[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] Internet Auditing Project (from: aleph1@SECURITYFOCUS.COM)

----- Forwarded message from Elias Levy <aleph1@SECURITYFOCUS.COM> -----

Date:         Fri, 13 Aug 1999 09:11:53 -0700
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
Subject:      Internet Auditing Project

I believe this will be of interest to everyone. Recently Security Focus
received an essay for the Guest Feature forum that discussing a project
by a group of people that performed a security scan of most of the
Internet. To my knowledge this is a first (at least publicly). They
scanned over 36 million hosts. The results a very interesting. They
have also made the source code of their scanner, BASS, available for

Here is their announcement:

PRESS RELEASE - The Internet Auditing Project

Aug 13 - SSR, an independent security research group, have recently
released a memorandum of the Internet Auditing Project, describing the
groups efforts to scan over 36 million (circa Jan 1999) Internet hosts
(including it's sensitive military, government and private networks)
for commonly known remote security vulnerabilities.

The article is written in full-disclosure HOWTO form, supplying the
reader with everything he needs to know to repeat the scan on his own
(wheels, map and the road), with relatively few resources, including
the special-purpose bulk auditing software developed for the project.

It offers several unique, interesting insights on the gloomy state of
computer security on the Internet, touches on hacker culture, and
in-between describes the group's encounter with counterprobes, angry
e-mails, threatening lawyers (with relevant legal commentary), a
crippling denial of service attack and even an Unidentified Cracking
Object (OCO!) which successfully attacked and penetrated [part of] the
group's networks with spine-chilling sophistication.

The IAP's results? Grim:

        "... immediately threaten the security [...] of many millions of
         systems in commercial, academic, government and military
         organizations ..."

And even...

        "We were stunned to find just how many networks you would expect
         to be ultra secure were wide open to attack. Banks, billion
         dollar commerce sites, computer security companies, even nuclear
         weapon research centers!"

It's implications? Grimmer, suggesting an immediate present and future
threat to the world's largest and most significant information technology

(Holy smoke! So what do we do?!)

The article introduces a viable solution, in the form of the "International
Digital Defense Network" (IDDN). An ambitious proposal for a public interest
project which could dramaticly influence the security of the Internet (for
the good!), and resolve many of the most serious problems covered in the

The article is available as a guest feature (the first) on
www.securityfocus.com (the good people hosting Bugtraq) at:

BASS, the Bulk Auditing Security Scanner developed for the project has also
been released and is free for download at

Seek the wisdom.

----- End forwarded message -----