There’s an old saying that products aren’t good or bad, it’s how they’re used. The Shodan search engine is a prime example.
Most users turn to hunt for so-called service banners, information about devices connected to their Internet and their systems. It’s ideal for security pros to find out where there might be holes in their networks.
But that also makes Shodan an ideal tool for those wanting to attack organizations. One of the latest articles to point this out ran Tuesday on CSO Online, where writer Maria Korolov called it “a playground for hackers and terrorists” as well as a tool for legitimage security practitioners.
The Shodan blog lists a variety of protocol-specific information the search engine can discover, including
–The Heartbleed on all SSL services,
–a list of peers from a Bitcoin server
–whether a DNS server allows recursive lookups
–all the MongoDB databases
–the SSL certificate for all SSL services
–the robots.txt for HTTP services.
In fact the site has an REST API to help users pull down data for a fee (developers US$ a month; enterprises who need more data US$499 a month).
As Shodan founder John Matherly says in the piece, the site can be used by enterprises to find unsecure devices. But bad guys (and gals) can use this data as well. Among other things, Shodan search information won’t look like a hacker probe. Matherly is quoted as saying the search engine has “numerous technical measures” to prevent abuse.
“In reality, it is much cheaper and effective for the bad guys to use a botnet or a compromised host running [open source network scanning tools] zmap or masscan than to search Shodan.”
The next time you use Shodan think about it. At the very least it should be a spur to IT departments to increase their efforts to secure their environments.