Scouring the Web for Insecure Systems using Shodan-Fu

Shodan

Shodan – “The computer search engine”, seems to be one of the most (if not the most) controversial search engines on the internet. Shodan searches for computer systems and not people or things. According to reports from major media it would seem that you can search for vulnerable power plants on a whim and control traffic lights with ease. But is it really that easy?

Well, yes and no.

I remember when Shodan first started offering it’s search engine publicly. One highly respected security guru said that it would be shut down in a week. Well, it has been quite a while and Shodan is still up and running. Granted if you know what to look for you can find vulnerable or completely open systems with a few simple search terms. But you can also do the same with Google if you know how to craft the search terms.

I don’t think it’s Shodan that is as much the problem, as it is that people keep putting completely insecure systems on the internet!

Or they leave very outdated systems out on the internet that haven’t been patched or updated in years!

For example a quick Shodan search for “IIS/2.0” returns about 90 systems that are still live on the internet! That Microsoft Web Server version is over 16 years old!

Here are some more:

  • IIS/3.0 returns over 600 systems
  • IIS/4.0 about 14,000
  • IIS/5.0 about 500,000!

And IIS/5.0 is so much newer than 2.0, heck it was released with Windows 2000…

You can search for operating system versions too. How about “Windows NT 4.0”?

This returns about 900 systems.

“Microsoft-Windows-NT/5.1” Returns about 1800 systems. These are basically Windows XP systems running a web server – What could go wrong with that?

And that is just operating systems, you would be surprised how many wide open printers you will find out there. A quick search for network print server names will return  thousands of printers many which have the security disabled.

And that is very sad as on many network print servers, turning on security is literally just a mouse click or two.

You can even refine your searches on Shodan using commands like port, country or even city.

But is it really that easy to find open security systems and SCADA systems as main media makes it seem? No, not really, you need to know very specific search terms to find these. But if you do know these terms, then it is a different story.

But sometimes these search words are very obscure, and of course they are not advertised.

But if you do know the terms you can find a lot of systems, like these overseas Wind Farm systems:

Wind Farm

Wow, that is a lot of power and that is just one wind farm!

No worries though, the summary is a gimme, you are not allowed to change anything with these wind farm system without logging in. I hope they use complex passwords…

You can find some pretty funny stuff too doing Shodan searches, like this one:

Shodan Funny

I believe that Shodan is a critical tool for security specialists. With it you can search for your company and see what is actually out there. Many large companies have public facing systems that they have completely forgotten about. These systems may be exploitable and could allow an attacker into your internal system.

You can also check to see if you have public facing devices that are wide open. For example, what if your network administrator set up a print server and left it completely open on the internet. Do you really want someone from a different company or country going in to your print server and telling it to e-mail a copy of everything printed to them?

As usual with all security tools, some people will use Shodan for evil purposes. That is why it is critical that security departments use it first to check out their own company. Also make sure that login credentials for any publicly facing system has a long complex password.

A little bit of security goes a long way!

(When using Shodan remember, do not attempt to log in to a system that is not yours or try to access information that does not belong to you. Doing so is highly illegal and you could end up in jail.)

Worldwide Map of Internet Connected SCADA Systems

Every once in a while you run across some information that should not be accessible from the internet, and SCADA systems are by far no exception. Researchers from Free University Berlin are working on a stunning project of mapping internet accessible SCADA Systems worldwide using Shodan and a custom search program.

And… Their map includes sites that contain known vulnerabilities!

According to the project website SCADACS.org, their Industrial Risk Assessment Map (IRAM) “visualizes the approximate geospatial locations of ICS/SCADA and BMS network interfaces found on the Internet. Currently, we use Google Earth and Google Maps for this purpose.”

The custom map allows a user to “browse for ICS/SCADA systems by location and by keyword, and to drill down on information the map backend gathers on these systems from open sources. One such source is the Shodan computer search engine. Another source of information is the alpha version of our own crawler which covers services the Shodan engine does not cover.”

And as you can see from their video above, this map information backend includes a list of known vulnerabilities. Yes the video shows two locations that contain vulnerabilities, one in Austria and another in the US. But before you get too excited, these locations have been tagged as no longer publicly accessible.

So, how big a problem is internet connected SCADA systems, how many are there in Europe?

Oh, a few:

SCADA Systems Europe

Okay, how about America?

SCADA Systems USA

With all the hype about a “Cyber Pearl Harbor” (when Chinese hackers take over our country, kills our power and takes away FaceBook), that doesn’t really look so bad.

But there is a catch.

According to an exceptional article titled “The Great Cyberscare: Why the Pentagon is razzmatazzing you about those big bad Chinese hackers” by Dr. Thomas Rid (Reader in War Studies at King’s College London), the map only displays German manufactured systems:

“The United States looks as if it has the measles. But note that the map is incomplete: It is biased towards German products, the project’s founder told me. If that flaw can be fixed, the United States and other countries would look as bloody red as Germany does already.”

So there is definitely a lot of work to do in securing America’s public systems. Some good news is that the Pentagon plans to create 100 defensive cyber teams by 2015. Of the 100, thirteen teams will focus on defending our national infrastructure:

National mission forces will employ 13 teams focused on securing U.S. private networks powering critical infrastructure such as transportation systems and other vital industries.

Hopefully this will be done sooner, rather than later.

A sanitized public Google Maps and Google Earth version of the IRAM map can be located at SCADACS website.

Chinese Hack Energy Company, Attack Pentagon, and Try to Steal Stealth Bomber Skin

Our manufacturing powerhouse ally(?) in the East have been very busy. Amidst a flood of Chinese hacking and espionage attacks against the US, three of the latest news stories stand out. From breaking into a large energy company, to increased attacks on the pentagon, to trying to smuggle tons(!) of stealth fighter skin material out of the US, our “Trading Partners” have been very busy indeed…

CHINA HACKS ENERGY COMPANY

First up, Calgary-based Telvent a company that monitors large sections of US energy industry has allegedly been infiltrated by Chinese hackers. According to KrebsonSecurity, Telvent discovered the breach of its internal systems on September 10th:

“Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.”

Communication sent to Telvent customers show numerous files that were infected along with fake malicious update services AdobeUpdate.exe and nupdater.exe. The domains and captured network traffic seem to point to the Chinese hacker team the “Comment Group”.

This is very concerning as in the case of a possible future military conflict, attacking our power grid would be a top priority of the enemy.

INCREASED PENTAGON ATTACKS

Cyber attacks against the pentagon increased 17 fold from 2009 to 2011 and show no signs of decreasing:

“Their level of effort against the Department of Defense is constant”, Rear Admiral Samuel Cox said concerning the history of cyber threats, “It’s continuing apace, in fact, I’d say it’s still accelerating.”

China is well know for trying to steal military and scientific research, in an attempt to catch up on technology. How successful have they been? Just check out this cockpit comparison between China’s new Chengdu J-20 Stealth Fighter and the US F-22 Raptor:

In a full frontal view the planes look pretty much identical.

But where they have been successful in making physical copies, re-creating the actual technology has been a bit harder for them. Apparently, China cannot develop the engines needed for their Stealth Fighters internally and has to import them from Russia:

“China’s inability to domestically mass-produce modern high-performance jet engines at a consistently high-quality standard is an enduring Achilles’ heel of the Chinese military aerospace sector,” wrote Andrew Erickson, a Naval War College analyst. Erickson chalked up the engine gap to a lack of standardization, cooperation and quality control in Chinese industry.

And engines aren’t the only thing China is having a hard time reproducing. It seems the special skin used on the fighters is very difficult to make also. So, instead of trying to steal the plans on how to make it, they apparently have tried to smuggle tons of the material out of the US!

CHINA TRIES TO STEAL FIGHTER GRADE CARBON FIBER

Ming Suan Zhang was charged in Federal Court for “attempting to illegally export aerospace-grade carbon fiber“, and faces up to 20 years in prison.  Allegedly, Zhang and unnamed accomplices tried to obtain the carbon fiber and have it exported out of the US to China. Luckily for the US, the company that Zhang contacted was actually a front business for Homeland Security and the “buyer” Zhang talked with was actually a US agent:

“During an April teleconference, the buyers told the agent they wanted to ship “multiple tons of carbon fiber” from the U.S. to China through a third country in order to skip having to acquire an export license, and that acquiring the carbon fiber was “problematic” because it was related to a “military matter.” When the offer to use a middleman was rebuffed, the buyers asked if the carbon fiber could be mislabeled as something else, thereby sneaking past federal authorities. The agent told the buyers that what they were doing was quite illegal.”

But that didn’t stop the determined Zhang, who pressed the matter and the agent played along. An intercepted e-mail from China stated that the material was “needed for a test flight of a new Chinese fighter jet.” And Zhang also told an undercover agent that the material was indeed for a “fighter plane“.

Zhang was promptly arrested as soon as he entered the US.

Obviously China can “obtain” military secrets from foreign countries, but they apparently don’t have the technical know-how (at least for now) to completely duplicate some weapons systems. But what if China shared the secrets they obtain through cyber-espionage with other nations, like Russia?

Moves are being made to improve our cyber defenses. But for now it looks like we will just have to batten down the hatches a little tighter in the face of a rising tide of “friendly” attacks…

US Gas Pipeline Companies Currently Under Major Cyber Attack

Natural Gas Pipeline companies are currently facing a major targeted phishing attack from a single source according to the Christian Science Monitor. The attacks that seemed to have begun in December 2011 have caused the DHS to release three amber alerts, and the ICS-CERT team to release an incident response report on Friday:

That fact was reaffirmed late Friday in a public, albeit less detailed, “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of DHS based in Idaho Falls. It reiterated warnings in the earlier confidential alerts made directly to pipeline companies and some power companies.”

The incident response report explained that an analysis of the attacks shows that attacker was using a “spear-phishing” technique:

Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign from a single source. It goes on to broadly describe a sophisticated “spear-phishing” campaign – an approach in which cyber attackers attempt to establish digital beachheads within corporate networks.”

Natural Gas companies in the US and Canada seem to be the focus of the attacker and according to the article, some of the intrusion attempts may have been successful:

Multiple natural gas pipeline organizations have reported either attempts or intrusions related to this campaign.

Spear-phishing is an attack where the attacker researches certain individuals at a company using both online public and private resources. Public corporate news is analyzed, as well as individual’s social media sites, like Facebook and LinkedIn. The information gained is them used in a social engineering attack, usually a specially crafted e-mail that contains malicious links or attachments.

When the target runs the attachment or clicks on the link, remote access to the target’s computer is obtained or the attacker could harvest credentials or other pertinent information.

It is too early to tell who is responsible for these intrusions, but with the current concern of SCADA and public infrastructure attacks, it will be interesting to see which country or entity is behind this attack.