Pinging the Entire Internet

Turns out there’s a lot of vulnerable systems out there:

Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could to let anyone take control of them.

On Tuesday, Moore published results on a particularly troubling segment of those vulnerable devices: ones that appear to be used for business and industrial systems. Over 114,000 of those control connections were logged as being on the Internet with known security flaws. Many could be accessed using default passwords and 13,000 offered direct access through a command prompt without a password at all.

[…]

The new work adds to other significant findings from Moore’s unusual hobby. Results he published in January showed that around 50 million printers, games consoles, routers, and networked storage drives are connected to the Internet and easily compromised due to known flaws in a protocol called Universal Plug and Play (UPnP). This protocol allows computers to automatically find printers, but is also built into some security devices, broadband routers, and data storage systems, and could be putting valuable data at risk.

Tags: computer security, hardware, ICS, Internet, SCADA, vulnerabilities

Posted on April 30, 2013 at 6:11 AM • 25 Comments

Comments

jeek • April 30, 2013 6:47 AM

I tried running nmap against the entire Internet, splitting it into four chunks that I ran separately their own nmaps. Shortly after I started, my ISP forwarded this letter to me that they received from the Department of Defense, so I stopped. 🙁

A host/port sweep

20121225
TCP Ports 1, 9, 22, 43 Sweep of OUR subnet(s):
128.49
FROM [redacted] (redacted [US]))
Starttime Tue Dec 25 23:54:57; Endtime Wed Dec 26 2012 01:32:08;
TCP Ports 1, 9, 22, 43: attempts on about 66 addresses.

was logged at this United States Department of Defense facility,
apparently originating from one of your machines. The time zone is
PST (Greenwich -8 hours).

Suggested interpretations:
1. One of your machines has been compromised/infected and is scanning
our networks.
2. One of your users is scanning our networks.

Thank you for your attention.

–Intrusion Detection Team
idt@spawar.navy.mil
SPAWARSYSCEN San Diego

Ari Maniatis • April 30, 2013 7:17 AM

That makes me want to try running a port scan of 128.49.0.0/16 just for the honour of getting an email from the US Navy.

Apparently I only have to hit 66 addresses!

I am not really sure what security is created by sending out these emails… in fact you could use the receipt of one of these emails as a way to determine if your hacking attempts are subtle enough and use that as a way to tune your approach.

“Warmer… I can see you…”
“Warmer, yep, still see you.”
“Colder, no email…”

foo • April 30, 2013 7:34 AM

A much more interesting ping of the Internet:

http://internetcensus2012.bitbucket.org/paper.html

wiredog • April 30, 2013 7:52 AM

Looks like Brian Krebs has pissed off the Russkies again.

kevinm • April 30, 2013 8:13 AM

IPv4 =/= The Internet since at least 9 years now. sigh.

Spaceman Spiff • April 30, 2013 8:22 AM

This reply to Moore’s research from the CTO of Digi International was a (rarely) rational response:

Joel Young, chief technology officer of Digi International, manufacturer of many of the unsecured serial servers that Moore found, welcomed the research, saying it had helped his company understand how people were using its products. “Some customers that buy and deploy our products didn’t follow good security policy or practices,” says Young. “We have to do more proactive education for customers about security.”

If they follow up on this, then they get an A+ in retro-active ass-covering… 🙂

Frank Wilhoit • April 30, 2013 8:54 AM

@kevinm: RS-485 never was the Internet, but apparently it is now: I can’t remember the last time two words sent such a chill through my blood as “serial servers”. It is disproportionately the oldest stuff that we need to be worried about.

Bob T • April 30, 2013 8:55 AM

“Large power and Internet bills, and incidents such the Chinese government’s Computer Emergency Response Team asking U.S. authorities to stop Moore “hacking all their things” have convinced him it’s time to find a new hobby.”

Screw the Chinese.

Gordon • April 30, 2013 10:41 AM

This is the context of my last comment on the, “could only happen in a movie,” post.

I am reminded of the Dune scene when Paul doesn’t feel like practising with Duncan, “In shield fighting, one moves fast on defense, slow on attack. Attack has the sole purpose of tricking the opponent into a misstep, setting him up for the attack sinister. The shield turns the fast blow, admits the slow kindjal!”

Alobar • April 30, 2013 10:41 AM

Makes me wonder why terrorists don’t destroy American companies, wreak havoc, and get rich? Less messy than bombings. And they could give away some of their loot to Americans building popular support for their cause —- i.e. become Muslim Robinhoods.

B McMahon • April 30, 2013 11:05 AM

Don’t give Digi any awards yet, retroactive or otherwise. From the actual article:

[The Digi CTO] also said that Digi would continue to ship products with default passwords, because it made initial setup smoother, and that makes customers more likely to set their own passwords. “I haven’t found a better way,” he says.

Bzzzt, wrong. Shipping devices with default passwords does not make customers more likely to set their own. It makes them more likely to retain the default unthinkingly.

To make customers more likely to set their own passwords, you need to fix your setup software so it prompts them to do so. But that would be extra work, and they’re clearly selling devices just fine as it is.

For extra credit, apply some password goodness logic … or at least warn people who pick “password” or “123456” that they are being foolish.

Clive Robinson • April 30, 2013 11:20 AM

Ahh the joy of serial servers 🙂

There are some I know of that are connected to equipment that is so old…

For instance a PDP11/70 with it’s command terminal port connected to one… It runs equipment installed back in th 1980’s which to my surprise is still functioning.

It’s not unknown for the likes of Sun equipment in telecoms operators to have multiple systems with their serial console / terminal port connected to terminal servers with many still running Sun OS 8…

I’m sure if people looked around they might find even older examples…

And for those to young to know most of these control terminal ports are plain old V24 ports using RS232 signaling designed to carry ASCII from either dumb old ASR/KSR teletypes or early VDU terminals predating 1980 over a few feet of cable in a server room and thus having zero security value built in…

Howard • April 30, 2013 11:34 AM

This reminds me of the “shodan” search engine – referred to as the “scariest search engine” on the internet. It basically shows what non-traditional/consumer devices are connected, how open they are, etc.

http://www.shodanhq.com/

Simon • April 30, 2013 1:23 PM

@wiredog – I noticed that. They must be pounding him for something again. In fact, I wonder if other bloggers are actually laying low with lame posts just to avoid receiving the same treatment.

dragonfrog • April 30, 2013 1:45 PM

@Alobar “Makes me wonder why terrorists don’t destroy American companies, wreak havoc, and get rich?”

Non-terrorist Americans are doing a perfectly good job of destroying their own companies. Any terrorist action would be lost in the noise – they might as well try to flood Cleveland by running a garden hose into lake Erie…

Eseell • April 30, 2013 5:40 PM

Very interesting. Now let’s see the data for all of the allocated IPv6 space. 🙂

Tom • April 30, 2013 7:41 PM

Try pinging the entire internet after the conversion to IPv6

Figureitout • April 30, 2013 8:53 PM

Bruce, I think you missed a big quote but the article’s short’n’sweet: But the data collected has revealed some serious security problems, and exposed some vulnerable business and industrial systems of a kind used to control everything from traffic lights to power infrastructure.
–B/c these systems can have an even greater physical effect on you b/c I’m sure many have data backups, but how’s that backup power? That generator may last, what, a week?

Anyway, why are these systems attached to an inherently insecure network?! It’s the video surveillance, isn’t it? The crosswalks systems suck @55 anyway, eliminate them! I can turn my head and cross the damn street!!

TomTrottier • April 30, 2013 10:26 PM

Pinging the entire internet will take a while. Better to loop by iterating thru the top octets. It will be a while before you revisit that subnetwork….

Clive Robinson • May 1, 2013 3:54 AM

@ figureitout,

Anyway, why are these systems attached to an inherantly insecure network?

Simple answer is it’s a series of short sighted managment “cost cutting choices” over time. But if you called them on it they would argue that legally they are required to do so as part of “shareholder value”…

Historicaly you need to study how we got from the original entirely manual systems run by people on site to our current lamentable state of affairs where everything is run by nobody at some far off place often via systems in space with close to zero security.

Basicaly the problem is a balance between the controling hand and the controling mind when seen through the perspective of efficiency. Obviously the most efficient way to control a physical process is to have the hand as close as possible to the point that requires control.

If you look at the railway system in Britain during the Victorian era where the railway crossed a road at the same level (hence UK term of “level crossing”) in a village or town there was usually a man who had a cottage and set of signals and a mechanical telegraph directly adjacent to the crossing, whose job was to stop traffic and manualy close the crossing gates and operate the signals and telegraph.

Thus the physical controling hand and mind was on site and required a full support system of home garden etc.

Many of those crossings are still there today but are fully automated with nobbody on site and not even a controling mind. In most cases just a box of electronics that has replaced the relay ladder logic to control the signal sequenciing and gate motors that had replaced the man. As for the cottage and garden it’s probably been sold off long long ago.

Oddly perhaps the time when the controling mind was least present was with the ladder logic. As comms technology has improved we now have the ability to bring the controling mind back. The reason for doing so being to increase capacity by alowing the safe distance between trains to be substantialy reduced and track speeds to be increased.

Thus the most efficient system currently is one of highly centralised mind controling thousands of hands from great distance. And as the cost of communications drops distance becomes in effect no problem, so moving the controling mind half way around the globe is now a way to save money simply by going where labour costs are the lowest, which is what we see in the Petro Chem industries.

However there is the proverbial “elephant in the room” of security or lack there of, and it arises due to legacy issues.

Back when ladder logic was designed nobody designing them envisaged that less than fifty years later communications would be where they are now, nor the technology. The transistor had been invented less than a decade previously and computers were still rarer than hens teeth and primarily were using relay and thermionic valve technology.

But those ladder logic systems were designed to have minimum service lives of twenty five years and many operated for thirty or more. They were designed for simplicity and reliability. And thereby started the problem, as long as the communications were considered private the overriding design goals were high availability achieved through high reliability and minimum repair/maintanence times. Thus simplicity of protocols etc was an overriding consideration and the only consideration towards security being that against acts of god / nature.

Then twenty years later a major revolution in communications happened it was called “deregulation” the cost of communications plumeted, distance metrics quickly became inhibitors to business and the comms market was forced to respond both legaly and to new market preasures. A race for the bottom started and one of the first casualities were the very expensive private communications networks…

The switch over was fast and nobody wanted to talk about the elephant of security, even though it was well known that these systems were vulnerable. The god of mamon had to be served through short term shareholder value, next quaters figures were the only measures of success.

So cost cutting started in areas like maintanence that short term view dictated it, the only thing of interest in walnut corridor was not preventing failure in the future just mitigating it’s effect on them if it should happen now or in the future via legal niceties and further they all assumed they would have gone on to bigger and better things anyway… So we got the likes of Enron and black outs and power shortages they enjendered.

In such an environment there was little or no chance that the wide open information security issues would be addressed as at best such activity would not be increasing short term profit even if it was not costing money it was diverting resources from profit making and thus depriving shareholders of their legal rights…

It is only in recent times where vulnarabilities are painfully obvious and being regularly exploited are people now talking about information security in such infrastructure systems.

But guess what this same problem is occuring in medical technology with the likes of implants and WiFi based bedside equipment relaying back to central nursing systems.

And guess where next?

How about smart metering where home owners will lose control of their home appliances in the name of “being green” rather than the real reason lack of investment in infrastructure by the infrastructure companies. If some have their way you will only be able to have a fridge cooker or heating or air conditioning if you cead control to them.

If you think “no way” you will have no choice you won’t legaly be able to refuse. We’ve already seen this sort of behaviour with set top boxes for cable TV and now for radio it’s becoming built into your TV with some modern sets requiring network connections to function such that the manufacturer can harvest every channel watched and when…

Welcome to the brave new technological world, where big brother is in every item with your fridge snitching about your liking of unhealthy food to the manufacture who then sells it on to your insurance company so your premiums will be automaticaly raised to cover not just the increased risk cost but also the cost of collecting the information and making the information broker extreamly wealthy…

Chelloveck • May 1, 2013 10:53 AM

I just want to know why something that calls itself “Technology Review” thinks it has to parenthetically define “two terabytes”… And why they thought “2000 gigabytes” would be any more meaningful to someone who needed the definition in the first place.

name.withheld.for.obvious.reasons • May 1, 2013 4:54 PM

@Clive
I’m afraid it’s worse than what you speak of…

There is a subtle move, telcos, government, and big business (data) and the commodification of the consumer. I would have preferred to use the term citizen, but both government and the people of the United States view it as irrelavent.

It will only be after the gates have been opened that people will wake up and recognize the facistic nature of their government and economic institutions.

Good night, and good luck.

Figureitout • May 1, 2013 11:26 PM

@Clive Robinson
–Thanks for the history lesson, interesting. That “brave” new world makes sense when a couple kids can bring an entire city under a swat-team lockdown; that’s brave. And that wonderful future you laid out, well I’m starting to see I believe microwave and infrared sensors in restrooms, some even in the stalls themselves. Think it’s more fitting to call it a “creepy” new world.

Wim L • May 2, 2013 2:02 AM

Of course, any automatic toilet, no-touch faucet or towel dispenser, etc., uses a microwave or infrared sensor. They’re really common in heavy use bathrooms.

Figureitout • May 2, 2013 2:21 PM

@Wim L
–No, they’re on the ceiling and I could light up the LED when I moved; and of course it’s in the handicapped stall. Touchless sensors do have some benefits, but point is, more room for other hardware.

Since they turn on lights, you could just put it on the door; but schools are wanting to remove doors so police officers at schools can and I quote, “Hear what’s going on in there.”