by ana barbosa
At BinaryEdge, we are constantly assessing the state of the Internet, looking for open services and/or products that might impact the security of the end users. So we thought it would be interesting to share some of this information with you and, with that in mind, we decided to start a new series of blogposts.
Each blogpost of this series will focus on a specific country, taking a high level snapshot of how certain services are configured and exposed to the Internet.
For this new series, we decided to start with our beloved Switzerland, home of BinaryEdge’s headquarters.
If you just want a quick read,feel free to download our infographic that works as a companion for this blogpost.
This blogpost is organised in the following way:
- VNC and SCADA
- Web Servers
- Remote Management Systems
- SSL Certificates
- Big Data Technologies
But before jumping right into the technical bit, we thought it would be interesting to share with you that Switzerland has around 19 million public IP addresses, only a very small percentage (0,475%) of the 4 billion IPs that make the internet.
First, let's go over the concepts.
VNC (Virtual Network Computing) is a service that allows you to access your machine from anywhere in the world. As one might understand the benefits of this service, one can as easily understand that it’s necessary to protect this access with some type of authentication. You can find more detailed information about this in our previous blogpost VNC Image Analysis and Data Science.
SCADA (Supervisory Control and Data Acquisition) is an industrial automation control system. Due to its versatility in terms of configuration (simple to complex projects), SCADA systems can be used in many types of industries, such as:
- Food and beverage
- Oil and gas
Virtually anywhere you look, there is some type of SCADA system running, maybe even in your home.
Source: Inductive automation: What is SCADA?
An example of SCADA can be the one seen on the following diagram (Source: Schneider Electric: Modicon M340):
The controller of this industrial machine is a Modicon M340, which we just happened to have found in Switzerland, as we'll see next.
VNC and SCADA in Switzerland
We found 100 VNC servers in which many gave access to SCADA / Critical systems in Switzerland without any type of authentication, which means anyone with the simple tools could gain access to them.
For our non-technical readers, VNC can be password protected and newer versions support even more methods of authentication. However, in critical systems sometimes updating the software can be problematic. Nevertheless, this should not be an excuse as access rules can still be put in place, so that only specific ip addresses of the people that administer these systems can access these devices.
In case of VNC, it isn’t so much about the numbers but about the type of things that are available in the internet, such as critical systems. For example, we found water systems, house control systems, heating systems, GPS systems, heating systems, depuration stations and many more. We gathered a couple of examples just to give you an idea - in the images we obfuscated some information such as location or company name, since our objective is to improve security and not do any name shaming to companies:
We also found 96 SCADA systems open to the internet. Although these did not have VNC running on them, an attacker could still connect to them and execute different commands. Here are a couple of examples of the SCADA systems that we found in Switzerland:
Once again, we feel the need to reinforce that these systems are exposed to the internet without any type of password and there isn't necessary any type of attack to get access to them. These systems range from water reservoirs, factories, waste disposal systems all the way to parts of power plants, which makes their exposure to the internet even more dangerous.
Web Servers are services that process requests to deliver webpages/applications to users. Web Servers use protocols to communicate: HTTP is a basic unencrypted network protocol while HTTPS has an extra layer of security and has its connection encrypted. With this said, HTTP connections are vulnerable to attacks, such as man-in-the-middle, where they can access sensitive information - for example, your private credentials, or even inject malware to compromise your machine.
We created the following image to better explain the concepts and it can work as a real life example. If you connect to the Wifi of a cinema or a cafe like Starbucks and happen to do a login on a website that doesn't have HTTPS, a hacker that is also connected to that network will easily be able to view your username and password by performing a man in the middle attack.
The number of IPs that we found in Switzerland for both HTTP and HTTPS are very close to each other, although there is a higher number of HTTP servers (239,933) than HTTPS servers (238,083).
Even though this already presents a somewhat positive scenario, ideally, in a near future, we would like to see everything moving over to TLS/SSL.
If you would like to change your website to HTTPS have a look at Let's encrypt.
Heartbleed is a security bug found in OpenSSL that was discovered in 2014 (Many Devices Will Never Be Patched to Fix Heartbleed Bug).
OpenSSL is a software library used in software that creates a layer of security around connections between devices on the internet. It provides secure communications and it is used by two thirds of the websites in the internet.
Heartbleed is a vulnerability that allows the attackers to access the memory of data servers and retrieve critical and sensitive information from servers affected by this vulnerability. Anything that uses the vulnerable versions of OpenSSL is affected by this bug, so it doesn’t mean it’s just Web Servers, it can also be Mail Servers for example.
The following cartoon explains in a simple way how heartbleed works:
On the first step, the user Bob logs into the website, he sees the green lock on his browser so he knows it's a safe connection and sends his username and password
After Bob sends his username and password, the Browser and the Web Server start a process called a heartbeat, where the browser asks the the server if he is still there. Browser says "Are you there? Keyword is Bear" and the Server responds "Yep still here. Bear"
Because the heartbeat requests are not important, they are unencrypted. This allows the attacker to do the Heartbleed attack on the Web Server and it goes a bit like this: Hacker says: "Are you there? Keyword is Bear and 500 characters more".
Since the server doesn't check for the length of the request, the hacker then receives the entire heartbeat response from the Server. This response contains the Bear but also 500 other random things that were in the Web Servers memory, which can be garbage or important things like usernames and passwords. The hacker can repeat this request as many times as he wants to try and get access to as much information as needed.
(Thanks to the user @michabailey for helping us explain this point clearer).
In Switzerland, we found 588 IPs vulnerable to Heartbleed. Once again, even though it doesn’t seem like a big number, it makes you wonder if some of the websites you use on a daily basis made the list.
At times, it is hard to identify the organisations to whom these IP addresses belong. However our clients often use our platform to find out if they are vulnerable.
Remote management services allow you to access/manage remote machines, through a command line. Telnet and SSH are both network protocols, the primary difference between them being that SSH provides the user with an encrypted connection while the data transmitted through Telnet is clear-text. It's important for us to explain that Telnet suffers from the same problem as HTTP: in case you connect to Telnet and you are sharing a wireless network with someone else, all the credentials will be visible by hackers in that network.
In the data gathered, we found 11,997 IPs in Switzerland that are exposing the Telnet service. On the other hand, we found 55,611 IPs using SSH, a number considerably higher.
Out of curiosity, we looked for IPs that had both SSH and Telnet and found 5230 IPs. This is something that happens sometimes on appliances, however, system administrators should consider shutting off the telnet access and use SSH only.
SSL certificates are digital certificates that authenticate the identity of a website (make sure that they are who they say they are) and encrypt information using SSL technology. If the certificate is verified, a secure connection (SSL connection) is established between you and the web server, which makes the message you are transmitting (be it usernames, passwords, credit card information or any other sensitive information) only understandable by the intended receiver.
Before, when we mentioned HTTP and HTTPS, you saw a sketch that shows a connection between a user and the web server hosting the website he is visiting, through SSL connection.
In the SSL certificates data we gathered from Switzerland, we found that approximately 12% were expired. Even though the information transmitted between servers is still encrypted, there is no way to know for sure if the encryption was not compromised in some way.
The following plot shows the top 10 expiry dates for certificates in Switzerland:
Since we had already taken a look at the big data technologies in one of our first blogposts Data Technologies and Security - part 1 and again just last month Data Technologies and Security - part 2, we thought it would be interesting to check which parts Switzerland played in this big data game.
We found 522 Gigabytes of data from MongoDB, Memcached and Redis exposed on the internet. About 94% of this belongs to MongoDB - maybe because this is the most used noSQL database. Memcached accounts for 25 GB of data and Redis only 4GB.
These technologies are not secure by default and companies are still figuring out how to configure them, which might explain why there is still data exposed at this extension.
Even without any knowledge of "hacking", any person would be able to access the contents of these databases, only by using normal database clients. In the past, we found that these databases contain lots of different types of information, for example:
- Proprietary information like blueprints for robotics and custom hardware
- Pricing of items for online shops
- Lists of patients and doctors
To make this more interesting, we also looked at the companies that were exposing data and tried classifying them according to the industries they belong to:
We found that Software Development companies account for about 54% of the total data exposed. This shows that there is still huge lack of knowledge from these companies on having security be embedded into development from day 1.
Switzerland has quite a bit of fixing to do in terms of critical systems. Many of these systems exposed can cause some big damage in the hands of the wrong people and the access to these needs to be closed down as soon as possible, following the best practices of networking security should fix most of these problems.
Compared to some of the data we have seen from other countries, it seems that there are some companies in Switzerland making a big effort to try and have some good security. However, there is also a lot of work to be done by the Telecommunications industry. Usually these have huge networks which are hard to maintain, but they are also regular targets as they work great to try and pivot onto more interesting targets to attackers.
Before we started this study, a member of our team had a theory that we would find in Switzerland "better security as the country still has money to upgrade its hardware and pay people to maintain systems correctly". This connection between economics and security is something we intend to explore further in the future, crossing the data from this article comparing it to a similar study we did with Portugal a couple of years ago it sure brings to light a possible correlation between money-security.
If you would like to do your own scans, monitor your organisation and obtain scanning data have a look at our platform 40fy. .
To keep up to date with our analysis and posts please consider following us on twitter, google+ and facebook.
If you are a non-technical user, you might be interested in signing up for the BETA testers group of our mobile app that will be launched in March: Cyberfables. In this app you will be able to learn about Cybersecurity through a fun and interactive experience and also learn how to protect yourself and others against attacks.
To sign up for beta, just give us your email and we will send you an invite soon:
Use our comments section to let us know which countries you would like to see next!