Contents

1 Foreword ... 4
1.1 Disclaimer ... 4
2 Analysis Summary ... 5
2.1 Unencrypted protocols ... 6
2.2 Web interfaces ... 7
2.3 SCADA ... 8
2.4 The vulnerability landscape ... 8
2.5 Recommendations ... 9
3 Operating System analysis ... 11
3.1 TOP-20 all fingerprints ... 12
3.2 Linux kernel versions ... 13
3.3 Windows versions ... 13
3.4 Firewall / Switch / Router devices ... 14
3.5 Home router devices ... 14
3.6 Printer devices ... 15
3.7 Possible SCADA systems ... 15
4 Port analysis ... 16
4.1 TOP-40 port list ... 17
4.2 Ports open, counted by hosts ... 18
4.3 Database ports ... 21
4.4 Unencrypted protocol ports ... 21
4.5 Management interface ports ... 22
4.6 Proxy ports ... 22
4.7 Denial of service ports ... 23
4.8 Printing ports ... 23
4.9 Other sensitive ports ... 23
4.10 Firewall data comparison ... 24
5 Serviceprobe analysis ... 25
5.1 Www Generic Web-servers ... 26
5.2 Www Embedded servers and network router servers ... 27
5.3 Www Firewall, proxy and management servers ... 27
5.4 Www Printer servers ... 28
5.5 Www Media and surveillance servers ... 28
5.6 Www Possible SCADA-related servers ... 29
5.7 FTP Servers ... 29
5.8 SSH Servers ... 30
5.9 Telnet servers ... 30
5.10 SMTP Servers ... 31
5.11 DNS Servers ... 31
5.12 IMAP Servers ... 32
5.13 SNMP Servers ... 32
5.14 MS SQL Servers ... 33
5.15 MySQL Servers ... 33
6 Vulnerability Analysis ... 34
7 References ... 35

October 2013
1 Foreword
A huge amount of data titled Internet Census 2012 was released earlier this year. It was acquired with a botnet named Carna between June and October 2012, which used insecure embedded devices to scan the Internet. Overall Internet Census 2012 project information: 420 million IP addresses responded to ICMP ping at least two times between June 2012 and October 2012.
The data contains a lot of different scan information, like open ports, trace routes, reverse DNS queries and much more. This information provides an overview of what the Internet looked like during the time period. The data was made publicly available through the BitTorrent network.

We at Nixu decided to take a look at the data from a Finnish viewpoint, and this report covers the results of this analysis. The main data items we considered interesting were operating system statistics, TCP port statistics and the results of some service probes, which contain the actual server responses. In addition, the data provided a view into systems and services which should not be directly available from the Internet.

There were 13,782,236 Finnish IP addresses in our list. We isolated the data associated with these IP addresses from the complete data set. This subset was further processed and analyzed to generate statistics and draw conclusions. No correlation was done between the analyzed data sets. The analysis was done by Nixu's Security Intelligence and Research team (Nixu SIR).
1.1 Disclaimer
Even though the data was acquired unethically, by hacking into devices and using them to scan the Internet, analyzing data released into the public domain should only be viewed as a research exercise. We think that the data is likely authentic, but there is no guarantee that it has not been manipulated or crafted. Also note that properly firewalled servers are not included in the data. We do not have any supporting numbers on the total number of Internet-connected devices that could have been fully firewalled or shut down during the port scan activity; such numbers could have added to the analysis as another way of indicating the network posture. When viewing this report, bear in mind that it is based only on the publicly available data, accurate or not. Even though the scan was done some time ago, we do not believe the overall picture has changed that much.
2 Analysis Summary
Finland is said to have one of the cleanest network environments, at least in terms of malware infections. However, there are potentially serious weaknesses in the Finnish cyber landscape. The basic network reconnaissance provided by the Internet Census scan revealed that most (94.6%) of the over 500,000 hosts scanned have a relatively healthy number of ports open.

This means the attack surface of these hosts is smaller, but there are still tens of thousands of Internet-connected hosts with practically open doors for attackers. All of these contribute to the attack surface a potential attacker can try to utilize. Whether it is a common ADSL router used by thousands of end-users or a single corporate printer sitting directly on the Internet, security could potentially be compromised.
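To show how per-host open-port counts and the port categories used in this report are derived from census-style records, here is an added example; it is not code from the report or from the census project. The record layout (IP, timestamp, port, state, tab-separated), the in-scope prefix list standing in for the list of Finnish addresses, the port categories and the "many ports" threshold are assumptions, and the sample records are constructed.

```python
"""Exposure summary over Internet Census 2012-style TCP port records.

Added example for this page, not code from the Nixu report or from the
census project. It assumes a record layout of
IP<TAB>timestamp<TAB>port<TAB>state per line (an assumption; check the
real data set's README before using it), a list of in-scope prefixes
standing in for the report's list of Finnish IP addresses, and a port
categorisation that only approximates the report's chapter 4. All sample
records below are constructed.
"""
from collections import defaultdict
import ipaddress

# Approximate port categories (assumed; the report's own lists are in chapter 4).
PORT_CATEGORIES = {
    "unencrypted": {21, 23, 80, 110, 143},
    "insecure_mgmt": {23, 161},
    "secure_mgmt": {22, 443},
    "database": {1433, 1521, 3306, 5432},
    "proxy": {3128, 8080},
    "scada": {102, 502, 20000},
}

# Stands in for the Finnish address list (constructed, documentation prefix).
IN_SCOPE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed records; 203.0.113.5 is outside the prefix list and must be dropped,
# and the duplicate observation for it must not be counted twice either way.
SAMPLE_RECORDS = """\
198.51.100.10\t1341000000\t80\topen
198.51.100.10\t1341000000\t443\topen
198.51.100.10\t1341000100\t22\topen
198.51.100.10\t1341000100\t3306\topen
198.51.100.10\t1341000200\t25\tclosed
198.51.100.77\t1341000300\t23\topen
198.51.100.77\t1341000300\t161\topen
198.51.100.77\t1341000400\t502\topen
203.0.113.5\t1341000500\t80\topen
203.0.113.5\t1341000500\t80\topen
"""


def parse_records(text):
    """Yield (ip_address, port, state); skip lines that do not have four fields."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue
        ip, _timestamp, port, state = fields
        try:
            yield ipaddress.ip_address(ip), int(port), state
        except ValueError:
            continue  # malformed address or port


def open_ports_by_host(text, prefixes=IN_SCOPE_PREFIXES):
    """Map each in-scope host to its set of open ports (repeat observations collapse)."""
    hosts = defaultdict(set)
    for ip, port, state in parse_records(text):
        if state == "open" and any(ip in net for net in prefixes):
            hosts[str(ip)].add(port)
    return dict(hosts)


def classify_ports(ports):
    """Return {category: ports} for every category the host's open ports touch."""
    return {name: ports & members
            for name, members in PORT_CATEGORIES.items() if ports & members}


def exposure_summary(text, prefixes=IN_SCOPE_PREFIXES, many_ports=10):
    """Per-host and per-category view of the exposure the report describes.

    many_ports is an assumed threshold for 'practically open doors'; the
    report does not state the cut-off behind its 94.6% figure.
    """
    hosts = open_ports_by_host(text, prefixes)
    hosts_per_category = defaultdict(int)
    per_host = {}
    for ip, ports in hosts.items():
        categories = classify_ports(ports)
        for name in categories:
            hosts_per_category[name] += 1
        per_host[ip] = {"open_ports": sorted(ports), "categories": categories,
                        "many_ports": len(ports) >= many_ports}
    return {"hosts": len(hosts), "per_host": per_host,
            "hosts_per_category": dict(hosts_per_category)}


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE_RECORDS)
    print(summary["hosts"], "in-scope hosts with at least one open port")
    for ip, info in sorted(summary["per_host"].items()):
        print(ip, info["open_ports"], sorted(info["categories"]))
    print("hosts per category:", summary["hosts_per_category"])
```

Scope filtering happens before counting, which is the order the report describes (isolate the Finnish subset, then generate statistics); the same function run over an organization's own address space gives the self-assessment that chapter 2.5 recommends.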
This in essence means that thousands of Internet-connected devices and information systems are prone to eavesdropping, information gathering and other abuse, even by an attacker with a limited hacking skill set.
The Internet Census data can be used as a valid source of reconnaissance intelligence on services running at governmental entities, industries and organizations, without the need to actively probe their networks. An attacker could, for example, map the services used across the globe to enable global exploitation of widely used and vulnerable services. He could also pinpoint a single Internet-connected device to use as an entry point into the selected target organization.

We believe that the scan revealed just the tip of the iceberg of the weaknesses in Finnish networks overall, when application-level vulnerabilities are also taken into consideration. Nixu has done hundreds of security assessments of systems owned by different organizations and governmental entities, and our findings support this conclusion. Four in five systems we have assessed have multiple vulnerabilities that, for example, allow bypassing access controls, leading to unauthorized access to confidential data.
Perimeter security is usually at a good level, but once inside, things tend to get worse. On the technical level the focus still tends to be perimeter-centric, revolving around firewalls, intrusion detection systems and such. Vulnerability management, system hardening and application-level security should be bolstered. Perimeter defense alone isn't sufficient to protect against cyber threats. Organizations should take the time to verify their Internet exposure. Regular scanning of one's own networks and taking action based on the results is a recommended practice. It is worth mentioning that the data was collected over a period of five months, and analyzing this amount of data takes up resources, even with a limited scope. The following chapters take a deeper look into some of the identified problem areas.
2.1 Unencrypted protocols

[Chart: Secure mgmt (83 494), Insecure mgmt (90 874), Insecure FTP (67 286), Proxy ports (17 760)]
FTP is a good solution only if it is used to serve public files anonymously.
2.2 Web interfaces

[Chart: web servers by category: Generic (275 000), Embedded/Router (38 000, 11.51 %), Management/FW/Proxy (6 500), Media/Surveillance (5 000), SCADA (4 100), Printer (1 700)]
After a successful installation of a product, no additional configuration hardening is usually done to the device, leaving, for example, the web-based management interface listening on all network interfaces. When the device is directly connected to the Internet, for certain device types probably by mistake, anyone on the Internet can connect to the offered resources. Such unconfigured devices can have the vendor's default administrative credentials, unwanted services like Telnet and SNMP (Simple Network Management Protocol) and many other issues in place. In the worst case there is no password set at all.

The web-based management interface can also have exploitable vulnerabilities, just like typical web applications do. The interfaces can enable an attacker to gain a foothold on the device and the information stored on it. For example, certain printer models have a hard disk which stores printed documents for a period of time, which can give the attacker access to sensitive documents. In addition, devices offering SNMP by default with known community strings can give an attacker a wealth of information regarding internal network configuration and listening processes, to use in further attacks.
Eventually, having a foothold on an unconfigured device can lead to a situation where the attacker is able to modify and use the device to penetrate deeper into the organization's network. This can lead to sensitive information and IPR leaking into the wrong hands.
If an organization has networked security cameras or video conferencing systems open for all to use and spy on, it offers many new intelligence gathering methods and attack vectors to a malicious party. Operators selling broadband and Internet services to organizations and consumers often have their own preferred devices and brands they offer. It may be that many of these devices expose the interfaces by default without the seller or the buyer being aware of it. Another possible reason is that buyers get the devices directly from retailers and lack the know-how needed to set the devices up securely.
The unencrypted protocols, SNMP and web interfaces discussed above contribute the most to the available attack surface. Based on our half-year firewall data analysis, most of the TCP ports already discussed are in the TOP-10 of what attackers are looking for. The attackers are probably trying to find services that offer a login prompt, which can then be attacked with dictionary and brute-force password guessing.
2.3 SCADA
There appear to be ICS/SCADA-related devices directly connected to the Internet. Even though the number is not very high, an attacker can use, for example, the Internet Census or Shodan search engine (http://www.shodanhq.com/) data for initial reconnaissance to find desired targets. The devices might be serial device servers, Ethernet-to-Serial bridges, Serial-to-IP converters, communication processors, building management systems, embedded controllers, environmental controllers, data loggers and automation systems which can control different types of processes, energy and drive engineering. The products can have exploitable vulnerabilities, hard-coded passwords and default configurations that are exploitable by an attacker. These can help gain access to the environment or cause substantial damage to whatever the devices are controlling. Obviously such systems should not be placed directly on the Internet.
2.4 The vulnerability landscape

[Chart: unique vulnerabilities by severity: High (326) 33.10 %, Medium (577) 58.58 %, Low (82) 8.32 %]
The above chart shows the number of unique vulnerabilities Nixu Watson discovered based on the banner versions. There were potentially 326 High-level, 577 Medium-level and 82 Low-level vulnerabilities present in the list of 693 different software versions. (See Chapter 6 for more details.)
The most vulnerable service category was web servers and related web-based components, especially older versions of Apache and PHP. Based on our analysis, the typical server in Finland offering services to the Internet is an Apache HTTP server. Overall, based on the vulnerability data, there were thousands of vulnerable systems present during the scan period.
Another troubling discovery is that there are databases, the crown jewels for many, directly open to the Internet. A well configured and hardened database that is kept updated may be relatively secure, but in our opinion it is still not an advisable practice. HTTP, HTTPS, SSH, FTP, Telnet and SMTP are the protocols most commonly available in the Finnish landscape (see chapter 4.1, TOP-40 port list). For each of these protocols one or two specific server software packages dominate the landscape, making any remotely exploitable vulnerability in them a lucrative target for attackers who aim to get as many systems as possible under their control.
2.5 Recommendations
It is recommended that an organization verifies what assets it has directly connected to the Internet. If it turns out there are devices that should not be directly accessible, place them behind a properly configured firewall in the correct network segment. This allows control over which internal or external networks can connect to them. If the configuration or software/firmware patch level of the asset contains clear deficiencies which an attacker could have exploited, performing an assessment or a re-installation and reconfiguration of the asset is advisable, assuming such actions are possible.

Using encrypted protocols for remote management, such as SSH with public key authentication or a VPN, is strongly recommended. If Telnet is the only option, it should listen on a separate network interface that is not visible to the Internet and that allows access only from a management network segment. The brute-force potential in many of the mentioned management services can be tackled with SSH public key authentication, if that is a viable option. For web-based interfaces the mechanism has to be built in. If FTP is supposed to be used with real credentials to access files, use an FTP server that supports TLS (FTPS). Another alternative is SFTP or SCP, which are part of the SSH software package.

Operators that sell devices to customers and organizations are recommended to analyze the available attack surface of their products, harden the configurations and offer pre-configured devices. It is also advisable to provide proper instructions on how to take a device securely into use. This does not, however, solve the problem of customers buying devices directly. The only sensible way to solve this problem is to require manufacturers to provide the devices in a secure-by-default configuration.
As a suggestion, this could be included in the Finnish Cyber Security Strategy as one point to enforce, ensuring that operators provide citizens and organizations with devices in hardened configurations. Countries should together push a global initiative requiring manufacturers to ship devices and software in a secure-by-default configuration.
Organizations should also have clear policies on how devices are configured, placed on the network and managed, to ensure they pose minimal risk to the rest of the organization's network. Proper vulnerability management processes ensure hosts are kept updated with the latest patches.

For SCADA devices there is a simple recommendation: if connecting from a remote location is absolutely necessary, these should be heavily firewalled or placed behind a VPN (Virtual Private Network) connection. Additionally, allowing only a small set of IP addresses and trusted users is advisable.

Databases should preferably run in their own firewalled segment with restricted access to the database port. Alternatively, on systems running both the application and the database, the database should be set to listen only on a local port or socket to minimize the available attack surface.

From a national security perspective it would be a very interesting exercise to do a more in-depth analysis of governmental and critical infrastructure networks and systems, with actual cross-references between the different data sets and the available vulnerability information. This could give the government an initial tool to start analyzing the available attack surface and possible threats regarding its Internet presence, and to improve security as part of the Finnish Cyber Security Strategy.
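The remote-management and database recommendations above can be turned into a check that runs over configuration text. The following is an added example written for this page, not code from the report: it audits an OpenSSH sshd_config and a MySQL option file for password logins, the listening address of sshd and the database's bind address. The OpenSSH and MySQL defaults it relies on when a keyword is absent, the management network 10.0.100.0/24 and the sample configurations are assumptions.

```python
"""Audit of remote-management and database listener settings.

Added example for this page, not code from the report: it checks sshd_config
and MySQL option-file text against the recommendations above. Assumed
defaults: OpenSSH treats absent PasswordAuthentication/PubkeyAuthentication
as 'yes' and an absent ListenAddress as 'all interfaces'; MySQL listens on all
interfaces unless bind-address or skip-networking is set. sshd Match blocks
are not handled. The sample configurations are constructed.
"""
import ipaddress

MGMT_NET = ipaddress.ip_network("10.0.100.0/24")  # assumed management segment


def parse_sshd_config(text):
    """Keyword -> first value (sshd honours the first occurrence); ListenAddress -> list."""
    settings, listen = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:  # blank line, comment-only line or bare keyword
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "listenaddress":
            listen.append(value)
        else:
            settings.setdefault(key, value)
    settings["listenaddress"] = listen
    return settings


def listen_host(value):
    """Address part of a ListenAddress value: host, host:port or [v6]:port."""
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":", 1)[0] if value.count(":") == 1 else value


def audit_sshd(text, mgmt_net=MGMT_NET):
    """List deviations from key-only login on a management-only address."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("sshd: password authentication enabled; set PasswordAuthentication no")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("sshd: public key authentication disabled")
    if not cfg["listenaddress"]:
        findings.append("sshd: no ListenAddress, so sshd listens on every interface")
    for value in cfg["listenaddress"]:
        try:
            ip = ipaddress.ip_address(listen_host(value))
        except ValueError:
            findings.append(f"sshd: ListenAddress {value} is not a literal address; review it")
            continue
        if ip.is_unspecified or ip not in mgmt_net:
            findings.append(f"sshd: ListenAddress {value} is outside the management network")
    return findings


def parse_mysqld_options(text):
    """Options of the [mysqld] group; MySQL treats '-' and '_' in names alike."""
    options, group = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):  # blanks and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
        elif group == "mysqld":
            key, _, value = line.partition("=")
            options[key.strip().lower().replace("-", "_")] = value.strip() or None
    return options


def audit_mysql(text):
    """List deviations from 'database reachable only locally'."""
    opts = parse_mysqld_options(text)
    if "skip_networking" in opts:
        return []  # no TCP listener at all, only the local socket remains
    bind = opts.get("bind_address")
    if bind is None:
        return ["mysqld: no bind-address, TCP listener reachable on every interface"]
    findings = []
    for addr in (a.strip() for a in bind.split(",")):  # MySQL 8 accepts a list
        try:
            exposed = not ipaddress.ip_address(addr).is_loopback
        except ValueError:  # '*' or a host name: treat as exposed
            exposed = True
        if exposed:
            findings.append(f"mysqld: bind-address {addr} reachable beyond loopback; restrict or firewall it")
    return findings


# Constructed samples: the weak setting beside the hardened one.
WEAK_SSHD = "Port 22\nPasswordAuthentication yes\n"
HARDENED_SSHD = "ListenAddress 10.0.100.5:22\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
WEAK_MYCNF = "[mysqld]\nbind-address = 0.0.0.0\n"
HARDENED_MYCNF = "[mysqld]\nbind-address = 127.0.0.1\n"

if __name__ == "__main__":
    for name, result in (("weak sshd", audit_sshd(WEAK_SSHD)), ("hardened sshd", audit_sshd(HARDENED_SSHD)),
                         ("weak my.cnf", audit_mysql(WEAK_MYCNF)), ("hardened my.cnf", audit_mysql(HARDENED_MYCNF))):
        print(name, "->", result or "OK")
```

The check deliberately reports an absent keyword as a finding rather than silently accepting the daemon default, since the defaults assumed here are exactly the settings the report says are left in place after installation; a database bound to a non-loopback address is flagged even when it sits in the right segment, because the report's first choice is a firewalled segment and its second is loopback only.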