Scan of Entire Internet Reveals Too Many Leaky Devices

There are 3.7 billion IP addresses on the Internet, and HD Moore has pinged every one of them.

Moore is chief security officer at Rapid7, a cyberthreat and risk management company. In February, he decided as a hobby project to conduct a census of all the devices connected to the Internet, using a nest of computers in a spare room in his home. What he found from a security perspective was disturbing.

He discovered millions of unsecured embedded devices on the Web — printers, set-top TV boxes, modems, routers and such.

“While everyone is concerned with managing patches and Java and things like that, the number one way to break into the most devices on the Internet is to break into these plug-and-play devices,” he told TechNewsWorld.

One of the problems with these machines, which use the UPnP protocol to talk to each other and to the Internet, is that, unlike computer software, the firmware in these devices is rarely patched to address security flaws.

“A lot of times manufacturers don’t have updates for them,” he said. Those who do provide updates may not have done so for devices that are older than a year or two. “That means if you have a router that’s more than a year old, which is most of us, you’re not going to get an update for it.”

Recruited for Botnet Service

There haven’t been a lot of high-profile cases of these devices being exploited for nefarious purposes. However, Moore cited an incident in Brazil in which almost every cable modem for one ISP was hacked, and everyone using those modems was redirected to a malware infection site.

There are 1.2 million embedded devices on the Internet whose passwords are simply “admin” or “root,” and those devices are being used in distributed denial of service attacks, Moore said.

“A lot of the source systems for the DDoS attacks in the news are these embedded devices that have been hijacked and used as part of a botnet.”

Pinging the Internet can bring some unwanted attention to yourself, Moore learned. “I got a lot of phone calls and emails from AGs in different states wanting to know what I was doing.”

In some of those cases, “law enforcement folks came back and said, ‘Now that we know you’re doing this, can you tell us how to secure our IP range?’”

Real Name Downside

Much hullabaloo has been raised over the use of real names at sites like Facebook and Google+. The idea is that people behave with more civility if they can’t hide behind anonymity.

From a security standpoint, though, real names can make the life of a hacker or identity thief easier. That’s because instead of making a miscreant work to find both a username and a password, they’re getting usernames without working up a sweat.

“Instead of two possible points of failure, there’s only one point,” Dashlane Vice President of Marketing Nishant Mani told TechNewsWorld.

Another insecure practice encouraged by websites involves urging newcomers to register with a Facebook or other account, he added. If a Facebook account is compromised, it can have a domino effect on digital lives.

“Websites aren’t doing that because they actually want you to use Facebook,” he said. “Most websites would rather that you give them something unique because they don’t want their relationship with you governed by a third party.”

They’re doing it because it’s convenient, Mani said. “The average user doesn’t want to remember a whole bunch of passwords, and website owners don’t want to put another barrier between them and a consumer using their service.”

Crowdsourcing Benchmarks

Crowdsourcing has been cropping up everywhere — from raising capital for new tech products to tracking down terror suspects. Now it’s making an appearance in how security benchmarks are established.

The Center for Internet Security (CIS) creates benchmarks for the default settings of security configurations used by everything from operating systems and Web servers to firewalls.

While there are many sources of that kind of information — operating system makers, for example, and the federal government — the CIS’s crowdsourcing approach sets it apart, said Rick Comeau, who is with the organization’s benchmark division.

“Our benchmarks are the result of a consensus-based crowdsourced effort of folks representing a huge swath of organizations and experiences,” he told TechNewsWorld.

A problem with crowdsourcing is that it can devolve into noise and no action. That problem has worked itself out in the years CIS has been using crowdsourcing.

“There have been some folks who make noise and don’t provide the best recommendations, but they tend to get crowded out by the crowd,” Comeau said.

Breach Diary

  • April 29. Javelin Strategy & Research estimates the total cost to society of a health data breach in Utah, in which the personal information of some 750,000 residents was compromised, at US$406 million.
  • April 30. notifies its users that it had “identified, interrupted and swiftly shut down an external attack” on its network. Information accessed during the breach included names, email and postal addresses and in some instances phone numbers, dates of birth and occupational information.
  • April 30. Minnesota Attorney General moves to dismiss federal lawsuits stemming from a data breach in which a state Natural Resources department employee snooped on driver license information for several people. Minimum damages for a violation involving driver license information are $2500 per violation.
  • May 1. AlienVault Labs discovers Site Exposure Matrices (SEM) website of U.S. Department of Labor compromised and serving malware to visitors.
  • May 1. Datalane reports that 60 percent of some 50 million passwords compromised at Living Social in April were reused at other sites by the members of the daily deal site. It also notes that the average netizen uses the same password at 49 websites.
  • May 1. Pennsylvania Senate passes by unanimous vote a bill requiring state agencies to notify residents within a week of a data breach. Current law requires notification “as soon as possible.”
  • May 2. Bloomberg News reports defense contractor QinetiQ’s systems were compromised by Chinese hackers for three years. Sensitive information pilfered by intruders could include the deployment and capabilities of the U.S. combat helicopter fleet.

Upcoming Security Events

  • May 8. Securing the Mobile Workforce from BYOD to Teleworking. 1 p.m. ET Government Security News Webinar. Free.
  • May 15-16. NFC Solutions Summit. Hyatt Regency San Francisco Airport. Registration $760-$1020.
  • May 19-22. 13th annual Computer and Enterprise Investigations Conference (CEIC). Orlando, Fla. Registration: $1095.
  • June 10-13. Gartner Security & Risk Management Summit. National Harbor, Md. Registration: $2375.
  • June 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. ET. Newseum, Washington, D.C. Registration for Non-government attendees through June 10, $495; Onsite, $595.
  • June 14-22. SANSfire 2013. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Course tracks range from $1800-$4845.
  • June 15-16. Suits and Spooks Conference. La Jolla, Calif. Registration: Until May 10, $395; Securing Our eCity Foundation members, $345; government/military $295. After May 10, $595.
  • July 24. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. Newseum, Washington, D.C. Registration: government, free; non-government $395 through July 23; Onsite, $595.

John Mello is a freelance technology writer and former special correspondent for Government Security News.