[governance] Cyber search engine exposes vulnerabilities - TheWashington Post

[michael gurstein]

http://www.washingtonpost.com/investigations/cyber-search-engine-exposes-vul
nerabilities/2012/06/03/gJQAIK9KCV_print.html



Cyber search engine Shodan exposes industrial control systems to new risks


By Robert O'Harrow Jr., Published: June 3 


It began as a hobby for a -teenage computer programmer named John Matherly,
who wondered how much he could learn about devices linked to the Internet.

After tinkering with code for nearly a decade, Matherly eventually developed
a way to map and capture the specifications of everything from desktop
computers to network printers to Web servers. 

He called his fledgling search engine Shodan <http://www.shodanhq.com/> ,
and in late 2009 he began asking friends to try it out. He had no inkling it
was about to alter the balance of security in cyberspace.

"I just thought it was cool," said Matherly, now 28.

Matherly and other Shodan users quickly realized they were revealing an
astonishing fact: Uncounted numbers of industrial control computers, the
systems that automate such things as water plants and power grids, were
linked in, and in some cases they were wide open to exploitation by even
moderately talented hackers.

Control computers were built to run behind the safety of brick walls. But
such security is rapidly eroded by links to the Internet. Recently, an
unknown hacker broke into a water plant south of Houston using a default
password he found in a user manual. A Shodan user found and accessed the
cyclotron at the Lawrence Berkeley National Laboratory. Yet another user
found thousands of unsecured Cisco routers, the computer systems that direct
data on the networks. 

"There's no reason these systems should be exposed that way," Matherly said.
"It just seems ludicrous."

The rise of Shodan illuminates the rapid convergence of the real world and
cyberspace, and the degree to which machines that millions of people depend
on every day are becoming vulnerable to intrusion and digital sabotage. It
also shows that the online world is more interconnected and complex than
anyone fully understands, leaving us more exposed than we previously
imagined.

Over the past two years, Shodan has gathered data on nearly 100 million
devices, recording their exact locations and the software systems that run
them.

"Expose online devices," the Web site says. "Webcams. Routers. Power Plants.
iPhones. Wind Turbines. Refrigerators. VoIP Phones."

Homeland security officials have warned that the obscurity that had
protected many industrial control systems was fast dis-appearing in a flood
of digital light. 

"This means that these delicate [control computers] are potentially
reachable from the Internet by malicious and skilled adversaries," a
Department of Homeland Security paper concluded in 2010.

The number of intrusions and attacks in the United States is rising fast.
>From October to April, the DHS received 120 incident reports, about the same
as for all of 2011. But no one knows how often breaches have occurred or how
serious they have been. Companies are under no obligation to report such
intrusions to authorities.

                                 --------------- SNIP ---------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igcaucus.org/pipermail/governance/attachments/20120604/8141f538/attachment.htm>
-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t