Scans Reveal 13 Million Internet-Exposed Databases

Rapid7's Tod Beardsley Says Many Inappropriate Protocols Remain Exposed
Old technology never dies, but rather just fades away, albeit very slowly. As evidence, look no further than the prevalence of outdated and unsecured internet protocols and devices that remain in use, including 21 million FTP servers, as reported in Rapid7's third annual National Exposure Index, which is based on ongoing scans of the internet.
"No normal, reputable company uses FTP to ship around customer data, and here we are in this age of GDPR for everybody," says Tod Beardsley, principal security research manager at Rapid7, referring to the EU's General Data Protection Regulation, which has been enforced since May 25. "I'm worried about all of the personally identifying information that's going to be lurking in all of these FTP servers that are easy to compromise."
Protocols that many might rightly have expected to die and be replaced - in FTP's case, by secure FTP - are not the only types of "should have known better" security failures found by Rapid7.
"Here in our third year, we've added more protocol coverage; we're looking now more at databases that are hanging out on the internet, which should be a phrase that strikes terror into the hearts of all IT people in the world," Beardsley says.
To be precise, the firm found a "worrying" number - about 13 million internet-exposed databases. "One thing that databases are super good at is processing credentials when I'm trying to use a name and password, they're super fast at it, which means I can try a lot, and no database that I know of, from Oracle or MySQL or PostgreSQL or anything has any kind of rate-limiting or lockout features or any of the kinds of things that you'd see on a normal login screen, which means I can try 50 [or] 60 combinations in a second, and very few people are logging for this."
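Beardsley's point that databases accept rapid credential attempts without lockout, and that few sites log for it, is a detection gap on the defender's side. As an added example (not from the article or from Rapid7), the following Python check runs over a constructed PostgreSQL-style server log, assuming log_line_prefix = '%m [%p] %h ', and flags any client host that produces a burst of failed logins inside a sliding time window:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed PostgreSQL-style server log, assuming log_line_prefix = '%m [%p] %h '
# (timestamp, backend pid, client host). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-06-20 10:15:01.100 UTC [4101] 203.0.113.7 FATAL:  password authentication failed for user "app"
2018-06-20 10:15:01.130 UTC [4102] 203.0.113.7 FATAL:  password authentication failed for user "app"
2018-06-20 10:15:01.160 UTC [4103] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2018-06-20 10:15:01.190 UTC [4104] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2018-06-20 10:15:01.220 UTC [4105] 203.0.113.7 FATAL:  password authentication failed for user "admin"
2018-06-20 10:15:01.250 UTC [4106] 203.0.113.7 FATAL:  password authentication failed for user "admin"
2018-06-20 10:15:04.000 UTC [4107] 198.51.100.9 FATAL:  password authentication failed for user "app"
2018-06-20 10:15:05.000 UTC [4108] 198.51.100.9 LOG:  connection authorized: user=app database=prod
2018-06-20 10:15:09.000 UTC [4109] 198.51.100.9 FATAL:  password authentication failed for user "app"
"""

FAILURE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[\d+\] (?P<host>\S+) '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"'
)

def parse_failure(line):
    """Return (timestamp, client host, user) for a failed-login line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("host"), m.group("user")

def detect_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Map each client host to its peak failed logins inside one sliding window,
    keeping only hosts that reached the threshold (the lockout check the DB skips)."""
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    peak = defaultdict(int)      # host -> highest in-window count seen so far
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host, _user = parsed
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # age out failures older than the window
            q.popleft()
        peak[host] = max(peak[host], len(q))
    return {h: n for h, n in peak.items() if n >= threshold}
```

Running `detect_bursts(SAMPLE_LOG.splitlines())` on the sample flags only the host that produced six failures in a fraction of a second; the host with two failures spread over five seconds stays below the threshold.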
In a video interview at the recent Infosecurity Europe conference in London, Beardsley discusses:
- Widespread instances of poorly secured UDP and the voice-over-IP SIP protocol;
- The prevalence of memcached servers, which have been used this year to launch massive distributed denial-of-service attacks;
- The ongoing, worryingly high levels of SMB, telnet and FTP usage.
Beardsley is the director of security at Rapid7. He has over 20 years of hands-on security knowledge and experience, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT ops and IT security positions in large footprint organizations such as 3Com, Dell and Westinghouse, as both an offensive and defensive practitioner. Today, Beardsley often speaks at security and developer conferences on open source security software development, managing the human "Layer 8" component of security and software, and reasonable vulnerability disclosure handling.