<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META name=GENERATOR content="MSHTML 9.00.8112.16443"></HEAD>
<BODY bgColor=#ffffff>
<DIV><A
href="http://www.washingtonpost.com/investigations/cyber-search-engine-exposes-vulnerabilities/2012/06/03/gJQAIK9KCV_print.html">http://www.washingtonpost.com/investigations/cyber-search-engine-exposes-vulnerabilities/2012/06/03/gJQAIK9KCV_print.html</A><BR><BR></DIV>
<DIV>
<DIV style="-webkit-hyphens: auto; -webkit-locale: en" id=article>
<DIV
style="LINE-HEIGHT: 1.4; FONT-FAMILY: Palatino, Georgia, Times, 'Times New Roman', serif; FONT-SIZE: 19px"
class=page>
<H1 class=title>Cyber search engine Shodan exposes industrial control systems to
new risks</H1>
<H3 property="dc.creator">By Robert O’Harrow Jr., <SPAN contenttype="article"
pagetype="leaf" datetitle="published" epochtime="1338776373000">Published:
June 3</SPAN> </H3>
<P>It began as a hobby for a teenage computer programmer named John
Matherly, who wondered how much he could learn about devices linked to the
Internet.</P>
<P>After tinkering with code for nearly a decade, Matherly eventually developed
a way to map and capture the specifications of everything from desktop computers
to network printers to Web servers. </P>
<P>He called his fledgling search engine <A href="http://www.shodanhq.com/"
data-xslt="_http">Shodan</A>, and in late 2009 he began asking friends to try it
out. He had no inkling it was about to alter the balance of security in
cyberspace.</P>
<P>“I just thought it was cool,” said Matherly, now 28.</P>
<P>Matherly and other Shodan users quickly realized they were revealing an
astonishing fact: Uncounted numbers of industrial control computers, the systems
that automate such things as water plants and power grids, were linked in, and
in some cases they were wide open to exploitation by even moderately talented
hackers.</P>
<P>Control computers were built to run behind the safety of brick walls. But
such security is rapidly eroded by links to the Internet. Recently, an unknown
hacker broke into a water plant south of Houston using a default password he
found in a user manual. A Shodan user found and accessed the cyclotron at the
Lawrence Berkeley National Laboratory. Yet another user found thousands of
unsecured Cisco routers, the computer systems that direct data on the networks.
</P>
<P>“There’s no reason these systems should be exposed that way,” Matherly said.
“It just seems ludicrous.”</P>
<P>The rise of Shodan illuminates the rapid convergence of the real world and
cyberspace, and the degree to which machines that millions of people depend on
every day are becoming vulnerable to intrusion and digital sabotage. It also
shows that the online world is more interconnected and complex than anyone fully
understands, leaving us more exposed than we previously imagined.</P>
<P>Over the past two years, Shodan has gathered data on nearly 100 million
devices, recording their exact locations and the software systems that run
them.</P>
<P>“Expose online devices,” the Web site says. “Webcams. Routers. Power Plants.
iPhones. Wind Turbines. Refrigerators. VoIP Phones.”</P>
<P>Homeland security officials have warned that the obscurity that had protected
many industrial control systems was fast disappearing in a flood of digital
light. </P>
<P>“This means that these delicate [control computers] are potentially reachable
from the Internet by malicious and skilled adversaries,” a Department of
Homeland Security paper concluded in 2010.</P>
<P>The number of intrusions and attacks in the United States is rising fast.
From October to April, the DHS received 120 incident reports, about the same as
for all of 2011. But no one knows how often breaches have occurred or how
serious they have been. Companies are under no obligation to report such
intrusions to authorities.</P>
<P><B>
--------------- SNIP
---------------</B></P></DIV></DIV></DIV></BODY></HTML>