Slashdot Mirror
Rapid7 Launches Crowdsourced Security Research Project
wiredmikey writes "Vulnerability management software company Rapid7 has launched an ambitious community project to scan the public Internet, organize the results and share the data with the IT security industry. The brainchild of Metasploit creator HD Moore, the overall goal of Project Sonar is to crowdsource the discovery and reporting of security vulnerabilities of affected software and hardware vendors. 'If we try to parse the data sets ourselves, even with a team of 30 people, it would take multiple years just to figure out the vulnerabilities in the data set. It's ridiculous, really,' Moore said in an interview with SecurityWeek. To start, Rapid7 has released about 3 terabytes of raw data generated from scans across public Internet-facing systems. The data sets relate to IPv4 TCP banners & UDP probe replies, IPv4 Reverse DNS PTR records and IPv4 SSL Certificates. Moore's team also listed a set of tools used to generate the data sets. They include ZMap, an Internet-scale scanner developed at he University of Michigan; UDPBlast, a stand-alone UDP scanning utility; and MASSCAN, an Errata Security tool that claims to scan the entire IPv4 internet in three seconds."
That you can download the data mean that is the opposite of NSA, is public, no deep secret, and is revealing what is there, not putting your own vulnerabilities. Is not just for few, selected, IT security companies, is for everyone, you can get and interpret it, at least if it makes sense to you,
It could also be used by low level hackers to easy their work (the high level ones already should had collected that info by themselves or be available in the dark nets), but also could be used by ISPs, countries and IT departments to be aware and warn the people in charge of those systems about this. In fact, is good to force them to act in front of this public information, not making it public wasn't stopping the hackers (and the NSA) to exploit them.
People speculate that the RDRAND instruction on Ivy Bridge processors has been compromised. If anyone has a spare CPU and motherboard lying around, this can be tested.
The RDRAND internals put the entropy through a random generator before sending the results to the user. This is similar to how rand() works: a single "seed" with limited entropy will generate a long list of seemingly random output, but because there is only one seed the output is predictable and can be reproduced.
To get around this, check the RDRAND data at reset time.
If you had access to a spare CPU and motherboard, you could install your own program in lieu of the BIOS which would catch the RESET vector, get the RDRAND information, initialize a serial port, log the results to a 2nd computer, and force the CPU into RESET.
(For clarity, glossing over some obvious stuff such as storing results in memory and dumping blocks, or dumping to a faster device than a serial port.)
All of the RDRAND tests I've seen have looked at continuously-generated data; which, due to the internal hashing algorithm, would pass even if started with a low-entropy seed. To the best of my knowledge, no one has checked to see if different machines generate the same string of random numbers, or if the starting seed has good entropy.
With a terabyte drive on the logging computer, it should be possible to see if RDRAND has at least 32-bits of entropy: log 4 billion rounds and look for collisions.
RDRAND probably has at least this much entropy, but if not - boy would that paper hit like a bombshell!