Wednesday, November 25, 2009

Shodan: Another Step Towards Intrusion as a Service

If you haven't seen Shodan yet, you're probably not using Twitter as a means to stay current on security issues. Shoot, I don't even follow anyone and I heard about it.

Basically a programmer named John Matherly scanned a huge swath of the Internet for certain TCP ports (80, 21, 23 at least) and published the results in a database with a nice Web front-end. This means you can put your mind in Google hacking mode, find vulnerable platforms, maybe add in some default passwords (or not), and take over someone's system. We're several steps along the Intrusion as a Service (IaaS) path already!

Incidentally, this idea is not new. I know at least one company that sold a service like this in 2004. The difference is that Shodan is free and open to the public.

Shodan is a dream for those wanting to spend Thanksgiving looking for vulnerable boxes, and a nightmare for their owners. I would not be surprised if shodan.surtri.com disappears in the next few days after receiving a call or two from TLAs or LEAs or .mil's. I predict a mad scramble by intruders during the next 24-48 hours as they use Shodan to locate, own, and secure boxes before others do.

Matt Franz asked good questions about this site in his post Where's the Controversy about Shodan? Personally I think Shodan will disappear. Many will argue that publishing information about systems is not a problem. We hear similar arguments from people defending sites that publish torrents. Personally I don't have a problem with Shodan or torrent sites. From a personal responsibility standpoint, it would have been nice to delay notification of Shodan until after Thanksgiving.

23 comments:

Anonymous said...

If a box is to be owned it will be owned whether it is Thanksgiving or Cyber Monday. Monitors can neither sleep nor relax. Keep your eyes on the ball is, I suppose, the message.

Anonymous said...

IAAS...I like it! Stormcloud Computing! Cloudjacking!

CG said...

I agree that it will probably disappear because someone is going to get pissed and call their lawyer that the vulnerable box they run got indexed and someone will probably break into it (or they'll finally do some IR and see it's been broken into many times).

What was the final result of Google dorks? This is essentially the same thing. Easily indexable information was indexed and is now searchable.

Again we take the responsibility of securing devices and systems away from the responsible party (the admins and owners) and blame the bad guys with the "think of the children" argument.

Why don't we start blaming the jackasses for allowing themselves to be hacked and not the bad guys who do it? Can you really blame the guy that steals the "whatever" out of the unlocked car? Really?

This easily carries over into the cyber war arena. Let's stop pointing our fingers at the guys breaking in and instead point our fingers at the organization who allowed it to happen.

Richard Bejtlich said...

Chris, you just went totally off the reservation with that one. Blaming the victim is not the right approach. I hope all your doors and windows are locked, that your glass is not breakable, that your locks are bump-key resistant, etc. That is not an argument you can realistically win.

CG said...

I really hate the break-into-the-house analogy, but having breakable glass is not the same as leaving my window open and going on vacation. If someone worked hard to break into a site that's not the admin's fault; having an open root shell exposed to the internet, I think, is.

I'm curious as to what would be the right approach if blaming the victim SOMETIMES is not. There isn't a lot you can do against the 0day rock through your window or a really determined attacker. But pretty much anyone can be held accountable for negligence in almost every other field, yet unless it's holding PCI or medical information somehow people are off the hook in the security world.

You think blaming the attacker is the right approach? With the rise of all this electronic crime we still think the average "user" to our system is going to do the honest and right thing? I think not.

You've done a lot of IR; you honestly still get mad at the bad guys for breaking in when some places make it SO EASY?

Innismir said...

Chris: It doesn't matter if the admin was a moron or not (for the record, the people who run these servers definitely are); however, it doesn't change the fact that the attacker still broke in.

It's the same way that if I came across your house with a window open and you being on vacation, I still would not go in. Nor would most people.

Your train of thought is akin to suggesting sexual assault victims had it coming if they were dressed in a provocative manner.

Richard Bejtlich said...

Hi Chris,

I *always* direct anger at intruders. If I discover they compromised an asset that offered an easy way in, I am usually upset with the asset owner too. However, I wouldn't have to get involved if the bad guy didn't exist.

The security world is "unique" in that we're the only ones who think redressing vulnerabilities should be the priority, whereas the whole world thinks otherwise, e.g., Threat Deterrence, Mitigation, and Elimination.

Joe Garcia said...

Ben: I think what Chris is trying to say is that it is very easy to blame the attacker when the victim failed to carry out due diligence to protect themselves.

Yes, a person with common sense & proper values wouldn't go through an open window to someone else's home. In the real world though, there are bad people that will & do. Solution.... Don't leave your windows open when you are not home or on vacation. Shame on you if you do. Oh, and bad guys don't take holidays either.

Unfortunately we live in a victimized society, where the victim has been allowed to have no responsibility whatsoever and this has become part of most people's mentalities. The "it wasn't me, it was the other guy" train of thought is weak and people need to get away from it.

Using the home break-in train of thought... as a home owner I make sure to have good windows, good door locks, an alarm and thorny bushes by my windows. I even make sure to tell the neighbors that I trust that I will be away, so they'll keep an eye on the place. I will go so far as to have my mail held at the P.O. Now if someone gets in, congrats to them, but I still did all that I could to help deter & prevent a burglary.

When it comes to systems, shouldn't the same approach be taken? Do all that can be done to prevent & deter.

Richard Bejtlich said...

I can't believe what I am reading. "It is very easy to blame the attacker when the victim failed to carry out due diligence to protect themselves." So if one day, you're standing next to me at a Metro station, and I bump you onto the track just as the train arrives, who is going to say "Joe didn't carry out due diligence to protect himself!"

CG said...

@innismir

I don't condone people breaking into sites. I don't want anyone to think I do. I also don't think that anyone ASKS to be attacked because they placed a host on the net or failed to secure something. However I do think the attackee SOMETIMES has a piece of the responsibility to share.

You failed to address my point of responsibility on the admin's part, which is my whole point. Does the admin have a responsibility for failing to patch? If you put a system on the internet do you have a responsibility to patch, and if you fail to do that is it or is it not your fault?

If you leave your house with the door open and someone walks in and steals stuff, is your insurance going to cover it? Doubtful; you are at fault. That DOESN'T make the thief a "good guy" and he's certainly not providing you or anyone a public service by stealing your crap, but it's still partly your fault, you left the door open.

Back to Shodan, I don't care that my site was indexed; I took reasonable precautions to protect it by turning off server version banners and I patch my stuff. If I get owned because I forgot to patch something that's my fault and not because it was scanned and indexed without my permission. I'm gonna be pissed that someone did that, and probably most publicly did that, but I share responsibility for letting that happen.
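The post describes Shodan as a searchable index of banners collected from ports such as 80, 21 and 23, and the comment above names the owner-side countermeasures (suppress version banners, patch). As an added example that is not part of the original post or any commenter's code, the script below shows what a defender can do with such an index for their own address space: parse a handful of constructed banner records (the hosts and banner strings are made up for this example, not real Shodan data) and report which hosts expose a cleartext telnet login, disclose a product version in an FTP greeting or HTTP Server header, or present an HTTP authentication prompt to the Internet. The record shape `(host, port, banner)` and the issue labels are assumptions of this example, not a Shodan format.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like entries in a port-scan index: (host, port, banner).
# Addresses are from the documentation range 192.0.2.0/24; banners are invented for this example.
SAMPLE_RECORDS = [
    ("192.0.2.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n"),
    ("192.0.2.10", 23, "\xff\xfd\x18\xff\xfd\x20\r\nlogin: "),
    ("192.0.2.11", 80, "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"),
    ("192.0.2.12", 21, "220 ProFTPD 1.3.1 Server ready.\r\n"),
    ("192.0.2.13", 80, "HTTP/1.0 401 Unauthorized\r\nServer: cisco-IOS\r\n"
                       "WWW-Authenticate: Basic realm=\"level_15_access\"\r\n"),
]

# Matches product/version tokens such as "Apache/2.2.3" or "nginx/1.14.0" in a Server header.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")
# Matches an FTP 220 greeting that carries a dotted version number.
FTP_VERSION_RE = re.compile(r"^220[ -].*?\b(\d+(?:\.\d+)+)\b")


@dataclass
class Finding:
    host: str
    port: int
    issue: str
    detail: str


def http_server_header(banner):
    """Return the value of the Server header from a raw HTTP response banner, or None."""
    for line in banner.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def assess(records):
    """Turn raw banner records into a list of defender-facing findings."""
    findings = []
    for host, port, banner in records:
        if port == 23:
            # Any reachable telnet service is a finding: credentials cross the wire in cleartext.
            findings.append(Finding(host, port, "telnet-exposed", "cleartext login prompt reachable"))
        elif port == 21:
            m = FTP_VERSION_RE.match(banner)
            if m:
                findings.append(Finding(host, port, "ftp-version-disclosed", m.group(1)))
        elif port == 80:
            server = http_server_header(banner)
            if server and VERSION_RE.search(server):
                # Server header leaks an exact version; "Server: Apache" alone is not flagged.
                findings.append(Finding(host, port, "http-version-disclosed", server))
            if "www-authenticate" in banner.lower():
                # A login prompt on an Internet-facing HTTP port usually means exposed management.
                findings.append(Finding(host, port, "http-auth-prompt-exposed", server or "unknown"))
    return findings


def exposure_by_host(records):
    """Map every host in the records to the sorted issue labels found for it (empty if clean)."""
    report = {host: [] for host, _, _ in records}
    for f in assess(records):
        report[f.host].append(f.issue)
    return {host: sorted(issues) for host, issues in report.items()}


if __name__ == "__main__":
    for host, issues in exposure_by_host(SAMPLE_RECORDS).items():
        print(f"{host}: {', '.join(issues) if issues else 'no findings'}")
```

Run against a real export of your own netblock, the same report tells you which banners to suppress and which services should not be reachable at all; the version regexes are deliberately narrow so that a host that has already stripped its version string, like 192.0.2.11 above, produces no finding.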

Rob Fuller (mubix) said...

Way off point, but I hate that house analogy; it doesn't scale. The Internet is a vastly different place than your local neighborhood. Just making up numbers here, but let's think of it this way:

You have 1000 people going through your neighborhood via bike, car or walking on a daily basis, and a 1 in a million chance someone is going to at least jiggle your doors to see if they can get in.

On the Internet you have something like 8 million people constantly in your 'neighborhood'. Remove the risk of being 'caught' physically and that chance of someone jiggling your doors greatly increases. That, and as an organization you have more than just two doors (some you may not even remember/know about). Now instead of a 1 in a million, you have a 1 in 1,000 chance of someone _attempting_ a break in.

Your expected level of safety in your neighborhood no longer fits that analogy structure. It's more like leaving your door unlocked in downtown DC or LA, with your iPhone laying out. Your friends and family would just call you an idiot and not offer condolences at all.

Joe said...

You can't protect yourself against everything. You're going to miss something. That doesn't make you negligent. Attacking someone is criminal. The attacker is the problem.

Sites like this are nice. Everyone should be checking to what the internet knows about them.

Sheesh.

Prefect said...

Arguments above suggest it is wrong to point out the difference where one victim has taken extreme, reasonably irresponsible risk, and another who has exercised reasonable due care but was still owned through sophisticated attack.

While in both cases we can condemn the attacker and empathize with the victim, the degree of each will be different for attack one versus attack two.

For example, assume two people are killed. One was inside their home in a good neighborhood at 4pm. The other was out drinking all night, and on the street in a bad neighborhood at 3am. Which story will shock people more or get more attention? Will people in the second case rightfully say "It's terrible, but what was he doing in that neighborhood at that time?"

With companies it is magnified, because unlike personal risk, they have also taken risks on behalf of customers, employees, and other stakeholders with the promise that they would exercise due care with the information those parties provide them to do business.

Anonymous said...

The fact is that hackers hack, get over it!

Steve said...

Isn't Shodan just like Google street view? It's indexing information that is out there for anyone that cares to look, from a point in time (the time of the scan, the time of the photo). So, in this one lonely instance, the computer-security-as-home-security metaphor actually kind of works! Woo! Who said nothing gets done the week of Thanksgiving?

So, would a delay in the release of Shodan have made a difference to the IIS 4 admins, or the Cisco HTTP and telnet admins that have been revealed by Shodan search? Probably not....those people don't follow security news. So, why should John go out of his way to keep that (public) information private? In aggregate, this is a useful snapshot for security research and it's not anyone's responsibility to take publicly available information and keep it private, just because it's been made easier to access.

Joe Garcia said...

Richard: Using your train platform analogy, I wouldn't be close enough to the edge for you to just bump me over it. Why? Because I know that getting hit by a train will kill me or (at the least) seriously maim me. If I was close enough to the edge & you pushed me you'd still be wrong & should be arrested, but I should never have been there in the first place.

Don't get me wrong, I don't agree w/ anyone breaking into anyone else's site. My point was that people have to use some common sense when it comes to protecting their systems. Like Prefect stated above, "because unlike personal risk, they have also taken risks on behalf of customers, employees, and other stakeholders with the promise that they would exercise due care with the information those parties provide them to do business." It is not just their info, but the information of others that was entrusted to them. I also agree with Chris, people have to begin shouldering some of the responsibility of allowing a weak defense.

Black said...

I believe that you cannot protect an asset by leaving open the information that can act as an ingredient for a well-timed attack.
An application like this might sound illegal, but as has been pointed out by many, it cannot be termed illegal. People (a la governments) might get to block it.
You must start by protecting the information you withheld rather than blaming a developer for his efforts!

Adam said...

Bruce Schneier brought up a good point a long time ago on liability.

"Clearly, this isn't all or nothing. There are many parties involved in a typical software attack. There's the company that sold the software with the vulnerability in the first place. There's the person who wrote the attack tool. There's the attacker himself, who used the tool to break into a network. There's the owner of the network, who was entrusted with defending that network. One hundred percent of the liability shouldn't fall on the shoulders of the software vendor, just as 100% shouldn't fall on the attacker or the network owner. But today, 100% of the cost falls directly on the network owner, and that just has to stop."
--Bruce Schneier

http://www.schneier.com/blog/archives/2004/11/computer_securi.html

Anonymous said...

I don't see how Shodan is any worse than nmap.

Richard Bejtlich said...

Anonymous,

Nmap isn't a database of the whole Internet. Shodan is.

chrisk said...

Why not use the vulnerability data in Shodan or a similar database to notify all the network/system owners? Advise them of the vulnerabilities and provide information to help them mitigate and remediate. This could help improve the overall security of the internet in general.

Richard Bejtlich said...

Chrisk, nice idea, but who has the resources to do that?

Anonymous said...

Rich, thanks for posting about it, and thanks in advance for posting about other things that we may have not seen due to inattention to the right channels or following the right people.

And thanks for the great blog and your good works in general!