In many ways bug bounty programs are a form of security crowdsourcing (there are even third-party companies that specialize in it), but Project Sonar is casting a wider net, tapping the masses of amateur and professional security folk out there to "scan all the things": analyzing vast data sets gleaned from the public internet, and whatever else is freely available online, for security concerns. Participants aren't rewarded monetarily, either. They're encouraged either to spend time parsing the data sets that Rapid7 itself is generating, or to perform scans themselves using the free tools Rapid7 provides, and then to share the resulting data.
“If scanning is not your thing, take a look at the data provided by others and share your views on what it means and what we can do about it,” said Rapid7 researcher Jen Ellis in the Sonar blog. “Apply your learnings to your own environment – how are you exposed? Can you help other people with the knowledge you’ve gained? Can they help you?”
The firm said that it will coordinate with other research institutions and scanning projects so that the data can be made available to everyone. It also said it will establish best-practice boundaries on scan rates and frequencies, to reduce the impact of this kind of research on networks and IT staff and to avoid duplicate scans and unnecessary bandwidth usage.
A few projects to date have attempted this kind of scanning, but internet-wide surveys have largely been considered infeasible because of their scale and the attendant cost and labor. Exceptions include the IPv4 Census published by the University of Southern California in 2006, which sent ICMP echo requests to all IPv4 addresses between 2003 and 2006 to collect statistics and trends about IP allocation. There was also the 420,000-machine Carna botnet, which carried out the illegal Internet Census 2012. The EFF SSL Observatory, meanwhile, has investigated "publicly-visible SSL certificates on the Internet in order to search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested in the web's encryption infrastructure."
The idea behind Project Sonar is to take this kind of undertaking and move it from the world of hard-core security researchers to a place where the masses can get involved. To that end, individuals and organizations can participate at any number of levels, and every little bit counts.
Ellis added, “We believe that the only way we can effectively address this is by working together, sharing information, teaching and challenging each other. Not just researchers, but all security professionals… You can kick off a new scanning project; you can analyze existing data sets; you can suggest action plans for fixing bugs or share your security horror stories. There are so many ways to get involved.”
The benefits of widespread information-sharing are manifold: companies can use these kinds of datasets to gain visibility into their own assets and public-facing services, cross-checking what the outside world sees against what they believe they have deployed. They can also reduce the risk of misconfiguration and learn about common problems with devices and software. At the most basic level, research into problems and bugs also raises much-needed awareness.
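The kind of check described above, turning a public scan dataset into an answer to "how are you exposed?", is straightforward once you have the data. The following is an added example and not Rapid7's or Project Sonar's own code: it cross-references a constructed set of scan records (IP, port, banner) against a hypothetical organization's address ranges (the RFC 5737 documentation prefixes stand in for real ones) and flags services that a policy, also assumed here, says should never face the public internet. The record format and the flagged-port list are both assumptions, not a Sonar schema; real datasets carry their own layouts and the parsing step would differ.

```python
"""Cross-reference public scan records against our own address space.

Added example; not Rapid7 or Project Sonar code. The record shape
(ip, port, banner), the address ranges and the flagged-port policy are
all assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample scan records, not real data. The last entry is
# deliberately malformed to show that bad rows are skipped, not fatal.
SAMPLE_RECORDS = [
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_5.3"),
    ("203.0.113.10", 443, "HTTP/1.1 200 OK"),
    ("203.0.113.77", 23, "Telnet"),
    ("198.51.100.5", 80, "HTTP/1.1 200 OK"),
    ("198.51.100.200", 5900, "RFB 003.008"),   # outside our /25, not ours
    ("192.0.2.9", 3389, ""),                    # someone else's space
    ("not-an-ip", 80, "garbage row"),
]

# Hypothetical organization address space (RFC 5737 documentation ranges).
OUR_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]

# Assumed policy: services that should not be reachable from the internet.
FLAGGED_PORTS = {23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}


def build_networks(cidrs):
    """Parse CIDR strings once; strict=True rejects host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def in_our_space(ip, networks):
    """True if ip parses and falls inside any of our networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed row in the dataset; ignore it
    return any(addr in net for net in networks)


def exposed_services(records, cidrs):
    """Return {ip: sorted [(port, banner), ...]} for records inside our space.

    This is the "visibility" step: what the public internet sees on
    addresses we own, regardless of what our inventory claims.
    """
    nets = build_networks(cidrs)
    exposure = defaultdict(list)
    for ip, port, banner in records:
        if in_our_space(ip, nets):
            exposure[ip].append((int(port), banner))
    return {ip: sorted(svcs) for ip, svcs in exposure.items()}


def flag_findings(exposure):
    """Return [(ip, port, reason), ...] for exposed services that violate policy."""
    findings = []
    for ip in sorted(exposure):
        for port, _banner in exposure[ip]:
            if port in FLAGGED_PORTS:
                findings.append((ip, port, f"{FLAGGED_PORTS[port]} exposed"))
    return findings


if __name__ == "__main__":
    seen = exposed_services(SAMPLE_RECORDS, OUR_RANGES)
    for ip, svcs in sorted(seen.items()):
        print(ip, [p for p, _ in svcs])
    for ip, port, reason in flag_findings(seen):
        print(f"FINDING {ip}:{port} {reason}")
```

The useful output is usually the diff between this view and the internal asset inventory: a host that appears in the scan data but not in the inventory is either shadow IT or a stale address assignment, and either way it is worth a look before an attacker takes one.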
“In our opinion visibility into publicly available services and software is lacking severely. Research like the EFF Observatory leads to better knowledge about problems and allows us to improve the security of the internet overall,” explained Rapid7 researcher Mark Schloesser in a blog. “Datasets from efforts such as the Internet Census 2012, even though obtained through illegal means, provide fertile ground for researchers to find vulnerabilities and misconfigurations. If we were able to obtain datasets like this on a regular basis through legal means and without noticeable impact on equipment, it would allow the security community to research trends, statistics and problems of our current public internet.”