Forgot your password?
typodupeerror
Security Social Networks

Rapid7 Launches Crowdsourced Security Research Project 39

Posted by samzenpus
from the mark-it-with-a-flag dept.
wiredmikey writes "Vulnerability management software company Rapid7 has launched an ambitious community project to scan the public Internet, organize the results and share the data with the IT security industry. The brainchild of Metasploit creator HD Moore, the overall goal of Project Sonar is to crowdsource the discovery and reporting of security vulnerabilities of affected software and hardware vendors. 'If we try to parse the data sets ourselves, even with a team of 30 people, it would take multiple years just to figure out the vulnerabilities in the data set. It's ridiculous, really,' Moore said in an interview with SecurityWeek. To start, Rapid7 has released about 3 terabytes of raw data generated from scans across public Internet-facing systems. The data sets relate to IPv4 TCP banners & UDP probe replies, IPv4 Reverse DNS PTR records and IPv4 SSL Certificates. Moore's team also listed a set of tools used to generate the data sets. They include ZMap, an Internet-scale scanner developed at he University of Michigan; UDPBlast, a stand-alone UDP scanning utility; and MASSCAN, an Errata Security tool that claims to scan the entire IPv4 internet in three seconds."
This discussion has been archived. No new comments can be posted.

Rapid7 Launches Crowdsourced Security Research Project

Comments Filter:
  • by slick7 (1703596)
    What, the NSA is going commercial?
    • by gmuslera (3436)

      That you can download the data mean that is the opposite of NSA, is public, no deep secret, and is revealing what is there, not putting your own vulnerabilities. Is not just for few, selected, IT security companies, is for everyone, you can get and interpret it, at least if it makes sense to you,

      It could also be used by low level hackers to easy their work (the high level ones already should had collected that info by themselves or be available in the dark nets), but also could be used by ISPs, countries a

      • Whatever, they will get their IPs blocked on public dns blacklisted and if not, on our own custom blacklist.

      • by slick7 (1703596)
        It's not what or how information is downloaded, but the manner in which the spin doctors twist it around by the propaganda machine.
  • Reminds me of http://internetcensus2012.github.io/ [github.io]. I hope they'll publish all the data sets and I hope they won't have legal problems because of some sensitive data there, though I don't really believe it's possible. That's why the original author of IC2K12 published it anonymously.
  • by Anonymous Coward

    come back when the results are publicly disclosed and not just "shared with the security community"

    • Exactly. Besides, the biggest security threat is the government (all governments), and there is no way to mitigate that problem. All effective tools are "born secret"

  • Research suggestion (Score:4, Interesting)

    by Okian Warrior (537106) on Sunday September 29, 2013 @10:20AM (#44985617) Homepage Journal

    People speculate that the RDRAND instruction on Ivy Bridge processors has been compromised. If anyone has a spare CPU and motherboard lying around, this can be tested.

    The RDRAND internals put the entropy through a random generator before sending the results to the user. This is similar to how rand() works: a single "seed" with limited entropy will generate a long list of seemingly random output, but because there is only one seed the output is predictable and can be reproduced.

    To get around this, check the RDRAND data at reset time.

    If you had access to a spare CPU and motherboard, you could install your own program in lieu of the BIOS which would catch the RESET vector, get the RDRAND information, initialize a serial port, log the results to a 2nd computer, and force the CPU into RESET.

    (For clarity, glossing over some obvious stuff such as storing results in memory and dumping blocks, or dumping to a faster device than a serial port.)

    All of the RDRAND tests I've seen have looked at continuously-generated data; which, due to the internal hashing algorithm, would pass even if started with a low-entropy seed. To the best of my knowledge, no one has checked to see if different machines generate the same string of random numbers, or if the starting seed has good entropy.

    With a terabyte drive on the logging computer, it should be possible to see if RDRAND has at least 32-bits of entropy: log 4 billion rounds and look for collisions.

    RDRAND probably has at least this much entropy, but if not - boy would that paper hit like a bombshell!

    • Sounds like a thesis. Go get a grant.

      • Sounds like a thesis. Go get a grant.

        Interesting.

        Your post suggests that research must be done from the benevolent endowment of the government ("grant"), and is the purview of degree'd academics or in pursuit of such a degree.

        Are there no Gentleman Scientists [wikipedia.org] any more?

        I suppose in today's terms we would call them Makers [hackaday.com]. Moxie Marlinspike [wikipedia.org] probably isn't a credible researcher.

    • by Anonymous Coward on Sunday September 29, 2013 @11:21AM (#44985945)

      RDRAND backdoor more subtle than that.

      Only few chips backdoored, most not. Brazilian mission to the United Nations in New York had computer spied on. Botnet uplink was to 177.135.198.244, still online, very big.

      Hardware reversing of CPU: Masks normal to optical anaylsis. But transistor doping tampered with on feed from CBC-MAC whitener to CTR cascade DRBG. All but 32 read constant. Microcode tampered with on sample to shortcut AES-NI after XORing in RDRAND.

      If known constant and mask, CTR(n+1)-CTR(n) with 2^32 search. Sounds familiar. Recent publish.

      Sorry for poor language: Identity disguise.

      You stole our revolution. Now we're stealing it back. 0x7a69

  • Hopefully this is not a stupid question, but how long would it be, approximately, before much of these data go stale (stale before it becomes useless)?

    • by JSG (82708)

      Stale -Ha!

      Here's a snippet from one of the data dumps (telnet is less than 300MB), note the dates. Have a look yourself and you'll get the IP address this belongs to along with many, many others:

      (This is a telnet login banner which I've had to clean out somewhat to post here)
      Copyright (c) 1998-2007 Huawei Technologies Co., Ltd. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.

      I was pretty horrified but not too surprised at the content

"It's when they say 2 + 2 = 5 that I begin to argue." -- Eric Pepke

Working...