Netgear router update

If you use a Netgear router for your home network, please log on to your router and use the upgrade feature to apply an important security update. That feature is probably located under the Advanced and/or Administration sections of the router’s web-based menus.

This update addresses several vulnerabilities, some of which are remotely exploitable. The linked page indicates which vulnerabilities affect which routers, and I found that my router was affected by one of the vulnerabilities.

If a character in a story you’re writing needed to exploit this kind of thing against a target, it’s not a great stretch of the imagination. If your character sent her target an email with a link to a web page she controls, and if the target clicked the link while on a computer at home, she’d have the public IP address of the target’s home connection (she could get that from looking at her web server’s logs). Once she knew the target’s IP address, she could interrogate the address herself with readily-available network tools, or she could use something like Shodan to try to identify the kind of router her target uses. If the target has remote administration enabled (which may be a default setting in some router models), she could use publicized vulnerabilities like the ones linked above to break into her target’s home network.

You should probably run updates on your home router even if it isn’t made by Netgear.


Yesterday’s IoT attack on Dyn

Yesterday criminals used an “Internet of Things” (IoT) botnet to attack dyn.com, a provider of name services. The domain name system (DNS) is the network protocol that converts a memorable name (like www.amazon.com) into the IP address your browser needs (54.239.26.128) in order to connect to the remote server hosting the web page you want to visit. dyn.com is a company that provides these services. And as the InfoSec Handlers point out, lots of big-name web sites including Twitter and Spotify use dyn.com services and were affected by the attack.

IoT is the name given to consumer devices that you can buy and then attach to the Internet for various reasons (I’ve written about IoT before). Many of these devices have really poor security. They commonly have default and well-known passwords that many users don’t change. So there are lots of Internet-connected devices (easily discoverable with databases like Shodan) with no protection against someone who knows the default passwords.

Brian Krebs has a lot of good detail about yesterday’s attack and how it was the work of IoT devices like video cameras and DVRs controlled by Mirai. Mirai is (publicly available!) malware that scours the Internet looking for devices with default passwords and uses them to attack specific targets. Yesterday someone pointed those devices at dyn.com, and that’s why you had trouble tweeting about why you couldn’t listen to your music.

Manufacturers have sold a lot of this IoT junk, and we’ll be stuck with this sort of thing for years.

Late July 2016 roundup

Here are a few news stories that caught my interest lately. Maybe one of them will be good for a story.

Internet-connected cameras are a terrible idea

These devices seem like a great idea. You use one like a security camera, but it’s connected to the internet and has a web interface, so that you can log on to it from anywhere to download footage or pictures.

Unfortunately many devices like this don’t get much attention from the manufacturer after production. It turns out that lots of these cameras share the same remotely-exploitable command injection vulnerability. So it’s not hard to use one or more of these cameras to perform distributed denial-of-service attacks on other targets. These cameras also have a common signature (the same web server banner and pages) which makes them fairly easy to locate in things like the Shodan search engine.

A SANS infosec article about this points out that people install these devices on the same networks where they have servers hosting sensitive resources. So it’s not a stretch to imagine your main character using Shodan to find vulnerable cameras on a target network and using the cameras to attack the target’s web servers.

Turn your head and cough

Medical devices can have a similar problem. A hospital buys an X-ray machine, and it’s really expensive and mission-critical (it’s in the business of saving lives, after all), so no one wants to mess with it. The hospital just wants to install it and have it run perfectly forever.

But over time vulnerabilities creep in that neither the manufacturer nor the hospital wants to take the risk of patching, because who wants to stick a patient in an MRI machine only to find that the control system stopped working after running an update last night? As a result some of these medical devices are riddled with malware that crooks can use to attack riper targets. Does your character want to hack a hospital to get at patient data he can use for identity theft? It might not be that hard.

Grand theft auto

Here’s an article with video of someone using a laptop to steal a 2010 Jeep Wrangler. It’s not clear what the person is doing, but a policeman quoted in the article speculates that the thief used the laptop to persuade the car’s computer to recognize a key fob the thief had with him. It’s probably just a matter of time until that technique is possible with a phone. “There’s an app for that.”

And as if on cue, Fiat Chrysler is running a bug bounty to pay people to find and report security problems in cars’ computer systems.

Insecure databases

People love storing information in databases, because databases make it easy to store, sort, and search large amounts of data. Sometimes those databases are not as secure as they should be.

Traditional databases are great for storing structured data, like a list of books. Books are sort of uniform, in that you describe books pretty well with a small set of identifiers (like title, ISBN, author, year of publication, publisher, etc.), and those identifiers don’t change a lot over time or from book to book. A spreadsheet will often suffice for this kind of thing.

Describing people is harder, because people are weird. Consider medical records. Women would need lots of columns men don’t need, and vice versa. A patient with diabetes would have lots of columns not relevant to a non-diabetic. Likewise for a cancer patient.

A relatively new class of database called NoSQL is good at storing records on people and other complicated subjects, because NoSQL databases can store (and sort and search) loosely structured data that doesn’t fit a fixed set of columns. MongoDB is a popular open-source NoSQL database product.

The idea is that a company installs MongoDB on their server, pours data into it, and writes a web application (or some other kind of interface) to access the data. Earlier versions of MongoDB had some poorly-chosen default settings: the database listened on every network interface of the server, and it required no username or password to connect. That made the database itself directly available over network connections. More recent versions of the software have better defaults (listening only on the local machine), but the damage is done: lots of people installed MongoDB with the network-available default, and they never changed it.

So even if they wrote a web application with good access controls, the database itself might be open to the internet. If the database’s network port wasn’t firewalled, anyone could completely bypass the web application’s access restrictions by connecting directly to the database (and they could download as much data as they wanted).
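The two settings that make the difference are where the database listens and whether it demands credentials. The following is an added example written for this page, not code from MongoDB or from any deployment described above: a small audit that reads YAML-style mongod.conf text and reports whether it describes an open database. The two configuration fragments are constructed for illustration, and the parser is a simple regex (no YAML library), so it only handles the flat scalar settings shown.

```python
import re

# Constructed mongod.conf fragments (YAML style). The first reproduces the
# old "listen everywhere, no auth" situation; the second is the corrected
# configuration. Neither is copied from a real server.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Addresses that mean "every interface on this host".
WILDCARD_ADDRS = {"0.0.0.0", "::"}


def parse_setting(conf_text, key, default=None):
    """Return the scalar value of 'key: value' from mongod.conf text, or default.

    Regex-based on purpose: it only needs the handful of flat settings
    this audit cares about, and it ignores trailing '# comments'.
    """
    pattern = r"^\s*" + re.escape(key) + r":\s*([^\s#]+)"
    m = re.search(pattern, conf_text, re.MULTILINE)
    return m.group(1) if m else default


def audit_mongod_conf(conf_text):
    """Classify a mongod.conf as open or not, with human-readable findings."""
    bind_ip = parse_setting(conf_text, "bindIp")
    bind_all = parse_setting(conf_text, "bindIpAll", "false").lower() == "true"
    auth_enabled = (
        parse_setting(conf_text, "authorization", "disabled").lower() == "enabled"
    )

    # Assumption for the audit: a missing bindIp is treated as the worst case,
    # because older MongoDB builds listened on all interfaces by default.
    if bind_ip is None:
        listens_everywhere = True
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        listens_everywhere = bind_all or bool(addrs & WILDCARD_ADDRS)

    findings = []
    if listens_everywhere:
        findings.append("listens on all interfaces (bindIp=%s)" % (bind_ip or "<absent>"))
    if not auth_enabled:
        findings.append("security.authorization is not enabled: no credentials required")

    return {
        "bind_ip": bind_ip,
        "auth_enabled": auth_enabled,
        # Only the combination lets a stranger read everything: an exposed
        # port with auth still needs a password, and a local-only listener
        # without auth is reachable only by the web application on the box.
        "open_database": listens_everywhere and not auth_enabled,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_mongod_conf(conf)
        print(label, "open_database=%s" % result["open_database"], result["findings"])
```

Binding to 127.0.0.1 fixes the exposure only if the web application runs on the same machine; when it runs elsewhere, the right answer is a specific internal address plus `authorization: enabled` plus a firewall rule, not a wildcard bind.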

It’s important to note that this problem is not specific to MongoDB. This could happen with any network-enabled database system. But because of some recent discoveries of internet-accessible MongoDB databases, they’re in the spotlight. The Office of Inadequate Security has reported on several high-profile examples of open MongoDB databases, including a voter registration database with 191 million records. A security researcher named Chris Vickery used Shodan to find these databases.

That bears repeating: an ordinary guy used a search engine to find a database with the voter registration data of 191 million Americans.

All too often people don’t take care of their data. The Office of Inadequate Security reports on data breaches large and small all the time. Sometimes it’s 191 million voter records over a network connection, and sometimes it’s patient records left on a sidewalk next to a trash can when a doctor’s office goes out of business. That site might be a good place to look for inspiration when you’re writing a character that needs to acquire data that wouldn’t (or shouldn’t) be widely available. Whether your character needs to do some port scanning or some dumpster diving, she might be able to get her hands on all kinds of data.

Default passwords

A network router is a device which forwards traffic between two or more networks. Your computer is on one segment of the internet, and your favorite web site is (likely) on a different segment. There’s at least one network router between you and your favorite web site moving the data packets back and forth.

Routers will typically more-or-less work right out of the box, but they generally need some configuration to do their jobs well (and securely). Routers frequently offer a web interface for this: you connect a computer to the router, go to a particular web address (specified by the product’s documentation), and then configure the device for its particular purpose. For example, if you’re setting up a router for an elementary school, you might configure the router to send all web traffic through some kind of content filter.

More and more devices are like this: you buy a shiny new gizmo, connect it to your network, and it offers some feature you can control with an app on your phone. This is the “Internet of Things” (IoT).

Network-enabled security cameras are another interesting example of this kind of thing. Imagine being able to log on to a camera hundreds of miles away, have it take pictures on demand, and view the images.

These devices typically ship with a default password. And that’s the big problem with these things: they don’t necessarily force you to change the password, and those default passwords are well documented and widely available: they’re in the product documentation that the manufacturer probably puts on their web site for anyone to download.

(Sometimes the manufacturer will try to assign a unique default password to every unit they sell. This is great when they do it right, but sometimes they fail hilariously.)

Shodan and Censys are projects which portscan the internet and make the data available to anyone who wants to look at it. This data often reveals the manufacturer and model number of internet routers. Netgear devices, for example, often give the full model number in the “realm” string of the HTTP password prompt on the remote administration port, so the model is visible before anyone types a password. And there are web sites (like routerpasswords.com) devoted to making it easy to look up the default password for a particular network device model.

There are two important points to remember here:

  1. If you are writing about a character who wants to compromise a network target, and if she can determine the manufacturer and/or model number of the router protecting her target (either through Shodan or by portscanning it herself), she can look up the default password either through something like routerpasswords.com or by downloading product documentation from the manufacturer. If the network pukes at the target haven’t secured their router, your character could add port-forwarding rules allowing her direct access to resources on the internal network.
  2. If you haven’t changed the password on the home router that may be sitting on your desk, now would be a good time to do so. (And unless you REALLY need it, you should disable the remote administration feature which was probably enabled by default.)
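Here is the recognition step from point 1 in code, as an added example written for this page (it is not Shodan’s, Censys’s or routerpasswords.com’s code). It takes raw HTTP 401 responses of the kind a router’s remote-administration port returns, pulls the realm string out of the WWW-Authenticate header, and, for realms that name a vendor and model, looks the model up in a credential table. The sample responses, the 192.0.2.x hosts, the model strings and the DEFAULT_CREDS table are all constructed for illustration; the table holds placeholders, not real passwords.

```python
import re

# Constructed banners standing in for Shodan/Censys results or a port scan.
# 192.0.2.0/24 is a documentation range, so these hosts do not exist.
SAMPLE_BANNERS = [
    ("192.0.2.10",
     "HTTP/1.1 401 Unauthorized\r\n"
     "Server: httpd\r\n"
     'WWW-Authenticate: Basic realm="NETGEAR WNDR3700"\r\n'
     "Content-Type: text/html\r\n\r\n"),
    ("192.0.2.11",
     "HTTP/1.1 401 Unauthorized\r\n"
     'WWW-Authenticate: Basic realm="NETGEAR R7000"\r\n'
     "\r\n"),
    ("192.0.2.12",
     "HTTP/1.1 401 Unauthorized\r\n"
     'WWW-Authenticate: Basic realm="Protected Area"\r\n'
     "\r\n"),
]

# Hypothetical stand-in for routerpasswords.com or a vendor manual.
# Values are placeholders; a real table would hold the documented defaults.
DEFAULT_CREDS = {
    ("NETGEAR", "WNDR3700"): ("admin", "<factory default from the manual>"),
}

# Realm formats that identify a device. Only the Netgear pattern described in
# the text is included; other vendors would add their own entries.
REALM_PATTERNS = [
    re.compile(r"^(NETGEAR)\s+([A-Za-z0-9-]+)$"),
]


def extract_realm(raw_response):
    """Return the Basic-auth realm from a raw HTTP response, or None."""
    m = re.search(
        r'^WWW-Authenticate:\s*Basic\s+realm="([^"]*)"',
        raw_response,
        re.MULTILINE | re.IGNORECASE,
    )
    return m.group(1).strip() if m else None


def fingerprint(realm):
    """Map a realm string to (vendor, model) when it names a device, else None."""
    if not realm:
        return None
    for pattern in REALM_PATTERNS:
        m = pattern.match(realm)
        if m:
            return (m.group(1).upper(), m.group(2).upper())
    return None  # generic realms like "Protected Area" identify nothing


def triage(banners):
    """Return (host, vendor, model, default_credentials) for identifiable devices.

    default_credentials is None when the model is recognised but the table
    has no entry for it; unrecognised realms are dropped entirely.
    """
    hits = []
    for host, raw in banners:
        device = fingerprint(extract_realm(raw))
        if device:
            hits.append((host, device[0], device[1], DEFAULT_CREDS.get(device)))
    return hits


if __name__ == "__main__":
    for host, vendor, model, creds in triage(SAMPLE_BANNERS):
        status = "default credentials documented" if creds else "model known, no table entry"
        print(host, vendor, model, status)
```

The defensive reading of the same code is the check in point 2: if your own public address returns a realm like this on any port, remote administration is reachable from the internet and should be turned off or at least given a password that appears in no manual.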