Shodan: Exploring the Dark Internet Bill Matonte, Brian Brokling, Chris Hamm Overview • What is Shodan o The dark Internet o The Shodan Story o How Shodan works • Industrial Control Systems(ICS) and their vulnerabilities • Countermeasures The Dark Internet In order to understand SHODAN, you must understand where SHODAN operates. That is, the dark Internet. • As soon as 2001, there could have been as many as 100,000,000 hosts that are completely unreachable. • Many of these websites can be reached through "secure gatekeepers", but the security can be very lax. • The Shodan Story • SHODAN was thought of in 2003 and launched in 2009. • SHODAN is the brainchild of John Matherly. He named his creation off of the evil artifical intellegence entity, SHODAN, from the System Shock series of video games. • The main idea behind SHODAN is that there are many nodes on the internet, especially industrial and commercial systems, that use the internet, but are not normally considered part of it. • SHODAN changes this paradigm. Industrial Controls Systems(ICS) • Include Many Essential Infrastructure o Nuclear power plants o Chemical processing plants o Energy pipeline monitoring and control • Operate and monitor systems remotely • Reduces cost • Increases security risk • Designed for function not security http://www.ipcprotects.com/images/controlnetwork-security-diag-big.jpg ICS Continued • Lack basic security features o Encryption, Firewalls, Anti-Virus Software • Systems difficult to update • Default passwords often unchanged as a “safety feature" • Before 2011 thought to be “Air-Gapped” • In 2011 it was revealed that 7500 ICS nodes were exposed • Only 17% required Passwords • 20.5% were susceptible to known exploits. Shodan the Search Engine • Optimized to search for systems • Uses Indexed meta-data stored in banners • Filter information from banners to find vulnerable systems • DEMO!!! Countermeasures • Restrict your devices to only allow packets to be broadcast inside the internal LAN • Restrict what IP addresses can access your network from the internet • Use VPN to remote access your network • Change all default device passwords to something else • Surpress or minimize verbose banners • Run Shodan against yourself o see if you can find yourself with Shodan Works Cited • • • • • • • • • • • • "Frequently Asked Questions." SHODAN. N.p., n.d. Web. 22 Apr. 2014. <http://www.shodanhq.com/help/faq>. Goldman, David. "Shodan Finds the Internet's Most Dangerous Spots." CNNMoney. Cable News Network, 02 May 2013. Web. 22 Apr. 2014. Goldman, David. "Shodan: The Scariest Search Engine on the Internet." CNNMoney. Cable News Network, 08 Apr. 2013. Web. 22 Apr. 2014. Graddy, Marchello, and Dennis Strouble. "Critical Infrastructure Control Systems Vulnerabilities." International Conference on Information Warfare and Security. Reading. N.p.: Academic Conferences International Limited, 2010. 106-XIII. Web. 22 Apr. 2014. Hill, Kashmir. "Camera Company That Let Hackers Spy On Naked Customers Ordered By FTC To Get Its Security Act Together." Forbes. Forbes Magazine, 04 Sept. 2013. Web. 22 Apr. 2014. Hill, Kashmir. "The Crazy Things A Savvy Shodan Searcher Can Find Exposed On The Internet." Forbes. Forbes Magazine, 05 Sept. 2013. Web. 22 Apr. 2014. ICS-CERT. "Alert (ICS-ALERT-11-343-01A)." Control System Internet Accessibility (Update A). Deopartment Of Homeland Security, 21 June 2012. Web. 22 Apr. 2014. Leverett, Eireann. "Quantitatatively Assessing and Visualizing Industrial System Attack Surfaces." Diss. U of Cambridge, 2011. Leveret-Industrial. Web. 23 Apr. 2014. <"https://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf>. NERC. "Control Systems Security Working Group(CSSWG)." NERC. North American Electric Reliability Corporation, n.d. Web. 23 Apr. 2014. <http://www.nerc.com/>. O'Harrow, Robert, and Jr. "Cyber Search Engine Shodan Exposes Industrial Control Systems to New Risks." The Washington Post. N.p., 27 Dec. 2012. Web. 8 Apr. 2014. United States. Department of Energy.Office of Scientific and Technical Information, United States. Department of Energy, and Idaho National Laboratory. Introduction to SCADA Protection and Vulnerabilities. Washington, D.C; Oak Ridge, Tenn: United States. Dept. of Energy, 2004. Web. Wiess, Aaron. "5 Tips to Protect Networks Against Shodan Searches." - ESecurity Planet. N.p., n.d. Web. 21 Apr. 2014. <http://www.esecurityplanet.com/network-security/5-tips-to-protect-networks-against-shodan-searches.html>.