Censys Inc, vendor of the popular Censys internet-mapping tool, has revealed that state-based actors are trying to abuse its services by hiding behind academic researchers.

Censys started life in 2015 as an academic project that aimed to scan the internet and provide data to the research community. In 2017 the project formed a company that now provides a comprehensive map of the internet that it says can help cyber-defenders to find threats and respond before they create a problem.

The company continues to provide data to researchers, but in a paper it will present at the SIGCOMM conference next week, admits “Equitably operating a research program is more challenging than we anticipated.”

“While it is easy to verify the identity of well-established researchers with a Google Scholar profile or presentations at conferences like Blackhat or BSides, these constitute only a small fraction of requests,” the paper states.

Most requests come from “independent researchers and students who have no public reputation,” the paper states. Censys has therefore established evaluation criteria that include submission of a clear research plan, researchers’ intention to publicly disseminate results, and receiving confirmation that work is conducted independently or as part of a non-profit or academic institution. An internal team reviews applications from researchers and applies those criteria.

But the work isn’t easy.

“Many students lack coherent research plans and without significant back-and-forth, it is difficult to discern between poorly written requests, requests from first-time researchers exploring, and fabricated plans,” the paper states.

“We struggle to process many international requests because of language barriers and mounting evidence that universities are being used to proxy offensive government operations in some countries, turning research access decisions political,” it continues, before observing that Censys staff have recently seen “malicious actors use the research program to identify vulnerable systems.”

The company has responded by establishing “multiple access tiers that provide delayed access or access to a subset of data.”

Sometimes the process turns nasty.

“Much to our surprise, it is not uncommon for researchers to send vitriolic messages, accusations, and, in rare cases, threats,” the paper reveals, noting that such abuse “can quickly turn program administration into a thankless job, similar to the experiences expressed by open source maintainers.”

The purpose of the paper is to inform the networking and security communities about the evolution of Censys, because the company feels it hasn’t documented its history in research literature. The paper therefore reveals that Censys can now see 794 million IPv4 services, up from 275 million in 2015, and has improved its ability to scan for IPv6 systems and name-addressed HTTP(S) services.

The document also explains how Censys scans the internet, and asserts its data is more accurate than rivals like Shodan, Fofa, ZoomEye, and Netlas.