Skip to comments.The world’s Most Dangerous Search Engine
Posted on 02/08/2013 7:39:37 PM PST by nickcarraway
Arent you glad Shodan is in the hands of good guys like John Matherly?
Ask John Matherly if hes a hacker, and hell struggle for a moment with the term.
On one hand, hes a hacker, in the sense that hes an innovative programmer, arms deep in the information-security industry. On the other, hes hypersensitive to how his babya project called Shodanis portrayed in the press. In the past year, its surged in notoriety and not just in technology publications, such as Ars Technica and Wired. Shodans been the subject of multiple Washington Post investigative features, profiled on Dutch television and name-dropped by Sen. Joe Lieberman both in a statement on the Senate floor and in a New York Times op-ed, in which he characterized the site as a nefariously named hacking tool that was becoming more powerful and easier to use each year.
Im not doing anything malicious, Matherly, who lives in Encinitas, says. Im trying to be a good citizen on the Internet.
Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure.
Imagine a building. Now imagine a private detective checking out the building, snooping around the perimeter, noting what security companys sticker is on the window, what kind of locks are on the doors, what kind of sprinkler system waters the landscaping, what brand of air conditioner is mounted on the roof, what electric company services the smart meter around the back. Now imagine that investigator does the same thing for every office, every home, every school, every factory, power plant, hospital and football stadium and uploads it to a publicly available database. Thats what Shodan does, but with IP addresses.
Its almost like an automated way to digitally case every joint in the world.
But casing already usually implies some malicious intent, Matherly says. Because why are you casing in the first place if youre not trying to get inside? My intention obviously is not to get inside. For the record, everything I do is 100-percent legal.
American-born and raised in Switzerland, Matherly, now 28, dropped out of his Swiss high school and moved to San Diego in 2001 to live with his aunt and obtain a GED. He designed the first iteration of Shodannamed after the villainous artificial intelligence from the video game System Shockwhile studying at Mesa Community College, but his original goal was to create a way for technology firms to conduct market research. When he formally launched Shodan in 2009, the hacking community quickly realized it had much greater potential; Matherly had created a living database of every insecure machine connected to the Internet, from home printers to large-scale industrial systems.
Related content Takeaways from ToorCon 2012 Related to:John MatherlyThe InternetShodanhackers The fact that somebody is basically shining a flashlight into a dark room shouldnt be the part people are afraid of, says Dan Tentler, a San Diego-based information-security consultant. The part people should be afraid of is the fact that some genius decided to take, for example, a five-megawatt hydroelectric plant in France, put its control computer on the Internet and allowed everybody that knew about the IP address to connect to it and make changes to this dam, with no encryption or authentication to speak of.
In other words, dont blame the messenger.
During the last few years, Tentlers been delivering shocking presentations on what hes discovered using Shodan: security cameras, automated wine-chilling systems, electronic freeway signs, red-light cameras, ice-rink temperature monitors, institutional climate-control systems, fuel cells. In some cases, the systems are left entirely open; other times, the authentication processsuch as a passwordis improperly configured or set to the default.
The list goes on, Tentler says. Its insanity. Theres stuff that was connected to the Internet that in some cases I didnt know existed, like septic systems that are fully automated, that you can connect to with a web browser.
Obviously, it requires a certain level of technological sophistication to make the most of Shodan, but certain actions are easy enough for a lay person. For example, if a user plugs the term auther into Shodan, he will find hundreds, if not thousands, of unsecured web cams whose software was written by a programmer who misspelled author. If the user searches for Iomega, he can access personal storage devices, containing business documents, family photos and downloaded videos.
Shodan, Matherly says, reveals widespread reliance on security through obscuritythe misconception that the Internet is so big that you can put something online and, as long as it doesnt show up on Google, no one will ever find it. That hasnt been true for at least a decade.
Bad guys doing bad things dont use Shodan, they use their own scanner, Tentler says. Their scanners are automated, and when they find known vulnerabilities, they will automatically break in and drop malware or do whatever else attack they feel is necessary. Shodan is our ticket to this party that is 10 years old.
Yet, the Department of Homeland Securitys (DHS) Industrial Control Systems Cyber Emergency Response Team has had its eye on Shodan since at least 2010, when researchers began reporting how they were able to use it to find a certain type of industry system called SCADA (supervisory control and data acquisition) on the Internet. DHS expressed concern that hackers would use Shodan, and in July 2012, the FBI somewhat confirmed that fear. A cyber alert claimed a hacker using the moniker @ntisec used Shodan to publicly out businesses that were running a particularly vulnerable system. As a result, hackers allegedly accessed a New Jersey air-conditioning companys internal climate-control and ventilation systems.
Matherly says thats an aberration from the norm, and hes never received a cease-and-desist letter or subpoena or been asked by the government to shut Shodan down. Hes careful in granting access to the database: Anonymous users are allowed to generate only 10 search results at a time, while registered users can see 50 results; paid subscribers can gain greater access. He estimates the site currently has about 80,000 users, mainly information-security professionals checking the security of their employers networks.
Shodan is being used for good, Matherly says. Theres enough evidence for me to unequivocally argue that point . Its a tool. It can be used for both good and bad, but the vast majority of users have used it historically, empirically, not just anecdotallyfor good research that has been used by DHS and by other people to make the Internet safer.
Matherly allows academic researchers to use the site for free, and the results so far are astounding. In one of the most recent examples, two researchers with the firm InfraCritical used Shodan to identify 7,200 devices linked to critical infrastructure systems in the U.S. In response, DHS is using the data to track down the private-sector owners of the devices to help them lock them down. DHS has also notified more than 100 countries about vulnerabilities identified through Shodan. In January, as The New York Times reported, researchers with Citizens Lab at the University of Toronto used Shodan to confirm that Egypt, Kuwait, Qatar, Saudi Arabia and the United Arab Emirates had deployed digital censorship software and that 18 nationsincluding Russia and Indiawere using digital surveillance and tracking equipment.
The next big development may be in medical devices, particularly as the health industry moves toward digital record keeping, Matherly says. The Washington Post reported on Christmas Day that a hacker had been able to use Shodan to find a wireless glucose monitor in Wisconsin that was vulnerable to hacking.
I think, eventually, everything is going to be connected in a way, and these devices historically have not been security tested in a way that you would test Windows or something you know will be exposed to viruses or malware, or, speaking in general, random people connecting to it.
For them to do that it would require every individual with any private sector data files to violate 17 different federal laws governing maintenance of such files!
Folks who collect money, audit customers (USPS has customers), or undertake scientific research frequently take temporary custody of private sector data bases ~ without courtesy of a warrant ~ which means the agencies cannot just look at that data ~ just the custodian. There are laws controlling release of that information, and the way you maintain a closed shop with a widespread loose network is the computer systems folks have to have access to that data ~ which, of course, is prohibited by law.
Just in case you needed to have an example, that's one of those PRIVACY OVERSIGHTS ~ no doubt he tricked his way in.
I’m really not surprised that this tool turned up so many vulnerabilities and holes. “Ethical Hacking” and penetration testing are some of the biggest scams in information security today, because they can realistically only tell you one of two things about your security:
1) It sucks
2) You don’t know.
The second is because if the tester doesn’t find anything, all it means is any holes were beyond *the tester’s* capabilities. Since there is “always a bigger fish”, you can never really be totally secure. This new tool is just a more thorough version of human testers, and is therefore able to expose more holes. However, it isn’t the be-all-end-all, because again, it’s only as comprehensive as its programmer could make it.
Plus, many companies *STILL* don’t give information security the kind of priority they should be (many still think the IT department is either optional or at least doesn’t *really* need that big budget; after all, nothing has stopped working, right?).
Update on Shodan: The scariest search engine on the internet -- http://www.freerepublic.com/focus/f-news/3050600/posts
I added a few more. :-)
Heh. There’s never too much to think about, is there?!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.