Inferring Internet security posture by country through port scanning

Internet security posture

In this podcast, Tod Beardsley, Director of Research at Rapid7, talks about the recently released National Exposure Index, which aims to better understand the nature of Internet exposure – services that either do not offer modern cryptographic protection, or are otherwise unsuitable to offer on the increasingly hostile internet – and how those exposure levels look around the globe.

Internet security posture

Here’s a transcript of the podcast for your convenience.

I’m Tod Beardsley, Director of Research at Rapid7, and I’m here on Help Net today to talk about the National Exposure Index. We produce this once a year, and the 2018 version is a ripping yarn of exposure both globally and sliced up into national buckets. And we found this year that among the 187 countries and regions that we surveyed, USA is number one, and not not in a good way. The U.S. has quite a few exposed servers out on the Internet. The U.S. has far more reachable, pingable servers than anybody else. That’s about 42 million. And of those we look for things like exposed SMB services. SMB is what you used to do like Windows networking, it should never ever ever be on the Internet.

We look for things like exposed database services specifically, and I can talk more about that a little bit. But we also look for things like exposed UDP services, they’re not so great to the Internet. UDP is a connectionless protocol, things that run on UDP tend not to use encryption, and so we look for all of those things and more! We look for things like the relationship between SSH and telnet for example, like how is that telnet going, and things are going okay. Like the trend line is good for telnet, we’re losing a lot of telnet on the Internet, especially since the Mirai attack, now I guess a year or two years ago. Since then, telnet has gone down fairly significantly but there’s still bunches and bunches out there.

Internet security posture

I think the most fun part of the report is that we have tons of cool cartoons, and graphs, and charts, to take a look at the exposure both again across the Internet and within countries. We have what I believe is the most comprehensive heat map of the Internet. It’s supercool.

If you’ve read National Exposure Index before from us, and like us is our third year the heat map this year is kind of amazing. We finally put in gridlines, so you can see exactly what networks are where, you can see the density of responsive servers in those networks, and how they map to the registries out there. So, like that kind of level, and if you’re like kind of a data nerd like you can scroll around this thing all day long, like I have a ton of fun. You have a good high res image out at www.rapid7.com/national-exposure.

We have all of our data and the whole report is there. It is generally ungated, unless you’re listening to this super late. We tend to release these things in an ungated way. So please, it’s a free download, go read it. And we also make all our data available as well. So, if you think we’re lying you can check our work. If you want to look for other interesting relationships between data sets like that, we’re desperate to trick people into doing that. It’s called open source. And so we’re really looking forward to seeing how people consume this, specifically like network operators, national-level ISPs, government policy makers and lawmakers.

I feel like you can take the data that we present to you in this National Exposure Index, and really make a difference in your region. Because if you know that like you are say Germany, and you have almost 6 million open SIP nodes that are all listening on UDP 50-60, the German CERT would do well to maybe look into this. That’s kind of the value that we see for chunking this up into national buckets, is that you know, that national CERT can take a look at it, and make it sound like national ISPs can take a look at it, things like that.

Internet security posture

We have a couple other interesting nuggets in there. We look at things like duplicate SSH host keys for example. That’s the thing that tells you, like you’re talking to the SSH server that you think you’re talking to. But if there are, I don’t know a few thousand that all have the same hosts key, like something is going on. Every single one of the owners of these systems can also like MITM everybody else, so that’s bad. We took a look at that, we took a look at like the real versions of like say Microsoft SQL server. We see like Microsoft SQL server from the version 7 up through version 12 or so, just kind of hanging out on the Internet. This is a super bad idea for databases in general to allow strangers to show up, and try guessing passwords.

It turns out, funny story, database servers, I don’t know of any that come with a rate limiter on a credential. Right. Like I’m trying to login with my normal like server management software, and I’m using a username and password. I can try a whole bunch like super fast, they’re very efficient at validating or invalidating my logins, and none of them tend to come with rate limiting or lock out or anything like that. So, like if I had my choice of trying a username and password, I’ll go against database servers any day, because I could do thousands at a second. And this is one of the many reasons why you shouldn’t be exposing your database server on the internet.

All altogether, I strongly invite you to come to www.rapid7.com/national-exposure. I hope to hear from.

Are you protecting your users and sensitive O365 data from being leaked? Learn how Specops Authentication for O365 can help.