[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: IP: Internet Audit Project
Date: Mon, 16 Aug 1999 22:33:57 -0400
From: Jim Brenton <jbrenton@earthlink.net>
To: farber@cis.upenn.edu
Dr. Farber,
This project and report may be of some interest to the IP group, if they haven't already heard about it. We are just starting what I am sure will be a very "robust discussion" of this topic within the CISSP (Certified Information System Security Professional) forum. I will provide significant updates if you desire.
Recently the Security Focus Forum published "The Internet Auditing Project" by Liraz Siri (liarz@bigfoot.com) as an essay that discussed a project he participated in as a member of a group performing a security scan of most of the Internet hosts.
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
As one who works in network security, I had not heard of a project of this magnitude before now. To the best of my knowledge, the audit project report is the first publicly released report that objectively documents the overall state of Internet security (sad at best). The Audit Project report describes how their group scanned over 36 million hosts, and includes the source code of their scanner, BASS, which is available for download by anyone at:
http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz
My reason for posting this information is to provide IPers with a glimpse of the technical skills and expertise that some people on the Internet possess. However, these same intelligent people have now made their source code available to every high school student who might want to perform a few independent scans of their own.
The forum report clearly demonstrates how much sensitive information can be archived, stored, and retrieved for future exploits against Internet hosts. The group selected parameters on the scan that excluded much of corporate America, but that was just a configuration parameter that could be easily changed.
This should be a wake-up call. We need to make sure that our network and system administrators have the latest vendor patches installed to preclude 98% of the problems that may be generated by these types of activities. This report is a prime example of why everyone should scan their networks externally for potential vulnerabilities and fix them, or someone else will find and exploit those vulnerabilities. This report is circulating on Hacker News Network and other underground BBSs, in addition to the Security Focus Forum.
The personal opinions expressed above are my own and neither of my employers, Sprint and Johns Hopkins University, gets any credit or can be held responsible for my absent minded ramblings.
Jim Brenton, CISSP
Principal Network Security Program Manager
Sprint Corporate Security
Adjunct Professor, Info and Telecom Systems
Johns Hopkins University,
School of Professional Studies in Business and Education
Here is the group's PRESS RELEASE:
PRESS RELEASE - The Internet Auditing Project
Aug 13 - SSR, an independent security research group, has recently released a memorandum of the Internet Auditing Project, describing the group's efforts to scan over 36 million (circa Jan 1999) Internet hosts (including its sensitive military, government and private networks) for commonly known remote security vulnerabilities.
The article is written in full-disclosure HOWTO form, supplying the reader with everything he needs to know to repeat the scan on his own (wheels, map and the road), with relatively few resources, including the special-purpose bulk auditing software developed for the project.
It offers several unique, interesting insights on the gloomy state of computer security on the Internet, touches on hacker culture, and in between describes the group's encounter with counterprobes, angry e-mails, threatening lawyers (with relevant legal commentary), a crippling denial of service attack and even an Unidentified Cracking Object (UCO!) which successfully attacked and penetrated [part of] the group's networks with spine-chilling sophistication.
The IAP's results? Grim:
"... immediately threaten the security [...] of many millions of systems in commercial, academic, government and military organizations ..."
And even...
"We were stunned to find just how many networks you would expect to be ultra secure were wide open to attack. Banks, billion dollar commerce sites, computer security companies, even nuclear weapon research centers!"
Its implications? Grimmer, suggesting an immediate present and future threat to the world's largest and most significant information technology infrastructure.
(Holy smoke! So what do we do?!)
The article introduces a viable solution, in the form of the "International Digital Defense Network" (IDDN): an ambitious proposal for a public interest project which could dramatically influence the security of the Internet (for the good!), and resolve many of the most serious problems covered in the article.
The article is available as a guest feature (the first) on www.securityfocus.com (the good people hosting Bugtraq) at: http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
BASS, the Bulk Auditing Security Scanner developed for the project has also been released and is free for download at:
http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz
Seek the wisdom.