Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rapid7 Launches Crowdsourced Security Research Project

Posted by samzenpus on from the mark-it-with-a-flag dept.

wiredmikey writes "Vulnerability management software company Rapid7 has launched an ambitious community project to scan the public Internet, organize the results and share the data with the IT security industry. The brainchild of Metasploit creator HD Moore, the overall goal of Project Sonar is to crowdsource the discovery and reporting of security vulnerabilities of affected software and hardware vendors. 'If we try to parse the data sets ourselves, even with a team of 30 people, it would take multiple years just to figure out the vulnerabilities in the data set. It's ridiculous, really,' Moore said in an interview with SecurityWeek. To start, Rapid7 has released about 3 terabytes of raw data generated from scans across public Internet-facing systems. The data sets relate to IPv4 TCP banners & UDP probe replies, IPv4 Reverse DNS PTR records and IPv4 SSL Certificates. Moore's team also listed a set of tools used to generate the data sets. They include ZMap, an Internet-scale scanner developed at he University of Michigan; UDPBlast, a stand-alone UDP scanning utility; and MASSCAN, an Errata Security tool that claims to scan the entire IPv4 internet in three seconds."

17 of 39 comments (clear)

  1. I like it. by d33tah · · Score: 1

    Reminds me of http://internetcensus2012.github.io/. I hope they'll publish all the data sets and I hope they won't have legal problems because of some sensitive data there, though I don't really believe it's possible. That's why the original author of IC2K12 published it anonymously.

    1. Re:I like it. by d33tah · · Score: 1

      Ah, sorry, link's dead, here's a copy: http://internetcensus2012.bitbucket.org/

  2. Thanks, but no. by Anonymous Coward · · Score: 1

    come back when the results are publicly disclosed and not just "shared with the security community"

    1. Re:Thanks, but no. by fustakrakich · · Score: 1

      Exactly. Besides, the biggest security threat is the government (all governments), and there is no way to mitigate that problem. All effective tools are "born secret"

      --
      “He’s not deformed, he’s just drunk!”
  3. Re:NSA by gmuslera · · Score: 2

    That you can download the data mean that is the opposite of NSA, is public, no deep secret, and is revealing what is there, not putting your own vulnerabilities. Is not just for few, selected, IT security companies, is for everyone, you can get and interpret it, at least if it makes sense to you,

    It could also be used by low level hackers to easy their work (the high level ones already should had collected that info by themselves or be available in the dark nets), but also could be used by ISPs, countries and IT departments to be aware and warn the people in charge of those systems about this. In fact, is good to force them to act in front of this public information, not making it public wasn't stopping the hackers (and the NSA) to exploit them.

  4. Research suggestion by Okian+Warrior · · Score: 3, Interesting

    People speculate that the RDRAND instruction on Ivy Bridge processors has been compromised. If anyone has a spare CPU and motherboard lying around, this can be tested.

    The RDRAND internals put the entropy through a random generator before sending the results to the user. This is similar to how rand() works: a single "seed" with limited entropy will generate a long list of seemingly random output, but because there is only one seed the output is predictable and can be reproduced.

    To get around this, check the RDRAND data at reset time.

    If you had access to a spare CPU and motherboard, you could install your own program in lieu of the BIOS which would catch the RESET vector, get the RDRAND information, initialize a serial port, log the results to a 2nd computer, and force the CPU into RESET.

    (For clarity, glossing over some obvious stuff such as storing results in memory and dumping blocks, or dumping to a faster device than a serial port.)

    All of the RDRAND tests I've seen have looked at continuously-generated data; which, due to the internal hashing algorithm, would pass even if started with a low-entropy seed. To the best of my knowledge, no one has checked to see if different machines generate the same string of random numbers, or if the starting seed has good entropy.

    With a terabyte drive on the logging computer, it should be possible to see if RDRAND has at least 32-bits of entropy: log 4 billion rounds and look for collisions.

    RDRAND probably has at least this much entropy, but if not - boy would that paper hit like a bombshell!

    1. Re:Research suggestion by foniksonik · · Score: 1

      Sounds like a thesis. Go get a grant.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    2. Re:Research suggestion by Okian+Warrior · · Score: 1

      Sounds like a thesis. Go get a grant.

      Interesting.

      Your post suggests that research must be done from the benevolent endowment of the government ("grant"), and is the purview of degree'd academics or in pursuit of such a degree.

      Are there no Gentleman Scientists any more?

      I suppose in today's terms we would call them Makers. Moxie Marlinspike probably isn't a credible researcher.

    3. Re:Research suggestion by Anonymous Coward · · Score: 5, Interesting

      RDRAND backdoor more subtle than that.

      Only few chips backdoored, most not. Brazilian mission to the United Nations in New York had computer spied on. Botnet uplink was to 177.135.198.244, still online, very big.

      Hardware reversing of CPU: Masks normal to optical anaylsis. But transistor doping tampered with on feed from CBC-MAC whitener to CTR cascade DRBG. All but 32 read constant. Microcode tampered with on sample to shortcut AES-NI after XORing in RDRAND.

      If known constant and mask, CTR(n+1)-CTR(n) with 2^32 search. Sounds familiar. Recent publish.

      Sorry for poor language: Identity disguise.

      You stole our revolution. Now we're stealing it back. 0x7a69

  5. Re:how do I set up robots.txt by gmuslera · · Score: 1

    robots.txt tells the good guys that you don't want your system scanned, but that don't stop the bad ones, the ones that the means and motivations to try to hack your system. Want to keep being hacked and not letting anyone to warn you about that? Ignorance is bliss, until it becomes hell.

  6. Whatever by ls671 · · Score: 1

    Whatever, they will get their IPs blocked on public dns blacklisted and if not, on our own custom blacklist.

    --
    Everything I write is lies, read between the lines.
  7. Hopefully by The+Wild+Norseman · · Score: 1

    Hopefully this is not a stupid question, but how long would it be, approximately, before much of these data go stale (stale before it becomes useless)?

    --
    "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
    1. Re:Hopefully by JSG · · Score: 1

      Stale -Ha!

      Here's a snippet from one of the data dumps (telnet is less than 300MB), note the dates. Have a look yourself and you'll get the IP address this belongs to along with many, many others:

      (This is a telnet login banner which I've had to clean out somewhat to post here)
      Copyright (c) 1998-2007 Huawei Technologies Co., Ltd. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.

      I was pretty horrified but not too surprised at the contents of just one data dump after a quick look.

      Cheers
      Jon

  8. Re:how do I set up robots.txt by JSG · · Score: 1

    AC up there is almost certainly joking - riffing on hosts file ...

    Cheers
    Jon

  9. Re:Yet another probing system. by Zapotek · · Score: 1

    If you don't want people to grab the banner of the services you've made publicly accessible, it may be a good idea to keep them private.

  10. Re:Yet another probing system. by SocietyoftheFist · · Score: 1

    Just like I can't view your license plate in public as you drive by heh? If its public its fair game.

  11. Re:NSA by slick7 · · Score: 1

    It's not what or how information is downloaded, but the manner in which the spin doctors twist it around by the propaganda machine.

    --
    The mind conceives, the body achieves, the spirit manifests.