Monthly Archives: August 2010

Revisiting Shodan Computer Search Engine: Oh Noes, the places you’ll go!

I’m sorry to say so
But, sadly it’s true
That bang-ups and hang-ups
Can happen to you

— Dr. Seuss, "Oh, the places you’ll go!" (1990)

Back in January 2010, I wrote a short blog post about Shodan and VoIP devices and mentioned that it’s a site well worth revisiting.  Well, that time has come, and there’s plenty more to talk about when it comes to Shodan.

What is Shodan?

It is a publicly available, searchable database of pre-scanned networked devices.  The scanning includes banner results from common services like telnet and http, and is akin to fingerprinting.  One way to look at it is like Rainbow Tables for networked devices.

What’s the risk?

When a new vulnerability is discovered, Shodan makes it easy for attackers to search for vulnerable devices without actively scanning.  For example, say a vulnerability is published about Apache Mod_Security — an attacker can easily search Shodan for vulnerable version and then launch an attack to pwn the box.

Attackers can also use Shodan search filters and really narrow down search results, by country code or CIDR netblock for example.  You do have to register for more specific search functionality if you’re interested in say, the 24 Cisco boxes in Iran with no authentication.

Pssst….wanna Pwn 7000 Cisco routers/switches?

Yes you can.  And only because some network admin didn’t know how to configure HTTP authentication.  It’s easy peasy with Shodan’s most popular search.  Click on the resulting IP addresses from that search and you’ll get the HTTP interface of a Cisco router/switch with no authentication.  Add "/level/15/exec/-/sh/run/CR" to the IP address and you’ll get the "show running configuration" output of the device.  Understand what’s going on here.  An attacker can easily add an admin-level account, change the configuration, crack the listed Cisco passwords in the configuration to target other devices on that network, etc. 

Why should I care?

Shodan creates risk by making poor configurations and other adminstrator mistakes much more visible to potential attackers.  It also creates risk by providing a pre-scanned inventory of potential targets.  I’ve seen some amazingly frightning devices discovered through Shodan that are wide open and have no authentication — for a few examples:

  • An Eastern European country’s SCADA water treatment network
  • A switch controlling the Neurosurgery VLANs of a hospital
  • Physical security door access controller systems
  • Routers with VoIP configurations
  • and plenty more….

These are just a few examples of the micro-risks.  I think from a macro-risk perspective, specifically concerning the Cisco routers with no authentication, is the very possible and easy mass takeover of routers and potential for BGP attacks.  Not possible?  Well, think back to early 2008 when Pakistan modified BGP routes to block YouTube and because of a misconfiguration, large swaths of the Internet outside of Pakistan could not access the site. This was the result of a error from a few routers broadcasting bad BGP routes — now imagine if an attacker does this with a few thousand routers distributed globally?  I think it’s really only a matter of time…

What should I do?

There are tangible steps you can take.  First and foremost if to register fora free Shodan account and search for devices on your organization’s CIDR netblock.  If you are working with buisness partners that are connected to you, check their CIDR netblocks in Shodan as well.  Make a stink and inform the right network and security people of the risks of Shodan exposure.

Or

You can do nothing, and let Shodan determine your fate.  Your choice.

Voice of VOIPSA upgraded to WordPress 3.0.1

Just a quick administrivia note – this site is now running the latest and greatest WordPress software at version 3.0.1.  In my testing, everything looks perfectly fine, but if you see anything strange on the site in terms of display issues, please do let us know.  Thanks – and thanks for continuing to read and comment here.

Risks Of Phone Removal From University Dorm Rooms

Risk:  A Growing And Disturbing Trend
 
Today the Washington Post and WSJ Blog both reported on a decision by the University of Virgina Housing Division to remove phones from student dorm rooms.  The obvious justification for the decision is the cost associated with providing phone infrastructure residence halls, in UVa’s case over 500K annually.
 
I can understand the financial predicament many universities find themselves in today’s economy, and clearly students in general are more frequently choosing mobile communications.  Further, it’s noted in the articles that the university intends to provide dedicated phones in the hallways for emergency calls.
 
Still, I suggest this elimination of dorm phones is going to result in increased risk to students and residence hall staff.  For what it’s worth, I speak from 6 years of experience as a former resident assistant and hall director in residence halls at large public universities.  While this was several years ago, and before the widespread use of cellular phones on campus, the technical and social impact of losing dorm landlines raises several troubling issues.
 
Risk:  Cellular versus Landline Reliability
 
First and foremost, having hardline phones in individuals’ dorm rooms provides a constant, always-available, and above all, reliable phone connection.  With the network and cellular connection problems we all constantly experience, which by-the-way we’ve have little insight into the reasons for years, having the peace-of-mind of a reliable hardline should not be dismissed lightly.  If you were starting a business with a office, would you rely soley on a cellular phone?  What would be your reaction if you checked into a hotel and there was no phone? 
 
Risk:  Emergency Location (e911) Issues
 
If you have children at home, would you choose not to have a landline?  Probably not, even if you provide them with mobile phones.  You might say this is not a fair question in the context of college students, of whom most are technically adults over age 18.  I’ll counter this with the fact that a typical dorm has students from all over the country and world together in a close-quarter living environment.  As any residential life staff can tell you, the potential for conflict outbreaks of all kinds and levels is a constant threat, and it’s important to remember that these students come from a variety of backgrounds and all have their problems and issues that become magnified in a close-quarter living environment.
 
From my own experiences as residence hall staff, I’ve handled everything from common roommate conflicts, breaking-up floor parties, suicidal residents, theft/vandalism, residents unconscious from alcohol/drugs, weapons, physical fights, etc.  In every case, having a phone nearby proved invaluable. 
 
Perhaps an even more important point, on one university campus we had e911 which provided the emergency operator the actual room location from where the phone call was made.  On another campus we did not have that feature, and precious time was lost in the task of determining the call location — in fact, several instances of students dialing 9-911 resulted in them accessing off-campus emergency personnel, resulting the in the time-loss of transferring the call back to campus emergency resources.  And this was the case of landline phones in all rooms — we can expect more confusion as these calls will now go over cellular networks.
 
While the location capabilities of many cellular phones and e911 is available, the difficulty in pinpointing location should not be overlooked.  Aside from the network congestion and coverage issues I alluded to earlier, in many residence hall situations the building is a multi-story residence.  Expecting cellular e911 to provide emergency responders accuracy to the floor and room is unrealistic in the best of circumstances.  The impact of this is going to be more confusion and lost time in responding to residence hall emergency calls made over cellular.
 
Risk:  Losing A Known Point of Contact
 
An overlooked benefit of landlines is that one knows the actual location one is calling (assuming call-forwarding, etc. is not in play).  In the case of dorm rooms, residence hall staff have a listing of all room phone numbers.  Many, many times I’ve used this list to initiate contact with a dorm resident, from trying to determine if someone was in the room without having knocking on the door, following-up with a sick resident or a resident with a disability, or tactically approaching a room party by talking one-on-one with the room’s resident rather than facing a room party and hostile audience in the doorway.
 
The removal of individual room phones means the loss of a valuable tool in residence hall staff’s toolkit. The ability to initiate contact over the phone to a known room should not be discarded lightly, and the loss of these phones means residence halls staff are losing a tactical advantage.
 
In the case of roommate and other domestic conflicts, several times I’ve seen a fight escalate to the point where one of the parties called 911.  In some cases, the resident hung-up the phone immediately, before stating the issue to the emergency operator.  Of course, since the call was made from a room landline, and state law required the emergency response to the call location, soon after the university police would arrive at the room.  Often this resulted in the arrest, or referral to student affairs, or the people involved, which lead to them getting assistance. With cellular phones, this response is impaired greatly, and I fear that escalating situations will not reap the benefits of current landline and police response capabilities.
 
There are some potential loss of privacy issues for dorm residents here as well.  In the case of most landlines, one can more easily choose to block their outgoing caller-id, a useful feature if a dorm resident is calling a crisis line or making inquiries on a subject they wish to remain anonymous.  The ability to do this in private, from ones room, is critical; the common-area landlines in the halls are not going to provide this physical privacy, and given the location of the phones it would not surprise me if the ability to block outgoing caller-id is disabled.  Why?  Because I expect the amount of crank calling from common area phones in dorms will increase by orders of magnitude…
 
No Easy Answers
 
Unfortunately there is no easy solution to this dire situation.  Universities, especially in the public sector, are forced to make cost cuts in this poor economy, and telecommunications overhead like dorm phones is a easy measure to take, but the increased risk and costs are at this point not worth it.  The replacement technologies, such as relying on student’s to have cellular phones, or even VoIP phones replacing landlines in dorm rooms, still lack the same robustness in emergency response features that we’ve relied upon on grown accustomed to over the years.  Still, like it or not, the removal of dorm phones is a trend gaining in popularity and we’re only going to see more campuses choosing this path.  To this end, some recommendations I have are:

  • Ensure that student’, and their parents, are made aware of the issues and risks of not having a landline, as well as the benefits

  • Prioritize cellular e911 location tracking on college campuses

  • Require residents with disabilities to have a landline

  • Provide residence hall staff with resident’s cellular numbers

  • Provide a privacy booth for landline phones placed in common areas to enable students to make calls with some level of privacy and caller-id blocking

Blackberries and Lawful Intercept

While it is not “VoIP security,” per se, much of the communications market is buzzing this week with news that calls made on Blackberry smartphones can be intercepted by the U.S. government. Many stories have been written, but here’s one:

U.S. authorities able to tap BlackBerry messaging

While many of us in the security community have known that national governments could obtain calls on mobile devices by obtaining a warrant and working with the carrier, the article I linked to mentions the big difference with RIM:

RIM is in an unusual position of having to deal with government requests to monitor its clients because it is the only smartphone maker who manages the traffic of messages sent using its equipment. Other smartphone makers — including Apple Inc, Nokia, HTC and Motorola Corp — leave the work of managing data to the wireless carrier or the customer.

RIM’s encrypted, or scrambled, traffic is delivered through secure servers at its own data centers, based mostly in its home base of Canada. Some corporate clients choose to host BlackBerry servers at other locations.

The issue here seems to be from the articles I’ve read that the United Arab Emirates government is claiming that RIM is not granting them the same surveillance capabilities as other governments.

Not having any connection whatsoever to the situation, I can’t really comment on what all is going on… but it does continue to point out the challenges in our globally interconnected world. Here are mobile devices being used wherever… routing their email messages back through servers apparently in Canada… and desired to be read by governments around the world. All sorts of jurisdiction issues … and so much more…


If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.