Internet hygiene still stinks despite botnet and ransomware flood

Network security has improved little over the last 12 months – millions of vulnerable devices are still exposed on the open internet, leaving them defenceless to the next big malware attack. A follow-up audit by Rapid7 – the firm behind the Metasploit pen-testing tool – found that more than a million endpoints were confirmed …

  1. Charles 9

    Not crisis enough yet.

    Serious action will only take place if, say, the entire Internet strains from the attack or it becomes directly attributable to significant loss of life. Until then, no one cares enough, especially if sovereign boundaries are in the way.

    1. Version 1.0 Silver badge

      Re: Not crisis enough yet.

      Given the numbers of systems out there, if we're down to only millions of unsecured systems then we're doing quite well.

    2. Mark 85

      Re: Not crisis enough yet.

      Add in that "average Joe User" either doesn't have a clue or reads only the mainstream news and because it's "technical" doesn't do a damn thing to protect his equipment. Yet, they will be the first to scream for help when the crap hits the fan. I'm essentially just telling "friends" that unless they get more proactive, they're on their own and will get eaten alive by the monsters out there.

  2. Anonymous Coward
    Meh

    Meh...

    "..Rapid7 hopes its research will encourage enterprises and consumers alike to adopt more restrictive security policies, shielding kit from attack by disabling ports or protecting them with firewalls."

    Until Facebook goes down, most won't care.

    And neither should they*, it should be up to the manufacturers of this crap to come up with secure defenses and simple to use updates.

    *yes I know people should take some responsibility, but you're supposed to check your tyres each day, but who does?

  3. Aitor 1

    Governments

    They just pass legislation banning security, and then use their resources to pwn you, but not to go after the criminals. It is stupid, and the problem only got this bad because governments are not only doing nothing, but contributing to the problem themselves.

  4. patrickstar

    IMNSHO you are doing something wrong if you rely on firewalls to protect your servers.

    Instead, you should simply have services listening on specific interfaces, only exposing those that are actually intended to be exposed.

    Admittedly hard to do for SMB on Windows though :-(

    Being able to filter traffic can sure come in handy, and perhaps provide an extra layer in case you screw up the config somewhere, but the response to unwanted services running shouldn't default to "firewall".

    And if you need to talk Telnet/SMB/etc over the interwebs, use a damn VPN. SMB is unlikely to get through from consumer providers and corporate networks anyways.
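One way to check the advice in this post, that services should listen only on the interfaces they are meant to be reached on, is to audit which TCP listeners are bound to the wildcard address. This is an added example, not code from the thread; it assumes the column layout of `ss -Hltn` on Linux and uses a constructed sample of that output so it runs offline.

```shell
#!/bin/sh
# Added audit example: flag listening TCP sockets bound to the wildcard
# address (0.0.0.0 or [::]), i.e. services exposed on every interface rather
# than pinned to one. Assumes `ss -Hltn` column order:
#   State Recv-Q Send-Q Local:Port Peer:Port

# Constructed sample of `ss -Hltn` output (not from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 50 192.168.1.10:445 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 128 [::1]:25 [::]:*'

# Print the local address:port of every listener bound to all interfaces.
# Reads ss-style lines on stdin; loopback and interface-specific binds are
# left out because they are already restricted.
wildcard_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\[::\]|\*):[0-9]+$/ { print $4 }'
}

# Exit 0 when no wildcard listeners are found, 1 otherwise, so the check can
# gate a build or deployment step.
check_no_wildcard_listeners() {
    n=$(wildcard_listeners | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Demonstrate on the constructed sample (22/tcp and 80/tcp are flagged).
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
# On a live host:  ss -Hltn | wildcard_listeners
```

Any service this reports is a candidate for a bind-address setting (for example `127.0.0.1` or the internal interface's address) before a firewall rule is even considered.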

    1. Anonymous Coward
      Anonymous Coward

      "IMNSHO you are doing something wrong if you rely on firewalls to protect your servers."

      So firewall rules that block known miscreants, password brute forcing and other types of attack are worthless? A lot of server admins would disagree.

      1. patrickstar

        'So firewall rules that block known miscreants, password brute forcing and other types of attack are worthless? A lot of server admins would disagree.'

        Which part of "can sure come in handy" didn't you understand?

        As for running SMB on the internal network - just have it listen on an internal interface.

        Disabling UPnP is a very good idea too, for obvious reasons...

        1. Anonymous Coward
          Anonymous Coward

          "Which part of "can sure come in handy" didn't you understand?"

          Fair point.

    2. John Brown (no body) Silver badge

      but the response to unwanted services running shouldn't default to "firewall".

      But isn't that the very definition of a firewall? If SMB is a wanted service on the LAN, then how else do you stop it from being open to the outside world other than border blocks?

    3. Anonymous South African Coward Bronze badge

      First thing that I do is to block all ports, and then only open outgoing for needed ports (eg www, vpn, email etc). Inbound is blocked unless there is a specific reason for having a portforward rule (eg web server, vpn server etc). And UPnP is disabled, I set the rules, not some doohickey redneck yahoo! IoT thing.

      So firewalling at the perimeter still is a big must, especially if you have the responsibility of a corporate network. Trying to enforce individual firewalling will not work, as it will be too much admin.

      1. patrickstar

        Since you say "port forwarded" I assume your servers are behind NAT, in which case none of what I said applies to you. It's only relevant when you actually have servers sitting on public IP addresses.

        Unless it's 1:1 NAT between an external and internal address, but then you wouldn't be talking about port forwarding...

  5. RyokuMas
    Trollface

    It's all MicroSlurp's fault, withdrawing support for their 15-year-old operating system! They should be able to miracle it secure immediately, test it fully overnight and roll out the changes without any kind of forced update installation! Damn them!

  6. bobbear

    Vulnerable users are probably totally oblivious of the situation. Why couldn't the first action of a system virus scanner be to call a remote port scan of the user's IP followed by a vulnerability report?

    1. Robert Helpmann??
      Childcatcher

      Oblivious of the Situation

      Why couldn't the first action of a system virus scanner be to call a remote port scan of the user's IP followed by a vulnerability report?

      Great idea! So you want the first thing a consumer-grade security product does to be to scan everything in the immediate environment and send up alarms to the completely uneducated system owner? Good. I assume the report will be accompanied by a set of recommendations of actions to take accompanied by buttons to press ordering said actions? Also good. Customer pushes buttons and stuff stops working. Now what? How is this behavior different from that of any number of sketchy "security" products currently available? The problem in providing reasonable security is it takes a certain amount of expertise which is difficult to automate. The best alternative is to have a trained person help out, of which there are not enough.

      1. bobbear

        Re: Oblivious of the Situation

        I'm certainly talking about the ordinary 'uneducated user' - it is better that he/she is at least aware of the situation than blissfully ignorant of it, as it is better to know that you have cancer than to die of ignorance. In both instances if you are neither an IT expert nor an oncologist, you can seek help.

        However, in most cases the solutions are simple and require no expertise or button pushing. If you are using a modem to connect to your cable or ADSL/Fibre service then don't! Buy yourself a NAT enabled modem/router. If you can't afford a hardware firewall then at least use a reputable software firewall.

  7. ilmari

    Considering the scarcity of public IP addresses and increasing numbers of NAT boxes everywhere, it's rather impressive that so much is still open to public internet.

    1. Anonymous Coward
      Childcatcher

      "Considering the scarcity of public IP addresses"

      Each one capable of supporting 65000-odd ports. Shodan and co don't care if you change from a well-known to some other port, it will still find the service eventually.

  8. Anonymous Coward
    Anonymous Coward

    10 million nodes respond to telnet?

    I wonder what they are...are there consumer NAT devices that accept telnet from the outside by default? Surely there aren't corporate firewalls that still let telnet in??

  9. John Smith 19 Gold badge
    WTF?

    WTF are all these people?

    Obviously some of them are providing access to (for example) specialist academic resources.

    But who are the rest of them?

    And what would happen if you logged in with a) No credentials b) "guest"

    Who would still be using telenet to get remote access to systems to administer them in 2017?

    1. Throatwarbler Mangrove Silver badge
      Windows

      Re: WTF are all these people?

      "Who would still be using telenet to get remote access to systems to administer them in 2017?"

      Dyed-in-the-wool Unix greybeards for whom telnet was good enough in 1987 and see no reason to change now.

      1. John Brown (no body) Silver badge

        Re: WTF are all these people?

        Plenty of old HP laser printers sitting around and if some are in people's homes behind consumer ISP routers, then I'd not be surprised since few home users probably even know about the various network services offered by the printer.

        1. Anonymous South African Coward Bronze badge

          Re: WTF are all these people?

          If said HP printerer is only used for printering then I don't put a gateway IP in. But if it needs to send out email (scan to email) then rather have it SMTP to a small, internal mail server so as to keep it totally away from the perimeter firewall.

          Newer models have the ability of accepting emails as print jobs, which means a port has to be opened for it to listen to something. This feature gives me the heebie-jeebies and I have disabled it. Great idea, but risky. No thanks.

          1. John Brown (no body) Silver badge

            Re: WTF are all these people?

            "Newer models have the ability of accepting emails as print jobs, which means a port has to be opened for it to listen to something. This feature gives me the heebie-jeebies and I have disabled it. Great idea, but risky. No thanks."

            Apart from a few rare edge cases, I can't imagine email to print being anywhere near enough a "must have" to install it into the firmware of so many printers. I suspect it's purely a marketing thing in an attempt to differentiate and add to the list of features when selling them.

    2. Meph

      Re: WTF are all these people?

      "who are the rest of them?"

      I've recently heard anecdotal evidence of door swipe access control systems administered by a third party vendor using RDP via unfiltered internet.

      Yes, this is something that someone paid money for. It also supposedly requires admin privileges to administer said software.....

      1. patrickstar

        Re: WTF are all these people?

        RDP supports encryption so it shouldn't be worse than SSH in theory.

        In practice, the RDP protocol is a lot more complex and exposes pretty much all of it before even authenticating the user, so there's a lot more room for vulnerabilities.

        And yeah, the network security aspects of that kind of system are generally horrendous. They really need to be kept to private networks and/or VPNs.

    3. patrickstar

      Re: WTF are all these people?

      Telenet? The most common use case for administering things over X.25 nowadays is probably PSTN switches and some other telco gear. But I'd expect that to mostly be over private networks and not the public ones (Telenet, Tymnet, Datapak, et al.)

  10. Anonymous Coward
    Anonymous Coward

    It's easy enough to check your open ports on the internet

    https://www.grc.com/shieldsup
