HouSecCon 2013: The Security Space Age

Transcript

1. None

2. • •

3. None
4. None
5. None
6. None
7. None
8. None
9. None
10. None
11. None
12. None
13. None
14. None
15. None

16. Measurement requires scanning ► Distributed nature makes passive analysis hard

    ► The NSA isn’t sharing their data feeds ► Scanning is getting way faster Measuring the Internet

17. Mass scanning is starting to mature ► Major improvements to

    scanning tools ► Numerous large-scale scanning efforts ► Scary and not-so-scary precedents State of Scans

18. U. Michigan team released Zmap ► Send a single probe

    across IPv4 in 45 minutes ► Detailed research paper with examples ► Development continues at GitHub ► Epic forge-socket support ► http://zmap.io ZMap $ zmap -p 80 -o results.txt

19. Over 110 internet-wide SSL scans in 12 mos ► Created

    a detailed view of the SSL ecosystem ► Realtime monitoring of Sandy outages ► Obtained 43 million unique certs ZMap: Data Collection

20. Errata Security released Masscan ► Scan all of IPv4 for

    a single TCP port in 3 minutes* ► Leverages 10GbE NICs and PF_RING sockets ► Development continues at GitHub MASSCAN $ masscan 0.0.0.0/0 -p 80

21. Nmap 6.40 makes scanning mo-better! ► Performance improvements all around

    ► Tons of new scripts and fingerprints ► XML + NSE output improvements ► Swiss army knife of scanning Nmap

22. Nmap is competitive with the right options ► Combine –sS

    with –PS for one-pass SYN scans ► Set --min-rate and --min-rtt-timeouts ► Limit retries with –-min-retries Nmap

23. Benign botnet used to scan the internet ► Used over

    420,000 devices to scan over 730 ports ► Excellent writeup and a whopping 9Tb of data Internet Census 2012

24. Shodan keeps getting better, use it! ► Over three years

    of internet scan data ► Searchable web interface & API SHODAN

25. Internet scanning has barriers to entry ► Legal concerns vary

    by region and attitude ► Scans lead to abuse complaints to ISPs ► Computing and time costs Challenges

26. Internet scanning is a niche field ► Challenges prevent widespread

    adoption ► Value is centered around research ► Businesses can see it as a threat Status Quo

27. Internet scan data is incredibly useful ► Identify and quantify

    widespread vulnerabilities ► Provide due diligence for vendors & partners ► Market share information for products ► Locate unmanaged corporate assets ► Get a handle on shadow IT Internet Scan Data

28. Hard to find any measurable improvement ► Exposures are getting

    worse each time we look ► VxWorks WDBRPC exposure is increasing ► UPnP has shown minimal improvements ► DDNS DDoS is bad enough ► SNMP is worse Security is Getting Worse

29. This is a rock the community can move ► Demonstrate

    value to IT, security, and the business ► Drive research based on quantified exposure ► Build awareness around public networks ► Hold vendors and ISPs accountable ► Provide ammo for legal reform Time for a Change

30. Community project for internet scans ► Open source tools to

    simplify scanning ► Open datasets for everyone ► Practical applications http://miniurl.org/sonar Project Sonar
31. None

32. Integration with existing tools ► UDP probes and processing tools

    for Zmap ► NSE scripts for running with Nmap ► SSL certificate grabbers ► Fast DNS lookup tools Sonar: Scanning

33. Critical.IO Archive ► Parsed banners across 18 services over 10

    months ► Current dataset is in compressed JSON ► Historical view of your networks ► Segmented for easy lookups Sonar: Dataset 1

34. ► 2.4 TB of service fingerprints (355 GB bz2 compressed)

    ► 1.57 billion records Sonar: Dataset 1
35. None

36. SSL Certificates ► All SSL certs on IPv4 port 443

    as of September 10th ► Available as raw certs and parsed IP -> Name pairs ► ~33 million records @ 50 GB ( 16 GB compressed ) ► ~8.6 million unique IP->Name pairs ( 270 MB ) Sonar: Dataset 2

37. Reverse DNS ► Full reverse DNS for IPv4, regularly updated

    ► ~1.13 billion records @ 50 GB ( 3 GB compressed ) ► Similar use cases to DeepMagic’s PTR search Sonar: Dataset 3

38. ZMap & Rapid7 teams are collaborating ► Launching a shared

    internet scan data portal ► Accepting data from third-parties (you!) ► Includes all datasets already mentioned ► Also 18 months of SSL scans! http://scans.io Data Portals & Downloads

39. You can find zero-day with public datasets ► Easy to

    identify common vulnerabilities ► Look for min/max and anomalies ► Unix pipelines are all you need Examples: Research

40. Random things that aren’t random ► Any duplicate SSL key

    is probably a vulnerability ► Tens of thousands of systems with duplicates ► We need eyes to actually classify these ► Identify vendors and report Duplicate SSL Certificates

41. SSL certificates make good fingerprints ► Identify all occurrences of

    an embedded device ► Locate otherwise hard to identify systems ► Enterprise appliances galore SSL Fingerprinting

42. Improving your company’s security ► Identify external assets you may

    have missed ► Quickly scan massive networks easily ► Historical data helps with response ► Practical data mining Examples: Infosec

43. Assets vs Incidents Identify Assets Catalog Data Assess Threats Calculate

    Impact Detect Attack Respond

44. SSL certificates are ubiquitous ► Every important site has a

    SSL certificate ► SSL certificates map to domains Cloud services often use customer certificates ► Identify undocumented third-party services ► May find 10%+ more than your IT knows about Asset Discovery (SSL)

45. Reverse DNS provides an interesting view ► Forward DNS may

    not match, but reverse is still set ► Find routers, modems, old ISP connections ► Find VPS services, rogue partners, and VARs ► Accidentally the whole intel agency Asset Discovery (DNS)

46. Classify 100,000 nodes in 5 minutes ► Quickly scan a

    small subset of ports ► Send UDP probes for dangerous services ► Analyze, sort, and prioritize assessment Quick Risk Assessment

47. http://miniurl.org/sonar Twitter: @hdmoore Email: [email protected]