On November 15, the Center for Long-Term Cybersecurity hosted a lunch seminar featuring Marshall Kuypers, a cyber risk scientist at Qadium. In his presentation, “Analyzing Global Internet Data,” Kuypers explained how it is possible to scan all the publicly accessible devices in Internet Protocol version 4 (IPv4) that are connected to the internet to gain a wide range of analytic insights.
Kuypers, who is completing his PhD in Management Science and Engineering at Stanford University, has a wide range of experience in data science. He was previously a predoctoral science fellow at the Center for International Security and Cooperation (CISAC), and he has modeled cybersecurity for the Jet Propulsion Lab, developed trading algorithms with a high-frequency trading company in Chicago, and researched superconducting materials at UIUC, among other roles.
In his CLTC presentation, Kuypers provided an overview of the diverse methods used by Qadium to scan all public-facing IPs in IPv4. These 4.3 billion IP addresses connect many different types of devices, including web servers, routers, cameras, and other equipment. The process of scanning the global Internet has become incrementally faster, Kuypers explained, and can now be done in just 45 minutes. “Anyone can go out and scan the global Internet, but structuring, analyzing, and interpreting the data can be tricky,” he said.
He specifically described the practice of scanning, which relies upon identifying devices that are not secure and determining what type of device is connected at every public IP address. “When we scan the Internet, properly configured devices don’t give us much information,” he said. “Insecure devices may release lots of clues to the device type, ranging from the manufacturer to detailed info such as the serial number.”
Kuypers explained that a global Internet scan can reveal a wide range of information. The data that comes back from a scan can be used, for example, to identify counterfeit devices that have the same serial numbers, and can expose vulnerabilities in data centers, web hosting providers, and other core Internet infrastructure. He said that past scans have revealed vending machines with exposed credit-card readers; a hospital live-streaming video from exam rooms; and wide-open security and alarm control systems for major corporate buildings. “These devices are often unpatched and not updated,” he said.
In addition to identifying (and alerting companies to) these vulnerabilities, Kuypers and his colleagues have been able to glean valuable insights from the open web. For example, they can assess the size of companies’ networks, and they can identify the distribution of routers around the world by manufacturer. Kuypers emphasized that his goal is not to access or manipulate the data on those devices. “We’re trying to make the Internet more secure,” he explained. “Nothing we do should be considered hacking.”
Overall, these new techniques create great opportunities to secure the global Internet. Bad actors are continuously looking for insecure devices to hack into an organization—or to use as part of a botnet. But new technology means that defenders can move faster than attackers. Securing organizations from cyber threats will never be complete, but Marshall is optimistic that things are improving. “Lots of smart folks are working on these problems,” he said.