From: Elias Levy [aleph1@SECURITYFOCUS.COM] Sent: Friday, August 13, 1999 12:12 PM To: BUGTRAQ@SECURITYFOCUS.COM Subject: Internet Auditing Project I believe this will be of interest to everyone. Recently Security Focus received an essay for the Guest Feature forum that discussing a project by a group of people that performed a security scan of most of the Internet. To my knowledge this is a first (at least publicly). They scanned over 36 million hosts. The results a very interesting. They have also made the source code of their scanner, BASS, available for download. Here is their announcement: PRESS RELEASE - The Internet Auditing Project Aug 13 - SSR, an independent security research group, have recently released a memorandum of the Internet Auditing Project, describing the groups efforts to scan over 36 million (circa Jan 1999) Internet hosts (including it's sensitive military, government and private networks) for commonly known remote security vulnerabilities. The article is written in full-disclosure HOWTO form, supplying the reader with everything he needs to know to repeat the scan on his own (wheels, map and the road), with relatively few resources, including the special-purpose bulk auditing software developed for the project. It offers several unique, interesting insights on the gloomy state of computer security on the Internet, touches on hacker culture, and in-between describes the group's encounter with counterprobes, angry e-mails, threatening lawyers (with relevant legal commentary), a crippling denial of service attack and even an Unidentified Cracking Object (OCO!) which successfully attacked and penetrated [part of] the group's networks with spine-chilling sophistication. The IAP's results? Grim: "... immediately threaten the security [...] of many millions of systems in commercial, academic, government and military organizations ..." And even... "We were stunned to find just how many networks you would expect to be ultra secure were wide open to attack. Banks, billion dollar commerce sites, computer security companies, even nuclear weapon research centers!" It's implications? Grimmer, suggesting an immediate present and future threat to the world's largest and most significant information technology infrastructure. (Holy smoke! So what do we do?!) The article introduces a viable solution, in the form of the "International Digital Defense Network" (IDDN). An ambitious proposal for a public interest project which could dramaticly influence the security of the Internet (for the good!), and resolve many of the most serious problems covered in the article. The article is available as a guest feature (the first) on www.securityfocus.com (the good people hosting Bugtraq) at: http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32 BASS, the Bulk Auditing Security Scanner developed for the project has also been released and is free for download at http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz Seek the wisdom.