Shodan: Another Step Towards Intrusion as a Service
If you haven't seen Shodan yet, you're probably not using Twitter as a means to stay current on security issues. Shoot, I don't even follow anyone and I heard about it.
Basically a programmer named John Matherly scanned a huge swath of the Internet for certain TCP ports (80, 21, 23 at least) and published the results in a database with a nice Web front-end. This means you can put your mind in Google hacking mode, find vulnerable platforms, maybe add in some default passwords (or not), and take over someone's system. We're several steps along the Intrusion as a Service (IaaS) path already!
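Because what Shodan indexes is simply the banner each service hands out on those ports, the cheapest defensive response is to see what your own hosts advertise before someone else does. The following is an added example, not code from the post or from Shodan: it grabs a banner the way a port-scanning indexer would, then flags banners that disclose a product version or present a clear-text login prompt. The sample banners, the loopback listener that serves them, and the hypothetical `self_check` report format are all constructed for this illustration.

```python
"""Banner-exposure self-check: what would an indexer see on our own ports?"""
import re
import socket
import threading

# Constructed sample banners (not taken from Shodan or the post). Each stands in
# for what a service on that port might send; hostnames and IPs are placeholders.
SAMPLE_BANNERS = {
    21: b"220 ProFTPD 1.3.1 Server (ExampleCorp FTP) [203.0.113.10]\r\n",
    23: b"\r\nUser Access Verification\r\n\r\nPassword: ",
    80: b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Length: 0\r\n\r\n",
    8080: b"HTTP/1.0 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
}

# Patterns that show a banner disclosing a product version (HTTP Server header,
# FTP 220 greeting). An indexer can search on exactly these strings.
VERSION_PATTERNS = [
    re.compile(r"^Server:\s*(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d+(?:\.\d+)+)",
               re.M | re.I),
    re.compile(r"^220[ -].*?(?P<product>[A-Za-z][\w-]*)\s+(?P<version>\d+(?:\.\d+)+)",
               re.M),
]


def classify_banner(banner: bytes) -> dict:
    """Summarise what a banner gives away: product/version and clear-text login."""
    text = banner.decode("ascii", errors="replace")
    result = {"product": None, "version": None, "leaks_version": False,
              "cleartext_login": bool(re.search(r"(?i)(password|login):", text))}
    for pat in VERSION_PATTERNS:
        m = pat.search(text)
        if m:
            result.update(product=m.group("product"), version=m.group("version"),
                          leaks_version=True)
            break
    return result


def grab_banner(host: str, port: int, probe: bytes = None, timeout: float = 2.0) -> bytes:
    """Connect, optionally send a probe (HTTP needs a request), read until close/timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        chunks = []
        try:
            while True:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # a real service stays open; we only want the greeting
        return b"".join(chunks)


def _serve_once(banner: bytes, needs_request: bool) -> int:
    """Loopback stand-in for a real service: answer one connection, then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if needs_request:
                conn.recv(1024)  # consume the HEAD request before answering
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def self_check(banners: dict = SAMPLE_BANNERS) -> dict:
    """Grab and classify every sample banner; keyed by the port it represents."""
    report = {}
    for port, banner in banners.items():
        is_http = port in (80, 8080)
        local_port = _serve_once(banner, is_http)
        probe = b"HEAD / HTTP/1.0\r\n\r\n" if is_http else None
        report[port] = classify_banner(grab_banner("127.0.0.1", local_port, probe))
    return report


if __name__ == "__main__":
    for port, verdict in sorted(self_check().items()):
        print(port, verdict)
```

Run against real hosts by replacing the loopback listener with your own addresses in `grab_banner`; the point of the classifier is that the ProFTPD and Apache samples are searchable by version, the nginx sample is not, and the telnet sample is a clear-text password prompt regardless of version.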
Incidentally, this idea is not new. I know at least one company that sold a service like this in 2004. The difference is that Shodan is free and open to the public.
Shodan is a dream for those wanting to spend Thanksgiving looking for vulnerable boxes, and a nightmare for their owners. I would not be surprised if shodan.surtri.com disappears in the next few days after receiving a call or two from TLAs or LEAs or .mil's. I predict a mad scramble by intruders during the next 24-48 hours as they use Shodan to locate, own, and secure boxes before others do.
Matt Franz asked good questions about this site in his post Where's the Controversy about Shodan? Personally I think Shodan will disappear. Many will argue that publishing information about systems is not a problem. We hear similar arguments from people defending sites that publish torrents. Personally I don't have a problem with Shodan or torrent sites. From a personal responsibility standpoint it would have been nice to delay notification of Shodan until after Thanksgiving.
Comments
What was the final result of Google dorks? This is essentially the same thing. Easily indexable information was indexed and is now searchable.
Again we take the responsibility of securing devices and systems away from the responsible party (the admins and owners) and blame the bad guys with the "think of the children" argument.
Why don't we start blaming the jackasses for allowing themselves to be hacked and not the bad guys who do it? Can you really blame the guy that steals the "whatever" out of the unlocked car? Really?
This easily carries over into the cyber war arena. Let's stop pointing our fingers at the guys breaking in and instead point our fingers at the organization who allowed it to happen.
I'm curious as to what would be the right approach if blaming the victim SOMETIMES is not. There isn't a lot you can do against the 0day rock through your window or a really determined attacker. But pretty much anyone can be held accountable for negligence in almost every other field, yet unless it's holding PCI or medical information somehow people are off the hook in the security world.
You think blaming the attacker is the right approach? With the rise of all this electronic crime we still think the average "user" to our system is going to do the honest and right thing? I think not.
You've done a lot of IR; you honestly still get mad at the bad guys for breaking in when some places make it SO EASY?
It's the same way that if I came across your house with a window open and you being on vacation, I still would not go in. Nor would most people.
Your train of thought is akin to suggesting sexual assault victims had it coming if they were dressed in a provocative manner.
I *always* direct anger at intruders. If I discover they compromised an asset that offered an easy way in, I am usually upset with the asset owner too. However, I wouldn't have to get involved if the bad guy didn't exist.
The security world is "unique" in that we're the only ones who think redressing vulnerabilities should be the priority, whereas the whole world thinks otherwise, e.g., Threat Deterrence, Mitigation, and Elimination.
Yes, a person with common sense & proper values wouldn't go through an open window to someone else's home. In the real world though, there are bad people that will & do. Solution.... Don't leave your windows open when you are not home or on vacation. Shame on you if you do. Oh, and bad guys don't take holidays either.
Unfortunately we live in a victimized society, where the victim has been allowed to have no responsibility whatsoever and this has become part of most people's mentalities. The "it wasn't me, it was the other guy" train of thought is weak and people need to get away from it.
Using the home break-in train of thought... as a home owner I make sure to have good windows, good door locks, an alarm and thorny bushes by my windows. I even make sure to tell the neighbors that I trust that I will be away, so they'll keep an eye on the place. I will go so far as to have my mail held at the P.O. Now if someone gets in, congrats to them, but I still did all that I could to help deter & prevent a burglary.
When it comes to systems, shouldn't the same approach be taken? Do all that can be done to prevent & deter.
I don't condone people breaking into sites. I don't want anyone to think I do. I also don't think that anyone ASKS to be attacked because they placed a host on the net or failed to secure something. However I do think the attackee SOMETIMES has a piece of the responsibility to share.
You failed to address my point of responsibility on the admin's part, which is my whole point. Does the admin have a responsibility for failing to patch? If you put a system on the Internet do you have a responsibility to patch, and if you fail to do that is it or is it not your fault?
If you leave your house with the door open and someone walks in and steals stuff, is your insurance going to cover it? Doubtful; you are at fault. That DOESN'T make the thief a "good guy" and he's certainly not providing you or anyone a public service by stealing your crap, but it's still partly your fault: you left the door open.
Back to Shodan, I don't care that my site was indexed; I took reasonable precautions to protect it by turning off server version banners and I patch my stuff. If I get owned because I forgot to patch something, that's my fault and not because it was scanned and indexed without my permission. I'm gonna be pissed that someone did that, and probably most publicly did that, but I share responsibility for letting that happen.
You have 1000 people going through your neighborhood via bike, car or walking on a daily basis, and a 1 in a million chance someone is going to at least jiggle your doors to see if they can get in.
On the Internet you have something like 8 million people constantly in your 'neighborhood'. Remove the risk of being 'caught' physically and that chance of someone jiggling your doors greatly increases. That, and as an organization you have more than just two doors (some you may not even remember/know about). Now instead of a 1 in a million, you have 1 in a 1,000 chance of someone _attempting_ a break in.
Your expected level of safety in your neighborhood no longer fits that analogy structure. It's more like leaving your door unlocked in downtown DC or LA, with your iPhone laying out. Your friends and family would just call you an idiot and not offer condolences at all.
Sites like this are nice. Everyone should be checking what the Internet knows about them.
Sheesh.
In both cases we can condemn the attacker and empathize with the victim, but the degree of each will be different for attack one versus attack two.
For example, assume two people are killed. One was inside their home in a good neighborhood at 4pm. The other was out drinking all night, and on the street in a bad neighborhood at 3am. Which story will shock people more or get more attention? Will people in the second case rightfully say "It's terrible, but what was he doing in that neighborhood at that time?"
With companies it is magnified, because unlike personal risk, they have also taken risks on behalf of customers, employees, and other stakeholders with the promise that they would exercise due care with the information those parties provide them to do business.
So, would a delay in the release of Shodan have made a difference to the IIS 4 admins, or the Cisco HTTP and telnet admins that have been revealed by Shodan search? Probably not.... those people don't follow security news. So, why should John go out of his way to keep that (public) information private? In aggregate, this is a useful snapshot for security research and it's not anyone's responsibility to take publicly available information and keep it private, just because it's been made easier to access.
Don't get me wrong, I don't agree w/ anyone breaking into anyone else's site. My point was that people have to use some common sense when it comes to protecting their systems. Like Prefect stated above, "because unlike personal risk, they have also taken risks on behalf of customers, employees, and other stakeholders with the promise that they would exercise due care with the information those parties provide them to do business." It is not just their info, but the information of others that was entrusted to them. I also agree with Chris, people have to begin shouldering some of the responsibility of allowing a weak defense.
An application like this might sound illegal, but as has been pointed out by many, it cannot be termed illegal. People (ala govt's) might get to block it.
You must start by protecting information you withheld rather than blaming a developer for his efforts!
"Clearly, this isn't all or nothing. There are many parties involved in a typical software attack. There's the company that sold the software with the vulnerability in the first place. There's the person who wrote the attack tool. There's the attacker himself, who used the tool to break into a network. There's the owner of the network, who was entrusted with defending that network. One hundred percent of the liability shouldn't fall on the shoulders of the software vendor, just as 100% shouldn't fall on the attacker or the network owner. But today, 100% of the cost falls directly on the network owner, and that just has to stop."
--Bruce Schneier
http://www.schneier.com/blog/archives/2004/11/computer_securi.html
Nmap isn't a database of the whole Internet. Shodan is.
And, thanks for the great blog and your good works in general!