[CRTech] Christian Radio Tech [MSG 79188]
Shodan, Google, and hacking explained (Was: hacking continued)
To: CRTech <crtech@crtech.org>
Subject: Shodan, Google, and hacking explained (Was: hacking continued)
From: Sherrod Munday <smunday@ieee.org>
Date: Wed, 15 Mar 2017 14:29:12 -0400
On Mar 15, 2017, at 10:37, BIll Moede <bmoedereplay@gmail.com> wrote:
> So is the hacking coming through the internet connection at the station?

Let's clarify a few terms and practices:

Shodan is simply a search engine.  It simply searches for and indexes information about *devices*, not web (HTTP) content.  

Google is also simply a search engine.  It simply searches for and indexes *content* available via web browsers.

It's possible to use results from Google to launch an attack: think "doxing" (searching for publicly-available documentation on a person and then compiling it and releasing it, often with the intended result of releasing information that could be construed as private about a person) as one example.

It's similarly possible to use the results from Shodan to launch an attack against devices.  As the Wiki article on Shodan ( http://bit.ly/2n0qwwl ) explains, there are APIs to hook the results of Shodan into attack programs (i.e. hacking software).  But that doesn't make Shodan evil -- there are obviously APIs to hook Google results into many apps and programs, but that doesn't make Google evil either.  (Whether Google is actually evil is *not* going to be discussed on this forum!!!  :-)


With the understanding that Shodan (like Google) is simply a search engine, recognize that it does not directly launch hacks or attacks.  A ping, TCP connection attempt, or other similar probe against an IP address doesn't mean you're being hacked... it just means that something is looking for open ports and/or services.  That "something" could be Shodan, an individual running a command manually, a botnet, or someone running a targeted port scan directly from their computer.  

So, understand that Shodan sniffing your IP doesn't mean anyone or anything is trying to hack you or your devices; it just means Shodan is attempting to gather information like any other search engine.


Now, obviously in the O.P.'s case where someone seems to have turned on the tone in the Amb-OS receiver: if we connect the dots correctly, the picture makes it look like someone used the information (that possibly was gathered by Shodan) to know where to log in to some device.  Whether they knew what an Amb-OS receiver actually *is* or *does* is irrelevant -- it's a device that is connected to the Internet, so someone wanted to poke around and find out if there are any vulnerabilities that could be exploited.  (*Why* they wanted to know that is a separate discussion.)  While logged into the receiver's web GUI, they obviously (according to the O.P.) enabled the tone output, which effectively resulted in corrupted programs/content that a radio station wanted to use.

This action, in its simplest form, becomes a relatively mild form of a Denial of Service ("DoS") attack just against that particular radio station.


And, to answer Bill Moede's question above: Yes, the "hacker" in this case could have accessed the Amb-OS receiver directly through the Internet, but I doubt that the ex-post-facto records of Shodan's search poking into the external firewall's IP address prove anything about who did it.  It is entirely possible that someone inside the organization/radio station went poking around on the internal network and discovered an open port (port number 80 is used for standard unencrypted web (HTTP) traffic, and is the port that web browsers look for by default) and hit it with a web browser to poke around and find out what it was.  

I'd imagine some young unsupervised computer-savvy intern could have gotten bored and not realized the impact of toggling that setting just as easily as I'd concede that it could have been a malicious intentional action by an outside actor (looking to gain fame for another Barix anti-Trump campaign).  Without records of all connections through the firewall, however, it will be impossible to prove.


On that note, that is exactly the reason I log all connections through our firewalls.  By using netflows and sending them to a collector, I can review back to any five-minute period over the last year or more (I forget how far back I've got it logging) and see a record of every TCP conversation, UDP flow, or ICMP traffic that goes through our firewall and also across a wide-area network between two of our sites.  I don't record the actual conversation -- but I do have records that the conversation took place.  In that aspect, it's identical to the NSA getting the metadata of all the calls that you've had on your cellphone without listening to the conversation.  

Such netflow records are what's essential to forensic investigations of hacks that occur: they provide the details that are necessary for postmortems and learning.   (That's how some hacked company like Target can say long after the hack occurred (even if it started a year ago) that they had large volumes of data being exfiltrated from their site to a site in China, Russia, or anywhere -- netflows provide that record.)


And now, we return you to your regularly scheduled day job activities.  :-)

—
Sherrod Munday
<smunday@ieee.org>
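As an added illustration of the flow-record review described in the message above (example code, not the author's or the list's own; the CSV layout, the addresses and every flow record are constructed assumptions), the script below answers the two questions the message raises: who hit the receiver's web port during a given five-minute window, and which internal hosts pushed an unusually large volume of data off-site.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real data), in the shape a collector
# might export: start time, protocol, source, source port, destination,
# destination port, bytes. 192.0.2.0/24 plays the station's internal network,
# 192.0.2.20 the receiver's web GUI, 203.0.113.7 an outside scanner.
SAMPLE_FLOWS = """\
start,proto,src,sport,dst,dport,bytes
2017-03-14T09:58:10,TCP,203.0.113.7,51122,192.0.2.20,80,412
2017-03-14T10:01:42,TCP,192.0.2.55,49871,192.0.2.20,80,18230
2017-03-14T10:02:05,UDP,192.0.2.10,514,192.0.2.30,514,96
2017-03-14T10:03:30,ICMP,203.0.113.7,0,192.0.2.20,0,64
2017-03-14T10:04:11,TCP,192.0.2.55,49872,192.0.2.20,80,9100
2017-03-14T10:20:00,TCP,192.0.2.40,44000,198.51.100.9,443,250000000
"""

def parse_flows(text):
    """Parse exported flow records into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.fromisoformat(r["start"])
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        r["bytes"] = int(r["bytes"])
        rows.append(r)
    return rows

def who_talked_to(flows, dst, dport, window_start_iso, minutes=5):
    """Count flows per source address to dst:dport inside a time window."""
    start = datetime.fromisoformat(window_start_iso)
    end = start + timedelta(minutes=minutes)
    hits = defaultdict(int)
    for f in flows:
        if f["dst"] == dst and f["dport"] == dport and start <= f["start"] < end:
            hits[f["src"]] += 1
    return dict(hits)

def large_outbound(flows, internal_cidr, threshold_bytes):
    """Sum bytes per (src, dst) leaving internal_cidr; keep pairs over threshold."""
    net = ipaddress.ip_network(internal_cidr)
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in net and dst not in net:
            totals[(f["src"], f["dst"])] += f["bytes"]
    return {pair: b for pair, b in totals.items() if b >= threshold_bytes}
```

Run against a real export, the same two functions turn "someone toggled the tone" into "these sources reached the receiver on port 80 in that window", which is the record the message says you need to prove anything.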
