Shodan crawls the internet looking for publicly accessible devices, with a focus on SCADA
(supervisory control and data acquisition) systems; its findings range from standalone
workstations to wide area networking configurations (Hill).


When a person first visits Shodan, they are allowed up to ten results without creating an account;
after creating an account, they are allowed up to fifty results for each search. Users who want more
than fifty results must provide a reason and pay a fee. This option is mainly for researchers,
professors and penetration testers, since the primary users of Shodan are cybersecurity
professionals, researchers and law enforcement agencies. Some cybercriminals or hackers can also
sign up for the site, but most are reluctant to do so, since the site can track activity and hackers
have access to botnets which can accomplish a similar task anonymously (Schearer).

“Shodan Hacking Alerts are vulnerability RSS (Really Simple Syndication) feeds which regularly
pull search results from the Shodan search engine. Bishop Fox’s free defensive tool uses
Shodan data in its defense alerts by utilizing the feature to turn Shodan search results into
RSS feeds by appending &feed=1 to common Shodan query URLs. These free RSS alerts can
be utilized to perform ongoing monitoring of Shodan results to look for new vulnerabilities in
systems or software”.
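The monitoring loop the quoted passage describes, as an added example that is not code from the article or from Bishop Fox: build a feed URL by appending feed=1 to a query URL, parse the RSS 2.0 result, and report only entries that have not been seen on earlier polls. The feed XML and host addresses below are constructed sample data, and the assumption that the query URL carries its search string in a query parameter is an assumption of this example, not something the article states.

```python
"""Poll an RSS feed of search results and report entries not seen before.

Added example, not from the article. The feed documents are constructed
(hosts in the 192.0.2.0/24 documentation range); the `query` parameter name
used by build_feed_url is an assumption about the search URL's shape.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_feed_url(base_url: str, query: str) -> str:
    """Return base_url with the search string and feed=1 appended, as the article describes."""
    parts = urlsplit(base_url)
    params = dict(parse_qsl(parts.query))  # keep any parameters already present
    params["query"] = query                # assumed parameter name for the search string
    params["feed"] = "1"                   # the switch that turns results into an RSS feed
    return urlunsplit(parts._replace(query=urlencode(params)))


def parse_rss(xml_text: str) -> list[dict]:
    """Extract title/link/guid/pubDate from every <item> of an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        guid = item.findtext("guid") or item.findtext("link") or ""
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "guid": guid.strip(),
            "pubDate": (item.findtext("pubDate") or "").strip(),
        })
    return items


def check_feed(xml_text: str, seen: set) -> list[dict]:
    """Return items whose guid is not in `seen`, and record them so the next poll skips them.

    `seen` is the persistent state between polls; in a real monitor it would be
    written to disk so that an alert fires once per newly exposed host.
    """
    fresh = [item for item in parse_rss(xml_text) if item["guid"] not in seen]
    seen.update(item["guid"] for item in fresh)
    return fresh


# Constructed feed as it might look on the first poll: two exposed hosts.
SAMPLE_FEED_DAY1 = """<rss version="2.0">
<channel>
<title>constructed search feed: port:502</title>
<item>
<title>192.0.2.10 - Modbus on port 502</title>
<link>https://example.invalid/host/192.0.2.10</link>
<guid>192.0.2.10:502</guid>
<pubDate>Tue, 01 Apr 2014 10:00:00 GMT</pubDate>
</item>
<item>
<title>192.0.2.20 - Modbus on port 502</title>
<link>https://example.invalid/host/192.0.2.20</link>
<guid>192.0.2.20:502</guid>
<pubDate>Tue, 01 Apr 2014 10:05:00 GMT</pubDate>
</item>
</channel>
</rss>"""

# Constructed feed for the next poll: the same two hosts plus one newly exposed one.
EXTRA_ITEM = """<item>
<title>192.0.2.30 - Modbus on port 502</title>
<link>https://example.invalid/host/192.0.2.30</link>
<guid>192.0.2.30:502</guid>
<pubDate>Wed, 02 Apr 2014 09:00:00 GMT</pubDate>
</item>
"""
SAMPLE_FEED_DAY2 = SAMPLE_FEED_DAY1.replace("</channel>", EXTRA_ITEM + "</channel>")


if __name__ == "__main__":
    print(build_feed_url("https://www.shodan.io/search", "port:502"))
    state = set()
    for label, feed in (("day 1", SAMPLE_FEED_DAY1), ("day 2", SAMPLE_FEED_DAY2)):
        for item in check_feed(feed, state):
            print(f"[{label}] new result: {item['title']} ({item['link']})")
```

Keying the "seen" set on the item guid rather than the title means a host that changes its banner text is not reported twice, while a host that newly appears on a port is reported exactly once.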


While the Shodan site can be used to do great harm, it is mostly used for good, and it offers
penetration testers a useful tool for completing their jobs. A pen tester or government official
can use the site to find nodes that should not be located online or left unsecured, and then
report them to the Computer Emergency Readiness Team (CERT). In today’s technology age,
companies often buy systems that enable them to remotely access a system, such as a heating
system, from a computer in order to provide better accessibility and control in case of an
emergency. But rather than connecting them directly, many IT departments just plug them both
into a Web server, inadvertently sharing them with the rest of the world. Of course there’s no
security on these devices, said Matherly: “They don’t belong on the internet in the first place”.

In most cases, the affected control system interface was designed to provide remote access for
monitoring system status or certain asset management features. The identified systems range
from stand-alone workstation applications to larger WAN (wide area network) configurations
connecting remote facilities to central monitoring systems. These systems have been found to
be readily accessible from the Internet with tools such as Shodan.

In addition to the increased risk of account brute forcing (trying multiple usernames and
passwords until one gets into a system) from having these systems available on the Internet,
some of the identified systems continue to use default user names and passwords or common
vendor accounts for remote access into these systems. These default accounts can in many
cases be easily found in online documentation or online default password repositories. Control
system owners and operators are advised to audit their control systems, whether or not directly
connected to the internet, for the use of default administrator-level user names and passwords.
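The two risks the paragraph names, brute forcing and default accounts, are both visible in the access log of a remote-access interface. The following is an added example, not code from the article: it runs over constructed syslog-style login records from a hypothetical remote-access service, flags any source that accumulates five failed logins inside a five-minute sliding window, and flags successful logins that either follow such a burst from the same source or use an account name on a list of vendor defaults. The log format, the thresholds and the default-account list are all assumptions of this example.

```python
"""Detect brute-force bursts and default-account use in remote-access login logs.

Added example, not from the article. The log lines, the line format, the
thresholds and DEFAULT_ACCOUNTS are constructed for illustration; a real
deployment would take the account list from the vendor's own documentation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> remote-access: login OK|FAILED user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) remote-access: login (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed stand-in for the vendor default accounts the article says are easy to find.
DEFAULT_ACCOUNTS = {"admin", "operator", "service"}


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Map each source IP to the time it first reached `threshold` failures within `window`."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] != "FAILED":
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and rec["src"] not in flagged:
            flagged[rec["src"]] = rec["ts"]
    return flagged


def report(lines):
    """Combine both checks into a list of findings, each a dict with kind/src/user/at."""
    flagged = detect_bruteforce(lines)
    findings = [{"kind": "bruteforce", "src": src, "user": None, "at": when.isoformat()}
                for src, when in flagged.items()]
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] != "OK":
            continue
        if rec["src"] in flagged and rec["ts"] >= flagged[rec["src"]]:
            kind = "success_after_bruteforce"   # the burst ended in a login: top priority
        elif rec["user"] in DEFAULT_ACCOUNTS:
            kind = "default_account_login"      # vendor default still in use
        else:
            continue
        findings.append({"kind": kind, "src": rec["src"], "user": rec["user"],
                         "at": rec["ts"].isoformat()})
    return findings


# Constructed sample log: one guessing burst that succeeds, one ordinary user, one default account.
SAMPLE_LOG = [
    "2014-04-01T08:00:01 remote-access: login FAILED user=admin src=198.51.100.7",
    "2014-04-01T08:00:03 remote-access: login FAILED user=admin src=198.51.100.7",
    "2014-04-01T08:00:05 remote-access: login FAILED user=root src=198.51.100.7",
    "2014-04-01T08:00:08 remote-access: login FAILED user=operator src=198.51.100.7",
    "2014-04-01T08:00:10 remote-access: login FAILED user=admin src=198.51.100.7",
    "2014-04-01T08:00:12 remote-access: login OK user=admin src=198.51.100.7",
    "2014-04-01T08:30:00 remote-access: login FAILED user=jsmith src=203.0.113.5",
    "2014-04-01T09:10:00 remote-access: login FAILED user=jsmith src=203.0.113.5",
    "2014-04-01T09:10:20 remote-access: login OK user=jsmith src=203.0.113.5",
    "2014-04-01T12:00:00 remote-access: login OK user=service src=192.0.2.44",
    "2014-04-01T12:00:01 heartbeat: link up",  # unrelated line, skipped by the parser
]


if __name__ == "__main__":
    for f in report(SAMPLE_LOG):
        print(f"{f['at']}  {f['kind']:24s} src={f['src']} user={f['user']}")
```

The sliding window is what separates a guessing burst from an operator mistyping a password twice across a morning: the second source in the sample fails twice, forty minutes apart, and is never flagged. A "default_account_login" finding is the audit signal the paragraph asks for, since it shows a default administrator-level account is still in service, whether or not anyone is attacking it.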



40 Cyber Warnings E-Magazine – April 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
