Voice of VOIPSA » Shawn Merdinger

Revisiting Shodan Computer Search Engine: Oh Noes, the places you’ll go!

Shawn Merdinger — Thu, 26 Aug 2010 18:32:11 +0000

I’m sorry to say so
But, sadly it’s true
That bang-ups and hang-ups
Can happen to you

– Dr. Seuss, "Oh, the places you’ll go!" (1990)

Back in January 2010, I wrote a short blog post about Shodan and VoIP devices and mentioned that it’s a site well worth revisiting. Well, that time has come, and there’s plenty more to talk about when it comes to Shodan.

What is Shodan?

It is a publicly available, searchable database of pre-scanned networked devices. The scanning includes banner results from common services like telnet and http, and is akin to fingerprinting. One way to look at it is like Rainbow Tables for networked devices.

What’s the risk?

When a new vulnerability is discovered, Shodan makes it easy for attackers to search for vulnerable devices without actively scanning. For example, say a vulnerability is published about Apache Mod_Security — an attacker can easily search Shodan for vulnerable version and then launch an attack to pwn the box.

Attackers can also use Shodan search filters and really narrow down search results, by country code or CIDR netblock for example. You do have to register for more specific search functionality if you’re interested in say, the 24 Cisco boxes in Iran with no authentication.

Pssst….wanna Pwn 7000 Cisco routers/switches?

Yes you can. And only because some network admin didn’t know how to configure HTTP authentication. It’s easy peasy with Shodan’s most popular search. Click on the resulting IP addresses from that search and you’ll get the HTTP interface of a Cisco router/switch with no authentication. Add "/level/15/exec/-/sh/run/CR" to the IP address and you’ll get the "show running configuration" output of the device. Understand what’s going on here. An attacker can easily add an admin-level account, change the configuration, crack the listed Cisco passwords in the configuration to target other devices on that network, etc.

Why should I care?

Shodan creates risk by making poor configurations and other adminstrator mistakes much more visible to potential attackers. It also creates risk by providing a pre-scanned inventory of potential targets. I’ve seen some amazingly frightning devices discovered through Shodan that are wide open and have no authentication — for a few examples:

An Eastern European country’s SCADA water treatment network
A switch controlling the Neurosurgery VLANs of a hospital
Physical security door access controller systems
Routers with VoIP configurations
and plenty more….

These are just a few examples of the micro-risks. I think from a macro-risk perspective, specifically concerning the Cisco routers with no authentication, is the very possible and easy mass takeover of routers and potential for BGP attacks. Not possible? Well, think back to early 2008 when Pakistan modified BGP routes to block YouTube and because of a misconfiguration, large swaths of the Internet outside of Pakistan could not access the site. This was the result of a error from a few routers broadcasting bad BGP routes — now imagine if an attacker does this with a few thousand routers distributed globally? I think it’s really only a matter of time…

What should I do?

There are tangible steps you can take. First and foremost if to register fora free Shodan account and search for devices on your organization’s CIDR netblock. If you are working with buisness partners that are connected to you, check their CIDR netblocks in Shodan as well. Make a stink and inform the right network and security people of the risks of Shodan exposure.

You can do nothing, and let Shodan determine your fate. Your choice.

Risks Of Phone Removal From University Dorm Rooms

Shawn Merdinger — Wed, 11 Aug 2010 14:33:52 +0000

Risk: A Growing And Disturbing Trend

Today the Washington Post and WSJ Blog both reported on a decision by the University of Virgina Housing Division to remove phones from student dorm rooms. The obvious justification for the decision is the cost associated with providing phone infrastructure residence halls, in UVa’s case over 500K annually.

I can understand the financial predicament many universities find themselves in today’s economy, and clearly students in general are more frequently choosing mobile communications. Further, it’s noted in the articles that the university intends to provide dedicated phones in the hallways for emergency calls.

Still, I suggest this elimination of dorm phones is going to result in increased risk to students and residence hall staff. For what it’s worth, I speak from 6 years of experience as a former resident assistant and hall director in residence halls at large public universities. While this was several years ago, and before the widespread use of cellular phones on campus, the technical and social impact of losing dorm landlines raises several troubling issues.

Risk: Cellular versus Landline Reliability

First and foremost, having hardline phones in individuals’ dorm rooms provides a constant, always-available, and above all, reliable phone connection. With the network and cellular connection problems we all constantly experience, which by-the-way we’ve have little insight into the reasons for years, having the peace-of-mind of a reliable hardline should not be dismissed lightly. If you were starting a business with a office, would you rely soley on a cellular phone? What would be your reaction if you checked into a hotel and there was no phone?

Risk: Emergency Location (e911) Issues

If you have children at home, would you choose not to have a landline? Probably not, even if you provide them with mobile phones. You might say this is not a fair question in the context of college students, of whom most are technically adults over age 18. I’ll counter this with the fact that a typical dorm has students from all over the country and world together in a close-quarter living environment. As any residential life staff can tell you, the potential for conflict outbreaks of all kinds and levels is a constant threat, and it’s important to remember that these students come from a variety of backgrounds and all have their problems and issues that become magnified in a close-quarter living environment.

From my own experiences as residence hall staff, I’ve handled everything from common roommate conflicts, breaking-up floor parties, suicidal residents, theft/vandalism, residents unconscious from alcohol/drugs, weapons, physical fights, etc. In every case, having a phone nearby proved invaluable.

Perhaps an even more important point, on one university campus we had e911 which provided the emergency operator the actual room location from where the phone call was made. On another campus we did not have that feature, and precious time was lost in the task of determining the call location — in fact, several instances of students dialing 9-911 resulted in them accessing off-campus emergency personnel, resulting the in the time-loss of transferring the call back to campus emergency resources. And this was the case of landline phones in all rooms — we can expect more confusion as these calls will now go over cellular networks.

While the location capabilities of many cellular phones and e911 is available, the difficulty in pinpointing location should not be overlooked. Aside from the network congestion and coverage issues I alluded to earlier, in many residence hall situations the building is a multi-story residence. Expecting cellular e911 to provide emergency responders accuracy to the floor and room is unrealistic in the best of circumstances. The impact of this is going to be more confusion and lost time in responding to residence hall emergency calls made over cellular.

Risk: Losing A Known Point of Contact

An overlooked benefit of landlines is that one knows the actual location one is calling (assuming call-forwarding, etc. is not in play). In the case of dorm rooms, residence hall staff have a listing of all room phone numbers. Many, many times I’ve used this list to initiate contact with a dorm resident, from trying to determine if someone was in the room without having knocking on the door, following-up with a sick resident or a resident with a disability, or tactically approaching a room party by talking one-on-one with the room’s resident rather than facing a room party and hostile audience in the doorway.

The removal of individual room phones means the loss of a valuable tool in residence hall staff’s toolkit. The ability to initiate contact over the phone to a known room should not be discarded lightly, and the loss of these phones means residence halls staff are losing a tactical advantage.

In the case of roommate and other domestic conflicts, several times I’ve seen a fight escalate to the point where one of the parties called 911. In some cases, the resident hung-up the phone immediately, before stating the issue to the emergency operator. Of course, since the call was made from a room landline, and state law required the emergency response to the call location, soon after the university police would arrive at the room. Often this resulted in the arrest, or referral to student affairs, or the people involved, which lead to them getting assistance. With cellular phones, this response is impaired greatly, and I fear that escalating situations will not reap the benefits of current landline and police response capabilities.

There are some potential loss of privacy issues for dorm residents here as well. In the case of most landlines, one can more easily choose to block their outgoing caller-id, a useful feature if a dorm resident is calling a crisis line or making inquiries on a subject they wish to remain anonymous. The ability to do this in private, from ones room, is critical; the common-area landlines in the halls are not going to provide this physical privacy, and given the location of the phones it would not surprise me if the ability to block outgoing caller-id is disabled. Why? Because I expect the amount of crank calling from common area phones in dorms will increase by orders of magnitude…

No Easy Answers

Unfortunately there is no easy solution to this dire situation. Universities, especially in the public sector, are forced to make cost cuts in this poor economy, and telecommunications overhead like dorm phones is a easy measure to take, but the increased risk and costs are at this point not worth it. The replacement technologies, such as relying on student’s to have cellular phones, or even VoIP phones replacing landlines in dorm rooms, still lack the same robustness in emergency response features that we’ve relied upon on grown accustomed to over the years. Still, like it or not, the removal of dorm phones is a trend gaining in popularity and we’re only going to see more campuses choosing this path. To this end, some recommendations I have are:

Ensure that student’, and their parents, are made aware of the issues and risks of not having a landline, as well as the benefits
Prioritize cellular e911 location tracking on college campuses
Require residents with disabilities to have a landline
Provide residence hall staff with resident’s cellular numbers
Provide a privacy booth for landline phones placed in common areas to enable students to make calls with some level of privacy and caller-id blocking

Weaponizing the Nokia N900 – Part 1

Shawn Merdinger — Thu, 22 Jul 2010 16:32:03 +0000

In the 80s movie “The Color of Money” there’s a great scene where a player challenges Tom Cruise’s character to a game. He strolls up to Vincent and says “So what you got in there?” — to which Vincent replies. “Doom.”

This is akin to how I felt a few weeks ago after I finally got ahold of a Nokia N900 smartphone. Calling it a phone is a bit of a stretch, as it is primarily a Debian Linux tablet with impressive hardware specs and a huge number of .deb packages available for installation…oh, and you can make cellular phone calls with it. Many people use this phone, and despite some glitches it is rapidly developing into a formidable platform for security tools and penetration testing.

Broadly speaking, the objective of this series of blog posts is to introduce folks to the tools available and the potential for this phone as a security testing platform. Given the fact I’m a bit late in obtaining this phone, some smart people out there have already started to address the n900′s capabilities and available tools, and I would be remiss not to mention, and build upon, their insightful work. The key phrase here is “build upon” and get the word out, not to steal or simply re-hash their fine work and efforts!

I’ve one caveat to this series of blog posts. As my n900 is for now a “production phone” for me in that I need to use it and can’t brick it just yet, the path of this blog series on “Weaponizing the Nokia N900″ will progress from known, tested and functioning security tools on this phone — and therefore lower risk of bricking — to more advanced, edgy tools that require more tweaks and modifications, such as replacing the stock kernel. If someone out there finds this series useful, and has interest in furthering research on running security tools on the n900, I’d welcome the donation of a n900 for development and testing, and would credit them for their support. Please ping me offline if you’re interested

NeoPwn and the Nokia N900

One project to watch in particular is the upcoming release of NeoPwn, which is based on BackTrack and bills itself as the “First Ever Network Auditing Distribution for a Mobile Phone Platform” and is due for release sometime this month, hopefully before DefCon. I am fortunate to be in the BETA and will write up a blog post for this series on NeoPwn once I get full access to the NeoPwn toolset.

Worthy Resources on Nokia n900 Security Tools

1. Metasploit on the Nokia n900. ‘Nuff said.

2. knownokia.ca Blog SimonLR wrote an excellent post on “Using the N900 for Fun and Profit” that covers several awesome tools, such as Metasploit, Dsniff, SSLstrip, Aircrack-NG, etc. He’s clearly savvy and his future blogging on tools for the n900 will be great to see.

3. Asterisk on the n900

When I added the extra package repositories to my n900, I was more than a bit surprised to see a full version of Asterisk available as a .deb package. Wow. Think about this for a moment. One can run a full Asterisk server on a phone in their pocket. The capability of Asterisk on the n900 could enable attackers to do all sorts of mischief, such as running the SPITTER tool from their pocket as a simple example. From a surveillance aspect, think of “bad people” with n900s in their pockets running Asterisk servers on their phones and connecting to each other point-to-point over encrypted tunnels — now that’s a challenge.

Stay tuned for more posts on “Weaponizing the Nokia N900″

Linux crash on a Plane!

Shawn Merdinger — Mon, 07 Jun 2010 17:33:28 +0000

I don’t travel nearly as as much as I used to, yet when I do I always keep a sharp eye out for the technical glitches in devices around me in travel environments. What can I say? It provides me endless amusement.

While Linux boxes crashing in airlines’ on-board entertainment systems are nothing new, and several photos exist on the Internet depicting these crashes, I’m seeing something different these days…

On my way back from ph-neutral security conference in Berlin, I took a Continental 757 back to the US and observed the passenger entertainment system headrest in the row in front of me was frozen on the the movie selection GUI. The passenger in that seat asked the flight attendant to fix the problem and the headrest PC was rebooted from somewhere up front.

So, the funny (and a bit scary perhaps) bit is the screenshot I took of the reboot process. You can see the very high resolution photo here: http://tinyurl.com/linuxonplane

Observations from the linux crash on a plane photo:

1. 172.17.X.X private IP address range

2. FTP server IP address and transfer of system log tarball to the FTP server…user is “xxxxx” — imagine what the password might be…

Some reasonable concerns:

1. Tilting up the headrest PC and peeking behind it I saw CAT-5 cable. With a small tool or hands, and big cajones, an attacker *could possibly* unplug that cable and attach it to a laptop and hop onto the entertainment network. In addition, with some imagination and the right tools, an attacker could feasibly take over some or all aspects of the headrest PCs, including perhaps the sniffing of credit cards used by patrons, or even adding some specialized content…

2. This aircraft did not have on-board wireless Internet access, but I suspect that some airlines offering this service could have network crossover connectivity to different subnets, or perhaps only relying on VLANs for separation.

In the end, we can only hope that of the several networks likely running on a modern passenger jet, that true air-gapping is taking place and these systems are in no way connected to critical on-board networks. Time will tell if this is indeed the case. In the meantime, keep an eye out for those Linux boxes crashing on planes!

Chisco: Welcome To The Hunan Network?

Shawn Merdinger — Thu, 22 Apr 2010 17:36:36 +0000

On NPR’s ‘Fresh Air’ this week, Richard Clarke made some great points, in particular with the logic bomb scenarios of sneaking in code and untrustworthy hardware. While this is old news, it’s still a very real threat — recall that Chisco devices were discovered on US government networks and disclosed back in 2008.

With Richard Clarke’s story in mind, I think it’s worth re-visiting the “Chisco” problem. This article below is from three years ago, yet this same Chisco eBay seller mentioned, “Sincere Networking” is still up and running (ya gotta love that name, no?). Bear in mind this is just one of many Chisco eBay stores — that is, there are plenty of others moving all types of Chisco gear on eBay, including routers, firewalls, switches. We are way beyond WAN NIC interfaces folks.

Why can’t these get shut down?

Network World: “eBay ‘Chisco’ stores are selling fake Cisco products originating in China”

This counterfeit gear has already landed on plenty of networks, and it’s likely to continue. Just like the FBI’s conclusion on slide 10, I agree that a huge risk in this area stems from small ‘mom n’ pop’ subcontractor outfits that choose to purchase this gear on the cheap from eBay, and then charge-back their own clients for the list price on CCO. Of course, that dirty network engineer in your organization could do a swap-out with Chisco gear during your next change management window — and in these economic times perhaps merely to re-sell the valuable real card rather than backdoor the organization’s network.

That said, recent security conference presentations, such as CanSecWest’s “Can you still trust your network card” should be at the forefront of the discussion when this Chisco topic comes up.

I know this is a dirty subject. It’s so dirty that very few folks even want to discuss it. It’s a nightmare. But like it or not, it’s going to be up to you to make sure that your gear is legitimate, especially if you’re on a US government network as according to the FBI’s presentation on slide 40, “Cisco’s Brand Protection does NOT coordinate with Cisco’s Government Sales”

Here’s a few links to hopefully get you started on the right path.

Comments with additional resources are most welcome.

Brad Reese — most outspoken person about this issue

FBI OMB Presentation: 2008-01-11

Cisco Statement on Counterfeit Goods

Cisco Blog: Protecting Against Gray Market and Counterfeit Goods

eBay: a hacker’s source for acquiring remote monitoring medical devices for security testing?

Shawn Merdinger — Tue, 13 Apr 2010 21:45:08 +0000

Awhile back I blogged on VOIPSA about medical devices using VoIP. This is a follow-up to that post, and is a bit more tangible in that these devices are showing up on the auction sites.

I typically check eBay weekly for medical devices showing up, with an eye for anything with a network interface.

Bluetooth-enabled devices abound, but the (mis-perception) that an attacker must be physically close decreases popular interest from a security testing perspective. In contrast, it’s a box “on the wire” that enables an attacker in say, Palau, to to reach out and provide what I’d call a “negative home medical monitoring experience.”

So what’s on eBay?

Here’s a ViTel (now owned by Bosch) device and blood pressure monitor on eBay that’s a few years old, but has the ability “…to communicate via standard telephone line, broadband, or cellular and does not interfere with existing telephone service.”

ViTel Net Turtle 400 & A&D UA-767PC Blood Pres. Monitor
eBay Link: http://tinyurl.com/yytwgma

Suggested for discussion:

1. Should vendors of these devices be concerned about their sale on site like eBay? Why or why not?

2. Are there any available business services that monitor the after-market sale of these devices?

3. Would/should vendors care about re-acquiring these devices?

4. How interesting / valuable would it be to conduct a security analysis on this device, report the findings to CERT, and publish at DefCon or BlackHat?

5. Does a diagram like the one below concern anyone?

Shodan: Computer Search Engine and VoIP Devices

Shawn Merdinger — Thu, 07 Jan 2010 18:54:22 +0000

Most of us are familiar with the information disclosure risks associated with devices like phones and ATAs on the Internet, and this has been mentioned in presentations like Endler/Collier at BlackHat in 2006. However, the recent emergence of Shodan significantly raises the exposure of these devices, especially embedded systems.

Shodan bills itself as a “Computer Search Engine” and some folks have raised questions about the impact, ethics, etc. So far, Shodan has remained under-the-radar, but I expect we’ll see more coverage and questioning of what value-add this service provides to security efforts.

A few simple searches of Shodan will provide the reader more insight of the capabilities of this service. Bear in mind that searches can get much more specific. Also, Shodan is growing, and it’s worth re-visiting the site to gain better perspective of updates.

Example searches:

1. VOIP — http://shodan.surtri.com/?q=voip
2. Nortel — http://shodan.surtri.com/?q=nortel
3. Mitel — http://shodan.surtri.com/?q=mitel
4. .mil — http://shodan.surtri.com/?q=.mil
5. SCADA — http://shodan.surtri.com/?q=scada

Stoned Bootkit

Shawn Merdinger — Wed, 09 Sep 2009 14:22:04 +0000

Typically I don’t follow the deluge of Windows rootkits available because the sheer number and variety make diligently understanding all of them more than fairly daunting. After all, given limited resources, one must choose their battles and specialties in the security field.

That said, occasionally a Windows rootkit surfaces that is so mean, nasty and downright cool, that it becomes a must-know. Such is the case with the newest release of Stoned Bootkit. Be sure to go to their site and check it out, along with the paper, but here are a few highlights:

Attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record

Attacks TrueCrypt full volume encryption

Has integrated FAT and NTFS drivers

Has an integrated structure for plugins and boot applications (for future development

Understanding the threats that Windows rootkits like this pose to VoIP security, especially on end users, is key.

Home Medical Devices and VoIP Security

Shawn Merdinger — Wed, 02 Sep 2009 17:10:57 +0000

With all the hubbub surrounding medical insurance reform, town hall meetings, and other ~~distractions~~ events it’s worthwhile looking at some of the technical medical devices coming into the marketplace to be placed in patients’ homes, connected to their broadband internet connection.

Of several products in the patient home monitoring space, the Intel Health Guide PHS 6000 is perhaps one of the better positioned to garner marketshare because of several factors: including the size of Intel, on-going placement of the PHS 6000 in settings, and FDA approval in July, 2008.

Of the many PHS 6000 features, the device also supports two-way video conferencing between patient and caregiver. As this communication takes place over the broadband connection, it’s reasonable to assume that some sort of VoIP software is in place. Of course, details at this point are thin, and it’s even hard to get a real handle on what the PHS 6000 operating system really is, with some reports indicating Microsoft Windows XP, and others indicating a embedded Linux derivative. Still, it looks like there is a VoIP stack, and it’s likely SIP-based.

Clearly, the importance of the security of devices like the Intel PHS 6000 is apparent. And with the growing interest and funding towards cost-reduction and tele-health, we can expect to see these types of devices deployed widely. But what of the security posture? Sure, there’s boasting of encryption for the connection, but features like SSL mean little in the face of real attacks and vulnerabilities — think SSL encryption downgrade attacks, spoofing and man-in-the-middle vectors to start.

To get the word out, I’ve started a LinkedIn group called MedSec to get together like-minded, talented security people with an interest in medical device security. I’ve been chumming the waters with this approach in the hopes that the right people with the right connections conduct proper security evaluations of this PHS 6000 device, and it’s back-end management system as well. Of course, if approached, I’m interested in some hand’s on time too

Something Old, Something New: Nmap’s VoIP Fingerprinting

Shawn Merdinger — Wed, 12 Aug 2009 21:53:51 +0000

Over time, it’s easy to become a bit out of touch with security tools. With new tools arriving on the scene daily, and updates to established tools occurring frequently, the deluge of information can be overwhelming; not to mention all of the other security fodder we process.

That said, I find it encouraging to revisit some of the really established tools to see what changes and improvements are in place. Nmap is without a doubt the classic security tool in every aspect, from quality, to longevity, to street credibility. Even Hollywood has clue when it comes to Nmap, as evidenced in Matrix, Bourne, and Die Hard films with Nmap showing up on someone’s computer screen!

One of my favorite Nmap features is the OS Identification and Application Fingerprinting capabilities. In part, this type of identification relies on the Nmap community scanning known devices and submitting signatures to be added to the Nmap databases (service probes, OS, etc.).

As of 21 July, 2009, the Nmap OS database has the following VoIP device Fingerprints:

Also, it’s well worth taking a look at the VoIP devices identified in the Nmap Service Probes database as services that identify a VoIP device do not necessarily mean that the VoIP device has a fingerprint. In other words, there are VoIP devices in the Service Probes database that are not in the OS Fingerprint database, so look carefully!

For even more coolness, be sure to check out the NSE.

Wrapping-up, I’ve nothing less than mad props for Fyodor and all of the other folks who’ve contributed to this fantastic tool. Nmap was one of the first tools I used 10 years ago when first cutting my teeth in security, and remarkably, is a tool that I continue to use almost daily.