It Is Shocking What You Can Find On the Internet

If you know how to do some creative looking around on the Internet, it is truly shocking just how much access you can get to systems without really trying.  Recently an Internet Security Expert Paul McMillan (@PaulM) build a tool to scan for machines which were exposed to the Internet and which didn’t have any security in place so that if you knew they were there would simply allow you to access them.  What was found, and the screenshots which were published are a shocking display of systems security failure.

You would think that various colleges around the US would have a better idea of network security, but apparently not.  Now these aren’t really all that important, and it would slightly embarrassing at worst if someone started making changes to these.  However not everything that was found was so.

A kiosk at a college

A kiosk at a college

Something else at a college

Something else at a college

Display board of a college library

Display board of a college library

A desktop at a college

A desktop at a college

There’s some stuff that could have a direct impact on peoples day to day lives.  Such as the controls for a grain silo, which I could be told to dump all the grain from the silo onto the ground, which would ruin the grain and cost the farmer a lot of money.

Appears to be a Grain Silo

Appears to be a Grain Silo

Or we could lock down the pumps at this gas station.

A large Gas Station

A large Gas Station

Ever wanted to control a car wash?

A Car Wash Control System

A Car Wash Control System

How about a movie theater?

Cinema City Movie Theater Control System

Cinema City Movie Theater Control System

Or maybe we could screw around with the Parking ticket Kiosk for the city of Oakland, California, USA.

City of Oakland Parking Ticket Payment System

City of Oakland Parking Ticket Payment System

There were a large number of people’s desktop computers just sitting there available.  In this one the person is writing code for an application.

Someone actively writing code

Someone actively writing code

It isn’t just small companies that have their systems exposed to the Internet for no reason at all. Here’s the Double Tree hotel in Boston, MA (a member of the Hilton family of hotels).  This system happens to be the display board for what’s going on in the conference rooms on the day the screenshot was taken.

The Boston Double Tree's conference room TV

The Boston Double Tree’s conference room TV

So far all of these systems have been pretty harmless.  But there are some pretty big control systems online as well.  Here’s the control systems for a hydro-electric plan which is producing around 480kw or power.

Some sort of Hydro-electric plant generting about 480kw of power

Some sort of Hydro-electric plant generating about 480kw of power

Here’s what appears to be another power plant.

My best guess is a power plant

My best guess is a power plant

Or if coal mining is more your speed, this appears to let us control the loaders, belts, trains, etc. for an active coal mine.

Coal Mine Control System

Coal Mine Control System

Here’s the control systems for a few more power plants, all of which are available to anyone who knows how to look for them.

A Power Plant

A Power Plant

Another Power Plan

Another Power Plan

Yet another power plan

Yet another power plant

I’m not really sure what this controls, but it looks pretty important.

Something very industrial looking

Something very industrial looking

I wonder what kind of wells these are that we can shutdown?  Water, oil, could be anything.

What appears to be a well monitoring system

What appears to be a well monitoring system

Maybe there’s someone important hooked up to this heart monitoring system at a hospital.

Heart Monitor for a hospital bed

Heart Monitor for a hospital bed

Every one of these systems can be connected to, and controlled from anywhere in the world because they don’t have even the most basic network security setup on these devices.  Do any of these devices need to be connected to the public Internet?  No, there’s no valid reason for a single one of these to be on the Internet, but they are.

Companies who run these systems need to take better care of their networks, because eventually someone who is looking to do some actual damage is going to stumble across the tools and techniques which are used to find and access these systems.  And once that happens it’s to late.  Thankfully Paul McMillan was just doing research, imagine if his plan was to do actually do damage.  I’ve shown you just some of the power plants, hospital equipment, and food storage locations which he found.  It would have been a simple task to just shutdown all those systems one by one as he found them and no one would have had any idea that it was him, or even what happened.  According to all the logs at the power plants someone would have issued the shutdown command from which ever control system that Paul was connected to.

Someone needs to get the message out to these companies, utilities, etc. that they need to fix these problems BEFORE it’s to late, not after.

Denny

Special Thanks to Paul McMillan for doing the hard work of scanning all these systems, and to Information Security Expert Dan Tentler (@Viss) for sifting through and finding some of the interesting ones and sharing them with me for this post.

What does “Heartbleed” mean to the rest of us?

By now we’ve all read about the Internet bug called “Heartbleed“.  But what does this mealy mean to the rest of us?  In a nheartbleedutshell it means that there is a real good chance that someone has your username and password that you don’t want to have it.

Is my computer infected?

No, your home computer isn’t going to be infected with anything.  Heartbleed exists because of a bug in the software which handles the data encryption on some web servers.

Are all websites infected?

No.  Not every website is infected.  There is no easy way for us the end users to know which websites are still suffering from the problem and which ones aren’t.

How can I protect myself?

The only way to protect yourself is to not use websites which are suffering from the Heartbleed problem.  If you are using websites which haven’t had the needed patches installed on them, then any information which you send to those websites could be read by an attacker.

Is there a list of websites which are safe to use?

Sadly no, there is no list of websites.  All you can do is check with the company which runs the website or wait for them to tell you that their webservers have been patched.

Is this something that I need to worry about?

Sadly the answer here is yes.  If you shop online, or use the same username or password or different websites then you might be at risk.  There’s no way to know if your information has been leaked or not, so it’s best to change your passwords for all the websites that you use.

How would I know if a website is safe to use?

There’s no easy way, or any way to really know for sure.  The best bet for an end user is to look at the SSL certificate for the website and see what the dates for when the SSL certificate was issued.  If that date is April 2014 or later then it is probably safe.  The reason that I say this is that part of the threat is that the private keys for the websites certificate may have been compromised, so websites are getting new certificates and having the old ones disabled.

Finding if the certificate is new is pretty straight forward.  In your web browser such as Internet Explorer, Firefox or Chrome connect to the website in question, I’ll use Google.com as an example.  Once connected to the website find the padlock which shows that the website connection is secure, which I’ve circled below in Internet Explorer, and click on the padlock.

lock

When you click on the padlock you’ll get some basic information similar to what you see below.  Click on the “View certificates” link at the bottom.

view

This will show you the certificate itself, which you can see below.  At the bottom you’ll see the dates which the certificate is valid from and to.  If the from date is in April 2014 or later then it’s probably safe.  You’ll notice that the from date in this case is April 2, 2014.

cert

If you are using Firefox or Chrome the steps will be very similar but the screens will look a little different.

What should I do?

The best thing you can do is change your passwords for all the websites which you use, and use a different password for each website.

As I learn more about this, I’ll post it here.

Denny

%d bloggers like this: