British Government Is Scanning All Internet Devices Hosted In UK (bleepingcomputer.com) 34
An anonymous reader quotes a report from BleepingComputer: The United Kingdom's National Cyber Security Centre (NCSC), the government agency that leads the country's cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess UK's vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture. "These activities cover any internet-accessible system that is hosted within the UK and vulnerabilities that are common or particularly important due to their high impact," the agency said. "The NCSC uses the data we have collected to create an overview of the UK's exposure to vulnerabilities following their disclosure, and track their remediation over time."
NCSC's scans are performed using tools hosted in a dedicated cloud-hosted environment from scanner.scanning.service.ncsc.gov.uk and two IP addresses (18.171.7.246 and 35.177.10.231). The agency says that all vulnerability probes are tested within its own environment to detect any issues before scanning the UK Internet. "We're not trying to find vulnerabilities in the UK for some other, nefarious purpose," NCSC technical director Ian Levy explained. "We're beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we're doing (and why we're doing it)." The NCSC says it will "take steps to remove [any sensitive or personal data] and prevent it from being captured again in the future."
British organizations can opt out of having their servers scanned by emailing a list of IP addresses they want to be excluded at scanning@ncsc.gov.uk.
Well, first sign being vulnerable... (Score:3)
...is probably if your system doesn't just say "fuck off", sorry, "sir, would it please you to mind your own business" to that scan...
Re: (Score:3)
Reminds me of the old saying "May god keep our beloved king .... alive and away".
Government? What government? (Score:2)
Three Steps to killing Franklin's republic:
1. Forgot how contagious Homer's lies were.
2. Develop psychological advertising technology to deliver votes.
3. Unleash the Kraken computers.
Won't matter if we #HeilElon as oligarch, kleptocrat, or idealist, he who dies with the most toys is still dead.
Re: (Score:3, Insightful)
Help me, the government ran nmap against me after thousands of bots already did!
Re: (Score:3, Informative)
I'm not sure why people laud Reagan for bragging about his incompetence.
Anyway if you think the government doesn't help, then put your liberty where your mouth is and move somewhere that is true such as the libertarian paradise of the Congo.
Re: (Score:2)
Re: (Score:1)
I am an idiot. I wish I could delete my previous post.
Defense of the country from the invaders and attacks is the responsibility of the government.
"Our mission is to provide the military forces needed to deter war and ensure our nation's security."
https://www.defense.gov/About/ [defense.gov]
I wouldn't mind, if it's just NMAP and/or Nessus (Score:5, Interesting)
If it's just a port scan and possibly some minor probing - just what is standard in corporate networks - this really should not have any downsides. Then just scan open ports and check the response if it's any known server header.
My ISP does the same periodically. I had once misconfigured a firewall to allow an outdated Tomcat instance exposed to all of Internet and a few days later I got an automated mail from my ISP suggesting to either close the port or upgrade the server.
Especially in this day and age when your random IoT devices might expose themselves using UPnP, this sounds like a good idea.
Re:I wouldn't mind, if it's just NMAP and/or Nessu (Score:5, Insightful)
You can think whatever you want about the feds' motives; but when it's already the case that putting something on the public internet will have it getting prodded by definitely-malicious actors within minutes to hours it's hard to get too concerned about them even under negative-into-paranoid assessments.
Re:I wouldn't mind, if it's just NMAP and/or Nessu (Score:4, Informative)
This is the truth. Any live ip address will be scanned by bots within minutes. Especially with this tool. https://github.com/robertdavid... [github.com]
My address rarely changes and ssh is not running on port 22. It starts out quiet but eventually they find the ssh port and then the brute force attempts begin. Even had to up the sensitivity on sshguard. Before using sshguard one ip from China had attempted to login 50,000 times in a month.
Remember the good old days when an unpatched XP box would be infected before the install had even finished?
Re: (Score:1)
> Remember the good old days when an unpatched XP box would be infected before the install had even finished?
Yep, and happened to me because I forgot to unplug the cable first. Then it whined that it didn't have a connection next time around.
Re: (Score:2)
What's sshguard like compared to fail2ban?
Re: (Score:2)
I was having that same problem. Have a look at the fail2ban utility. I installed that and used a few of their generic filters (ssh being one of them). It will look at your access log for likely culprits and update your firewall rules to reject IP addresses.
https://www.fail2ban.org/wiki/... [fail2ban.org]
$ sudo fail2ban-client status sshd /var/log/auth.log
Status for the jail: sshd
|- Filter
| |- Currently failed: 7
| |- Total failed: 78842
| `- File list:
`- Actions
|- Currently banned: 5
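Added example (not from the article or from any commenter): triaging sshd log lines by source address, separating the two NCSC scanner addresses given in the summary from sources that fail logins repeatedly, the pattern fail2ban and sshguard are described as banning above. The log lines, the host name "gw", the documentation-range addresses and the `max_failures` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Scanner source addresses as stated in the summary above.
NCSC_SCANNER_IPS = {"18.171.7.246", "35.177.10.231"}

# Two common OpenSSH log messages: a failed login and a pre-auth disconnect.
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
PROBE = re.compile(r"Connection closed by (\S+) port \d+ \[preauth\]")

# Constructed sample lines (documentation-range addresses, hypothetical host "gw").
SAMPLE_LOG = """\
Nov  5 10:00:01 gw sshd[811]: Failed password for root from 203.0.113.9 port 40112 ssh2
Nov  5 10:00:03 gw sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
Nov  5 10:00:05 gw sshd[812]: Failed password for invalid user test from 203.0.113.9 port 40114 ssh2
Nov  5 10:02:10 gw sshd[820]: Connection closed by 18.171.7.246 port 51022 [preauth]
Nov  5 10:05:44 gw sshd[831]: Failed password for alice from 198.51.100.7 port 50200 ssh2
Nov  5 10:06:02 gw sshd[832]: Accepted publickey for alice from 198.51.100.7 port 50201 ssh2
Nov  5 10:09:30 gw sshd[840]: Connection closed by 35.177.10.231 port 44310 [preauth]
"""

def triage(log_text, max_failures=3):
    """Return {ip: (label, failed_logins, preauth_probes)} for every source seen."""
    failed = defaultdict(int)
    probes = defaultdict(int)
    for line in log_text.splitlines():
        if (m := FAILED.search(line)):
            failed[m.group(1)] += 1
        elif (m := PROBE.search(line)):
            probes[m.group(1)] += 1
    result = {}
    for ip in sorted(set(failed) | set(probes)):
        if ip in NCSC_SCANNER_IPS:
            label = "ncsc-scanner"   # matches an announced scanner address
        elif failed[ip] >= max_failures:
            label = "brute-force"    # candidate for a fail2ban/sshguard ban
        else:
            label = "other"
        result[ip] = (label, failed[ip], probes[ip])
    return result

if __name__ == "__main__":
    for ip, (label, n_failed, n_probes) in triage(SAMPLE_LOG).items():
        print(f"{ip:15} {label:13} failed={n_failed} preauth_probes={n_probes}")
```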
Re: (Score:1)
Which is why it's pointless to send a list of IPs to not scan. Even if you think they'll ignore that and scan anyway, or even prioritise that list as you've obviously got "something to hide", no one else is going to and is as much use as setting DNT on in your browser.
Re: (Score:2)
I recall the Japanese government did this years ago too. TBH I'm surprised that the British weren't.
Re: (Score:2)
If your router/firewall is blindly allowing UPnP...it's time for a new device.
My VPN server should be OK (Score:2)
That's all they're going to scan.
There should be no opt-out mechanism (Score:2)
Sending an exclusion request is going to be the first thing IT departments do this Monday morning, and big companies are who we should be scanning in the first place since they have public exposure.
Re: (Score:2)
If I were doing this, I'd save money by only scanning those who requested exclusion.
ShieldsUp! (Score:2)
Meanwhile, this useful tool allows you to test externally facing ports on your router on demand: https://www.grc.com/shieldsup [grc.com]
First Russia, then China... (Score:1)
Only done to save your precious tax money! (Score:2)
That's the expected.. (Score:1)
From the country that implemented paid tv channels by having television detecting vans roaming the streets and agents that can get in your house to check what you're watching rather than an encryption box.
A bigger concern is mission creep... (Score:1)
As others have said, a simple nmap type of scan to determine vulnerabilities is probably not anything more than everyone is already getting from non-government sources. Does it matter if the government scans, too?
A bigger concern might be mission creep... the vulnerability scanning turns into fingerprinting, with the fingerprinting being stored and monitored for changes over time. Given the fascination the British government has for finding radio frequency *receivers* (because of the bizarre-to-Americans
Missing IPv6 (Score:2)
Seems they are only scanning legacy IP and completely ignoring IPv6, despite the fact that the two biggest ISPs in the UK provide IPv6 by default to their customers.
Re: (Score:2)
Seems you have no clue how "scanning" works...
sounds like time for a new firewall policy (Score:2)
Put it just above the block-bogan policy and make it reject, instead of drop, traffic from their scanners.
In addition, miscreants now know exactly what source addresses to spoof for their reflection-type attacks...