Insights For Success

Strategy, Innovation, Leadership and Security

Fun with Shodan and IOT

Edward Kiledjian
Read this related article: Find phishing and malware with a simple search

Search engines have become a favourite starting point for threat actors, so they should be your starting point too. Beyond Google, there is a set of specialized search engines that are powerful and a little scary. This article talks a bit about Shodan; think of it as a gentle introduction.

What is Shodan

Shodan is often called the world's most dangerous search engine. It catalogues metadata about the hosts it scans, and those hosts are often Internet of Things (IoT) devices. Hackers and security researchers use Shodan daily to find vulnerable webcams, exposed traffic light systems, SCADA in manufacturing plants and much more.

I'm going to assume you have a free Shodan account.

Browse the categories

If you visit the Shodan Explore section, you can find all kinds of interesting systems listed.

Unprotected webcam

For this example, I searched for the Axis 212 webcam which is known to have many vulnerabilities and a known default password.

As an example, the webcam I highlighted seems to be in a daycare facility and isn't even password protected.

I've blurred out the children and teacher.

Some are unprotected. Some have kept their default passwords (there are lots of default password lists like this one). Obviously many of these cameras are made by a handful of manufacturers in China and are never updated. Once you find a vulnerability on one model it is often workable on dozens of others.

Routers

You can search Shodan for common router brands like Belkin, D-Link, Netgear, etc., and then try to log in using the default admin passwords. Above is an example of a Linksys router exposed to the internet without a password. Others are exposed with the default password still set.

Intel AMT exposed to the internet

Despite a major Intel AMT vulnerability, Shodan showed 4,647 devices with AMT connected to the internet (as of July 22).

If you search for "http intel active management" in Shodan, you will get a listing of these devices.

Other searches you can perform

  • Netgear devices with port 80 open to the internet
  • Bitcoin servers

You can even use the Shodan ShipTracker dashboard to track ships in real time.

ShipTracker is harmless on its own, but combined with data available from other sources and the knowledge that many ship systems use default passwords, it is a disaster waiting to happen.

There is a known vulnerability that allows a threat actor to steal or modify information from a Memcached server. This vulnerability was used to target GitHub with a massive DDoS attack. Not all Memcached servers are vulnerable (I won't show you how to find the vulnerable ones), but how would you search for Memcached servers on the net? The answer is with a Shodan query.

Conclusion

Obviously, this is just the tip of the iceberg. A true threat intel specialist will be able to automate Shodan queries and then combine them with known vulnerabilities, exploits or default credentials. I hope this article has created a bit of interest in you to learn more.
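Automating the kind of query the post describes, but from the defender's side: an added example (not code from the post) that scopes a Shodan search to your own netblock with the net: filter and triages the returned matches for the AMT, Memcached and Axis exposures discussed above. It assumes the JSON shape of Shodan's search API and uses a constructed sample result instead of a live API call; the banner substrings it matches on are assumptions.

```python
# Added example, not code from the original post: triage a Shodan result set for
# the exposed services the article discusses, scoped to your own address space.
# Assumes Shodan's search API JSON shape ("matches" with "ip_str", "port",
# "data"); the sample below is constructed.
import ipaddress

# Default ports of the services named in the post; banner substrings are assumptions.
RISKY_PORTS = {11211: "Memcached reachable from the internet",
               16992: "Intel AMT web console exposed (HTTP)",
               16993: "Intel AMT web console exposed (HTTPS)"}
RISKY_BANNERS = {"active management": "Intel AMT web console exposed",
                 "axis 212": "Axis 212 camera web interface exposed"}

def build_query(netblock: str, extra: str = "") -> str:
    """Shodan query restricted to one of our own CIDR ranges via net:."""
    ipaddress.ip_network(netblock)  # raises ValueError on a malformed range
    return f"net:{netblock} {extra}".strip()

def triage(results: dict, netblock: str) -> list:
    """One finding per match that is inside netblock and looks risky."""
    net = ipaddress.ip_network(netblock)
    findings = []
    for match in results.get("matches", []):
        ip = ipaddress.ip_address(match["ip_str"])
        if ip not in net:
            continue  # results outside our scope are not ours to act on
        port = match.get("port")
        banner = match.get("data", "").lower()
        reason = RISKY_PORTS.get(port) or next(
            (why for key, why in RISKY_BANNERS.items() if key in banner), None)
        if reason:
            findings.append({"ip": str(ip), "port": port, "reason": reason})
    return sorted(findings, key=lambda f: (f["ip"], f["port"]))

# Constructed sample in the Shodan result shape, using documentation ranges.
SAMPLE = {"matches": [
    {"ip_str": "203.0.113.10", "port": 16992,
     "data": "HTTP/1.1 200 OK\r\nServer: Intel(R) Active Management Technology 11.0\r\n"},
    {"ip_str": "203.0.113.20", "port": 11211, "data": "STAT pid 1234\r\nSTAT uptime 99\r\n"},
    {"ip_str": "203.0.113.30", "port": 443, "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
    {"ip_str": "203.0.113.40", "port": 80,
     "data": "HTTP/1.1 200 OK\r\n\r\n<title>Live view - AXIS 212 PTZ</title>"},
    {"ip_str": "198.51.100.5", "port": 16992, "data": "Intel(R) Active Management Technology"},
]}

if __name__ == "__main__":
    print(build_query("203.0.113.0/24", "port:16992,11211"))
    for finding in triage(SAMPLE, "203.0.113.0/24"):
        print(f"{finding['ip']}:{finding['port']}  {finding['reason']}")
```

Feeding the real API's result for the same query into triage() gives the list of hosts in your range that need to be firewalled, patched or have their default credentials changed.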

For this article, I only chose examples that were exposed to the internet and were not password protected. Be careful, as laws differ around the world. In some countries even testing default passwords could be considered "hacking".

AI.Type Android Keyboard leaks data from 31M users

Edward Kiledjian

ZDNet got the scoop on this significant leak. AI.type, a third-party keyboard replacement for Android, has leaked data for its 31 million users online.

How did this happen? A database administrator didn't secure the database. Anyone with basic skills could access and query the unprotected database and "have fun" with the 577 GB of data it contained.

What type of data leaked? The leak includes fun elements like name, email address, precise user geolocation data, city and country. Researchers have also found [that some records contain] phone numbers, IP addresses, dates of birth, gender, etc.

Why stop there? Researchers also found that some user contacts were in the database. One table contained ~375M telephone numbers.

This is a perfect example of why Apple forces users to enter passwords and sensitive information using its native keyboard (even if the user has installed a third-party one).

On Android, I use the Google keyboard for this exact reason. Another alternative is Swiftkey, which now belongs to Microsoft (another company I would trust).

Hackers that hacked Cellebrite released a data dump

Edward Kiledjian

Image from the Cellebrite website

Cellebrite is an Israeli company that specializes in tools (hardware and software) to break cell phone security. The Universal Forensic Extraction Device (UFED) is their most popular product, and it can extract information from a wide variety of cell phones in minutes. Needless to say, law enforcement loves Cellebrite and has made it a very wealthy company.

Cellebrite confirmed being breached and that 900 GB of data was taken (which we believe contained end user licensing information). Cellebrite was quick to point out that passwords and payment information were not taken.

The hackers have published the dump, which includes source code and customer information but, more importantly, exploitable vulnerabilities for iOS, Android and BlackBerry.

Cellebrite's UFED uses many of these vulnerabilities to extract the information its customers want from locked or otherwise protected devices.

Motherboard spoke to world-renowned iOS security expert Jonathan Zdziarski, who said the iOS vulnerabilities are already commonly known and therefore nothing earth-shattering. The BlackBerry vulnerabilities haven't been released yet, and those will be interesting.

Obviously Cellebrite is continuously updating its products with the latest vulnerability discoveries, so it is safe to assume this won't damage its thriving business with law enforcement.

You can see a small sliver of the 900 GB on a pastebin site (which will quickly disappear, of course).

The links to download the first parts of the dump are here:

  1. https://mega.nz/#!sZUkSbDT!l740KTf5TG-TgjN-YNZcejSOfhUn43jZ8jR3Lw_w7dY

  2. https://mega.nz/#!0d9zBQLI!DdKhZDXoMEnO6RpZDHWMGVV7nBXXZ98cPzjzVqLsVuw

These files may be taken down anytime so... Your Mileage May Vary.

The hackers are promising to release another small dump with files retrieved "via the weaponized Cellebrite update service deployed on MS Windows based devices and desktops".

"Analysis of the compression and obfuscation employed by Cellebrite on products supplied to British MOD juxtaposed with the protection free versions supplied to SOCOM and others is also included within," added the hacker.

The hackers are hacking the hackers. Let's see how this story unfolds.

Cover your laptop's webcam now

Edward Kiledjian

We learned a couple of months ago that Mark Zuckerberg covers his webcam with black tape (via a NY Times article).

Then FBI director James Comey made the same recommendation:

"There's some sensible things you should be doing, and that's one of them," Director James Comey said during a conference at the Center for Strategic and International Studies.

The truth is that bad actors can easily hack into a laptop equipped with a camera without the user knowing it. Travellers are at an even higher risk because airports and hotels are used by intelligence agencies around the world to collect information (especially when you use a Wi-Fi hotspot without first setting up a VPN; read this article).

Instead of using black tape, which could leave residue, I bought a reusable webcam cover from Amazon for $3.

iCloud attack was really phishing

Edward Kiledjian

Image by Christiaan Cole used under Creative Commons License

Remember the "iCloud hacking" (aka Celebgate) where celebrity photos were stolen and published? Well, the man behind it was convicted of accessing more than 300 iCloud and Gmail accounts (30 of which belonged to real celebrities). You can read the district attorney's brief if interested.

Now this is the story that wasn't. While most media outlets were shocked that Apple would allow hackers to "break into" iCloud accounts and steal pictures, it turns out Apple couldn't have done much. The attack relied on good old-fashioned phishing.

Phishing is the act of faking a popular website or service and tricking users into entering their credentials on the harvesting page.

So iCloud was never compromised, but Apple probably could have done more to detect the unauthorized access and protect its users' data.

So the moral of the story is:

  • be extra vigilant about where you enter your passwords
  • never re-use the same password for more than one site
  • use complicated (non-dictionary) passwords
  • turn on two-factor authentication