A recent Internet scan threw a bucket of cold water on the notion that wonky, unsecured services have been significantly reduced from the Internet.
“Today’s Internet in 2016 looks like the 1996 Internet, which is a little depressing,” said Rapid7 security research manager Tod Beardsley.
Beardsley and colleagues Bob Rudis and Jon Hart today published a report called the “National Exposure Index,” which is a deep dive into the top services being run on the Internet, and how those services are adopted on a national and regional level.
“Other than being a lot bigger, we’re not seeing much more to encrypted services as we were expecting,” Beardsley said. “We were hoping to see more encrypted services compared to their unencrypted counterparts, after all, it’s easier to stand up encrypted services today than it was 10 or 20 years ago. It’s pretty push-button for SSH and HTTPS. We’re just not seeing that level of adoption.”
What the scan did find was a remarkably large number of telnet installations beaconing out on the Internet (15 million-six million more than a similar search on Shodan turns up) that could be used to access public-facing systems. Old Microsoft SMB services are still alive and well on the public network as well, primarily in the United States, China, Belgium, Australia and Russia.
“The security of the Internet is not matching up with the deployment speed of the Internet,” Beardsley said. “We’re not seeing the security engineering that we’d hope to see today.”
The data was gathered using Rapid7’s Project Sonar, which is used to scan the Internet and collect data on protocol usage. This particular project set out to identify the top 30 most prevalent TCP ports/services on the IPv4 Internet, data on which was aggregated and compared across countries and regions worldwide.
Of the 15 million telnet nodes, 11.2 million afforded direct access to relational databases (mostly MySQL and Microsoft SQL Server) and another 4.5 million to printer services. While an encrypted Internet is mostly an illusion, Rapid7’s data does show that SSH adoption over telnet is greater in 50 percent of the regions surveyed.
Only three of the top dozen services are encrypted (No. 2 HTTPS, No. 3 SSH, and No. 12 POP3S), while others such as No. 1 HTTP, FTP, SMTP, telnet, DNS, IMAP and others are unencrypted services.
Rapid7’s report points out that some of the unencrypted services can be secured, but generally are deployed in the clear, case in point SMB/CIFS over port 445. Other protocols, such as SMTP or SQL Server, allow for opportunistic encryption, Rapid7, but must first do so by negotiating insecure connections, opening the door to man-in-the-middle attacks.
And if you’re wondering whether a country’s gross domestic product correlates to security, think again; the most exposed countries are the U.S., China, France and Russia. Overall exposure for these countries isn’t much better with Belgium at the top of Rapid7’s national exposure index, with Australia at No. 4, China No. 5, France at No. 13 and the United States at No. 14. Belgium’s overall exposure may be so high—31 percent of its servers responded on all ports surveyed by the scan—because Amazon Web Services operates a large data center in the country servicing most of Europe. The U.S., meanwhile, was especially high in its exposure of Microsoft SMB services, and 43.5 million servers/devices responding on all ports surveyed.
“I don’t think there are good reasons for it,” Beardsley said for the overall insecurity of the public Internet. “Largely it’s going to be implementation errors compounded by the fact that some people just don’t know.”