You can absolutely learn to do penetration testing on your own time with your own servers. We have a script we give people to do the same thing. If you feel like you have a knack for systems programming, being a good systems programmer is 1/2 the hard part of appsec; the other 1/2 is literally "taking pleasure in finding creative ways to break things", and you can find out if you have that personality streak in just a couple hours of trying attacks.
Agree. Fully understand the ability to self-learn (and have done that with almost everything I've ever made a dollar on, despite going to one of those good business schools, which is why people think I make money rather than other qualities).
My comment strictly related to the style of what they were saying (and how I might rewrite that). I think it's a great idea.
Would be interesting to offer this script as "ptaas", penetration testing as a service. That way, instead of having the script and having the potential to abuse the script (or temptation), someone would be forced to allow tracking of the IP (presumably their own or their company's) that they are doing the testing on (and you could compile statistics for use elsewhere as a condition if they got the script for free). I know companies already offer this service (we had to go through one of those for PCI) but iirc it was rather expensive. FWIW the bank that required it never followed up after the initial "you have to do this and we suggest this particular company".
Same here. Windows PC is Xerxes, after the AI that gets completely overtaken, and the Linux server is shodan, the AI that thinks it's smarter than it really is. Linux laptop is polito, the human identity that Shodan assumes for a while (i.e. 'little shodan')... and the wifi network that carries everything is the 'vonbraun'... :)
I apologize for the downtime/delays, this was a big surprise this morning and I clearly wasn't prepared for the full onslaught of CNN etc. If you have any questions about Shodan I can try to answer them here.
It would kill your business eventually, so it may be a naive question, but: do you need volunteer work to help identify and warn those insecure networks?
Yes, I encourage security researchers to always notify the relevant network operators/authorities if they make an interesting discovery. And that data is always provided for free to agencies such as the CERT. At the end of the day I would like to think that Shodan helps make the Internet a safer place by having smarter people than me find critical infrastructure, and then notifying the operators so things can get fixed. There will always be security issues as long as people are deploying them, so I'm not worried about Shodan becoming obsolete.
Maybe you could provide some place to keep track of who has been notified? Or even better: handle a "report" form yourself, so sources are notified only once and the wild internet doesn't know whether a source may be watching its logs or not.
Also, sorry for highschoolers, but this is for their own good :)
I had my own "let's see what we can do" youth, and sure thing it is very insightful. If we were talking only about business damage, I would say: "well, they deserve it". But we're not.
What do you think would happen if tomorrow the news headline was: "Massive oil truck crash kills 10, caused by hacker tampering with traffic lights."? Repressive laws against any kind of computer toying would become even harder, and our highschoolers may go to jail for simply trying to have fun.
Well, it would be way better if we could add some kind of "source notified" flag directly on the database, we do not want to add mail flood to security breach. :)
I could be wrong, but I believe Shodan actually portscans the entire internet, whereas Google only crawls known URLs. They also index HTTP headers, which Google doesn't do.
No! I do NOT try to authenticate with username/password! The only exception to that is for FTP, where I try to do an anonymous/anonymous connection (identical to what Firefox etc. do). I put a lot of effort into making the crawling as benign and unobtrusive as possible, so I definitely do NOT try to brute force devices.
Is that legal? I've seen all kinds of analogies like "if your neighbor leaves the front door unlocked..." or "but if you go down the street testing each lock..." but never anyone who really knew what actual criminal law says.
It is a grey area, at least in the US. The main federal law for computer crimes is the ancient Computer Fraud and Abuse Act. The provisions of the act all work off the concept of "exceeding authorized access", but the law never defines what authorized access actually is. Logging in with a default username and password has never been tested in court, as far as I know, and I think there are arguments to be made for both sides about whether that counts as authorized access.
I'm not an expert in it by any means, but from what I've seen it is like having Google log all the HTTP headers and servers connected to requests as well. This means that it is incredibly easy to, for example, track down certain servers with a certain exploit that you know about [1], or complete systems that shouldn't really be attached to the internet in their current state [2]. Not sure either of those are possible with Google.
A "bad" search engine should treat robots.txt pretty much in reverse: Anything disallowed should go to the top of the list of things to index.. There are sites out there that uses robots.txt rules to prevent Google from indexing things that should be password protected but isn't...
The irony is that robots.txt doesn't even prevent things from being indexed. The files can still be indexed if there's a link to them on the Internet; that's what <meta noindex> is for. (Which, ironically, requires that the page not be robotted, because if it is it can't be crawled, which means the meta tag can't be discovered.)
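A small model of the interplay the two comments above describe, added here as an example that is not part of any comment: a polite crawler honours `Disallow`, so it never fetches the page and never sees `<meta name="robots" content="noindex">`, and a linked URL is indexed anyway. The `robots.txt` text, page body and `Page` type are constructed; neither mechanism stands in for authentication.

```python
"""Why robots.txt does not keep a page out of an index (constructed model, not Shodan code)."""
import re
from dataclasses import dataclass


@dataclass
class Page:
    path: str
    html: str               # constructed page body
    linked_from_web: bool   # some other site links here, so the URL is discoverable


def parse_robots(robots_txt: str) -> list:
    """Collect the Disallow prefixes of the groups that apply to every crawler (User-agent: *)."""
    disallowed, applies, in_ua_lines = [], False, False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not in_ua_lines:                  # first User-agent line starts a new group
                applies = False
            in_ua_lines = True
            applies = applies or value == "*"
        else:
            in_ua_lines = False
            if field == "disallow" and applies and value:
                disallowed.append(value)
    return disallowed


def crawl_allowed(robots_txt: str, path: str) -> bool:
    """A well-behaved crawler will not fetch a path under any applicable Disallow prefix."""
    return not any(path.startswith(prefix) for prefix in parse_robots(robots_txt))


def has_noindex(html: str) -> bool:
    """True if the page carries <meta name="robots" content="...noindex...">."""
    pattern = r'<meta\s+name=["\']robots["\']\s+content=["\'][^"\']*noindex'
    return re.search(pattern, html, re.I) is not None


def gets_indexed(robots_txt: str, page: Page) -> bool:
    """Decision of a polite engine: crawl if allowed and honour noindex; if crawling is
    blocked the meta tag is never seen, so a linked URL is indexed (title-less) anyway."""
    if crawl_allowed(robots_txt, page.path):
        return not has_noindex(page.html)
    return page.linked_from_web


if __name__ == "__main__":
    robots = "User-agent: *\nDisallow: /admin/\n"
    panel = Page("/admin/panel", '<meta name="robots" content="noindex">', linked_from_web=True)
    print("indexed despite robots.txt + noindex:", gets_indexed(robots, panel))  # True
```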
It was an honest question and I don't think your reaction is appropriate behaviour for this site.
If most think my comment is worthless, the voting system will make it enter the void. If others think it isn't it will be upvoted. That's how this site works.
Just responding with "Shut up" adds nothing to the discussion and is something I am shocked to see on this site :(
I used to be able to tell people like you to go back to Reddit. Unfortunately the quality of HN has declined far enough that your content-free insulting of a decent question is not immediately recognizable as something with no place here.
I consider that fact a sad commentary on how far HN has fallen.
Responding to trolls probably does more to decrease the quality of discourse than the original troll does, since those typically get voted into oblivion relatively quickly.
Tossing in a belittling jab at another website to boot doesn't help either.
I'm a relatively new HN reader (~1 year) and have taken much away from my time here (much reading, few comments). I understand where you're coming from with concerns about quality; however, I resent the fact that I may be considered part of the increased readership responsible for "HN's decline".
Hopefully knowing my fuller opinion will decrease your resentment.
I suspect that new users follow something like a 90/10 rule. 90% of them are good to have around, and contribute more than they detract. New blood is good. But 10% contribute junk that is like virtual cholesterol: it builds up, clogs the system, and if left untreated eventually will be lethal to the community. Of that 10%, perhaps 10% are simply toxic waste that you want to get rid of, and 90% just need encouragement to fit in better.
I sometimes comment on egregious comments by the 10%. You've reminded me that I should more often acknowledge the existence of the 90%, and my hope that the 10% I'm looking at are part of the redeemable 9%.
There is an observation that goes back centuries, which applies here. The observation is that if you pack a barrel of apples and there is even a single bad one, the whole barrel will spoil. But if every apple is good, the barrel will remain good for the entire winter. Thus, "don't let a few bad apples spoil the barrel". We want the apples, but none of the bad ones.
Unfortunately the advent of refrigeration has caused us to forget the original wisdom and the saying is currently used as the exact reverse of its original meaning ("oh, it was just a few bad apples").
During packing we were still checking all the pears for injuries ("stem punch", caused by other pears), since apparently it would spoil the whole box if there was a bad one. (Packing pears in New Zealand for export to Europe and the US.) On a commercial and long-term scale you apparently still have to take care.
Rotting fruits release ethylene gas which is a ripening agent. This causes fruit next to rotting fruit to ripen then rot.
An interesting mechanism I think. Before looking that up I would have suspected a biological transmission of infection or something, not a chemical transmission.
That's how all communities work though. As a community grows and attracts new members, the old guard moan about how it was better when they were noobs.
In fact this is true for real -"offline"- life as well.
For similar coverage about finding barely-secured devices that shouldn't have ever even been connected to the Internet, check out the Security Now! podcast, episode 396 - The Telnet-pocalypse:
But he added that cybercriminals typically have access to botnets -- large collections of infected computers -- that are able to achieve the same task without detection.
What do botnets have to do with crawling the web for unsecured devices? I'm not sure I understand the correlation.
The article is full of technical misconceptions, but if I had to guess:
1) Botnets give you a ton of bandwidth to run port scans or crawling searches.
2) They also allow you to "map" port scans or searches over thousands of computers (e.g. one computer in the botnet scans one specific port times ten thousand ports), obscuring the fact that a scan is even occurring.
Funny enough that question was answered in a rather public way just a few weeks ago: https://news.ycombinator.com/item?id=5404642 (Researcher sets up illegal 420,000 node botnet for IPv4 Internet map)
From Wikipedia: SHODAN (Sentient Hyper-Optimized Data Access Network) is a fictional artificial intelligence and the main antagonist of the cyberpunk-horror themed action role-playing video games System Shock and System Shock 2.
Most of those types are some sort of hash of the MAC which are quickly reversed. A quick search will contain many fruitful examples. How else do you think the default password ends up the same on a system reset?
Yeah, but at least it's not trivial to learn the MAC of a system across the world (right? I admit I don't know a whole lot about this.) Anyone sitting on the LAN so that they know the MAC likely has other attack avenues anyway.
Usually the MAC is stored in the network card's flash while the system image is stored in a different flash altogether, which is often cheaper if you can find a way to get away with making them all exactly the same.
1) Are you sure that MAC is actually coming from that one flash that Netgear's programming? The real datasheet for the AR7161 isn't public as far as I can tell, but very few SoCs require the end user of the SoC to write their own firmware to provide their own MAC. That type of thing is usually stamped in at the SoC factory. Commonly, it's on a ROM or other OTP memory somewhere, but without the datasheet, I can't tell for sure. And the process which programs that information in is likely separate from the process which programs Netgear's firmware in. If you've signed the requisite NDAs and have access to the datasheets, then you may know more, but I still don't think that's a common setup and I doubt Netgear would write their firmware assuming that setup.
2) Even if we lived in a world where Netgear was doing all this for MAC addresses on SoCs anyway, often in computing the question isn't why something isn't done now, but why it was done that way the first time someone wrote it. Build systems, factory processes and other legacy cruft build around a certain way of doing things, and often those ways become the way even if new technology makes other ways simpler later.
That would make the devices more costly to produce and would raise prices. I know that ISPs do this with their devices sometimes, but some companies will cheap out and will just ship with a generic username and password since they only have to flash one single ROM image.
It shouldn't really. I mean, it's not like devices don't come with at least 3 or 4 unique IDs for different purposes. Just using one of those for the default password or adding a new ID shouldn't be that big of a task.
I know that this is how some of the router/modem combos from French DSL providers worked: the admin and WPA passwords are two separate UUIDs printed on the device.
The gateways provided by the cable ISPs here in Western Canada tend to have unique passwords. It would be prudent on the part of the device manufacturer to just create a scheme for creating default passwords based on the unique serial that the device has and then just print labels for each and have the default ROM just sort it out upon it being powered up for the first time.
They can flash a single ROM image, create a random password on the device, and just by adding an LED, they communicate said password to a mobile app, when needed.
Good luck with that model. There are many better ways to approach this via things like captive portal that does good enforcement of the user setting good parameters up front before just plugging and playing. The vendors should not allow any Internet access until the device is secured appropriately or the user acknowledges insecure defaults.
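The three default-credential schemes the thread compares (an unkeyed hash of the MAC, a keyed derivation from the printed serial, and a random password drawn at first boot), written out as an added example that belongs to none of the commenters. The hash layouts, truncation lengths, factory key and serial values are constructed stand-ins, not any vendor's actual scheme.

```python
"""Three default-credential schemes compared in the thread (constructed example)."""
import hashlib
import hmac
import os
import secrets


def mac_derived_default(mac: str) -> str:
    """Scheme 1 (the weak one): password = truncated unkeyed hash of the MAC.
    Deterministic and keyless, so whoever learns the MAC recomputes it, and the
    identical firmware image on every unit contains everything needed to do so."""
    normalised = mac.lower().replace(":", "").replace("-", "")
    return hashlib.sha256(normalised.encode()).hexdigest()[:8]


def serial_derived_default(serial: str, factory_key: bytes) -> str:
    """Scheme 2: per-unit password = keyed MAC over the printed serial.
    Only as strong as the secrecy of factory_key: if the key ships inside the
    firmware image, this degrades to scheme 1."""
    tag = hmac.new(factory_key, serial.encode(), hashlib.sha256).hexdigest()
    return tag[:12]


def first_boot_provision() -> tuple:
    """Scheme 3: draw a random password on first boot and keep only a salted,
    stretched hash. The cleartext is returned once so the device can surface it
    (label, LED-paired app, captive portal); nothing derivable is stored."""
    password = secrets.token_urlsafe(12)            # ~96 bits of entropy
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return password, {"salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Constant-time check against the record kept by first_boot_provision()."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Two units with the same constructed MAC get the same scheme-1 default.
    print("scheme 1:", mac_derived_default("AA:BB:CC:00:11:22"))
    # Scheme 2 differs per serial, but only while the factory key stays secret.
    print("scheme 2:", serial_derived_default("SN0001", b"factory-secret-constructed"))
    # Scheme 3 cannot be recomputed from anything printed on the box or in the ROM.
    pw, rec = first_boot_provision()
    print("scheme 3:", pw, "verifies:", verify_password(pw, rec))
```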
At least over here, traffic lights fail and turn off on their own, no need for hackers :) . Now, fixing them (for example setting up a "green wave"... hmm that could be a more interesting use :)
For each given stop light, speed limit, and vehicle configuration, there is a rubicon that is crossed where it is impossible to stop before entering the intersection. Set up your camera and creep the yellow light time down past this limit and profits just start rolling in.
Exactly. There's an uncountable number of stories, easily Google-able, across the country where intersections with red light cameras magically, coincidentally have their yellow light interval dropped by 1/4 to 1/3 vs intersections without red light cameras, to increase revenue.
You should also glance in your rear-view mirror to verify that the car behind you follows the same rule before you commit to stopping. Simple rules about traffic safety usually need a little tweaking IRL...
Just because there is an HTML page being served doesn't mean you can access the control systems.
You're also assuming no one has done it. I have no idea whether or not someone has used Shodan for malicious purposes, but that certainly doesn't mean it hasn't happened.
I read a novel in the late 1970s where a "hacker" breaks into a city's computer system and messes with traffic lights - does anyone remember the title? In the novel, the modified traffic light timing kills some joyriding teens who blow through an intersection counting on the light to stay green. At the climax of the book, the villain tries to kill off the protagonists by electronically locking the data center doors and triggering the CO₂ fire suppression system. Does anyone else remember this book? Was this "The Terminal Man" or am I mixing up two books?
I don't think you could crash the ISS into New York. I don't even think that's possible. It doesn't have the engines necessary to get back to the surface.
The ISS has some engines; crashing into Earth is very simple: you can just thrust in the opposite direction to the one you are going (thus falling into the planet, although slowly, and the astronauts can probably find the attacker and put it back into orbit before anything serious happens), or you can thrust in a diagonal of sorts, to slow your speed AND move toward the planet (if you just accelerate toward the planet it is more probable that you will only create an elongated orbit, and if you insist, you will slingshot out of orbit).
Right. I was assuming/implying a lot by saying, "if you had the controls." In the hypothetical where you have complete control of the ISS (despite manual overrides, et al), you'd still have a very hard time hitting a specific target on Earth. You could crash the thing fairly easily though. That's all I meant to say; I understand that this isn't a practical reality.
Yup, I understood. I was just adding a thought about how it was even more impractical than your comment suggested. Wasn't arguing against your point itself.
I'm not sure the ISS has enough delta-v to get back down quickly. Lowering the orbit enough so that it will fall down in a few weeks is probably possible.
It's likely that a decent orbital dynamics model and a relatively small, well-timed delta-v would bring the ISS down within a rather small planned impact area. It wouldn't be necessary to decelerate very much to accomplish that. Remember that the ISS must periodically boost its orbit to compensate for frictional losses; on that basis it can be assumed that the craft's dynamics are well-understood:
Perhaps, but ~70% of the Earth is empty ocean, and lots of the remainder is relatively empty landmass (huge deserts, unpopulated areas like Siberia, etc.), so just from a statistical perspective the odds of something that survives re-entry hitting a populated area without remote guidance are pretty slim.
" The good news is that Shodan is almost exclusively used for good.
Matherly, who completed Shodan more than three years ago as a pet project, has limited searches to just 10 results without an account, and 50 with an account. If you want to see everything Shodan has to offer, Matherly requires more information about what you're hoping to achieve -- and a payment. "
How does the fact that he charges for it mean that it's "almost exclusively used for good"? I would argue there is very little incentive to pay for something like this unless there is a monetary gain.
Actually, a lot of companies use Shodan data for research! For example, if you want a training set for your new webapp fingerprinting software then loading Shodan might be a good start. Or if you want to create whitepapers for your business, to drive sales for a specific product/service, then Shodan can provide some empirical data to back up your claims. As was demonstrated with the Internet Census 2012, for people with bad intentions it's easier and much less attention-getting to just use a botnet (plus you don't need to go through the typical business agreements as you would with me). I hope that clarifies it a bit!
I seem to remember Matherly saying that he charged larger institutions who need lots of data for legit research. He also (as of a year and a half ago) said that he was basically breaking even.
I guess a university security researcher is looking for monetary gain in the form of grants, though.
"Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan."
How can there be any conceivable reason to connect these systems to the internet? Do they WANT an attack right out of a technothriller novel or the latest James Bond film?
Many embedded systems run Linux and are frequently attached to the network for remote control. The root passwords aren't usually changed on these Linux boxes, so they are a wide open security hole.
Many companies pay attention to this sort of thing and make an effort to isolate these kinds of devices to the local intranet. For every company that is good about it, there are probably 10 that aren't even aware of the issue.
This is awesome, I never knew such a thing existed! But it's also quite alarming that so many devices are connected to the internet/computers that probably shouldn't be.
So my big question is: is there a way to solve this 'security failure'? And if so, what is it / is it feasible? For someone with malicious intentions, Shodan seems to be golden.
It used to be fairly costless to ship products without security. It still is but the more attacks there are the more incentive there is to fix stuff. But there are so many more online devices shipping...
Part of the problem too is that when a particular product is compromised, most people stop at "Product X sucks" and don't ask themselves if the same vulnerabilities are present in products they themselves use.
As an example, take WordPress. I talk to people all the time who say "oh, WordPress isn't secure" even though the reasons most WordPress sites get hacked are due to practices that would make you vulnerable no matter what CMS you run -- not keeping up with security patches, running unneeded services on the server, not putting the admin area behind SSL, etc. But there's lots of people who move from WP to, say, Drupal and think that's made them secure, even as they continue doing all those same practices.
A nice article regarding the deep web is this one from fravia http://search.lores.eu/deepweb_searching.htm. It's from 2008 but I guess there is still some information there that is useful and relevant with Shodan.
I've been playing with the data from the Carna botnet output [1]. Basically someone scanned a massive portion of the Internet using broken routers as bots. There are some interesting finds in the data, but analysing it is quite awkward given the size. Shodan is interesting, but unless you take up a subscription it's pretty limited.
Actually, more than 90% of the website's services are completely free! There are only 2 services that I charge for: HTTPS and Telnet. All of the new stuff for the past year I've added and made available for free. And with the Developer API you can easily access the data from within your own scripts.
Oh, and I've seen this in a few locations now but: NO SUBSCRIPTION REQUIRED. All of the stuff that's sold on the website is a one-time charge. There are no subscriptions on the website :)
That's interesting and I stand corrected, I was under the impression for some reason that subscriptions existed. As an aside, have you had a look at the Carna botnet output, and if so how does it compare to your data?
That problem has been fixed! I made an error in configuring nginx for memcached and it ended up treating certain pages as static (which prevents them from getting POST requests).
They also missed ERIPP, which does something similar.
This is all old news though; these things are constantly mentioned in other security reports. Even the government knows these things exist, which means that CNN is not scooping anyone :)
ERIPP is cool (I spoke to the author years ago), but to my knowledge it hasn't been updated in a while. And I cover 20+ services at the moment, so it's not just HTTP.
It's a variety of factors that is causing downtime at the moment. The main culprit is the network itself at the moment, and I'm still trying to put out fires to hopefully make the website a bit more stable.