The State of Missouri Office of Cyber Security’s (OCS) “Using Public Data to Alert Organizations of Vulnerabilities” program identifies vulnerable internet connected systems belonging to organizations from various industries across the State of Missouri. The program identifies high-risk systems that, if left insecure, could lead to disruptions within critical infrastructure or significant data loss, and contacts the owners of the impacted systems to mitigate risks.
Understanding the high probability that there are critical, yet potentially forgotten about infrastructure connected to the Internet, OCS set its sights on identifying these vulnerable systems within the geographical boundaries of the State of Missouri. The Regents of the University of Michigan in collaboration with Google have created an indexer of all “things” on the Internet called Censys.io. Censys.io is a publicly available research platform that scours the entire Internet and indexes devices, open ports, the services exposed, and so much more. Using this service, OCS has been identifying vulnerable systems statewide, including systems belonging to both government and non-government organizations. Using privileged research credentials granted by the Censys.io admins, OCS leverages their API to find vulnerable systems based on banner feedback and running services. The raw data is carefully reviewed and then cross referenced against the American Registry for Internet Numbers (ARIN) to obtain contact information for every system identified. Once contact information has been obtained, OCS sends a notification to all impacted organizations with an explanation of the program and a listing of all impacted systems for that particular entity. OCS has built several scripts that automate the bulk of the effort as thousands of hosts are generally involved on any given run.
The primary business goal of this program is to protect the critical infrastructure belonging to governments, businesses, utilities, and academic institutions across the State of Missouri. Critical infrastructure provides the foundation of many life sustaining services such as healthcare, government, public safety, energy, transportation, communication, food/agriculture, and manufacturing. Keeping these services available around the clock are critical to today’s way of life. A secondary business goal is to safeguard the data belonging to Missouri citizens, students, and customers. Our data lives online as much as we do, and to safeguard it has become essential to prevent identify theft, financial loss, and brand reputation impact.
Significant server side vulnerabilities within the recent years such as ShellShock and Heartbleed highlight what’s at stake for unpatched servers. In the not too distant future a critical vulnerability within IIS 6, Windows Server 2003’s web server, is a very real possibility. In May 2016, the public data vulnerability program was used to identify over 9,000 Windows Server 2003 hosts geographically located within Missouri. Microsoft ended support for Windows Server 2003 in July 2015, so if any critical vulnerabilities were identified, the situation could be dire for the continuity of business and government services. While many of the 177 organizations involved were state, local, and educational entities, quite a few of the hosts belonged to Fortune 500 companies. In spot checking the data for accuracy, many of the hosts appeared to have been forgotten about or overlooked. Once compilation of the results was finished, OCS promptly notified all of the organizations individually with information about each host. The reception of the program by the various organizations was very positive and welcoming. Since notifying the organizations, OCS has been watching the Windows Server 2003 host count drop by over 16% since the first run back in May.
In early August 2016, OCS used the public data vulnerability program to identify devices accepting Telnet connections. Telnet is an antiquated protocol typically used for administration that offers no protection from eavesdroppers. By default, Telnet does not encrypt the transmission of data (including credentials), it doesn’t offer non-repudiation, and over the years multiple critical vulnerabilities have been identified within common Telnet daemons. Over untrusted networks, attackers could easily sniff administrative credentials and perform various nefarious activities with vulnerable Telnet systems such as distributed denial of service or remote code execution attacks.
Utilizing this program, OCS notified 161 entities that had a combined Telnet device count of 10,300. These Missouri based devices belonged to local governments, education, small businesses, and Fortune 500 companies. As mentioned in the summary, while examining the results of the query looking for Telnet devices within Missouri, OCS noticed customer information within the Telnet banner of network equipment being managed by an ISP. On noticing the situation, OCS promptly called the organization to make them aware of the privacy and security concerns of their current configuration or business practice. As with the other entities involved, they received a report outlining all of the impacted devices and their meta data, including the Telnet banner information, publicly linking customers to their IP addresses.
The following abridged presentation has been shown at various conferences:
IIS 6 Hosts
SELECT ip, p80.http.get.headers.server, location.province, location.city, autonomous_system.organization, autonomous_system.asn FROM ipv4 WHERE p80.http.get.headers.server=”Microsoft-IIS/6.0″
SELECT ip, p23.telnet.banner.banner, location.city, autonomous_system.organization, autonomous_system.asn FROM ipv4 WHERE p23.telnet.banner.banner is not null
Heartbleed Vulnerable Hosts
SELECT ip, location.province, location.city, autonomous_system.organization, autonomous_system.name, autonomous_system.asn FROM ipv4 WHERE p443.https.heartbleed.heartbleed_vulnerable = TRUE
The overall response has been quite positive and enforces the direction of OCS’ involvement in assisting / collaborating with all forms of industry. OCS will continue to run similar reports in the future to reduce the overall risk to the State of Missouri and its citizens. If you have any questions about this project, please contact us.