Shodan is an incredible tool, but it can be also used for the bad.
Shodan stands out for highlighting this inadvertent exposure of information by gear owners.
Of course, Shodan has other uses besides helping enterprises gain a competitive edge.
Researchers often use"the scariest search engine on the Internet"tolocate potential security risks.
When they peered inside, they unearthed more than 560 million email addresses and passwords collected from other sources.
By running a sample set for his service,Hunt identified 243,692,899 unique emails.
Nearly all of them were already in Have I Been Pwned as a result of “mega-breaches” likeLinkedInandDropbox.
It’s unclear who owned the vulnerable database.
Using a name found in the database credentials, Kromtech says it belonged to someone named “Eddie.”
He then took this information and posted it into MongoVue, a tool for browsing databases.
The weakness discovered by Vickeryallowed anyone to view the information contained in the databases without any authentication.
Kromtech also confirmed that it had secured the databases.
That meant each server’s stored credentials were publicly viewable.
The researcher didn’t test any of the credentials he found.
Matherly said at the time that the numbers could be much higher.
“Shodan has currently indexed more than 2 million IPs running a public SMB service on port 445.
“Shodan has already indexed 45k confirmed [infections] so far.”
That’s far fewer than the 47,820 MongoDB servers detected online.
Some were based in Germany and South Korea at 129 and 115, respectively.
Most servers were hosted in the cloud with 1,059 instances of Amazon and 507 of Alibaba.
But they’re not the only ones searching the web for Internet-connected devices.
Nor are they alone in their use of Shodan to their advantage.
For instance,bad actors have come up with scripts thatscan the service for IPs of vulnerable Memcached servers.
Malefactors can then use those insecure assetsto launch distributed denial-of-service (DDoS) attacks against a target.
Given these abuses, it’s important that security researchers who use Shodan notify equipment owners of their exposure.
They can’t force organizations to secure their IoT products and other vulnerable assets.
Butthey can raise awareness of those issues and in so doing promote best security practices for devices more generally.
c’mon, comment on how to improve this article.
