Metasploit creator seeks crowd's help for vuln scanning

Project Sonar combines tools, data and research

Security outfit Rapid7 has decided that there's too much security vulnerability information out there for any one group to handle, so its solution is to try to crowd-source the effort.

Announcing Project Sonar, the company is offering tools and datasets for download, with the idea that the community will provide input into the necessary research.

The brainchild of Metasploit creator HD Moore, Project Sonar aims to scan publicly-facing Internet hosts, compile their responses into datasets, mine those datasets for vulnerabilities, and share the results with the security industry.

Even though there's widespread insecurity across the Internet, Rapid7 says “at the moment there isn’t much collaboration and internet scanning is seen as a fairly niche activity of hardcore security researchers.

“We believe that the only way we can effectively address this is by working together, sharing information, teaching and challenging each other. Not just researchers, but all security professionals.”

None of the tools HD Moore's blog post lists are brand-new: they're familiar names like ZMap (led by the University of Michigan), Nmap and MASSCAN. The first three datasets Rapid7 collected for the project cover IPv4 TCP banners and UDP probe replies; reverse DNS PTR records; and SSL certificates.

Moore told SecurityWeek it's the size of the datasets that demands a crowd approach: “If we try to parse the data sets ourselves, even with a team of 30 people, it would take multiple years just to figure out the vulnerabilities in the data set,” he said. ®
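The parsing job Moore describes is mostly a join: the banner, reverse-DNS and certificate datasets each key on an IP address, and the interesting questions (which product version is everywhere, which certificates are already expired, which certificate names disagree with the host's PTR record) only fall out once a host's evidence sits in one place. The following is an added illustration, not code from Rapid7 or from the Project Sonar tooling; the record layout, the IPs, hostnames and banners are all constructed for the example, and the real Sonar files use their own formats.

```python
"""Join constructed Sonar-style records by IP and pull out a few findings.

Added example; the record shapes and all sample data below are hypothetical
and do not reflect the actual Project Sonar dataset format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import re

# Constructed sample records (documentation-range IPs, invented names/banners).
TCP_BANNERS = [
    # (ip, port, raw banner)
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_5.3"),
    ("203.0.113.10", 443, ""),
    ("203.0.113.11", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"),
    ("203.0.113.12", 21, "220 ProFTPD 1.3.3 Server ready"),
    ("203.0.113.13", 80, "HTTP/1.1 200 OK\r\nServer: nginx/1.4.2\r\n"),
    ("203.0.113.14", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"),
]
PTR_RECORDS = {"203.0.113.10": "mail.example.net", "203.0.113.11": "www.example.net"}
CERTS = [
    # (ip, port, subject CN, notAfter as ISO 8601, self_signed)
    ("203.0.113.10", 443, "mail.example.net", "2013-06-01T00:00:00Z", False),
    ("203.0.113.11", 443, "plesk", "2030-01-01T00:00:00Z", True),
    ("203.0.113.13", 443, "localhost", "2030-01-01T00:00:00Z", True),
]
# Constructed "as of" date the expiry check is evaluated against.
REFERENCE_TIME = datetime(2014, 1, 1, tzinfo=timezone.utc)

SERVER_RE = re.compile(r"^Server:\s*([^\r\n]+)", re.M)


def product_from_banner(banner):
    """Reduce a raw banner to a product/version token, or None if unrecognised."""
    m = SERVER_RE.search(banner)
    if m:
        return m.group(1).split()[0]            # "Apache/2.2.15"
    if banner.startswith("SSH-"):
        return banner.split("-", 2)[2].strip()  # "OpenSSH_5.3"
    m = re.match(r"220 (\S+ \S+)", banner)
    if m:
        return m.group(1).replace(" ", "/")     # "ProFTPD/1.3.3"
    return None


def build_inventory(banners, ptrs, certs):
    """Join the three datasets on IP so each host's evidence is in one record."""
    hosts = defaultdict(lambda: {"ptr": None, "services": {}, "certs": []})
    for ip, port, banner in banners:
        hosts[ip]["services"][port] = product_from_banner(banner)
    for ip, name in ptrs.items():
        hosts[ip]["ptr"] = name
    for ip, port, cn, not_after, self_signed in certs:
        hosts[ip]["certs"].append({
            "port": port, "cn": cn, "self_signed": self_signed,
            "not_after": datetime.fromisoformat(not_after.replace("Z", "+00:00")),
        })
    return dict(hosts)


def product_counts(hosts):
    """Number of distinct hosts exposing each product/version token."""
    counts = Counter()
    for h in hosts.values():
        for product in {p for p in h["services"].values() if p}:
            counts[product] += 1
    return counts


def expired_certs(hosts, now):
    """(ip, port, cn) for every certificate whose notAfter is before `now`."""
    return sorted((ip, c["port"], c["cn"])
                  for ip, h in hosts.items()
                  for c in h["certs"] if c["not_after"] < now)


def cn_ptr_mismatches(hosts):
    """Certificates whose CN disagrees with the host's PTR name (only where a PTR exists)."""
    return sorted((ip, c["cn"], h["ptr"])
                  for ip, h in hosts.items()
                  for c in h["certs"] if h["ptr"] and c["cn"] != h["ptr"])


if __name__ == "__main__":
    inventory = build_inventory(TCP_BANNERS, PTR_RECORDS, CERTS)
    print("products:", product_counts(inventory).most_common())
    print("expired:", expired_certs(inventory, REFERENCE_TIME))
    print("cn/ptr mismatch:", cn_ptr_mismatches(inventory))
```

The counting step is where the scale problem in Moore's remark shows up: the join itself is cheap, but every new service type needs its own banner parser before a version can be counted at all, and at Internet scale that parser-writing is the work that does not fit in one team.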

Biting the hand that feeds IT © 1998–2020