State of Security
Security Research by Skunkhog
Skunkhog is the research and development team of Hedgehog Security. Based in our Tokyo and UK offices, the team do pure security research.
At Hedgehog Security we believe every business has the right to a safer connected world. Our mission is to deliver that.
Honesty | Integrity | Excellence
State of Security: Gibraltar 2020
In 2019, Hedgehog Security adapted the Rapid7 National Exposure Index report as it did not include Gibraltar. Now in our second year, we continue this ongoing investigation into the risk of passive eavesdropping and active attack on the IP address space of Gibraltar, and offer insight into the continuing changes involving these exposed services.
• The United States leads all other countries in the 2018 exposure rankings, scoring the highest in nearly every exposure metric we measure. Following the U.S. is China, Canada, South Korea, and the United Kingdom, which together control over 61 million servers listening on at least one of the surveyed ports.
• There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL. Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss in a coordinated attack.
• While the number of exposed Microsoft SMB Servers dropped considerably after the WannaCry attack of 2017, there remain about a half a million targets today, primarily in the U.S., Taiwan, Japan, Russia, and Germany.
• Amplification-based distributed denial of service (DDoS-A) remains a powerful technique for harming enterprises and providing cover for more sophisticated attacks. While the number of exposed UDP-based memcached servers is less than 4,000, there are about 40,000 unpatched, out-of-date memcached servers, which are at risk of being drafted into the next record-breaking DDoS attack.
These key findings tell us that the most risk to the internet originates in countries that have significant investment in, and reliance on, a safe and stable internet. This indicates to us that national internet service providers in these countries can use these findings to understand the risks of internet exposure, and that they, along with policymakers and other technical leaders, are in an excellent position to make significant progress in securing the global internet.
Measuring Gibraltar's Exposure
It’s important to note that it’s not just mature, traditionally “rich” or “large” countries that rely on a healthy and functioning internet. As of the start of 2018, more than half of all humans now maintain an active internet presence, after significant growth in both client-side and server-side infrastructure in Asia and Africa. We are in a crucial period of human history, and we need to actively measure the patterns of internet usage that impact the security and stability of this incredible, planet-wide resource. By comparing regions both globally and with their immediate neighbors, we believe it’s possible to deliberately apply some “network husbandry” to the internet to ensure it remains supportive of technical innovation, cultural value, and economic prosperity.
For 2018’s National Exposure Index, we once again took on the task of surveying the nature of the internet in order to determine (a) what is actually running on today’s internet, versus what we believe should be present there, and (b) which geopolitical regions are most at risk for deliberate, wide-scale attacks on core internet services. Regional and global outages are still occurring with some frequency. In our first National Exposure Index in mid-2016, we warned of an impending disaster involving the millions of unsecured telnet servers, which turned out to be ripe hunting ground for the world’s largest botnets, Mirai and its variants. In 2017, we were planning on shifting focus to Windows SMB, but WannaCry and its EternalBlue-powered variants beat our publish date to the punch.
The year 2018 has already seen the largest distributed denial of service (DDoS) attack on record, using unsecured ‘memcached’ UDP servers. Due to this event, we’re paying much closer attention to memcached and other connectionless UDP services that can be abused in amplification attacks, and we have added this metric to the national exposure ranking system.
We also continue to worry about the exposure level of popular database servers, such as MySQL, PostgreSQL, Microsoft SQL Server, Oracle DB, and IBM DB2, as well as the “NoSQL” databases like MongoDB and Redis. It’s our hope that by highlighting the prevalence of these services, and the specific geographic regions in which they reside, we can get ahead of a coming DB disaster.
Putting all this together, we believe that by measuring the most commonly deployed services on the internet and then breaking these statistics out by country, we can produce a ranked list of “most exposed” countries. Armed with this information, we have the opportunity to identify which nations can improve their local infrastructure’s “natural” exposure to hostile actors. National borders are quite weak on the internet, as everyone is usually only a couple hundred milliseconds “away” from everyone else. Recent events suggest that nation-state actors are keenly interested in taking advantage of national internet exposure to pursue their own interests, so defenders can use the information presented in this paper to make informed decisions about how to best manage their own geopolitical region of the internet.
What do we mean when we say “exposure”? For our purposes, we would consider a system to be “exposed” if it’s (a) offering a natively unencrypted service on the public internet, (b) offering a service on the internet that is unsuitable for public access, or (c) subject to amplification abuse through connectionless communication. If any of these conditions are met for a given IP-addressable server, it counts against that IP address’s geolocated country’s exposure. While exposure is a useful shorthand for security professionals, we should take a moment to unpack all three of these conditions.
Cleartext Services
The internet was originally designed to allow for any computer to communicate with any other computer; this is a core feature of TCP/IP networking. This was revolutionary in the computing environment of the late 20th Century, which was dominated by terminals physically wired to mainframes, as it essentially democratizes and decentralizes data, storage capability, and computing power. Anyone with a computer on the internetwork could connect to any server and interact with it. However, this decentralization also means that anyone with a view into the underlying network (the hubs, routers, and switches that actually handle the packets flowing between endpoints) could eavesdrop, impersonate, and alter any communications in transit, both actively and passively. Modern, certificate-based encryption can prevent these man-in-the-middle shenanigans. Even if an adversary controls one of the routers between you and yourbank.com, you have assurances built into your web browser that https://yourbank.com is both authenticated as truly yourbank.com (and not an imposter), and that your transactions between you and yourbank.com are confidential. Without encryption, no service on the internet can reasonably guarantee that computers at either end of a connection are who they say they are, nor can they guarantee that the data passed between them is both authentic and private.
Unencrypted data is commonly referred to as cleartext. Today, we know that some national security organizations in some countries have the capability to conduct large-scale, passive monitoring of internet activity, and that the Internet Engineering Task Force proposed in 2014 that “Pervasive Monitoring Is An Attack” in RFC 7258, an official memorandum with that title. While we acknowledge there is tension between the need for strong security controls and the need for reasonable and lawful surveillance capabilities for national security, we contend that cleartext services are necessarily insecure from eavesdropping, data alteration, or data breach. After all, an adversary need not have the formidable capabilities of a three-letter agency to snoop on cleartext communications; they need only to compromise one hop, or network segment, between the target (or target population) and the intended service. This is well within the capability of even amateur cyber criminals camped out on local WiFi access points.
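To make the scoring rule concrete, here is an added example (not the report's own tooling) that applies the three exposure conditions defined above to a set of scan results and produces the per-country "most exposed" ranking. The port-to-condition catalogue and the scan records are constructed assumptions for illustration, not the report's full service list or real measurements.

```python
from collections import defaultdict

# (port, transport) -> exposure conditions from the report's definition: "cleartext"
# (natively unencrypted), "unsuitable" (not meant for public access), "amplification"
# (connectionless UDP abusable for DDoS-A). Assignments are illustrative assumptions.
SERVICE_CATALOGUE = {
    (23, "tcp"): {"cleartext"},                       # telnet
    (80, "tcp"): {"cleartext"},                       # http
    (443, "tcp"): set(),                              # https: encrypted, acceptable publicly
    (445, "tcp"): {"cleartext", "unsuitable"},        # smb
    (3306, "tcp"): {"unsuitable"},                    # mysql
    (5432, "tcp"): {"unsuitable"},                    # postgresql
    (6379, "tcp"): {"cleartext", "unsuitable"},       # redis
    (27017, "tcp"): {"unsuitable"},                   # mongodb
    (11211, "udp"): {"unsuitable", "amplification"},  # memcached over UDP
    (11211, "tcp"): {"unsuitable"},                   # memcached over TCP: no amplification
}

def exposure_by_country(scan_records):
    """Aggregate (ip, country, port, transport) hits into per-country exposure.
    An IP counts once in 'exposed_ips' however many exposed ports it has (the
    report scores IP addresses); per-condition keys count distinct IPs."""
    exposed = defaultdict(set)
    by_cond = defaultdict(lambda: defaultdict(set))
    for ip, country, port, transport in scan_records:
        conditions = SERVICE_CATALOGUE.get((port, transport), set())
        if not conditions:
            continue  # unknown or acceptable service: contributes no exposure
        exposed[country].add(ip)
        for cond in conditions:
            by_cond[country][cond].add(ip)
    return {c: {"exposed_ips": len(ips), **{k: len(v) for k, v in by_cond[c].items()}}
            for c, ips in exposed.items()}

def ranked(scan_records):
    """Countries ordered by exposed IP count, highest first (the 'most exposed' list)."""
    return sorted(exposure_by_country(scan_records).items(),
                  key=lambda kv: kv[1]["exposed_ips"], reverse=True)

# Constructed sample scan output using documentation address ranges, not real hosts.
SAMPLE_SCAN = [
    ("192.0.2.10", "GI", 443, "tcp"),     # https only: not exposed
    ("192.0.2.11", "GI", 23, "tcp"),      # telnet: cleartext
    ("192.0.2.11", "GI", 3306, "tcp"),    # same host also runs MySQL: still one exposed IP
    ("192.0.2.12", "GI", 11211, "udp"),   # memcached/UDP: unsuitable + amplification
    ("198.51.100.5", "GB", 445, "tcp"),   # smb: cleartext + unsuitable
    ("198.51.100.6", "GB", 80, "tcp"),    # http: cleartext
    ("198.51.100.7", "GB", 6379, "tcp"),  # redis: cleartext + unsuitable
]
```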