Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

IP: Internet Audit Project

From: Dave Farber <farber () cis upenn edu>
Date: Tue, 17 Aug 1999 06:33:17 -0400


Date: Mon, 16 Aug 1999 22:33:57 -0400
From: Jim Brenton <jbrenton () earthlink net>
To: farber () cis upenn edu

Dr. Farber, 

This project and report may be of some interest to IP group, if they haven't already heard about it.  We are just 
starting what I am sure will be a very "robust discussion" of this topic within the CISSP (Certified Information System 
Security Professional) forum.  I will provide significant updates if you desire. 

Recently the Security Focus Forum published "The Internet Auditing Project" by Liraz Siri (liarz () bigfoot com) as an 
essay that discussed a project he participated in as a member of a group performing a security scan of most of the 
Internet hosts. 
   
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&amp;id=32 

As one who works in network security, I had not heard of a project of this magnitude before now.  To the best of my 
knowledge, the audit project report is the first publicly released report that objectively documents the overall state 
of Internet security (sad at best).  The Audit Project report describes how their group scanned over 36 million hosts, 
and the source code of their scanner, BASS, which is available for download by anyone at: 

http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz 

My reason for posting this information is to provide IPers with a glimpse of the technical skills and expertise that 
some people on the Internet possess.  However, these same intelligent people have now made their source code available 
to every high school student who might want to perform a few independent scans of their own. 

The forum report clearly demonstrates how much sensitive information can be archived, stored, and retrieved for future 
exploits against Internet hosts.  The group selected parameters on the scan that excluded much of corporate America, 
but that was just a configuration parameter that could be easily changed. 

This should be a wake up call.  We need to make sure that our network and system administrators have the latest vendor 
patches installed to preclude 98% of the problems that may be generated by these types of activities.  This report is 
prime example of why everyone should scan their networks externally for potential vulnerabilities and fix them, or 
someone else will find and exploit those vulnerabilities.  This report is circulating on Hacker News Network and other 
underground BBSs, in addition to the Security Focus Forum. 

The personal opinions expressed above are my own and neither of my employers, Sprint and Johns Hopkins University, gets 
any credit or can be held responsible for my absent minded ramblings. 

Jim Brenton, CISSP 
Principal Network Security Program Manager 
Sprint Corporate Security 
Adjunct Professor, Info and Telecom Systems 
Johns Hopkins University, 
School of Professional Studies in Business and Education 
   

Here is the group's PRESS RELEASE: 

PRESS RELEASE - The Internet Auditing Project 

Aug 13 - SSR, an independent security research group, have recently released a memorandum of the Internet Auditing 
Project, describing the groups efforts to scan over 36 million (circa Jan 1999) Internet hosts (including it's 
sensitive military, government and private networks) for commonly known remote security vulnerabilities. 

The article is written in full-disclosure HOWTO form, supplying the reader with everything he needs to know to repeat 
the scan on his own (wheels, map and the road), with relatively few resources, including the special-purpose bulk 
auditing software developed for the project. 

It offers several unique, interesting insights on the gloomy state of computer security on the Internet, touches on 
hacker culture, and in-between describes the group's encounter with counterprobes, angry 
e-mails, threatening lawyers (with relevant legal commentary), a crippling denial of service attack and even an 
Unidentified Cracking Object (OCO!) which successfully attacked and penetrated [part of] the group's networks with 
spine-chilling sophistication. 

The IAP's results? Grim: 

         "... immediately threaten the security [...] of many millions of 
          systems in commercial, academic, government and military 
          organizations ..." 

And even... 

         "We were stunned to find just how many networks you would expect 
          to be ultra secure were wide open to attack. Banks, billion 
          dollar commerce sites, computer security companies, even nuclear 
          weapon research centers!" 

It's implications? Grimmer, suggesting an immediate present and future threat to the world's largest and most 
significant information technology infrastructure. 

(Holy smoke! So what do we do?!) 

The article introduces a viable solution, in the form of the "International Digital Defense Network" (IDDN). An 
ambitious proposal for a public interest project which could dramaticly influence the security of the Internet (for the 
good!), and resolve many of the most serious problems covered in the 
article. 

The article is available as a guest feature (the first) on www.securityfocus.com (the good people hosting Bugtraq) at: 
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&amp;id=32 

BASS, the Bulk Auditing Security Scanner developed for the project has also been released and is free for download at: 
http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz 

Seek the wisdom.
Previous By Date Next
Previous By Thread Next

Current thread: