Posted on 02/08/2013 7:39:37 PM PST by nickcarraway
Aren’t you glad Shodan is in the hands of good guys like John Matherly?
Ask John Matherly if he’s a hacker, and he’ll struggle for a moment with the term.
On one hand, he’s a hacker, in the sense that he’s an innovative programmer, arms deep in the information-security industry. On the other, he’s hypersensitive to how his baby—a project called Shodan—is portrayed in the press. In the past year, it’s surged in notoriety and not just in technology publications, such as Ars Technica and Wired. Shodan’s been the subject of multiple Washington Post investigative features, profiled on Dutch television and name-dropped by Sen. Joe Lieberman both in a statement on the Senate floor and in a New York Times op-ed, in which he characterized the site as a “nefariously named” hacking tool that was becoming more powerful and easier to use each year.
“I’m not doing anything malicious,” Matherly, who lives in Encinitas, says. “I’m trying to be a good citizen on the Internet.”
Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure.
Imagine a building. Now imagine a private detective checking out the building, snooping around the perimeter, noting what security company’s sticker is on the window, what kind of locks are on the doors, what kind of sprinkler system waters the landscaping, what brand of air conditioner is mounted on the roof, what electric company services the smart meter around the back. Now imagine that investigator does the same thing for every office, every home, every school, every factory, power plant, hospital and football stadium and uploads it to a publicly available database. That’s what Shodan does, but with IP addresses.
It’s almost like an automated way to digitally case every joint in the world.
“But casing already usually implies some malicious intent,” Matherly says. “Because why are you casing in the first place if you’re not trying to get inside? My intention obviously is not to get inside. For the record, everything I do is 100-percent legal.”
American-born and raised in Switzerland, Matherly, now 28, dropped out of his Swiss high school and moved to San Diego in 2001 to live with his aunt and obtain a GED. He designed the first iteration of Shodan—named after the villainous artificial intelligence from the video game System Shock—while studying at Mesa Community College, but his original goal was to create a way for technology firms to conduct market research. When he formally launched Shodan in 2009, the hacking community quickly realized it had much greater potential; Matherly had created a living database of every insecure machine connected to the Internet, from home printers to large-scale industrial systems.
Related content Takeaways from ToorCon 2012 Related to:John MatherlyThe InternetShodanhackers “The fact that somebody is basically shining a flashlight into a dark room shouldn’t be the part people are afraid of,” says Dan Tentler, a San Diego-based information-security consultant. “The part people should be afraid of is the fact that some genius decided to take, for example, a five-megawatt hydroelectric plant in France, put its control computer on the Internet and allowed everybody that knew about the IP address to connect to it and make changes to this dam, with no encryption or authentication to speak of.”
In other words, don’t blame the messenger.
During the last few years, Tentler’s been delivering shocking presentations on what he’s discovered using Shodan: security cameras, automated wine-chilling systems, electronic freeway signs, red-light cameras, ice-rink temperature monitors, institutional climate-control systems, fuel cells. In some cases, the systems are left entirely open; other times, the authentication process—such as a password—is improperly configured or set to the default.
“The list goes on,” Tentler says. “It’s insanity. There’s stuff that was connected to the Internet that in some cases I didn’t know existed, like septic systems that are fully automated, that you can connect to with a web browser.”
Obviously, it requires a certain level of technological sophistication to make the most of Shodan, but certain actions are easy enough for a lay person. For example, if a user plugs the term “auther” into Shodan, he will find hundreds, if not thousands, of unsecured web cams whose software was written by a programmer who misspelled “author.” If the user searches for “Iomega,” he can access personal storage devices, containing business documents, family photos and downloaded videos.
Shodan, Matherly says, reveals widespread reliance on “security through obscurity”—the misconception that the Internet is so big that you can put something online and, as long as it doesn’t show up on Google, no one will ever find it. That hasn’t been true for at least a decade.
“Bad guys doing bad things don’t use Shodan, they use their own scanner,” Tentler says. “Their scanners are automated, and when they find known vulnerabilities, they will automatically break in and drop malware or do whatever else attack they feel is necessary. Shodan is our ticket to this party that is 10 years old.”
Yet, the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team has had its eye on Shodan since at least 2010, when researchers began reporting how they were able to use it to find a certain type of industry system called SCADA (supervisory control and data acquisition) on the Internet. DHS expressed concern that hackers would use Shodan, and in July 2012, the FBI somewhat confirmed that fear. A cyber alert claimed a hacker using the moniker “@ntisec” used Shodan to publicly out businesses that were running a particularly vulnerable system. As a result, hackers allegedly accessed a New Jersey air-conditioning company’s internal climate-control and ventilation systems.
Matherly says that’s an aberration from the norm, and he’s never received a cease-and-desist letter or subpoena or been asked by the government to shut Shodan down. He’s careful in granting access to the database: Anonymous users are allowed to generate only 10 search results at a time, while registered users can see 50 results; paid subscribers can gain greater access. He estimates the site currently has about 80,000 users, mainly information-security professionals checking the security of their employers’ networks.
“Shodan is being used for good,” Matherly says. “There’s enough evidence for me to unequivocally argue that point…. It’s a tool. It can be used for both good and bad, but the vast majority of users have used it— historically, empirically, not just anecdotally—for good research that has been used by DHS and by other people to make the Internet safer.”
Matherly allows academic researchers to use the site for free, and the results so far are astounding. In one of the most recent examples, two researchers with the firm InfraCritical used Shodan to identify 7,200 devices linked to critical infrastructure systems in the U.S. In response, DHS is using the data to track down the private-sector owners of the devices to help them lock them down. DHS has also notified more than 100 countries about vulnerabilities identified through Shodan. In January, as The New York Times reported, researchers with Citizens Lab at the University of Toronto used Shodan to confirm that Egypt, Kuwait, Qatar, Saudi Arabia and the United Arab Emirates had deployed digital censorship software and that 18 nations—including Russia and India—were using digital surveillance and tracking equipment.
The next big development may be in medical devices, particularly as the health industry moves toward digital record keeping, Matherly says. The Washington Post reported on Christmas Day that a hacker had been able to use Shodan to find a wireless glucose monitor in Wisconsin that was vulnerable to hacking.
“I think, eventually, everything is going to be connected in a way, and these devices historically have not been security tested in a way that you would test Windows or something you know will be exposed to viruses or malware, or, speaking in general, random people connecting to it.”
For them to do that it would require every individual with any private sector data files to violate 17 different federal laws governing maintenance of such files!
Folks who collect money, audit customers (USPS has customers), or undertake scientific research frequently take temporary custody of private sector data bases ~ without courtesy of a warrant ~ which means the agencies cannot just look at that data ~ just the custodian. There are laws controlling release of that information, and the way you maintain a closed shop with a widespread loose network is the computer systems folks have to have access to that data ~ which, of course, is prohibited by law.
Just in case you needed to have an example, that's one of those PRIVACY OVERSIGHTS ~ no doubt he tricked his way in.
I’m really not surprised that this tool turned up so many vulnerabilities and holes. “Ethical Hacking” and penetration testing are some of the biggest scams in information security today, because they can realistically only tell you one of two things about your security:
1) It sucks
or
2) You don’t know.
The second is because if the tester doesn’t find anything, all it means is any holes were beyond *the tester’s* capabilities. Since there is “always a bigger fish”, you can never really be totally secure. This new tool is just a more thorough version of human testers, and is therefore able to expose more holes. However, it isn’t the be-all-end-all, because again, it’s only as comprehensive as its programmer could make it.
Plus, many companies *STILL* don’t give information security the kind of priority they should be (many still think the IT department is either optional or at least doesn’t *really* need that big budget; after all, nothing has stopped working, right?).
Update on Shodan: The scariest search engine on the internet -- http://www.freerepublic.com/focus/f-news/3050600/posts
I added a few more. :-)
Heh. There’s never too much to think about, is there?!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.