The United Kingdom's National Cyber Security Centre (NCSC), the government agency that leads the country's cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities.
The goal is to assess the UK's vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture.
"These activities cover any internet-accessible system that is hosted within the UK and vulnerabilities that are common or particularly important due to their high impact," the agency said.
"The NCSC uses the data we have collected to create an overview of the UK's exposure to vulnerabilities following their disclosure, and track their remediation over time."
NCSC's scans are performed using tools running in a dedicated cloud-hosted environment, and originate from scanner.scanning.service.ncsc.gov.uk and two IP addresses (18.171.7.246 and 35.177.10.231).
The agency says that all vulnerability probes are tested within its own environment to detect any issues before scanning the UK Internet.
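Defenders who want to attribute this traffic in their own web logs can match on the two published source addresses. The following is an added example, not NCSC or article code: it assumes Combined Log Format access logs, uses constructed sample lines, and its function names are illustrative. It checks the IP addresses only, since resolving the scanner hostname needs a live DNS lookup.

```python
import ipaddress
import re
from collections import defaultdict

# Scanner source addresses as quoted in the article above.
NCSC_SCANNER_IPS = {
    ipaddress.ip_address("18.171.7.246"),
    ipaddress.ip_address("35.177.10.231"),
}

# Combined Log Format: client ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def normalise(client):
    """Parse a logged client field; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    try:
        addr = ipaddress.ip_address(client.strip("[]"))
    except ValueError:
        return None  # hostname or garbage, not an address
    return getattr(addr, "ipv4_mapped", None) or addr

def ncsc_requests(lines):
    """Return {scanner_ip: [(time, method, path, status), ...]} for matching lines."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in Combined Log Format
        addr = normalise(m["client"])
        if addr in NCSC_SCANNER_IPS:
            hits[str(addr)].append(
                (m["time"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '18.171.7.246 - - [10/Jan/2023:09:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '::ffff:35.177.10.231 - - [10/Jan/2023:09:14:05 +0000] "HEAD /robots.txt HTTP/1.1" 404 0 "-" "-"',
    '18.171.7.24 - - [10/Jan/2023:09:15:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [10/Jan/2023:09:16:41 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, reqs in ncsc_requests(SAMPLE_LOG).items():
        print(ip, reqs)
```

Parsing the address rather than comparing strings keeps near-miss values such as 18.171.7.24 from matching and catches the IPv4-mapped form that dual-stack servers log. Behind a reverse proxy or CDN the logged client is the proxy, so run this against the edge logs instead.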
"We're not trying to find vulnerabilities in the UK for some other, nefarious purpose," NCSC technical director Ian Levy explained.
"We're beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we're doing (and why we're doing it)."
How to opt out of vulnerability probes
Data collected from these scans includes any data sent back when connecting to services and web servers, such as the full HTTP responses (including headers).
Requests are designed to harvest the minimum amount of info required to check if the scanned asset is affected by a vulnerability.
If any sensitive or personal data is inadvertently collected, the NCSC says it will "take steps to remove the data and prevent it from being captured again in the future."
British organizations can also opt out of having their servers scanned by the government by emailing a list of the IP addresses they want excluded to scanning@ncsc.gov.uk.
In January, the cybersecurity agency also started releasing Nmap Scripting Engine scripts to help defenders scan for and remediate vulnerable systems on their networks.
The NCSC plans to release new Nmap scripts only for critical security vulnerabilities it believes to be at the top of threat actors' targeting lists.
Comments
ThomasMann - 1 year ago
"We're not trying to find vulnerabilities in the UK for some other, nefarious purpose..." Of course not! No government would do that to its people!
And to make the sorting out easier for the government, those who want to be on a list for the "extra suspicious", you may add yourself on a list at scanning@ncsc.gov.uk.
Where would we be, without our governments taking such good care of us....
The future looks bright.
horsedoggs - 1 year ago
This is a good thing, there are too many foolish people that don’t understand the security aspect of networking, public facing systems should always be locked down only to the required countries that need them and should also enforce MFA security protocols.
yawnshard - 1 year ago
@horsedoggs
Dramatization. Not every infrastructure is critical or relevant. Scanning your local bakery's website for vulns is a waste of time. Scanning your local hospital (as the government) for vulns is good, as they host sensitive data. Your scanning will not turn the average joe into an expert.
paulthekelly - 1 year ago
If it is internet facing, it can be hacked. This is a risk not only to the victim (even the local bakery doesn't want to be locked out of their systems by ransomware), but to everyone else as every hacked computer can be used as an attack vector by the bad guys. Given the prevalence of state-backed actors looking for infrastructure weaknesses, not doing this would be a dereliction of duty.
And the "scanning" being done here is not invasive, and there are no special superpowers being used by NCSC to do it. Connecting to a server, handshaking, and looking at the response is not pen testing, it's not "hacking" and it's less than Google or Bing do when indexing the internet for search.
h_b_s - 1 year ago
There's a difference in healthy skepticism and ridiculous paranoia. You're coming off like an irrational raving lunatic.
This is precisely what governments should be doing for multiple legitimate reasons. First of all, many device users will never assess their vulnerability footprint themselves either out of ignorance or because of perceived costs if they're a medium sized or larger business.
Second, related to the first, most individuals have absolutely no clue how to deal with their connected tools responsibly. The average person has a half loaded gun on their desk (or in their hand) and they're waving it at random people on the street while pulling the trigger.
Third, the security of a nation's infrastructure presence is absolutely in the realm of government oversight and interest - that infrastructure includes every single device connected to it - its vulnerability to attack and its potentials for harm to others and the infrastructure itself.
It boils down to if the government doesn't do it, and the business or individual won't do it, then criminals certainly will.
If there's something about this you don't like, then by all means get off the Internet. No one will miss you.
StephenRidgway - 1 year ago
Is this legal?