Search Engine Reveals Worrying Security Holes

A relatively unknown search engine is revealing worrying security vulnerabilities in many corporate systems

Potential and rather worrying security vulnerabilities are being highlighted by a little known search engine known as Shodan.

Unlike Google, which looks through actual websites, Shodan searches for online content that’s not created for public viewing. This includes “servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet,” CNN Money reported 8 April, calling Shodan “the scariest search engine on the Internet.”

Worrying Picture

In these days of heightened cyber-security concerns, and increasingly connected devices, the report paints an ominous picture.

Shodan, it says, runs around the clock, collecting information from 500 million-plus connected devices and services each month.

The report continued:

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

virtual machine network security browser web map © Sergey Nivens ShutterstockWhat’s really noteworthy about Shodan’s ability to find all of this – and what makes Shodan so scary – is that very few of those devices have any kind of security built into them.

The upside to the story is that, again unlike Google, the number of searches that can be performed are limited. John Matherly, its creator, limits searches to 10 without an account and 50 with one, and there’s also the matter of a payment.

Matherly said he uses the site “for good” and expects that folks with other intentions “may use it as a starting point” but are more likely rely on botnets – infected computers that can be made to perform tasks without their owners’ knowledge.

Potential Risks

Lawrence Pingree, a research director with Gartner, says that Shodan shows what’s been available on the Internet for years, but much more quickly and efficiently than it could previously be found.

“Without proper security technologies such as Firewalls, intrusion prevention, vulnerability scanning technology and other security controls, any of these systems could potentially be breached by an attacker,” Pingree told eWEEK.

“Placing any device without the proper protection mechanisms on the Internet, in an un-patched state without the proper security,” he added, “makes you a sacrificial lamb for an attacker.”

Research firm Extensia expects the number of machine-to-machine (M2M) connections – such as those used in smart heating systems, for example – to grow at an annual compound growth rate of 50 percent worldwide over the next 10 years.

By 2021, the firm expects the number of M2M device connections to reach 2.1 billion, and to have “far-reaching implications for communications service providers, vendors and networks.”

In February, following reports that The New York Times, The Wall Street Journal and even the US Federal Reserve had been hacked,  President Obama signed an executive order that sought to help address cybersecurity concerns by allowing federal agencies to share information with private industry. A day later, the Cyber Intelligence Sharing and Protection Act of 2013 was introduced in the House of Representatives.

A criticism of the order is that while it’s well intentioned, the best practices it sets forth aren’t mandatory and can’t be enforced.

IBM has said that enforcement should fall on an appointed, accountable person, such a chief security officer.

During an 6 April cyber-security event for the electric power sector, Andy Bochman, security energy leader for IBM Security advised, “The best way for a utility to introduce cyber-security into its infrastructure is to go in with a high-ranking executive to own the cyber-security risk for the enterprise.”

Gartner’s Pingree agrees.

“Security is a drag on most businesses. The most efficient way to make money is to do nothing – until you get hurt. But if you build a solution properly you can avoid the shortfalls and the costs involved with being breached,” said Pingree. “You need someone in the organisation to be a champion for security.”

Are you a security expert? Try our quiz!

Originally published on eWeek.