Here is a fascinating interview with the creator of a web-based tool called Shodan. Shodan essentially does for computer systems what Google does for websites. Instead of enabling you to search for cats that have lots of swag and dance around with an infectious YOLO attitude, however, Shodan enables you to search for a particular kind of data service, and it will return links to systems that provide that service.
Unfortunately for system administrators, most of the services Shodan finds, and most of the ones bad-guy hackers will be looking for, are ones that absolutely should not be accessible to the outside world. For example, it is not uncommon for file systems that are meant to remain internal to an organization to be exposed beyond the confines of the organization’s network. This unwelcome circumstance could be just an oversight, as it is terribly easy to make mistakes on these complicated IT networks, even for accomplished networking and security professionals. Or the systems might be exposed on purpose to make it more convenient for employees of the organization to access their documents on the road. Telnet, for example, a communication protocol developed 45 years ago, is really easy to use for people who want to access a system remotely. It’s also terrible, as everything sent via telnet is completely readable by anyone who captures the data packets, because telnet doesn’t encrypt the data at all.
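As an added example (not from the post, and not code from Shodan or Nmap): a small audit script that reads Nmap's grepable (-oG) output from a scan of an organization's own address space and flags open cleartext or file-sharing services sitting on addresses outside the assumed RFC 1918 internal ranges. The sample scan lines and the list of risky ports are constructed for illustration.

```python
import ipaddress

# Services the post calls out as unsafe to expose: telnet (cleartext) plus a few
# other cleartext or internal-only protocols. Assumed list; extend as needed.
RISKY_PORTS = {
    23: "telnet (cleartext)",
    21: "ftp (cleartext)",
    445: "smb (file share)",
    2049: "nfs (file share)",
}

# Assumed internal address space (RFC 1918); anything else counts as exposed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Nmap -oG output (fields are tab separated); not a real scan.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///"
    "\tIgnored State: closed (998)\n"
    "Host: 10.0.0.5 ()\tPorts: 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///\n"
    "Host: 198.51.100.7 ()\tStatus: Up\n"
    "Host: 198.51.100.7 ()\tPorts: 80/open/tcp//http///, 2049/open/tcp//nfs///, "
    "21/filtered/tcp//ftp///\n"
    "# Nmap done (constructed sample)\n"
)

def parse_gnmap(text):
    """Yield (ip, port, state, service) for every port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:          # "Status: Up" lines carry no port list
            continue
        for entry in ports_field[len("Ports:"):].split(","):
            # entry layout: port/state/proto/owner/service/rpc/version/
            parts = entry.strip().split("/")
            yield ip, int(parts[0]), parts[1], parts[4]

def find_exposed(text, risky=RISKY_PORTS):
    """Return (ip, port, label) for risky OPEN ports on non-internal addresses."""
    findings = []
    for ip, port, state, service in parse_gnmap(text):
        if state != "open" or port not in risky:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL_NETS):
            findings.append((ip, port, risky[port]))
    return sorted(findings)
```

Filtered ports and hosts inside the internal ranges are deliberately left out of the report, so the output is only what the post describes: services that should never have been reachable from outside.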
That battle between convenience and security occurs every day, everywhere. The desire to provide ubiquitous, convenient access to data systems is the primary reason why there are security vulnerabilities in the first place. Computer Scientists know intimately well how to lock down systems to be nearly impervious. (I say “nearly” because it is never wise to underestimate human ingenuity.) Such systems, though, would be so unusable you’d hear cursing that would make a rapper blush. Employees just want to get their work done, and any obstacle placed in their way by a well-meaning but somewhat removed IT staff will be most unwelcome.
Caving to convenience goes too far, however, when the practice extends to critical infrastructures. Shodan’s creator describes using the tool to find particular models of equipment on the power grid and other infrastructures that have particular vulnerable services running. That is truly scary, because the hard part for a decentralized, geographically expansive network like the power grid often is finding such points of vulnerability. Since these critical infrastructure systems increasingly employ desktop operating systems and hardware rather than proprietary, industry-specific ones (which, again, is a design decision made with convenience and cost in mind), once the attacker knows the vulnerability is there, he can rely on well-known techniques for exploiting it.
While I find much to worry about in this piece, the rah-rah Computer Science advocate in me relishes finding yet more evidence that cutting-edge advances in cyber security require the skill set that computer science students learn simply as part of their coursework. You’ll notice that the developer started by using a tool called Nmap to scan for services on local networks and then applied his coding skills to figure out how Nmap worked and how to write a new version of it that could reach out beyond local networks to survey the entire internet. He had to be intimately familiar with how to use the tool. Beyond that, though, he had to know a lot about how to program network sockets, how to map the network stack, and how to maximize his returns through mathematical probability theory. Computer Scientists can do those kinds of things, and that makes them especially valuable as cyber security experts.
The fact remains, though, that this tool is scarier than a sweaty Steve Ballmer leading an arena full of conference goers who’ve had too much geek-aid. Basically, we’ve sucked at this cyber security thing for a long, long time, and now this tool comes along to reveal all our dirty laundry. Yikes.