| 31 Mar 2016 | ( words)

Security of a Country: Portugal

Portugal is our second destination in our series “Security of a Country”.

Back in 2012, some of our team members conducted a research about the state of cybersecurity in Portugal at that time. After 4 years and with big developments in our 40fy platform, we decided to gather some fresh new data and re-analyse the security of the country.

Portugal, as Switzerland, is a beloved country to BinaryEdge, since most of us grew up there and have most of the team split between the two countries. Even though these are both small countries, we do realise that there’s a huge difference between the two. So, for this blogpost, we decided to take the extra step and analyse if their economy reflects in any way on cybersecurity.

For Portugal we analysed the same technologies that we did for Switzerland and included a couple more interesting topics, such as Email protocols, SMB/Samba and FTP. If you’re not familiar with the protocols, technologies and concepts that we talked about before, please refer to: GHOST_URL/2016/02/16/security-of-a-state-switzerland/. For the new protocols introduced in this blogpost, we will not only present the data but explain the concepts as well.

As we did in our first blogpost of this series, we created an infographic which includes the data founded by our engine about Portugal. So if you just want a quick read, go ahead and download our infographic.

This blogpost is organised in the following way:

  • [VNC and SCADA](#VNC and SCADA)
  • [Web Servers](#Web Servers)
  • [Remote Management Systems](#Remote Management Systems)
  • [SSL Certificates and Heartbleed](#SSL Certificates and Heartbleed)
  • [Big Data Technologies](#Big Data Technologies)
  • [Email Protocols](#Email Protocols)
  • Samba
  • FTP

Portugal, as a small country, retains around 6 million public IP addresses, 0.15% of the total internet space (once again, it consists of 4 billion IPs). As you remember, Switzerland has 19 million IP addresses. If we think about the fact that Portugal has approximately 10 million habitants and Switzerland has 8 million, we can’t help but wonder why where’s such a difference in the presence is the internet space?

VNC and SCADA

VNC#####

We found 60 VNC servers without any type of authentication exposed to the Internet.
We also looked for a well known vulnerability (CVE-2006-2369) which allows an attacker to bypass authentication via an exploit on RealVNC 4.1.0 and 4.1.1. To check if these systems are vulnerable, we analysed the output string that a VNC server returns when we do our scanning (if the response contains the string “RFB 003.008” it means it is a vulnerable version). With this said, we found 395 servers running the vulnerable version of this service.

Fun fact: Portugal is famous by its amazing food, so it's not surprising that most of the VNC servers exposed to the Internet are from an application called WinREST, used in restaurants and bars.

Nonetheless, we found other devices too.

Leaving VNCs exposed and unpatched could cause serious problems, where one could compromise the entire device or even the network where that device is connected. Keep in mind that these are systems that are exposed to the Internet without any type of authentication and that we found water reservoirs, intelligent house management, and other critical systems making them desirable by attackers.
An article was published on Vice, where a hacker “sold access to devices like these for $30.000 to a russian group”.

SCADA#####

As mentioned on our blogpost about Switzerland, SCADA (Supervisory Control and Data Acquisition) is an industrial automation control system. Due to its versatility in terms of configuration (simple to complex projects), SCADA systems can be used in many types of industries, such as:

  • Energy
  • Food and beverage
  • Manufacturing
  • Oil and gas
  • Power
  • Recycling
  • Transportation
  • Water

In Portugal, we found 198 industrial and critical systems exposed to the internet without authentication specifically using the modBUS protocol, a number much higher than Switzerland.

Here are a couple of examples of models of Hardware found:

Schneider Electric BMX NOE 0100

Schneider Electric SAS TSXETY4103

And we found a few more, such as:

  • Schneider Electric TM241CE24T_U
  • Schneider Electric TM251MESE
  • Schneider Electric XBTGT7340
  • Telemecanique TSXETG1000
  • Telemecanique TWDLCAE40DRF

Having these devices exposed to the internet can cause a big risk not just for the companies that own them, but, depending on the devices that are being controlled by this hardware it can cause damage to the country and people around them. Cybercrime is targeting these devices and it’s important to secure them.

For proper literature on how to secure these devices we recommend the book: Industrial Network Security, Securing Critical Infrastructure, SCADA and other industrial control systems by Eric D. Knapp and Joel Langill.

Web Servers

We found 59,492 IP addresses with HTTPS and 88,654 IPs with HTTP. This means that most web servers run without any encryption, making them vulnerable to attacks. If someone transmits their credit card information or social security number through an insecure connection, it would be easy for an attacker to extract this information. Therefore, HTTPS brings great benefits, as customers are getting more aware of the dangers of the internet, they are more likely to do purchases in websites that have SSL. With an encrypted connection, it is safe to transmit customer personal information to the webserver, as it cannot be intercepted. With this said, it would be wise to add an encryption layer to these 88,654 IPs and allow the users to feel safe while using these servers.

Remote Management Systems

Regarding network protocols, we found 18,853 unique IPs with SSH, 14,086 IPs with telnet and 3280 IPs with both SSH and telnet.

Back in 2012 we had found 30,582 IPs with telnet - four years later, this number has dropped to about half, which is extremely positive. However, the still high number of IPs with telnet concern us. Half of the information transmitted to these systems is in plain, clear text, which means, once again, easy access to hackers or anyone who wants to exploit this information.

On a deeper analysis of SSH, we found that out of the 35,991 fingerprints found in SSH, 39% were duplicated. This means that the same keys are being reused multiple times, so if one of them is compromised, the others are too.

Here is the top20 duplicated fingerprints found in Portugal.

Considering the fingerprints presented in the plot above, we analysed to which ASN (Autonomous System Number) the corresponding IP belonged.

There is a number that stands out in this plot and it shows us that the first provider is reusing SSH keys across multiple machines.

If you have read our blogpost on SSH, you remember that at the time we looked at the vulnerability that happened with the Debian random number generator. We decided to repeat this analysis for all the SSH keys we found in Portugal and here are the results:

As one can see, even 8 years after the release of the vulnerability, there are still machines using these keys, making them extremely vulnerable.

This time we also looked at the versions of OpenSSH, so we present to you the top10 versions found in Portugal:

In the plot above, we can see that most users of OpenSSH haven't updated to the latest versions, which means that the majority is affected by vulnerabilities - the oldest the version, the more vulnerable it is. The same goes for the version we found with more frequency in our data (version 5.3) which was released in 2009, 7 years ago.

Out of curiosity, we wanted to see which was the oldest and the newest versions used on OpenSSH. The oldest version we found was 3.1 and it was present in 3 IPs. Even though it’s just a small number, it’s important to refer that this version was released in 2002 and, by being an old version, it is affected by multiple critical vulnerabilities.
The newest version we found is was 7.2 and it was present in 34 IP addresses (this version was released earlier this year).

SSL Certificates and Heartbleed

Regarding the expiration dates of SSL certificates, we conclude that 13,7% of all the SSL certificates found in Portugal are expired, which means that the great majority 86,3% is still valid. We have previously seen the same scenario in Switzerland. If you recall, Switzerland had 12% of certificates expired.
Now speaking about the Heartbleed vulnerability, we found that 335 IPs vulnerable to Heartbleed. Considering the number of IPs in Switzerland and Portugal, we can conclude that Switzerland has less percentage of IPs with Heartbleed.

Big Data Technologies

The Big Data Technologies we found exposed to the internet in Portugal were the same we found in Switzerland: MongoDB, Memcached and Redis, and they followed the same pattern. Out of the total data found (about 209.32 GB), MongoDB account for 92.8% (194.21 GB) of it, while Memcached and Redis contributed with 15.09 GB and 0.020 GB, respectively.

As we know, MongoDB is the most used noSQL database and that’s why it accounts for so much of the data exposed to the internet. However, it should really make the companies take the time to learn how to correctly configure this technologies.

Email Protocols

An email protocol can be defined as a set of rules that are used to transmit information allow the communication between an email server and the user. There are protocols used for sending emails (SMTP) and protocols used for receiving emails (IMAP and POP3).

SMTP (Simple Mail Transfer Protocol): this protocol is always used for sending emails - it is used to deliver an email to the recipient email server. When added an extra layer of security (SSL - Security Socket Layer or TLS - Transport Layer Security), the communication becomes encrypted: SMTPS.

IMAP (Internet Message Access Protocol) is used to retrieve the emails from the server itself. The user can access the emails and manipulate them in the server as they were stored in the user’s computer. IMAP requires only a small data transfer: not every email is downloaded from the server, only the emails you choose to read. The communication via IMAP can also be encrypted with SSL: IMAPS.

POP3 (Post Office Protocol) is a protocol used to download emails from a server and store them in the user’s computer. Once you have downloaded the email to a computer, it is no longer available in the mail server, therefore, not accessible from other devices. However, there’s an option to leave the emails on the server for a certain period of time. Since every email is downloaded, you are at risk of download viruses and spam email. When directed through an SSL layer, the POP3 protocol is called POP3S.

Normally, the encrypted protocol runs in one port and the unencrypted protocol runs in another port. However, in both ports for all these protocols we found protocols both encrypted and not encrypted. So, instead of presenting results by port, we will present results by service, which includes the two ports for each service.

Here is the number of IPs we found with the different email protocols.

In general, this is a good overview as we can see that the majority of the communications through these email protocols is encrypted.

Samba

Server Message Block (SMB) is a standard protocol used by the Microsoft network file system. This protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from programs in a computer network. This protocol allows an application (or the user of an application) to access files or other resources from computers (or other resources, such as printers and others) on that network, which allows applications to read, create or modify files. While SMB is mostly used by computers using microsoft, Samba runs Unix-like systems.
Both Samba and SMB allow for guest login sessions. This means that any user can access the servers without a username and password, which is one of the things that make these protocols vulnerable to attacks.
For the purpose of this blogpost, we looked at ports 139 and 445, together.

We found 1,792 IPs with this service open. Out of these, 79% (1424) has weak or no authentication, which means that anyone could access the files in these servers without any username or password, e.g., critical business information or private financial records.

Out of curiosity, we looked up the top10 operating systems running Samba.

Considering that the Unix versions were too many to group together, we decided to present all of them together in an unique category: Unix. The Windows versions however were easily grouped into the categories presented to you. Comparing the total units of Unix servers and Windows servers, we can see that there's a higher number of Windows servers running Samba.

FTP

File Transfer Protocol (FTP) is used to transfer files between a client and a server on a network. Some FTP servers allow you to login anonymously, that is, using username and password “anonymous”. If a company has a server that allows this kind of login, anyone could access the files stores in their servers. Another problem is for websites stored in FTP servers that have this kind of login, anyone could modify the content of a website. These are only a couple of examples, but there are many more dangers related to having an FTP connection that is not encrypted. Like we saw on email protocols, FTP can also be encrypted through SSL, being called FTPS.

While analyzing the scan results for both ports 21 and 990, we found that both FTP and FTPS were present in both ports. Therefore, we opted by presenting the results according to the encryption of FTP. With this said, we found 8,192 IPs with FTP and 5,312 IPs with FTPS. A possible reason that there is a higher number of unencrypted FTP servers than FTPS servers could be that when users install an FTP server, they just want a quick way to share their files so they don’t spend the time configuring SSL certificates or any other configurations (for example, we found that 5.6% of these servers allowed “anonymous” login).

Final Remarks

While comparing Portugal and Switzerland, the first big number that stood out was the industrial and critical systems exposed on the internet without authentication. Considering that Portugal has not even one third of the number of IPs in Switzerland, we found it shocking that it had a number of exposed critical systems so much higher than Switzerland (96).
On the positive side, there was a significant reduction on the number of IPs with telnet since 2012, which is a security improvement.

There are still a lot of services not running on SSL and we can't stress enough how important it is to encrypt all these communications.

If you would like to do your own scans, monitor your organisation and obtain scanning data have a look at our platform 40fy. .
To keep up to date with our analysis and posts please consider following us on twitter, google+ and facebook.

Use our comments section to let us know which countries you would like to see next!