Shodan Search Reveals Open Cloud Control Panels

•April 24, 2016 • Leave a Comment

While researching web server frameworks, I ran across something that seemed very odd. I found what appeared to be unsecured Cloud Cluster controls. And using Shodan I could tell the difference between the ones that were using account login control and those that were surprisingly completely open to the public.

Twisted Web is a Python based web server used in many network applications. Over the years I have noticed that specific versions seem to be used for different tasks. I ran into one the other day that I do not remember seeing before.

An internet search using Shodan (the “search engine for Internet-connected devices”) for Twisted Web servers returned some odd results that I did not recognize. A specific version (10.2.0) returned what appeared to be some sort of cloud control interface on the internet.

If you go to the “Shodan.io” website and search for “twistedweb/10.2.0” it will list all of the systems in question, as seen below:

Shodan Cloud Security 1

There seem to be password protected ones and what appear to be completely unprotected ones. The difference being password protected ones contain a login.html file in the Shodan return, the completely open ones point to index.html.

So to have Shodan find all of the ones that appear completely open to the public, just search for “twistedweb/10.2.0 index.html” as seen below:

Shodan Cloud Security 2

As you can see there are more than 700 of them. They appear to be DataStax Enterprise Cluster Storage controls as seen in this picture from a DataStax YouTube demo:

Shodan Cloud Security 3

From the Datastax YouTube video it explains that you can completely control and monitor the Cluster storage from this interface. I was thinking this was something that really shouldn’t be completely open to the public on the internet. There must be a “require login” setting that people are just not using to secure them. As I wasn’t sure I ran the information by my friends at Evident.io.

“What you are seeing here is the failure to implement proper security controls around administrative interfaces of, in this case, Enterprise Cassandra NoSQL clusters. The unprotected administrative interface gives remote attackers the ability to connect to the cluster and perform administrative functions without authentication or resistance. This is often the result of business pressure to deploy technology to solve complex problems, but failure by the business to invest in time and resources to help those product teams protect the infrastructure and services themselves. A simple verification of security control deployment around this kind of technology would prevent this security incident from happening in the first place, and guarantee continued protection against mistakes that create unnecessary risk for the company,” said Tim Prendergast, co-founder and CEO of Evident.io.

There must be some way to protect these systems, or to notify cloud users of these issues.  Well, according to Prendergast, there is:

“Tools like the Evident Security Platform (ESP) help prevent these kinds of issues from being exploited by attackers by providing comprehensive visibility into the security controls deployed in your cloud, or alternatively you could build your own set of custom security controls through the custom signatures feature. Either way, nobody should operate their cloud environment without fast, accurate, and actionable information on these types of risks. The only way to protect your organization from suffering due to unprotected attack surfaces is to create a continuous, enforceable security practice around your cloud.”

As we have seen here, some improperly protected cloud controls across the world were found very easy using Shodan.  We could also easily differentiate between systems that had account login controls (I hope they used strong passwords) and those that didn’t. The advantages of using the cloud are obvious, but like any computing resource they must be protected properly from online threats.

About the Author

Daniel W. Dieterle is an internationally published author and computer security researcher with over 20 years’ experience in the IT field. His technical “How-To” articles have been featured in numerous computer magazines, and referenced by both industry websites and the media. He has also written three Ethical Hacking Security books based on Kali Linux, including latest book, “Basic Security Testing with Kali Linux 2” –  which contains a chapter on using Shodan.

 

 

How to install Bitdender’s free Ransomware Protection Tool

•March 29, 2016 • Leave a Comment

Bitdefender has just released a free tool that can protect against ransomeware viruses. Here is how to install it.

Hackers have been hitting everything from hospitals to police stations with Ransomeware viruses. Bitdefender has released a tool that could help fight it:

“Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families.

“The new tool is an outgrowth of the Cryptowall vaccine program, in a way.” Chief Security Strategist Catalin Cosoi explained. “We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea.”

Installation could not be easier

  1. Download the file:

https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-released/

  1. Run it:

Ransomeware Protection 1

 

3. Click Next, and then install:

Ransomeware Protection 2

  1. And then Finish

Ransomeware Protection 3

And that is it!

Ransomeware Protection 4

How easy was that?

If you want you can change the settings for the program. You may want to set it to “minimize on startup” and “minimize to tray on close”:

Ransomeware Protection 5

But it is pretty much an install and forget about it type app, no fuss, no muss.

Bitdefender has always been one of my favorite anti-virus programs, and this is a handy tool to have.

Check it out!

Book Review: Basic Security Testing with Kali Linux 2

•March 26, 2016 • Leave a Comment

Basic Kali 2

A fully updated version of the very popular “Basic Security Testing with Kali Linux” is now available! Now totally re-written from the ground up to cover the new Kali Linux “2016-Rolling” with the latest pentesting tools and Ethical Hacking techniques.

I was honestly shocked how well received the first Basic Security Testing book was received by the security community. But all in all, it was my first book attempt and definitely had room for improvement. I was flooded with requests and advice from students, instructors and even military personnel on recommended changes and ways the book could be improved.

I took every comment to heart and with the help of an amazing editorial and reviewer team, that included a computer security professor and a CTF player, created Basic Security Testing 2!

What’s new:

  • Completely re-written to cover topics more logically
  • Better lab layout that is used consistently throughout the book
  • Written for the latest version of Kali (Kali 2.0 “Sana” & Kali “2016-Rolling”)
  • Includes an introduction chapter for the new Kali 2016-Rolling
  • All tools sections have been updated – old tools removed, new tools updated
  • Now uses PowerShell for most of the remote Windows Shells
  • XP removed, Windows 7 used as the main Windows target (though Windows 10 is mentioned a couple times  :)  )
  • More tool explanations and techniques included
  • 70 pages longer than original book

What’s the same:

  • Learn by doing
  • Hands on, Step-by-Step tutorials
  • Plenty of pictures to make steps more understandable
  • Covers the same major topics as the original, but using the latest tools
  • The front cover, well, except for the “2”!

My goal was to provide a common sense Ethical Hacking how-to manual that would be useful to both new and veteran security professionals. And hopefully I have accomplished that task. Thank you to everyone for your continuous support and feedback, it is greatly appreciated!

So what are you waiting for, check it out!

Basic Security Testing with Kali Linux 2

 

 

 

 

Security Book Give Away: Intermediate Security Testing with Kali Linux 2

•March 18, 2016 • 20 Comments

UPDATE 4/3 – The Contest is now over, and winners have been notified. Thank you everyone for your interest and support!

Want a chance to win a signed copy of “Intermediate Security Testing with Kali Linux 2”?

This almost 500 page hands-on, step-by-step tutorial style book doesn’t dwell on the theory of security, but instead walks you through implementing and using the latest security tools and techniques using the most popular computer security testing platform, Kali Linux:

Book Cover proof

My third book, “Basic Security Testing with Kali Linux 2” a total update of my hugely popular “Basic Security Testing” book, has just been published! To celebrate I am giving away four signed copies of my second book, “Intermediate Security Testing with Kali Linux 2”.

Simply share a link to this article on your favorite social media site. Then place a copy of the link in the comments field below. Winners will be chosen at random in two weeks (April 1st) from links in the comments section.

 
Follow

Get every new post delivered to your Inbox.

Join 357 other followers