Understanding Shodan HQ for hacking and cyber warfare
Shodan HQ is probably one of the more interesting web sites that few people know about. Shodan scans the internet looking for devices that people have left unsecured or with default login information, if any. Sometimes a web site just makes you happy, and Shodan has shown that there are hundreds of thousands of devices connected to the internet that are going to be ripped apart when it comes to cyber warfare.
The ironic part of sites like this is that you get a very good feel for just how shoddy corporate and personal information security really is in the real world. While the world awaits something like a cyber-warfare Pearl Harbor, Shodan shows that we have sown our own seeds, and that some of the companies that route banking, critical infrastructure, water, and power systems. What is amazing is that, despite all the warnings, despite Homeland Security, despite being in the Shodan HQ database, these systems have not yet been secured.
Over the last few months we have found bank routers with passwords that are unencrypted. We have found a ton of SCADA systems that you can basically access as a read-only account, so you can see what others are seeing and then figure out what the systems are doing, how they are doing, and what a good landing pad would be for working further mischief in the system.
Personally, I find it amazing that our internal systems are so shoddily protected that they are left wide open for anyone, and I mean anyone, to waltz on in and check out what is happening. All of this because people left their systems open, with no passwords and no protections, and a simple search engine can go through and identify what is running. Going there is like walking down a hallway; there is nothing standing in the way of access to these systems.
If we are going to take cyber warfare seriously, then we need to start at home: we need to understand our exposures, and those exposures need to be closed. Companies that leave infrastructure open to anyone, from banks to power, need to be assisted in cleaning up what is exposed, and need to learn proper security practices to ensure that they are not hacked. Shodan should be an empty database, but it is not. There are hundreds of thousands of entries in there, all of it interesting, much of it an opportunity to lose and lose badly in a cyber-war.
(Cross-posted @ Managing Intellectual Property & IT Security)