to the TR-069/TR-064 issue. Altogether, this suggests this particular security nightmare is widespread.
It goes beyond Deutsche Telekom, Eir and TalkTalk: ISP subscribers using the aforementioned weak modems are at risk of infection or losing their connectivity until their firmware is updated. The Register asked TalkTalk for comment today and was told that a response will not be immediately forthcoming because the working day in the UK was just ending. "The TR-064 interface being accessible via WAN with no authentication means that just about anyone on the internet can interact with it, and reconfigure the device remotely," said Martyn.

What's at risk

An attacker could thus alter the DNS settings of the router, alter the port forwarding settings, steal Wi-Fi credentials, and update the ACS/Provisioning Server configuration settings, among other things.

Changing the configuration details thus would allow an attacker to manage hijacked devices using an ISP's ACS management software, Martyn explained. A Metasploit module incorporating the vulnerability was created earlier this month.

According to a post in the SANS ISC InfoSec Forum, it appears that the exploit is being used in a modified Mirai botnet. On Monday, in an emailed statement to The Register, Eir said it has been made aware of potential security vulnerabilities in its ZyXEL D1000 and ZyXEL P-660HN-T1A devices, which account for approximately 30 per cent of its retail customers' broadband modems. As of September, Eir had about 867,000 broadband customers, which includes 443,000 retail customers and 424,000 wholesale broadband connections.
So approximately 130,000 Eir customers may be affected. "We have been working with ZyXEL, the supplier, and we have deployed a number of solutions both at the device and network level which will remove this risk," said Eir's spokesperson. "All of the potentially affected modems are now protected with the network mitigation we have taken. We continue to deploy the firmware patch." Eir is recommending that customers with affected modems change both the administrative password and the Wi-Fi password.

The two passwords should not be the same. A Shodan search indicates that approximately five million devices offer a service on port 7547 over the internet. While not all of these devices are necessarily vulnerable, plenty of them are.
TCP networking code scores own goal

Analysis

A flaw in the Linux kernel lets hackers inject malware into downloads and webpages, smash Tor connections, launch denial-of-service attacks, and more. This is a troubling security headache because Linux is used widely across the internet, from web servers to Android smartphones, tablets and smart TVs. The TCP/IP networking blunder, present in the open-source kernel since version 3.6, can be exploited by miscreants to confirm whether any two systems are talking to each other over a network.

Furthermore, it can be abused to break their connections or insert malicious code and data into their communications if the exchange is not properly encrypted.
In other words, you can hijack HTTP with this. Crucially, you do not need to be a man-in-the-middle attacker to pull this off; you do not need to be eavesdropping on a network. You can be off to the side, firing the right packets at both ends to compromise their exchanges. You have to know the IP addresses of both sides of the connection, and you have to be able to send spoofed packets to them.

And that's about it. The security weakness was discovered by eggheads at the University of California, Riverside.
It's buried within the Linux implementation of RFC 5961, which was published in 2010 and has been supported in the kernel since 2012.

This standard was supposed to make internet communications more secure – but quite the opposite has happened. "The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out," said project leader Zhiyun Qian. "Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing.

The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain." RFC 5961 was designed to block spoofed packet injection attacks by introducing challenge ACK packets.

To successfully insert data into a connection you have to know the two IP addresses and the source and destination ports – known as a four-tuple – plus the next valid serial numbers stamped on the exchanged packets.

Challenge ACKs are used to ensure that no one is trying to forcibly introduce themselves into a valid connection. Crucially, Linux rate limits the output of these challenge ACKs. On a simple level, here's how a hijacking could work: after inferring the source and destination ports in a connection between a server and a client, an attacker can hit the server with dodgy packets to confuse it.

That makes the server send challenge ACKs to the client until the server hits its limit and temporarily stops sending them.

Then the attacker can turn to the client and send spoofed IP packets to break or inject itself into the connection, which will be accepted by the client because the server has been silenced. As a workaround while patches to fix the problem are prepared and distributed, you can raise the rate limit on your Linux machine or gadget so that it cannot be reached, by appending the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

Then use sysctl -p to activate the new rule. You need to be root to do this. According to the researchers:

The root cause of the vulnerability is the introduction of the challenge ACK responses and the global rate limit imposed on certain TCP control packets.

The feature is outlined in RFC 5961, which is implemented faithfully in Linux kernel version 3.6 from late 2012.

At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system, by sending spoofed packets.

The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets. Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable.

Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating.
If there is a connection, it subsequently also takes only tens of seconds to infer the TCP sequence numbers used on the connection.

To demonstrate the impact, we perform case studies on a wide range of applications. The basic idea is to repeat the following steps: 1) send spoofed packets to the connection under test (with a specific four-tuple), 2) create contention on the global challenge ACK rate limit, i.e., by creating a regular connection from the attacker to the server and intentionally triggering the maximum allowed challenge ACKs per second, and 3) count the actual number of challenge ACKs received on that connection.
If this number is less than the system limit, some challenge ACKs must have been sent over the connection under test, as responses to the spoofed packets.

For encrypted HTTPS or SSH transmissions the worst that can be done is to break the connection.

But with unencrypted traffic, the attacker could insert new content into communications and even add malware, with no additional input from the two legitimate owners of the connection. The boffins, presenting at the 25th Usenix Security Symposium in Austin, Texas, on Wednesday, demonstrated the hack on the main website of USA Today, by injecting JavaScript code that siphoned off passwords from a reader login form.
Sites like this are perfect because they have long duration connections between content on the site and servers providing it. They also demonstrated an attack against a Tor relay server – set up specially so as not to interfere with legitimate traffic – and examined 40 Tor relays around the world.
Sixteen relays rejected the attack, probably due to firewalls blocking the packets, but the team broke 88.8 per cent of the rest in an average time of 51.1 seconds. "In general, we believe that a DoS attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide," the team said in a white paper [PDF]. "The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection.
If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays." The team notes that while later versions of Linux are vulnerable to this attack, Windows, OS X and FreeBSD aren't vulnerable because they haven't fully implemented RFC 5961 as yet.

The flaw finders have developed and distributed a patch for this serious error, but that's still going to leave a lot of servers unpatched – and the exploit only requires one end of the communicators to be unpatched for the hack to work.
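A way to verify that the sysctl workaround described above is actually in force on a fleet of Linux hosts, as an added example not written by the article's author or the UC Riverside team. It assumes only the kernel version threshold (3.6) and the `tcp_challenge_ack_limit` value the article gives; it cannot tell whether the researchers' kernel patch has been applied, only whether the global limit has been raised out of reach.

```python
"""Check a Linux host for the RFC 5961 challenge-ACK rate-limit workaround.

Added example, not from the article or the UC Riverside team. It reads the
kernel release and /proc/sys/net/ipv4/tcp_challenge_ack_limit; the affected
version (3.6 onward) and the workaround value (999999999) are the article's.
It only tells whether the workaround is in place, not whether the kernel
carries the researchers' patch, so a patched kernel at its default limit
still reports 'workaround-missing'.
"""
import os
import re

CHALLENGE_ACK_SYSCTL = "/proc/sys/net/ipv4/tcp_challenge_ack_limit"
FIRST_AFFECTED_KERNEL = (3, 6)      # challenge ACKs (RFC 5961) landed in 3.6
WORKAROUND_LIMIT = 999_999_999      # value the article tells you to set


def parse_kernel_release(release):
    """'4.4.0-87-generic' -> (4, 4, 0); a missing patch level reads as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(g) for g in m.groups(default="0"))


def read_challenge_ack_limit(path=CHALLENGE_ACK_SYSCTL):
    """Current sysctl value as int, or None if this kernel has no such knob."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def assess_workaround(release, limit):
    """Return 'not-applicable', 'workaround-missing' or 'workaround-applied'.

    A kernel older than 3.6 never sends challenge ACKs, and a kernel without
    the sysctl does not expose the global limit this workaround raises, so
    both are not-applicable. Anything at or above the article's value counts
    as applied; a smaller limit is still a shared counter that an off-path
    sender can drive to exhaustion.
    """
    if parse_kernel_release(release)[:2] < FIRST_AFFECTED_KERNEL:
        return "not-applicable"
    if limit is None:
        return "not-applicable"
    if limit >= WORKAROUND_LIMIT:
        return "workaround-applied"
    return "workaround-missing"


def assess_this_host():
    """Convenience wrapper for the machine the script runs on (Linux only)."""
    if not hasattr(os, "uname") or os.uname().sysname != "Linux":
        return "not-applicable"
    return assess_workaround(os.uname().release, read_challenge_ack_limit())


if __name__ == "__main__":
    print(assess_this_host())
```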
Microsoft Internet Explorer Memory Corruption Vulnerabilities

Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory.

The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, the attacker could take control of an affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer, and then convince a user to view the website.

The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerabilities.
In all cases, however, an attacker would have no way to force users to view the attacker-controlled content.
Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.

The update addresses the vulnerabilities by modifying how Internet Explorer handles objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                 CVE number     Publicly disclosed   Exploited
Internet Explorer Memory Corruption Vulnerability   CVE-2016-0199  No                   No
Internet Explorer Memory Corruption Vulnerability   CVE-2016-0200  No                   No
Internet Explorer Memory Corruption Vulnerability   CVE-2016-3211  No                   No

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

I am running Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2. Does this mitigate these vulnerabilities?

Yes.

By default, Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server.

This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.

Can EMET help mitigate attacks that attempt to exploit these vulnerabilities?

Yes.

The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit memory corruption vulnerabilities in a given piece of software.

EMET can help mitigate attacks that attempt to exploit these vulnerabilities in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer. For more information about EMET, see the Enhanced Mitigation Experience Toolkit.

Multiple Scripting Engine Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way that the JScript 9, JScript, and VBScript engines render when handling objects in memory in Internet Explorer.

The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website.

An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.

The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements.

These websites could contain specially crafted content that could exploit the vulnerabilities.

The update addresses the vulnerabilities by modifying how the JScript 9, JScript, and VBScript scripting engines handle objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                CVE number     Publicly disclosed   Exploited
Scripting Engine Memory Corruption Vulnerability   CVE-2016-3202  No                   No
Scripting Engine Memory Corruption Vulnerability   CVE-2016-3205  No                   No
Scripting Engine Memory Corruption Vulnerability   CVE-2016-3206  No                   No
Scripting Engine Memory Corruption Vulnerability   CVE-2016-3207  No                   No
Scripting Engine Memory Corruption Vulnerability   CVE-2016-3210  No                   No

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workaround may be helpful in your situation:

Restrict access to VBScript.dll and JScript.dll

For 32-bit systems, enter the following commands at an administrative command prompt:

takeown /f %windir%\system32\vbscript.dll
cacls %windir%\system32\vbscript.dll /E /P everyone:N
cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following commands at an administrative command prompt:

takeown /f %windir%\syswow64\vbscript.dll
cacls %windir%\syswow64\vbscript.dll /E /P everyone:N
cacls %windir%\syswow64\jscript.dll /E /P everyone:N

Impact of workaround. Websites that use VBScript or JScript may not work properly.

How to undo the workaround.

For 32-bit systems, enter the following commands at an administrative command prompt:

cacls %windir%\system32\vbscript.dll /E /R everyone
cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following commands at an administrative command prompt:

cacls %windir%\syswow64\vbscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone

Internet Explorer XSS Filter Vulnerability - CVE-2016-3212

A remote code execution vulnerability exists when the Internet Explorer XSS Filter does not properly validate JavaScript under specific conditions.

An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). In a web-based attack scenario, an attacker could host a website in an attempt to exploit this vulnerability.
In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force users to view the attacker-controlled content.
Instead, an attacker would have to convince users to take action.

For example, an attacker could trick users into clicking a link that takes the user to the attacker's site.

The update addresses the vulnerability by fixing how the Internet Explorer XSS Filter validates JavaScript. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                        CVE number     Publicly disclosed   Exploited
Internet Explorer XSS Filter Vulnerability CVE-2016-3212  No                   No

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

WPAD Elevation of Privilege Vulnerability - CVE-2016-3213

An elevation of privilege vulnerability exists in Microsoft Windows when the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process.

An attacker who successfully exploited this vulnerability could bypass security and gain elevated privileges on a targeted system. To exploit the vulnerability, an attacker could respond to NetBIOS name requests for WPAD.

The update addresses the vulnerability by correcting how Windows handles proxy discovery. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                        CVE number     Publicly disclosed   Exploited
WPAD Elevation of Privilege Vulnerability  CVE-2016-3213  No                   No

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workarounds may be helpful in your situation.

Disable WINS/NetBT name resolution

1. Open Network Connections.
2. Click the Local Area Connection to be statically configured, and then from the File menu, click Properties.
3. In the list of components, click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, click the WINS tab, and then click Disable NetBIOS over TCP/IP. Optionally, you can select the Use NetBIOS setting on the DHCP server if you are using a DHCP server that can selectively enable and disable NetBIOS configuration through DHCP option types.

Stop WPAD using a host file entry

1. Open the host file located at the following location as an administrator: %systemdrive%\Windows\System32\Drivers\etc\hosts
2. Create the following entry for WPAD in the host file: wpad 255.255.255.255

Impact of workaround. Autoproxy discovery will not work, and for this reason, some applications, such as Internet Explorer, will not be able to load websites properly.

How to undo the workaround.

1. Open the host file located at the following location as an administrator: %systemdrive%\Windows\System32\Drivers\etc\hosts
2. Remove the following entry for WPAD in the host file: wpad 255.255.255.255
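The hosts-file workaround above, applied and undone without hand-editing, as an added example that is not Microsoft tooling. The wpad name, the 255.255.255.255 address and the hosts path are the bulletin's; hosts files list the address before the name, so the entry is written as `255.255.255.255 wpad`. The sample hosts content is constructed, and the `rewrite_hosts` helper is an assumption about how you would wire it to the real file.

```python
"""Apply, verify or undo the bulletin's WPAD hosts-file workaround.

Added example, not Microsoft tooling. The 'wpad' name, the 255.255.255.255
address and the hosts path come from the bulletin; hosts files list the
address before the name, so the entry is written '255.255.255.255 wpad'.
The sample hosts content is constructed.
"""
import os

WPAD_NAME = "wpad"
WPAD_ADDR = "255.255.255.255"
WPAD_LINE = WPAD_ADDR + " " + WPAD_NAME + "  # WPAD workaround (MS bulletin)"
HOSTS_PATH = os.environ.get("SystemDrive", "C:") + r"\Windows\System32\Drivers\etc\hosts"


def _entries(text):
    """Yield (line_index, address, [names]) for every non-comment hosts line."""
    for i, raw in enumerate(text.splitlines()):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield i, parts[0], [p.lower() for p in parts[1:]]


def _newline(text):
    """Keep whatever line ending the existing file uses (Windows: CRLF)."""
    return "\r\n" if "\r\n" in text else "\n"


def wpad_state(text):
    """'blocked' if wpad resolves to 255.255.255.255, 'other' if wpad is
    mapped to some other address, 'absent' if no line names wpad."""
    for _, addr, names in _entries(text):
        if WPAD_NAME in names:
            return "blocked" if addr == WPAD_ADDR else "other"
    return "absent"


def apply_workaround(text):
    """Return the hosts text with the WPAD entry present exactly once."""
    state = wpad_state(text)
    if state == "blocked":
        return text                       # idempotent: nothing to do
    if state == "other":
        raise ValueError("hosts already maps wpad elsewhere; review it first")
    nl = _newline(text)
    if text and not text.endswith(nl):
        text += nl
    return text + WPAD_LINE + nl


def undo_workaround(text):
    """Return the hosts text with the 255.255.255.255 wpad line(s) removed."""
    drop = {i for i, addr, names in _entries(text)
            if addr == WPAD_ADDR and WPAD_NAME in names}
    nl = _newline(text)
    kept = [line for i, line in enumerate(text.splitlines()) if i not in drop]
    return nl.join(kept) + (nl if kept else "")


# Constructed stand-in for a stock Windows hosts file (CRLF line endings).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "# localhost name resolution is handled within DNS itself.\r\n"
    "127.0.0.1 localhost\r\n"
)


def rewrite_hosts(path, transform):
    """Read the hosts file, apply transform() and write it back (run as admin)."""
    with open(path, newline="") as fh:          # newline="" keeps CRLF intact
        new_text = transform(fh.read())
    with open(path, "w", newline="") as fh:
        fh.write(new_text)


if __name__ == "__main__":
    applied = apply_workaround(SAMPLE_HOSTS)
    print(wpad_state(SAMPLE_HOSTS), "->", wpad_state(applied),
          "->", wpad_state(undo_workaround(applied)))
```

To act on the real file, call `rewrite_hosts(HOSTS_PATH, apply_workaround)` or `rewrite_hosts(HOSTS_PATH, undo_workaround)` from an elevated prompt; `wpad_state` on the file's contents is the check to put in a compliance scan.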
15m telnet nodes, 4.5m printers TCP port 445...

Millions of services that ought to be restricted are exposed on the open internet, creating a huge risk of hacker attack against databases and more. Infosec firm Rapid7's researchers took a close look at the millions and millions of individual services that live on the public IP network, one of the most fundamental components of the internet. Researchers attempted to ascertain to which extent various internet protocols are in use, where they are located, and how much of this is inherently insecure due to running over non-encrypted, cleartext channels. Millions of systems on the internet offer services that should not be exposed to the public network.

The survey uncovered 15 million nodes appearing to offer telnet (usually unencrypted), 11.2 million appearing to offer direct access to relational databases, and 4.5 million apparent printer services. Around 4.7 million systems expose one of the most commonly attacked ports used by Microsoft systems, 445/TCP. Oddly 75 per cent of the servers offering SMB/CIFS services – a (usually) Microsoft service for file sharing and remote administration for Windows machines – originated in just six countries: the United States, China, Hong Kong, Belgium, Australia and Poland. The most exposed nations on the internet included countries with the largest GDPs, such as the United States, China, France, and Russia. The research – summarised here – was put together by Bob Rudis, Jon Hart and Tod Beardsley.

Beardsley explained that the research gave the team a fresh perspective on the services deployed on the public side of firewalls the world over. Although, to the man on the street, the internet is imagined to run over the one or two protocols that the World Wide Web runs on – HTTP and HTTPS – there are loads of other services. Rapid7's researchers say their study shows, for the first time, how much telnet, SSH, FTP, SMTP, or any of the other protocols that run on TCP/IP are actually in use, where they are all located, and how much of this is inherently insecure due to running over non-encrypted, cleartext channels. He explained this was different from, but complementary to, other research efforts. "While projects like CAIDA and Shodan perform ongoing telemetry that covers important aspects of the internet, we here at Rapid7 are unaware of any ongoing effort to gauge the general deployment of services on public networks.
So, we built our own, using Project Sonar," Beardsley said.