Shodan Search Reveals Open Cloud Control Panels

While researching web server frameworks, I ran across something that seemed very odd. I found what appeared to be unsecured Cloud Cluster controls. And using Shodan I could tell the difference between the ones that were using account login control and those that were surprisingly completely open to the public.

Twisted Web is a Python based web server used in many network applications. Over the years I have noticed that specific versions seem to be used for different tasks. I ran into one the other day that I do not remember seeing before.

An internet search using Shodan (the “search engine for Internet-connected devices”) for Twisted Web servers returned some odd results that I did not recognize. A specific version (10.2.0) returned what appeared to be some sort of cloud control interface on the internet.

If you go to the “Shodan.io” website and search for “twistedweb/10.2.0” it will list all of the systems in question, as seen below:

Shodan Cloud Security 1

There seem to be password protected ones and what appear to be completely unprotected ones. The difference is that the password protected ones show a login.html file in the Shodan result, while the completely open ones point to index.html.

So to have Shodan find all of the ones that appear completely open to the public, just search for “twistedweb/10.2.0 index.html” as seen below:
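The same login.html / index.html heuristic can be applied to an exported result set instead of eyeballing the Shodan web page, which is how a defender would check their own address space for exposed panels. The script below is an added example, not code from the post: it assumes results were saved with the Shodan CLI as one JSON object per line (the field names ip_str, port, org and data follow the Shodan banner format), and the sample banners, hosts (RFC 5737 documentation ranges) and organisation names are constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample export: one JSON object per line. The hosts, banner
# bodies and org names are made up; only the field names follow Shodan.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ip_str": "192.0.2.10", "port": 8888, "org": "Example Corp",
     "data": "HTTP/1.1 302 Found\r\nServer: TwistedWeb/10.2.0\r\n"
             "Location: /login.html\r\n\r\n"},
    {"ip_str": "192.0.2.20", "port": 8888, "org": "Example Corp",
     "data": "HTTP/1.1 302 Found\r\nServer: TwistedWeb/10.2.0\r\n"
             "Location: /index.html\r\n\r\n"},
    {"ip_str": "198.51.100.5", "port": 8888, "org": "Other Org",
     "data": "HTTP/1.1 302 Found\r\nServer: TwistedWeb/10.2.0\r\n"
             "Location: /index.html\r\n\r\n"},
    {"ip_str": "192.0.2.30", "port": 80, "org": "Example Corp",
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\n\r\n"},
])


def parse_export(text):
    """Load one banner record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def server_header(banner):
    """Return the value of the HTTP Server header, or '' if absent."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


def classify(banner):
    """The post's heuristic: login.html means a login page is in front,
    index.html means the panel is served directly; anything else needs
    a manual look."""
    low = banner.lower()
    if "login.html" in low:
        return "login"
    if "index.html" in low:
        return "open"
    return "unknown"


def in_scope(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(records, cidrs, server_prefix="twistedweb/10.2.0"):
    """Keep only banners inside our own netblocks that carry the server
    version of interest, bucketed by protection status."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    findings = {"login": [], "open": [], "unknown": []}
    for rec in records:
        if not in_scope(rec["ip_str"], nets):
            continue
        if not server_header(rec["data"]).lower().startswith(server_prefix):
            continue
        findings[classify(rec["data"])].append(f"{rec['ip_str']}:{rec['port']}")
    return findings


def open_count_by_org(records, server_prefix="twistedweb/10.2.0"):
    """Wider view, like the post's screenshot: open panels per organisation."""
    counts = Counter()
    for rec in records:
        if (server_header(rec["data"]).lower().startswith(server_prefix)
                and classify(rec["data"]) == "open"):
            counts[rec.get("org", "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print(triage(recs, ["192.0.2.0/24"]))   # only our own ranges
    print(open_count_by_org(recs))
```

Anything that lands in the "open" bucket for your own ranges is the first thing to fix; the "unknown" bucket is worth a manual check, because the heuristic only tells the two cases apart when the banner names the page.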

Shodan Cloud Security 2

As you can see there are more than 700 of them. They appear to be DataStax Enterprise Cluster Storage controls as seen in this picture from a DataStax YouTube demo:

Shodan Cloud Security 3

The DataStax YouTube video explains that you can completely control and monitor the cluster storage from this interface. I was thinking this was something that really shouldn’t be completely open to the public on the internet. There must be a “require login” setting that people are just not using to secure them. As I wasn’t sure, I ran the information by my friends at Evident.io.

“What you are seeing here is the failure to implement proper security controls around administrative interfaces of, in this case, Enterprise Cassandra NoSQL clusters. The unprotected administrative interface gives remote attackers the ability to connect to the cluster and perform administrative functions without authentication or resistance. This is often the result of business pressure to deploy technology to solve complex problems, but failure by the business to invest in time and resources to help those product teams protect the infrastructure and services themselves. A simple verification of security control deployment around this kind of technology would prevent this security incident from happening in the first place, and guarantee continued protection against mistakes that create unnecessary risk for the company,” said Tim Prendergast, co-founder and CEO of Evident.io.

There must be some way to protect these systems, or to notify cloud users of these issues.  Well, according to Prendergast, there is:

“Tools like the Evident Security Platform (ESP) help prevent these kinds of issues from being exploited by attackers by providing comprehensive visibility into the security controls deployed in your cloud, or alternatively you could build your own set of custom security controls through the custom signatures feature. Either way, nobody should operate their cloud environment without fast, accurate, and actionable information on these types of risks. The only way to protect your organization from suffering due to unprotected attack surfaces is to create a continuous, enforceable security practice around your cloud.”

As we have seen here, improperly protected cloud controls across the world were found very easily using Shodan. We could also easily differentiate between systems that had account login controls (I hope they used strong passwords) and those that didn’t. The advantages of using the cloud are obvious, but like any computing resource they must be protected properly from online threats.

About the Author

Daniel W. Dieterle is an internationally published author and computer security researcher with over 20 years’ experience in the IT field. His technical “How-To” articles have been featured in numerous computer magazines, and referenced by both industry websites and the media. He has also written three Ethical Hacking Security books based on Kali Linux, including his latest book, “Basic Security Testing with Kali Linux 2”, which contains a chapter on using Shodan.


Looking at North Korea’s IP Space with Shodan

Shodan North Korea 1

With all the news about North Korea’s online capabilities being shutdown I figured I would take a quick look at their IP space with Shodan, the “hacker’s Google”.

First I pulled up North Korea’s main IP space of 175.45.176.0 – 175.45.176.255 and found about 755 returns, 234 being SIP or Voice over IP – basically some sort of voice/video device.

Shodan North Korea 5

But what if we filter the search to just look for regular servers?

Shodan North Korea 3

8 results! You read that right, just eight! Most of them run some sort of CentOS Linux version with Apache. Looking at the rest of their IP space I found the following:

  • net:175.45.177.0/24 server turned up 2 more.
  • net:175.45.178.0/24 server turned up 8.
  • And finally net:175.45.179.0/24 server returned with 2.

So according to these searches with Shodan, N. Korea has around 20 servers active. Not a massive internet presence by any stretch of the imagination.

Web Enabled Printer (In)Security

Printer Insecurities

In the name of simplicity, it seems like every device is “Web Enabled” now. But the question is, where is the security? I was always stunned at how many printers you can find completely open on the web through Shodan. I never understood why, until now.

I was setting up a brand new “web enabled” printer. It went great, the quick start guide walked me through installing the ink cartridges, had a great video on connecting the paper trays to the printer and how to correctly insert paper.

It even walked me through turning on networking and getting it connected to my Wireless network.

In no time I was up and running!

It wanted to turn on printing from the internet, it got an e-mail address from the web all by itself and then wanted to turn on additional apps. It was so helpful!

But then I wondered, how is this thing secured?!?

So I surfed to the IP address the printer had been assigned, and it had a beautiful web control interface for the printer that was completely unsecured.

I dug through the menus and finally found the option to turn Web Based security to “On” and put in an administrator password. It informed me that it would not block internet users from seeing everything, but would limit them to informational pages only.

Then I realized, it never prompted me to turn control panel security on, and never asked me for a password. So I dug through the included manual (instead of just browsing the quick start guide) thinking I missed something.

Everything was in the manual, including troubleshooting network connectivity. But nowhere did it mention turning security on or how to even do it!

It’s just a printer you say – But printers can leak some very important information, like internal network settings, logs, files and in some cases, even user accounts.

And a few quick keyword searches on Shodan turn up tens of thousands of insecure printers.

Yikes!

Last month the author of “Shodan Blog” wrote a great article on printers bleeding information publicly.

Titled “I Know You Need Toner”, it lists the printers worldwide that are currently in need of toner:

Need Toner

It also shows the number of printers that need toner by country, and a list of the top organizations that need to change their toner.

Cute, I know, but it should really be a warning to people about what information is being bled publicly through the horde of web enabled devices that we are putting throughout our organizations.

It took several years, but most router manufacturers now ship new routers with some level of security turned on. It looks like other web enabled devices (like printers) need to start doing this too!

Server Remote Control iLO Boards Found on Shodan

I’ve been spending way too much time with Shodan (the computer search engine) lately. But what really bothers me is, every time I put time into searching for new things, I find them. And many times what I find boggles the mind.

Recently I found several search terms that bring up built in Server remote control iLO boards.

Integrated Lights Out, or iLO, boards are installed on many servers. They are remote support solutions that allow an administrator to log into the computer and manage it from afar. Most allow complete control of the server, including remote keyboard and mouse, the ability to power cycle the system, and the ability to mount and access additional media remotely.

So far, I have found eight unique search strings on Shodan (like this) that reveal iLO boards for Dell, HP, Fujitsu and Sun servers.

When I was a server team guy for a large corporation, we regularly used these to completely set up and configure heavy duty servers that were located in different states. The local IT techs would unbox the server and plug it into a network jack. We would then log in to the iLO and install the Operating System, web apps, or whatever else was needed, remotely, without ever physically touching the box.

We also used them for troubleshooting. If a remote server had locked up and was not responding at all, we would log in remotely to the iLO board and be able to service the system, again without ever physically touching it.

The fact that iLO boards can be found online is rather concerning. Granted many are there purposefully (so they can be remotely managed!) and are protected by a strong password. But several appeared to be using the default password.

If your company uses iLO boards on your servers, check them and make sure you are not using the default passwords! Change iLO passwords to long complex strings that you would use on any important system that is publicly available online. Disable or remove iLO boards (check your documentation) if they are not needed.
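The three checks in the paragraph above (no default passwords, strong passwords that get changed, and iLO disabled where it is not needed) can be run against an asset inventory rather than by hand. The script below is an added example, not code from the post or from any vendor tool: the CSV layout, the column names, the management network 10.10.5.0/24, the 90-day rotation limit and every sample row are constructed for the example, and a real inventory would be exported from whatever CMDB or spreadsheet your server team keeps.

```python
import csv
import io
import ipaddress

# Constructed inventory: columns and values are made up for the example.
# password_rotated records whether the factory default was ever replaced;
# last_rotation_days is the age of the current password.
SAMPLE_INVENTORY = """\
hostname,ilo_ip,remote_mgmt_required,password_rotated,last_rotation_days
db-01,10.10.5.11,yes,yes,40
files-02,10.10.5.12,yes,yes,120
web-03,203.0.113.17,yes,yes,12
build-02,10.10.5.40,no,no,0
lab-07,198.51.100.200,yes,no,0
"""

# Assumed policy: iLO interfaces live only on the management network
# (never on an internet-facing range), and admin passwords are rotated
# at least every 90 days.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
MAX_ROTATION_DAYS = 90


def parse_inventory(text):
    """Read the CSV into one dict per server."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_entry(row):
    """Return the list of policy findings for one iLO entry."""
    findings = []
    ip = ipaddress.ip_address(row["ilo_ip"])
    if not any(ip in net for net in MANAGEMENT_NETS):
        # iLO reachable from outside the management network
        findings.append("ilo_outside_mgmt_net")
    if row["password_rotated"].strip().lower() != "yes":
        # factory default never changed: the case the post warns about
        findings.append("default_password_suspected")
    elif int(row["last_rotation_days"]) > MAX_ROTATION_DAYS:
        findings.append("password_rotation_overdue")
    if row["remote_mgmt_required"].strip().lower() != "yes":
        # nobody needs remote management here, so disable or remove it
        findings.append("ilo_not_needed_disable")
    return findings


def audit(text):
    """Map hostname -> findings for every entry in the inventory."""
    return {row["hostname"]: audit_entry(row) for row in parse_inventory(text)}


def hosts_needing_action(text):
    """Just the hosts with at least one finding, for a work list."""
    return sorted(host for host, found in audit(text).items() if found)


if __name__ == "__main__":
    for host, found in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(found) if found else 'ok'}")
```

The "default_password_suspected" finding is deliberately conservative: the inventory can only tell you that nobody recorded a password change, so every host it flags should be logged into and checked, which is exactly the check the paragraph above asks for.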

A little security can go a long way in protecting your servers from online threats.