Chapter 25 Privacy

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 25 Privacy

Lab Exercises

25.01 Shodan

25.02 Insecam

25.03 Google Hacking

Lab Analysis

Key Term Quiz

The Merriam-Webster dictionary defines privacy as “the quality or state of being apart from company or observation” and “freedom from unauthorized intrusion” (www.merriam-webster.com/dictionary/privacy).

NIST’s definitions of privacy include “restricting access to subscriber or Relying Party information in accordance with Federal law and Agency policy,” “assurance that the confidentiality of, and access to, certain information about an entity is protected,” “freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual,” and “the right of a party to maintain control over and confidentiality of information about itself” (https://csrc.nist.gov/glossary/term/privacy).

Violations of privacy can lead to breaches of confidentiality (seeing something that shouldn’t be seen), integrity (changing something that shouldn’t be changed), and availability (denying access to data and information to authorized individuals).

A cybercriminal or pentester can certainly use technical skills to breach confidentiality, integrity, and availability. However, would you believe that there are ways of just asking simple queries or simply clicking links on certain websites to get data and information that could cause great damage to confidentiality, integrity, and availability?

What you’re going to see and do in this chapter will shock, amaze, and even scare you. How can so much private data and information be so readily available and public facing?

60 MINUTES

Lab Exercise 25.01: Shodan

Although Shodan is often labeled the world’s scariest and most terrifying search engine, Google is usually the first thing that comes to mind when you hear the term search engine. However, what Shodan is looking for is completely different from what Google is looking for. Google’s spider crawls the World Wide Web, a collection of information that can be accessed through web pages, identified by URLs (Uniform Resource Locators), also known as web addresses, typed into the address bar of a browser. Documents accessed from the World Wide Web are written in HTML (HyperText Markup Language) and are accessed through HTTP (Hypertext Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Secure), which uses HTTP over TLS (Transport Layer Security) for encryption and decryption. The World Wide Web is just one way that data and information are sent and received over the Internet, a global interconnection of networks and devices that use the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite.

The Internet and the World Wide Web are not the same thing. The Internet represents the infrastructure connecting systems and networks worldwide. It’s the hardware—computers, routers, switches, and more. It includes the client and server services and software running on these devices, as well as the TCP/IP suite that all devices use. It also includes the cables and wireless technologies connecting the devices.

The Internet itself is what Shodan searches. Shodan is looking for webcams, routers, servers, and lots of different types of devices connected to the Internet of Things (IoT).

IoT represents nontraditional computing devices that have sensors, software, and more that communicate with other devices. They can be found in smart homes, vehicles, and organizations including medical and healthcare, transportation, manufacturing, agriculture, maritime, infrastructure (city, energy, and environmental), military, and much more.

Many IoT devices have little to no security for various reasons. The financial cost of implementing security could make the device less profitable. Security is inversely proportional to convenience and usability (just like a seesaw, when one side goes up, the other goes down), so some manufacturers make their IoT devices as simple as possible for users, worrying that some customers won’t buy a device they believe will be hard to use and configure. IoT devices don’t have much RAM and CPU power, compared to other devices, and as such can’t support certain security mechanisms. Many use default passwords that are a simple web search away. Some were designed without a single thought toward security and have literally none! Some IoT devices need a human to initiate an upgrade or security patch (which is not a guarantee), while others don’t even have the capability of updates.

Now consider that IoT devices are always connected to the Internet, are constantly collecting tons of data and information, and are running on networks with little to no security using insecure protocols.

One of my favorite stories is about a casino that got hacked through its Internet-connected fish tank thermometer. Read about it here: https://thehackernews.com/2018/04/iot-hacking-thermometer.html.

There is a famous meme, “The S in IoT Stands for Security,” which should make complete sense now.

The greatest users of Shodan are not actually cybercriminals, but rather cybersecurity specialists, penetration testers, academic researchers, law enforcement, and governments.

Billions of devices are accessible online. These devices can be identified easily by banner information. These banners contain metadata about a device’s software, including the version and options supported, as well as welcome messages, warning messages, and more. From the banners, Shodan is able to identify the specifics of these devices, including make and model. The banners could even indicate what authentication mechanisms are used or if authentication is disabled. Banners vary based on the person creating them and the type of the service the device provides. When this information is combined with geographic information, Internet service provider (ISP) information, and more gleaned from the IP address, a clear picture of a device can emerge. That clear picture can include device vulnerabilities that can be easily exploited, such as unchangeable hardcoded passwords and manufacturer-created backdoors. Shodan is a great tool that can help find these vulnerable devices, which will ultimately lead to securing them.

Shodan can even collect statistics and calculate measurements. For example, Shodan can indicate countries that are increasingly connecting with each other more, which version of Apache is used the most, and even how many devices are vulnerable to a new piece of malware.

Some of the IoT devices found by researcher Dan Tentler using Shodan in 2013, five years after its debut in 2008, included traffic light controls, traffic cameras, a swimming pool acid pump, a hydroelectric plant, a hotel wine cooler, a hospital heart rate monitor, a home security app, a gondola ride, and a car wash. In the case of traffic light controls, a warning message “DEATH MAY OCCUR !!!” was visible in the banner. If Tentler wanted to, he could have easily put the lights in “test” mode and caused unimaginable damage! Why? These controls, incredibly enough, required no login credentials.

In further research, announced at the beginning of 2016, Tentler found webcams showing marijuana plantations, bank back rooms, rooms inside houses (including kitchens, living rooms, and garages), areas outside of houses (including front gardens and backyards), public locations such as ski slopes and swimming pools, students in colleges and schools, laboratories, and even cash registers inside of retail stores.

In 2013, another researcher, Shawn Merdinger, detailed what he found with Shodan, including Caterpillar trucks whose onboard monitoring systems had an easily guessable username/password combination, fetal heart monitors, and even the power switch that controlled a hospital’s neurosurgery wing.

Also in 2013, researcher Billy Rios, who had already found close to 2,000 building management systems that had no username or password configured on Shodan, found one such building management system without credentials belonging to…Google.

Anything that has a web interface can be discovered by Shodan, including smart TVs, smart refrigerators, water treatment facilities, wind turbines, yachts, license plate readers, heating and security control systems for banks, condos, corporations, and universities, industrial control systems, SCADA systems (some controlling nuclear power plants), and electrical grids.

In his book Complete Guide to Shodan, Shodan founder John Matherly explains how the discovery process of Shodan works:

The basic algorithm for the crawlers is:

1. Generate a random IPv4 address.

2. Generate a random port to test from the list of ports that Shodan understands.

3. Check the random IPv4 address on the random port and grab a banner.

4. Goto 1.

This means that the crawlers don’t scan incremental network ranges. The crawling is performed completely random to ensure a uniform coverage of the Internet and prevent bias in the data at any given time.

Remember, “The S in IoT Stands for Security.”

Learning Objectives

In this lab exercise, you’ll explore Shodan. At the end of this lab exercise, you’ll be able to

• Understand how Shodan works

• Perform Shodan searches

Lab Materials and Setup

The materials you need for this lab are

• The Principles of Computer Security: CompTIA Security+ and Beyond textbook

• A web browser with an Internet connection

Let’s Do This!

The question of legality is often raised with Shodan. As per the following sources, there seems to be no reason to worry.

The following is from www.safetydetectives.com/blog/what-is-shodan-and-how-to-use-it-most-effectively/:

Shodan is completely legal and does not breach the US government’s Computer Fraud and Abuse Act. On its own, the service only collects data that was already available to the public. The metadata for various IoT devices is already broadcasted online, and Shodan simply reports what it finds.

The following is from www.comparitech.com/blog/vpn-privacy/remove-device-shodan/#Is_Shodan_legal:

One of the first questions the uninitiated ask is, “Is it legal?” CT Access’s Scott Hirschfeld, answering from a technical point of view, says it is. Because Shodan is just a “massive port scanner” and simply exposes vulnerable devices (does not actually use the information it discovers), it is legal. “Port scanning is not a violation of the Computer Fraud and Abuse Act, because it does not meet the requirement for damage concerning the availability or integrity of the device.” Popular scanners like nMap and Nessus can do pretty much the same job.

Finally, the following is from https://securitygladiators.com/what-is-shodat/:

To put it in simpler terms, Shodan runs a simple scan of each and every port that almost all Internet of Things run on. After doing that, the scan comes back with various search results which are both structured and readable. Now, the thing you need to understand here is that the results Shodan scan comes back with are already available on various open ports even without any help from services like Shodan. That is why we said that Shodan on its own does nothing. It does nothing apart from showing information that is already available. In other words, Shodan finds already-available information. Moreover, our research also shows that activities such as port scanning are not illegal. Such activities in no way violate anything that is mentioned in the Computer Fraud and Abuse Act. To take an example, Google does a terrific job of tailoring its search results which are actually based on a very specific algorithm. After doing that, Google presents all the information that it has found on the internet in ways that Google feels would provide the most benefit to a given online user. Now, we are aware of the fact that Shodan does not do any of that. All that a simple search result actually does is that it exposes vulnerable systems and devices.

The preceding does not represent any official legal advice. The author and publisher are not to be held liable for any reason regarding this lab exercise. This includes, but is not limited to, trying to access and change configurations on any devices. You have the ability to decide on how to proceed.

Step 1 You’ll start by creating a free Shodan account and logging in. Then you’ll be ready to perform your first Shodan searches.

a. Go to https://www.shodan.io/, as shown in Figure 25-1.

FIGURE 25-1 Shodan

b. Click the red Create a Free Account button on the left.

Enter a username, password, confirmed password, and e-mail address and then click the green Create button.

Verify your account by clicking the link in your e-mail.

c. Provide your username and password when prompted to log in and click the green Login button. Click the Shodan link in the top-left menu bar (to the left of Developers).

d. After just a few searches, you’ll see the message, “Error! Daily search usage limit reached. Please wait a bit before doing more searches or use the API,” as shown in Figure 25-2.

FIGURE 25-2 Daily search usage limit reached

If you’re okay with that, you’ll have to wait a day before continuing to use the Shodan search feature. If you’d like to continue sooner, click the green Upgrade button at the right, as shown in Figure 25-2.

You’ll be brought to a page with the following offer: “Gain Full Access for $49 Unlock everything that Shodan has to offer by becoming a member.” If you are interested, click either the Check Out with PayPal button or the Buy Now button, and then follow through to become a member by submitting all the required information. That $49 charge is a one-time fee for lifetime membership. I highly recommend it. You will still be limited, though, to 200 daily searches via the website.

After you submit payment, you’ll be brought to a page with access to new items, including the following:

• A digital copy of the Complete Guide to Shodan, which provides an overview of the websites and the API, and also explains how everything works

• The Shodan API, which provides complete access to collected data

• Increased access to Shodan Maps

• Access to a new search interface for browsing Shodan-collected screenshots that were collected from many different services (X11, RDP, webcams, and so on)

• The ability to launch scans, monitor networks in real time, and more, through the command line, as well as access to the Help Center, sample commands, and short tutorial videos

2a–2g

Step 2 Now you’ll execute some specific queries.

a. In the Shodan search bar, at the top, type school and click the red Search button to the right of the search bar. You’ll notice lots of results, including banners, IP addresses, ISP information, city information, and more. On the left sidebar, you’ll notice a world aggregation, with categories including Top Countries, Top Services, Top Organizations, Top Operating Systems, and Top Products. If you click a country, the display will rearrange and show stats proportional to that country for the other categories, while the Top Countries category will change to Top Cities.

If you click any other item in the results pane, the results will align accordingly to what you clicked. For example, if you clicked United States and then HTTP, you’ll see Top Cities, Top Organizations, and Top Products for results of United States and HTTP. You can further drill into the results by filtering by city, organization, or product. The number of total results decreases with each click because you’re getting more and more specific.

If you search for “Staten Island” without the proper Shodan filters, you’ll notice multiple results that contain gas tank information. I just got 20 total results for this search. When clicking the IP address in the result, you’ll see more than the preview on the search results page, as shown in Figure 25-3.

FIGURE 25-3 Gas tank information from a Staten Island gas station

b. Now try searching with the proper Shodan filters. When searching by city:“Staten Island” state:“NY”, I got 49,979 results!

c. For results that have screenshots, you can search by has_screenshot:yes and then filter the results by adding to the search query or clicking items in the results pane on the left. For example, has_screenshot:yes city:rochester state:ny shows all results with screenshots in Rochester, New York. At this point, you can click Rochester Institute of Technology in the Top Organizations category in the results pane on the left, which will add org:“Rochester Institute of Technology” to the search query.

d. Search by the string “default password” to find results that have those words, which could indicate a potential vulnerability waiting to be exploited.

e. Search by port:23 to find instances of obsolete Telnet servers that can be exploited.

f. Search by org:Starbucks to find all results tied to Starbucks to find any potential vulnerable devices in coffeehouses where coffee lovers are unaware of the risks they are taking by using public Wi-Fi without a virtual private network (VPN).

g. Under the Shodan search bar is a menu bar. Click the Explore link or go directly to
www.shodan.io/explore.

After selecting one of the featured categories on the left, read about each item and then click one of the Explore buttons. At the time of writing, the featured categories are Industrial Control Systems, Databases, and Video Games. Clicking each of those links gives you buttons to click that perform searches for specific devices in each category. The Explore page also allows you to click links for “Top Voted” and “Recently Shared” searches. You can go even deeper by clicking the More Popular Searches… and More Recent Searches… buttons.

Submit screenshots for the five most interesting results returned.

Step 3 A list of filters can be found here:

https://beta.shodan.io/search/filters

A list of examples can be found here:

https://beta.shodan.io/search/examples

A guide to search query fundamentals can be found here:

https://help.shodan.io/the-basics/search-query-fundamentals

Using information from these links, construct and execute five original queries. Use multiple criteria for each query to produce specific results.

60 MINUTES

Lab Exercise 25.02: Insecam

The following is from www.insecam.org:

Welcome to Insecam project. The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password. Mozilla Firefox browser is recommended to watch network cameras.

The following actions were made to Insecam for the protection of individual privacy:
- Only filtered cameras are available now. This way none of the cameras on Insecam invade anybody’s private life.
- Any private or unethical camera will be removed immediately upon e-mail complaint. Please provide a direct link to help facilitate the prompt removal of the camera.
- If you do not want to contact us by e-mail, you can still remove your camera from Insecam. The only thing you need to do is to set the password of your camera.
- You can add your camera to the directory by following next link. It will be available only after administrator’s approval.

Here are the two sentences that really stand out to me: “If you do not want to contact us by e-mail, you can still remove your camera from Insecam. The only thing you need to do is to set the password of your camera.”

One of the biggest mistakes organizations make when setting up their networks is leaving default settings “as is” and not changing simple settings such as username and password. Think back to the port-scanning lab exercise from Chapter 16. Different camera manufacturers have their webcams listen and send on certain ports.

Insecam sends out port scans to random IP addresses. When a port scan reveals that a certain port is open, Insecam can identify the manufacturer, just by that port number.

Cameras, like many IoT devices, come with default username and password combinations. If it’s not admin/admin, a simple Google search will reveal those credentials. However, in the FAQ of Insecam, it is noted that none of the cameras on the site have any password configured.

If your camera is on Insecam, the way to remove is to set a password. That’s it! Yes, it’s that simple.