
Shodan Shows How Vulnerable We Are

Written by Kim Davis
2/13/2013 9 comments

Shodan is the search engine of a CISO's nightmares. It's showing us just how vulnerable our systems are.

Invented by the programmer and white hat hacker John Matherly, and named for a villainous cyberentity in the System Shock games, Shodan has been described as the "world's most dangerous search engine."

What's the big deal?

[Image: game screenshot of System Shock's SHODAN.]

Shodan crawls the web, searching for any connected device -- from PCs to industrial systems, from printers to smartphones -- and analyzes the software running on those devices for, among other things, security flaws. Of course, it finds plenty. In fact, it has notoriously exposed vulnerabilities in control systems for industrial processes and even power grids.

Shodan users, with access to tens of millions of devices, have poked their digital noses into -- as the website says -- webcams, routers, power plants, iPhones, wind turbines, refrigerators, VoIP phones... Is it time for us to be terrified again?

Not according to Matherly, who told San Diego City Beat that he's trying, through Shodan, to be a "good citizen on the Internet." Matherly says his own work is nonmalicious and "entirely legal." But what about his users? Isn't he providing a dream machine for black hat hackers who want to gain access to devices for criminal purposes?

Shodan does have some controls on user activity. Anonymous users are allowed to generate a very restricted number of search results. Paid subscribers, apparently, tend to be security professionals checking their own networks. From this evidence, Matherly concludes that Shodan is making the Internet safer.

That's a peculiarly sunny view.

Honest users are finding "bank routers with passwords that are unencrypted... a ton of SCADA systems that you can basically access as a read only account so you can see what others are seeing and then figure out what the systems are doing, how they are doing, and what a good landing pad would be for working further mischief in the system." We can be confident that dishonest users are finding the same thing. How difficult is it to open a Shodan account with a fake identity, a dummy email address, and a stolen credit card? How many users have done so already? And how many more engines like Shodan are we likely to see?

As some analysts have said, there's no point blaming the messenger. The security expert Dan Tentler has emphasized that the idiocies exposed by Shodan are the problem, not Shodan itself. There's some truth in that, but even if we are all living in glass houses, passing around convenient stones to throw may be a bad idea.

— Kim Davis, Community Editor, Internet Evolution

rswinney
IQ Crew
Thursday February 28, 2013 6:44:47 PM

You're right, mhhfive. I see it as a security tool to protect me, my network, and anything connecting to my network.

Kim Davis
Thinkernetter
Friday February 22, 2013 4:46:54 PM

Strangely, I get blocked when I try to visit evil black market sites at work. For research purposes...

slfisher
Thinkernetter
Thursday February 21, 2013 12:12:01 AM

of Dan Farmer's SATAN tool from the 1980s. 

Alison Diana
Thinkernetter
Tuesday February 19, 2013 1:49:48 PM

And that there are entire black markets where hackers and other criminals buy and sell their evil wares, stolen Social Security numbers and IDs, and other riches they've reaped or created to steal from us.

Mashka
Researcher
Saturday February 16, 2013 12:09:05 PM

Is there any option, that an access to such an engine could be controlled by some military or police services?

NicoleH
IQ Crew
Thursday February 14, 2013 8:45:34 PM

So I guess we are supposed to take him at his word that he is providing this service as a good citizen and that Shodan is not being used for any malicious activity, at least by him. Does anyone know of any companies or organizations that have used this particular service?

mhhfive
IQ Crew
Wednesday February 13, 2013 5:00:36 PM

If this search engine scares people, then it should be even more scary that bad guys already have similar tools and no one knows how long they've had them or been using them.... 

Kim Davis
Thinkernetter
Wednesday February 13, 2013 4:48:15 PM

As far as I know--and I may be wrong--Matherly's contribution to the common good is providing Shodan as a tool for security professionals to identify and repair vulnerabilities in their own systems. I'm not aware that he's helping fix things himself.

If someone knows otherwise, please let us know.

Alison Diana
Thinkernetter
Wednesday February 13, 2013 4:44:20 PM

I am not surprised that Shodan is finding all these insecurities or that so many devices are unprotected. Nor am I really surprised that there's a tool available to help people locate weaknesses. But it is absolutely terrifying. Is Matherly associated with a company that helps organizations fix their security breaches?
