Secret doesn’t mean secure
No one could really blame you for thinking that the internet is basically just a collection of email and websites. After all, websites are pretty much the only things most search engines (including Google) return. When websites are the only thing most people ever get presented with, it’s easy to understand why some people might come to that conclusion. A lot of people are surprised by how much more there really is out there. So how much information gets missed by the regular search engines?
A lot. Like, a lot a lot. It’s impossible to really describe how much without going into some of the gritty details on how the internet works, and we’re going to start with Internet Protocol addresses, more commonly referred to as IP addresses. Every website has one, just like every computer in your company network. Communication to a website is handled by the Transmission Control Protocol (TCP). Think of an IP address like your cell phone number, and TCP as everything that happens between your phone and your friends when they call you.
In any case, TCP allows each IP address to have up to 65,535 different ports. A website will take up 2 ports—one for the unencrypted version of the site (HTTP) and one for the encrypted version (HTTPS). Email is another commonly used communication option, and that uses up another 10 or so possible ports (depending on how you’re communicating). Even when you consider that the first 1024 ports are used heavily by other things and that some ports are usually reserved for Windows’ Active Directory, you’re still only using a very small fraction of your roughly 65,000 available ports.
Why am I bringing this up? Because of a search engine you may not have heard of, called Shodan. Shodan is different from other search engines because it doesn’t intentionally limit itself to searching for and returning only web pages; it scans for anything. It will find websites, email servers, FTP sites, SCADA equipment, or anything else that has been set up to respond to traffic from the internet. Shodan has been designed to cycle through every IP address on the internet and scan all of its ports. It then records any responses it gets (on any port) and moves on to scan the next IP. Since this information can change, it’s constantly repeating the scan over and over again. Hopefully you can see where this is going.
To be fair, TCP ports are a fairly low-level topic that doesn’t really concern anyone who’s not involved in shaping your network traffic, but part of our security audits involves getting a list of the IP addresses for all the locations a customer has control of (even if they don’t actively use them all). Then I run the entire list through Shodan to see what details the search engine has already found.
This has led to some interesting discoveries in past assessments when organizations assumed the only things they were exposing to the world were their mail server and website. I’ve found things like QNAP devices and even water treatment plant controllers exposed directly to the internet. A normal search engine would never find stuff like that, but Shodan finds them just fine. Plus, just like most other search engines, anyone can use it.
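As an added example (not code from the original post or from Shodan), here is how that audit step can be automated: take the IP addresses the organization controls, compare what Shodan reports for each against the services the organization believes it exposes, and report everything else. The host records below are constructed sample data in the shape of the Shodan host API response (`ip_str`, `ports`, `data[].port`, `data[].product`) so the script runs offline; the IP addresses, expected-exposure policy and products are all made up.

```python
import json

# Services the organization believes it exposes, per IP. Anything Shodan
# reports beyond this allow-list is a finding. (Constructed sample policy.)
EXPECTED_EXPOSURE = {
    "198.51.100.10": {80, 443},            # public website: HTTP + HTTPS
    "198.51.100.20": {25, 465, 587, 993},  # mail server
    "198.51.100.30": set(),                # "unused" address, nothing expected
}

# Constructed sample records in the shape of Shodan's host API response.
# A real audit would fetch these per IP with the shodan library instead.
SAMPLE_SHODAN_HOSTS = json.loads("""[
 {"ip_str": "198.51.100.10", "ports": [80, 443],
  "data": [{"port": 80, "transport": "tcp", "product": "nginx"},
           {"port": 443, "transport": "tcp", "product": "nginx"}]},
 {"ip_str": "198.51.100.20", "ports": [25, 587, 993, 8080],
  "data": [{"port": 25, "transport": "tcp", "product": "Postfix smtpd"},
           {"port": 587, "transport": "tcp", "product": "Postfix smtpd"},
           {"port": 993, "transport": "tcp", "product": "Dovecot imapd"},
           {"port": 8080, "transport": "tcp", "product": "QNAP NAS web admin"}]},
 {"ip_str": "198.51.100.30", "ports": [502],
  "data": [{"port": 502, "transport": "tcp", "product": "Modbus"}]}
]""")


def unexpected_exposure(hosts, expected):
    """Return {ip: [(port, product), ...]} for every service Shodan saw that
    is not on the organization's expected-exposure list for that IP."""
    findings = {}
    for host in hosts:
        ip = host["ip_str"]
        # An IP that is missing from the policy is expected to expose nothing.
        allowed = expected.get(ip, set())
        banners = {b["port"]: b.get("product", "unknown") for b in host.get("data", [])}
        extra = sorted(p for p in host.get("ports", []) if p not in allowed)
        if extra:
            findings[ip] = [(p, banners.get(p, "unknown")) for p in extra]
    return findings


if __name__ == "__main__":
    for ip, services in unexpected_exposure(SAMPLE_SHODAN_HOSTS, EXPECTED_EXPOSURE).items():
        for port, product in services:
            print(f"{ip}: port {port} ({product}) is exposed but not on the expected list")
```

Run against real Shodan output, the same comparison turns "we only expose mail and web" from an assumption into something you can check on every audit.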
The assumption that something is secure simply because it’s a secret is very dangerous. It may be true, but only as long as the secret really is safe. To make things worse, chances are that nobody will tell you if and when the secret does get out, so you won’t even know the security has been compromised until it’s too late. It’s better to assume that the existence of something is known; then you can focus on effective security safeguards.
The internet is a vast and deep place, and this can be best described by turning to Hamlet Act 1 Scene 5, “There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy.”
If you have any questions about Shodan, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.