Hacking into the rest of our technology

One of those darn kids invented a monster.  It is called Shodan.  And it threatens everything connected to the internet, which is now pretty much everything:

It began as a hobby for a teenage computer programmer named John Matherly, who wondered how much he could learn about devices linked to the Internet.

After tinkering with code for nearly a decade, Matherly eventually developed a way to map and capture the specifications of everything from desktop computers to network printers to Web servers.

He called his fledgling search engine Shodan, and in late 2009 he began asking friends to try it out. He had no inkling it was about to alter the balance of security in cyberspace.

“I just thought it was cool,” said Matherly, now 28.

Matherly and other Shodan users quickly realized they were revealing an astonishing fact: Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.

Control computers were built to run behind the safety of brick walls. But such security is rapidly eroded by links to the Internet. Recently, an unknown hacker broke into a water plant south of Houston using a default password he found in a user manual. A Shodan user found and accessed the cyclotron at the Lawrence Berkeley National Laboratory. Yet another user found thousands of unsecured Cisco routers, the computer systems that direct data on the networks.

“There’s no reason these systems should be exposed that way,” Matherly said. “It just seems ludicrous.”

The rise of Shodan illuminates the rapid convergence of the real world and cyberspace, and the degree to which machines that millions of people depend on every day are becoming vulnerable to intrusion and digital sabotage. It also shows that the online world is more interconnected and complex than anyone fully understands, leaving us more exposed than we previously imagined.

via Cyber search engine exposes vulnerabilities – The Washington Post.

About Gene Veith

Professor of Literature at Patrick Henry College, the Director of the Cranach Institute at Concordia Theological Seminary, a columnist for World Magazine and TableTalk, and the author of 18 books on different facets of Christianity & Culture.

  • formerly just steve

    Eventually, hopefully, everyone will learn that their connection to the internet is a front door separating them from a potentially very bad neighborhood and that they need to take measures to make their data more difficult and less appealing to pursue. Many people need to be burglarized to learn that lesson. Unfortunately, identity theft is like burglarizing the house of a guy who keeps all his money under the mattress.

  • WebMonk

    “One of those darn kids invented a monster. It is called Shodan. And it threatens everything connected to the internet”

    I hope that was a prefatory overstatement. Tools like “Shodan” have been around for ages. I use some regularly for work to test and ensure the security of our systems. Shodan is an open-source freebie and pretty darned good, but it’s hardly up to industrial standards. We have some software tools that make Shodan look like a pre-injection Captain America.

    The state of computer security in public utilities and private individual networks is deplorable, but Shodan is far from being some super computer-compromising hacker tool about to bring down the Internet.

  • EricM

    I agree completely with WebMonk. Shodan is nothing new. Tools that scan the Internet have been around since at least the early 90’s. Many of the tools will tell you the type of system as well as its vulnerabilities. Other tools allow you to automate the exploitation of the vulnerabilities.

    The fact that sensitive systems are connected directly to the internet is simply negligence on the part of the organization. Systems that are very sensitive or that control critical systems should not be connected at all.

    BTW – one item in the story is incorrect. The water system in Houston was not attacked. It turned out to be a legitimate administrator of the system who happened to be accessing it remotely while on vacation. That story just seems to have a life of its own.

  • WebMonk

    The Washington Post is slipping even further into the depths of reporting mediocrity.

    First, this story is pure, alarmist hype.
    Second, one of the supporting examples wasn’t actually hacking.

    Thanks Eric, now that you mentioned it, it does sound familiar. It made a splash a while back, but that particular instance was a false alarm. The plant’s admin was on vacation in Russia or China when he logged in.

    But, there have been plenty of other real instances where people have gained unauthorized access to public utilities systems. Just not the instance the news story claims.

  • formerly just steve

    Monk, I think we talked about this before. You suggest this story is alarmist hype but that’s because you know the subject matter. I submit that if this article were about (fill in the blank) and you were somewhat of an expert in (fill in the blank) you would have a similar opinion.

  • WebMonk

    fjs – you lost me.

    Obviously, if I didn’t know the subject, I might not realize it is junk.
    Because I do know the subject, I do realize the article is junk.

    I’m missing your point.
