Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
United Kingdom Network Privacy The Internet

British Government Is Scanning All Internet Devices Hosted In UK (bleepingcomputer.com) 34

An anonymous reader quotes a report from BleepingComputer: The United Kingdom's National Cyber Security Centre (NCSC), the government agency that leads the country's cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess UK's vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture. "These activities cover any internet-accessible system that is hosted within the UK and vulnerabilities that are common or particularly important due to their high impact," the agency said. "The NCSC uses the data we have collected to create an overview of the UK's exposure to vulnerabilities following their disclosure, and track their remediation over time."

NCSC's scans are performed using tools hosted in a dedicated cloud-hosted environment from scanner.scanning.service.ncsc.gov.uk and two IP addresses (18.171.7.246 and 35.177.10.231). The agency says that all vulnerability probes are tested within its own environment to detect any issues before scanning the UK Internet. "We're not trying to find vulnerabilities in the UK for some other, nefarious purpose," NCSC technical director Ian Levy explained. "We're beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we're doing (and why we're doing it)."
The NCSC says it will "take steps to remove [any sensitive or personal data] and prevent it from being captured again in the future."

British organizations can opt out of having their servers scanned by emailing a list of IP addresses they want to be excluded at scanning@ncsc.gov.uk.
This discussion has been archived. No new comments can be posted.

British Government Is Scanning All Internet Devices Hosted In UK

Comments Filter:
  • by Opportunist ( 166417 ) on Saturday November 05, 2022 @08:12AM (#63026349)

    ...is probably if your system doesn't just say "fuck off", sorry, "sir, would it please you to mind your own business" to that scan...

  • by Zarhan ( 415465 ) on Saturday November 05, 2022 @08:31AM (#63026399)

    If it's just a port scan and possibly some minor probing - just what is standard in corporate networks - this really should not have any downsides. Then just scan open ports and check the response if it's any known server header.

    My ISP does the same periodically. I had once misconfigured a firewall to allow an outdated Tomcat instance exposed to all of Internet and a few days later I got an automated mail from my ISP suggesting to either close the port or upgrade the server.

    Especially in this day an age when your random IoT devices might expose themselves using UPnP, this sounds like a good idea.

    • by fuzzyfuzzyfungus ( 1223518 ) on Saturday November 05, 2022 @08:41AM (#63026409) Journal
      There's also the fact that it's not really a change. I'm not sure if anyone has a comprehensive list of who is crawling huge swaths of IPv4 looking for interesting things, since some of that is done more or less quietly by botnets, but it's not a particularly short list. Shodan even puts a handy search engine around it if you are too lazy to do it yourself.

      You can think whatever you want about the feds' motives; but when it's already the case that putting something on the public internet will have it getting prodded by definitely-malicious actors within minutes to hours it's hard to get too concerned about them even under negative-into-paranoid assessments.
      • by ArchieBunker ( 132337 ) on Saturday November 05, 2022 @09:34AM (#63026459)

        This is the truth. Any live ip address will be scanned by bots within minutes. Especially with this tool. https://github.com/robertdavid... [github.com]

        My address rarely changes and ssh is not running on port 22. It starts out quite but eventually they find the ssh port and then the brute force attempts begin. Even had to up the sensitivity on sshguard. Before using sshguard one ip from China had attempted to login 50,000 times in a month.

        Remember the good old days when an unpatched XP box would be infected before the install had even finished?

        • > Remember the good old days when an unpatched XP box would be infected before the install had even finished?

          Yep, and happened to me because I forgot to unplug the cable first. Then it whined that it didn't have a connection next time around.

        • What's sshguard like compared to fail2ban?

        • I was having that same problem. Have a look at the fail2ban utility. I installed that and used a few of their generic filters (ssh being one of them). It will look at your access log for likely culprits and update your firewall rules to reject IP addresses.

          https://www.fail2ban.org/wiki/... [fail2ban.org]

          $ sudo fail2ban-client status sshd
          Status for the jail: sshd
          |- Filter
          | |- Currently failed: 7
          | |- Total failed: 78842
          | `- File list: /var/log/auth.log
          `- Actions
          |- Currently banned: 5

      • Which is why it's pointless to send a list of IPs to not scan. Even if you think they'll ignore that and scan anyway, or even prioritise that list as you've obviously got "something to hide", no one else is going to and is as much use as setting DNT on in your browser.

    • by AmiMoJo ( 196126 )

      I recall the Japanese government did this year's ago too. TBH I'm surprised that the British weren't.

    • by DewDude ( 537374 )

      If your router/firewall is blindly allowing UPnP...it's time for a new device.

  • That's all they're going to scan.

  • Sending an exclusion request is going to be the first thing IT departments do this Monday morning, and big companies is who we should be scanning in the first place since they have public exposure.

    • by Duds ( 100634 )

      If I were doing this, I'd save money by only scanning those who requested exclusion.

  • Meanwhile, this useful tool allows you to test externally facing ports on your router on demand: https://www.grc.com/shieldsup [grc.com]

  • ... now the "evil UK"!
  • Just imagine the government would use your tax money to buy/build exploit code only to later find that those exploits target systems that are not actually abundant in the UK! So in order to keep the "cyber force's" spending effective, of course they have to scan their future victims. See also: https://www.wired.co.uk/articl... [wired.co.uk]
  • From the country that implement paid tv channels by having television detecting vans roaming the streets and agents that can get in your house to check what you're watching rather than an encryption box.

  • As others have said, a simple nmap type of scan to determine vulnerabilities is probably not anything more than everyone is already getting from non-government sources. Does it matter if the government scans, too?

    A bigger concern might be mission creep... the vulnerability scanning turns into fingerprinting, with the fingerprinting being stored and monitored for changes over time. Given the fascination the British government has for finding radio frequency *receivers* (because of the bizarre-to-Americans

  • Seems they are only scanning legacy IP and completely ignoring IPv6, despite the fact that the two biggest ISPs in the UK provide IPv6 by default to their customers.

  • Put it just above the block-bogan policy and make it reject, instead of drop, traffic from their scanners.

    In addtion, miscreants now know exactly what source addresses to spoof for their reflection-type attacks...

There is no opinion so absurd that some philosopher will not express it. -- Marcus Tullius Cicero, "Ad familiares"

Working...