Insights For Success

Strategy, Innovation, Leadership and Security

Fun with Shodan and IOT

Edward Kiledjian

Read this related article: Find phishing and malware with a simple search

Search engines have become a favourite starting point for threat actors, so they should also be your starting point. Beyond Google, there are a number of specialized search engines that are powerful and scary. This article talks a bit about Shodan; think of it as a gentle introduction.

What is Shodan

Shodan is often called the world's most dangerous search engine. Shodan catalogues metadata about its targets, which are often Internet of Things (IOT) devices. Hackers and security researchers use Shodan daily to find vulnerable webcams, open traffic light systems, SCADA in manufacturing plants and much more.

I'm going to assume you have a free Shodan account.

Browse the categories

If you visit the Shodan Explore section, you can find all kinds of interesting systems listed.

Unprotected webcam

For this example, I searched for the Axis 212 webcam which is known to have many vulnerabilities and a known default password.

As an example, the webcam I highlighted seems to be in a daycare facility and isn't even password protected.

I've blurred out the children and teacher.

Some are unprotected. Some have kept their default passwords (there are lots of default password lists like this one). Obviously many of these cameras are made by a handful of manufacturers in China and are never updated. Once you find a vulnerability on one model it is often workable on dozens of others.

Routers

You can search Shodan for common router brands like Belkin, D-Link, Netgear, etc., and then try to log in using the default admin passwords. Above is an example of a Linksys router exposed to the internet without a password. Others are exposed with the default password.

Intel AMT Exposed to the internet

There is a major Intel AMT vulnerability, yet Shodan shows that 4,647 devices with AMT were connected to the internet (on July 22).

If you search for "http intel active management" in Shodan, you will get a listing of these devices.

Other searches you can perform

Netgear device with port 80 open to the internet

Bitcoin servers

You can even use the Shodan ShipTracker dashboard to track ships in real time.

ShipTracker is harmless on its own, but combined with data available from other sources and the knowledge that many ship systems use default passwords, it is a disaster waiting to happen.

There is a known vulnerability that allows a threat actor to steal or modify information from a Memcached server. This vulnerability was used to target GitHub with a massive DDoS attack. Not all Memcached servers are vulnerable (I won't show you how to find the vulnerable ones), but how would you search for Memcached servers on the net? The answer is with a Shodan query.

Conclusion

Obviously, this is just the tip of the iceberg. A true threat intel specialist will be able to automate Shodan queries and then combine them with known vulnerabilities, exploits or default credentials. I am hoping this article created a bit of interest in you to learn more. 

For this article, I only chose examples that were exposed to the internet and were not password protected. Be careful as laws differ around the world. In some countries even testing default passwords could be considered "hacking". 
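One way a defender can turn the searches above inward, as an added example that is not from the original article: triage Shodan-style host records for addresses you own and flag the exposures discussed here (Intel AMT, Memcached, port 80). The records are constructed, the field names follow Shodan's host JSON (`ip_str`, `data`, `port`, `transport`), and `OWNED_NETS`, `RULES`, `is_owned` and `triage` are assumptions made for the example.

```python
import ipaddress

# Assumption: address ranges your organisation owns (a documentation range here).
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: rule table built from the exposures named in the article.
RULES = {
    (16992, "tcp"): "Intel AMT web interface (HTTP) reachable from the internet",
    (16993, "tcp"): "Intel AMT web interface (HTTPS) reachable from the internet",
    (11211, "udp"): "Memcached answering over UDP",
    (11211, "tcp"): "Memcached reachable from the internet",
    (80, "tcp"): "HTTP on port 80 exposed; check for a device admin page",
}

def is_owned(ip):
    """True if ip parses and falls inside one of OWNED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing address
    return any(addr in net for net in OWNED_NETS)

def triage(hosts):
    """Return sorted (ip, port, transport, finding) tuples, owned hosts only."""
    findings = []
    for host in hosts:
        ip = host.get("ip_str", "")
        if not is_owned(ip):
            continue  # never report on addresses outside your own inventory
        for banner in host.get("data", []):
            key = (banner.get("port"), banner.get("transport", "tcp"))
            if key in RULES:
                findings.append((ip, key[0], key[1], RULES[key]))
    return sorted(findings)

# Constructed sample records, shaped like Shodan host JSON.
SAMPLE_HOSTS = [
    {"ip_str": "203.0.113.10", "data": [
        {"port": 16992, "transport": "tcp"}, {"port": 443, "transport": "tcp"}]},
    {"ip_str": "203.0.113.20", "data": [{"port": 11211, "transport": "udp"}]},
    {"ip_str": "198.51.100.5", "data": [{"port": 80, "transport": "tcp"}]},  # not ours
    {"ip_str": "not-an-ip", "data": [{"port": 80, "transport": "tcp"}]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS):
        print(*finding, sep="  ")
```

In practice the records would come from a Shodan host lookup for each address in your own inventory, run on a schedule so new exposures surface quickly.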

Find phishing and malware with a simple search

General | Edward Kiledjian

A very important function of any information security team is threat intelligence. Threat Intel can be a complicated and costly service in some cases but can be as simple as running a simple search in other cases. Here is a trick to get you started with the simple and cheap function.

Did you know you can find lots of "fun" phishing and malware links using nothing more than a simple VirusTotal search? Search VirusTotal for Google Storage API (precooked link). 

Go down midway on the results page and voila.

The one I highlighted above takes you to a Dropbox phishing site.

Some may not be fully formed yet. Some may already be taken down but you can find some interesting opportunities for research. 

Simple "script kiddie" level Threat Intel for you.

2 secrets you need to know for Amazon Prime Day

General | Edward Kiledjian

Amazon Prime Day is here and expect millions of customers to go crazy buying things they don't need. At least those unneeded items are deeply discounted, right? Maybe! Thousands of items will be sold at their lowest price ever, but that isn't the case for everything.

The internet is here to save the day again. A free online tool called CamelCamelCamel will show you the truth.

You paste an Amazon link into the search bar at CamelCamelCamel and it will show you the item's price over time.

You copy the Amazon URL into the CamelCamelCamel search bar

Then you scroll midway down the results page and notice that the current promo is actually a good deal.

CamelCamelCamel covers Amazon sites for Canada, USA, Australia, China, France, Germany, Italy, Japan, Spain and the United Kingdom.

Do you want an example of a not so good deal? Here is one for you:

Looks like a good lightning deal...

CamelCamelCamel says this item was sold in December 2017 for $53.82, a full $6.48 cheaper. This means that if you don't need this item right away, you may want to wait a bit or find an alternative that may actually be a deal.

And one more thing

I'll sweeten the pot with one more tip for Amazon Prime Day (PrimeDay) and this one is related to the product reviews. You will notice that those Bluedio headphones seem to have a good user review rating of 4/5 stars (with 273 customer reviews). Can you trust those reviews?

Enter Fakespot! As with CamelCamelCamel, you copy the Amazon product URL into the Fakespot search bar and you are presented with a review reliability score.

Fakespot isn't perfect but it is a great way to quickly determine how much trust you should put in the user reviews. Notice above that the analysis is old. If you see the ReAnalyze button, press it and wait until you get a new rating.

When I tested Fakespot with these on-special headphones, the user review rating improved from an F to a D. 

The moral of the story is that you will probably find hundreds of great deals worth the asking price, but make sure to perform your own due diligence using CamelCamelCamel and Fakespot.

Google Chrome's Spectre Mitigation is consuming 10% more RAM

General | Edward Kiledjian

Google Chrome has always been a resource hog, but you may have noticed it's been consuming just a little bit more RAM lately (on your desktop).

This new, more demanding Chrome is the result of Google's Spectre mitigation efforts.
The Google Chrome security team has enabled site isolation by default (in Chrome v67 for desktops). Justin Schuh, head of Google Chrome Security, explained that site isolation separates each website process, thereby preventing a malicious tab from stealing data from another.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”
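A simplified model of the rule quoted above, as an added example that is not Chrome's code: a site is taken as scheme plus registrable domain, and each site in a tab gets its own renderer process. `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the Public Suffix List, and `site_of` and `assign_processes` are hypothetical names.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the samples.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def site_of(url):
    """Return scheme + registrable domain (public suffix plus one label)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    # Try the longest candidate suffix first, then keep one extra label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            registrable = ".".join(labels[max(i - 1, 0):])
            return f"{parts.scheme}://{registrable}"
    return f"{parts.scheme}://{parts.hostname}"  # unknown suffix: use full host

def assign_processes(frame_urls):
    """Map each frame URL to a process id; frames share one only if same site."""
    process_for_site = {}
    assignment = {}
    for url in frame_urls:
        site = site_of(url)
        # A new site gets the next free process id; a known site reuses its own.
        pid = process_for_site.setdefault(site, len(process_for_site) + 1)
        assignment[url] = pid
    return assignment

# Constructed sample: one tab with a top-level document and three iframes.
SAMPLE_FRAMES = [
    "https://news.example.com/story",    # top-level document
    "https://ads.example.org/banner",    # cross-site iframe: out of process
    "https://static.example.com/widget", # same site as the parent
    "http://news.example.com/legacy",    # different scheme, so a different site
]

if __name__ == "__main__":
    for url, pid in assign_processes(SAMPLE_FRAMES).items():
        print(f"process {pid}: {url}")
```

The extra processes for the cross-site iframes are where the additional memory goes.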

Don't expect to see this update on the Android version anytime soon; the resource consumption requirements are too high (for now).

Chrome is obviously my browser of choice, but I have been concerned about the amount of resources it requires, and this move (although right from a security perspective) further pushes Chrome in the wrong direction.


Honest review of NordVPN

General | Edward Kiledjian

Recently I started seeing more ads for the NordVPN service. It seems some of you may be in the same position as I've received several emails asking me for my opinion about them. 

After a careful review, here it is. NordVPN is best described as a good "one size fits all" VPN service. You pay one fixed price and get full access to their network endpoints (1000+ servers in 57 countries) and the full available speed.

TL;DR: NordVPN offers impressively fast VPN, good security and easy to use clients.

You will find an impressive list of tutorials for dozens of different platforms from the usual (Windows, Mac, iPhone and Android) to Belkin, MikroTik and Arris routers.

Protection

NordVPN promises that it is a no-log service. They use 2048-bit encryption; they run their DNS servers to minimize DNS leakage and have a "kill switch" that will block application internet access in case the VPN gets disconnected.

Validating their claims

Many providers promise a no-log service, but there is no way for consumers to validate this statement independently. I have chatted with their support and had no reason to doubt their claim. 

I have run my standard VPN tests on Windows and macOS and can confirm that I did not detect any DNS, WebRTC or identity leakage. My most useful test was validating their kill switch functionality (by manually killing the VPN process), and I confirmed it worked.

Multiple devices

NordVPN offers access to 6 devices simultaneously. If you connect multiple devices to the same endpoint, you will have to choose different VPN protocols for each (L2TP, PPTP, OpenVPN TCP and OpenVPN UDP). 

Price

I recommend you shop around for deals. Their "normal" promo is $79.00 for 2 years (a 72% discount). If you browse the web, you can find links with additional discounts of up to 77%. Here is the link I used below (not an affiliate link) 

Conclusion

Overall NordVPN seems like a competitive offering with good security.