I mean there are some controls there that I'm sure if the wrong person pushes that red button, something will go kaboom.
And there is no shortage of people out there who would not think twice to blow things up.
So yes, this is scary, but it also makes me very surprised that, statistically, we are probably not supposed to be alive by now if so many critical control systems have VNC exposed like that in a way that allows full control of the system and not just viewing.
Perhaps it's just selection bias; if the world had ended by now then I wouldn't be able to type this.
But still, seriously, with all these screenshots, I assume this is not something new, so how come I haven't yet heard of major real-world damage due to a VNC vulnerability?
Is this really most likely to be a read only privacy issue? (which is not to be taken lightly, but not the same as being able to press "shutdown" on some power plant controls)
I think this may be the essential flaw in the logic that says we should be dead by now. Maybe there is a shortage of people who want to blow things up without thinking.
The flaw in the argument is likely GP's inference that "there are some controls there that I'm sure if the wrong person pushes that red button, something will go kaboom." Critical infrastructure tends to be better engineered than that. Cybersecurity threats are newer, less widely understood, and inadequately guarded against, but human error is an age-old problem.
Well. If it were the case that there are lots of people trying to buy explosives from fbi agents posing as jihadists, I would go so far as to conclude that there are a lot of people who want _the ability_ to blow things up.
If there were a lot more office bombings, infrastructure bombings, etc, then I would agree that there appear to be a lot of people who want to actually blow things up.
By running these stings, the FBI has made it very hard for real terrorist plotters to get in contact with real would-be foot-soldiers. If someone agrees to carry out a bombing when a fake terrorist is asking, what makes you think they wouldn't do it when a real terrorist asks?
"Get close to" in law enforcement parlance means "encourage criminal activity". If you read the details in these court cases, you repeatedly see an almost universal pattern of activity on the part of law enforcement to egg their targets on towards the criminal act. Drug "dealers" hassled for months to purchase LSD and repeatedly being told "no", only to finally give in and then get arrested. "Terrorists" being repeatedly contacted by informants or agents and plugged pro-terrorist encouragements for months until they agree to a part in some kind of "plot".
You have to remember that the vast majority of people won't take action by themselves. Even the crazy people that want to blow something up won't go out of their way to do it. It's the leaders you should be worried about. People that coordinate or incite others. Part of my career as an infantryman involved "riot police" training. The number one thing for arrest teams to do is to isolate and detain the people inciting the others. And this is why the powers that be are so hungry for mass surveillance: It's actually pretty easy to make giant relationship graphs of these networks to find the leaders. Remember the military talking about dropping five hundred pound bombs on phone numbers? They don't know who the person is, but they know he's a leader. Those people are easy to identify with enough information (and no, they don't need to unlock our iPhones to get at it).
It is in their best interest to keep pushing this idea that any random anti-government person is capable of an Oklahoma City bombing. The fact is, they're not.
> Drug "dealers" hassled for months to purchase LSD and repeatedly being told "no", only to finally give in and then get arrested.
That sounds pretty much exactly like real dealers I know, who don't sell to people until they think they know them.
Do you think that real terrorist plotters just ask nicely once and then leave you alone?
Also, we're talking about mass murder here, not selling some acid. Maybe you're right about some of these drug cases crossing over into entrapment. A lot of people feel that drugs "aren't that bad" and if a friend bugged them enough, maybe they would try to find some. I don't know the facts sufficiently to conclude either way. But that's not what we're talking about here.
"Out of the crooked timber of humanity, no straight thing was ever made."
How would a real terrorist find recruits inside a Western country? They'd find people that posted something indicating their support, and then they'd try to talk to them and coach them into carrying out an attack.
There are plenty of stories of tptb totally overstepping the bounds of peer pressure and coercion. I'd even argue that most people will choose to follow the crowd to fit in, not rock the boat, rather than go against their peers.
So should we wait for the real terrorists to apply this "peer pressure and coercion" instead?
We're talking about mass murder here, not pushing a little dope. Under what possible logic is an FBI agent able to convince someone to kill people, but a real terrorist isn't?
As other comments have suggested, there are plenty of "ordinary" people who could easily be radicalized if 5/6 of their friends were actually agents telling them they had to do something for God and Country. We don't round them up in stings because they function just fine in society with nobody trying to push them over the edge. What the FBI is doing is entrapment.
Have any of the attacks in the US since 9/11 been caused by people recruited on the ground in the manner used by the FBI stings? No, they come from people acting spontaneously. The challenge isn't recruiters on the ground, it's extremist ideology. And FBI entrapment fuels that ideology, rather than tempering it.
There have been way more attacks in Europe, and people have been recruited with those tactics. Coincidentally, these kinds of sting operations aren't very common in Europe, and are even banned in many countries. If we want to win this battle, there's no room for bleeding-hearts. We must be methodical, cunning, and ruthless against those who would kill us.
This same bleeding-heart attitude is what leads to people serving a measly four years in prison for shooting at police officers with an AK-47 while trying to get away after committing a bank robbery. No one should be surprised that this same person was one of the Brussels bombers.
>The older brother, Ibrahim el-Bakraoui, robbed a Western Union branch in Brussels in 2010, spraying gunfire at police from a Kalashnikov as he attempted to flee, according to his lawyer at the time and government officials. Mr. Bakraoui was caught and sentenced to 10 years in prison. In 2014, he was released with an obligation to contact his parole officer once a month.
> Then, a shock wave hits the Enterprise and Timothy says that his ship was also hit by a shock wave. Picard tells Worf to raise shields but a new shock wave is even stronger than the first one. More power is diverted to the shields and another wave hits and is even stronger. Picard and Geordi discuss putting the energy of the warp engine to the shields. Timothy states that is what they said on his ship.
> Data suddenly asks Picard to lower shields and Worf does so. The next shock wave is harmless and the Enterprise is safe. Data realized that giving energy to the shields caused even heavier shock waves (the more power the ship generated, the heavier the shock), and these were ultimately responsible for the destruction of Timothy's ship.
The lesson learned is that a strong and more vicious front may be met by an even stronger response. Obviously analogies and metaphors are only illustrations, not arguments, but judging from what I know of human nature amidst intense opposition, I don't think that a "ruthless" approach will do anything but breed more ruthlessness.
Another line comes to mind now, where Picard wonders in amazement about how silly we were to let differences about "economic systems" drive us apart during the Cold War. Star Trek is like the poster child for wishy-washy moral relativism.
I'll take my political and moral cues from reality, not fun scifi shows written by an eccentric with a political agenda.
I already pointed out that I was using TNG as an illustration, not an argument. But if you want reality, here's reality: people get pissed off when you attack and marginalize them and their friends and family. It's the role of the greater power to deescalate and try to integrate the oppressed, not wipe them out. Reality is that ruthlessness begets ruthlessness, and if your best counterargument to that is to call a TV show "wishy-washy", then you already know it's true.
1. Lack of network visibility by the owners of ICS
2. Availability > Forensics
3. VNC interfaces don't always provide full access
And keep in mind that there aren't a huge number of these anonymous VNC instances to begin with. We're talking less than 10,000 instances of servers that don't have any authentication and only a fraction of them are ICS-related.
I've written/presented on the topic a few times, see:
Historically, open VNC servers have been relatively difficult to find. I don't really mean difficult, just that you had to put some concerted effort into it and very few people did. It's a reasonably modern phenomenon that things like Shodan and other large-scale network scans (including accidental ones, like Google sometimes) can be used to quickly find them, and it's quite recent that someone has nicely packaged it into a website. So this is a problem with very little visibility until today. And it still doesn't really have that much visibility in the right place, which is the somewhat insular ICS industry (and a couple dozen other industries to a lesser extent).
SCADA HMIs and other ICS systems of that sort do often expose a VNC interface with no mouse and keyboard control - effectively a 'read-only' interface as you say. This is certainly less of a concern than allowing people on the internet control, but it is a significant and unnecessary security exposure. The kind of information revealed there can be very helpful to an adversary in finding a way to gain control.
In most cases, access to change configuration is protected, although it's often not protected well. I expect vandalism against internet-exposed ICS to become more and more common going forward. In most cases it doesn't really have the potential to cause permanent damage, only reduced productivity or mere irritation to the real operators. This is not always the case, though. Idaho National Laboratories conducted a notable demonstration of causing permanent and disabling damage to a diesel generator via unauthorized access to a SCADA interface (the Aurora demonstration).
Not saying VNC is to blame, but there are a number of folks very gravely concerned about the insecurity of most SCADA systems. When your infrastructure and operations are built on hardware and software expected to last 30+ years, it's hard to consider the security implications so far out.
Adding remote software control to physical things like water treatment and electrical systems adds a lot of convenience, safety, and saves loads of money but perhaps some of that savings should be spent on more vigilance in regards to security.
> And there is no shortage of people out there who would not think twice to blow things up.
From my observation, those people tend to be those that care more about doing "flashy" things (i.e. be seen), rather than solving problems and bypassing protections. People that get access to important systems or acquire the skills to mess things up tend to be satisfied by having solved a puzzle and being able to mess things up.
They can kidnap / recruit hackers and force them / brainwash them into doing anything.
They are not stupid and we saw they have no red lines. Instead of banning encryption the FBI and Interpol should force dangerous infrastructure to close their security gaps first.
Once I got in contact with him, this is the conversation we had:
1. I explain the critical situation
2. he pretends there's bad reception, asks for my number and quickly says 'I'll call you tomorrow'
3. I explain that I am not trying to sell him anything and that I spent 2 hours finding him to tell him how anyone can control his power plant
4. He nonchalantly ignores my warning and says "I have two power plants that you can control like this, nothing to worry about."
5. I try to explain that a LARGE group of people now know about his power plant and that I could guarantee that people will log in and tamper with it
6. "Hmm, it is really bad reception here right now, I'll call you tomorrow."
What the actual fuck!
People in Sweden made that joke as well. Kind of worried I will get in trouble legally because of this. If there are gonna be any issues with the dam, he will probably blame me. :(
That makes things like this a pretty bad idea. At least, in the US.
If the screenshots weren't reviewed - or, worse, hand-picked - by a human, but fetched in completely automated and unsupervised manner, then it's essentially the same as any other crawler bot (like Shodan or even Google/Bing) does. Connecting to random public services running on globally-routeable addresses and politely asking them what they do (then storing the result) can be argued to be perfectly legal.
EDIT: It looks like a pediatrician's practice too - so all those patients are children. And all their information is just out there in the open....this doctor needs to be contacted asap and secure their system.
This one synthesized characters from geometric decomposition (and not a completely artificial one either, but Cangjie which is actually widely used to this day for computer text entry).
The stored data representation exactly matched the input form (perhaps not so surprising to users of ASCII).
Does anyone know what exactly this is?: http://vncroulette.com/images/184.108.40.206.jpg
The worst one I've found so far is this
which appears to be controls for a small hydropower plant, also in Sweden.
A few other bad ones I spotted include lots of industrial refrigerators, small scale wind power (mainly German), an oil futures trading platform, a fire & gas alarm system control, and someone's Outlook open with some customer complaint emails.
Edit: oh, and there was a Tesco checkout register (although closed).
This seems like a French hydroelectric plant :/
Well, not any more I don't...
"Please secure your VNC!"
"Upgrade your VNC Server license in order to benefit from premium security features ..."
"An anonymous user has connected. Number of connected users: 1"
I'm glad this screen is sanitized regularly.
If somebody turned off the backup power supply of a hospital, that would be slightly less funny.
(Full disclosure: I am a native German speaker, so the concept of Schadenfreude is quite familiar... even though I try to refrain from enjoying others' misfortunes, unless they were really, really asking for it, for example by hooking up their shrimp warehouse's climate system to the Internet without even password protection...)
If we want to raise awareness of this issue, this might be an appropriate use of "won't somebody please think of the children".
Fryshus: Cold Storage
The horn button on this one is tempting. Not "go commit a felony" tempting, but still.
That one looks to have a root terminal open.
Poster above noted an implied SQL injection vulnerability in your site. Somewhat ironic, eh?
Couldn't get past that.
Meaning that this happened over years, if not decades, because admin A left and admin B was not informed that some box somewhere is serving up something for the general internet to see.
Note that doing this is a very good way to get angry letters from your ISP.
Apparently tons and tons of people!
Honestly, read-only public makes sense for that. What do I care if somebody can see the position of my overhead crane?
EDIT: Wow. I'm being modded into the basement. When did Hacker News become so PC? Victim-blaming? Seriously? The VNC connections illustrated on this site are that way because of incompetence and ignorance. The reason there are no unlocked brick-and-mortar businesses is because it is due diligence to protect one's assets from not just criminals, but simple mischief.
It breaks the HN guidelines to do this in comments here, so please don't.
Will modify future behaviour :)
No, there were days when people did not even lock their cars and their houses (but maybe you are too young to have known that time where you live) because it was not expected that anyone would actually rob anything. Especially in communities where everyone knew everyone else. And if a robbery happened, the blame would still have been put on the thief, not the owner.
Such situations rely on mutual trust, and only work on small scales (village, loose neighborhood). On the Internet, there are billions of people that live close by.
I think the main discrepancy is that people really do not understand either that the Internet connects them to everyone or how vast the world really is.
There still are such days. There are still thousands of communities, even in California, where you can get away with this. The difference is not time but population density. There was probably never a time when you could leave your home unlocked and unguarded in urban cities.
There was, and not so long ago (e.g. 40 years ago in Portugal or Poland; probably many other countries). So I would change your statement:
The difference is not time but population density and especially politics/religion.
The burden and responsibility to protect my home is mine. This isn't an either/or as to who to blame, it's a both/and. So back to the link. If you have a high-value service like an electrical grid, or dam, or nuclear plant that is open to the Internet (the most crime-ridden neighbourhood on the planet), do you really honestly think the media's typical response of "hackers broke in to..." is the correct narrative?
Of course it isn't, but when did the media stop at that? Link bait and ad revenue are more tempting than integrity.
Freedom of press, monetization and responsibility - pick two.
If you go read Tektronix's instructions - their screenshots show "no authentication" selected.
This itself isn't really an issue, since the networks that we're connecting these to are isolated, inbound-only lab networks. We know that. Our lab admins know that. The network security guys know that. There are exceptions filed for the IPs of these devices.
However, if someone ever -changed- that network configuration and opened it up to the rest of the corporate network (or for some terrible reason, the internet), those scopes would be just as ripe for takedown as the stuff shown in TFA.
It just takes that small network change to enable something -else- to access the WWW (code download for security updates, anyone?) that exposes our other items on the network. In fact, I can think of several reasons why someone might expose a VNC:
1. Actual remote control -within- a facility, but the deployment guide probably says "use a secure network"
2. Someone wrote a cool Web GUI to "modernize" something, and used VNC (undocumented and poorly-configured) to pull off what they pulled off
3. Someone exposed a subnet to the internet to enable remote access for something -else- which was probably properly-secured, but happened to -also- expose the thing hosting the VNC server.
Meanwhile, in my tiny town in the States bike theft was basically the single most common form of crime, and I know of one house I would walk by every week that would openly have as many as half-a-dozen stolen bikes displayed for sale in their front yard.
A few years ago I watched a junkie go from bike to bike in a bike rack testing each lock to see if it would open easily. Right in plain view of everybody. When I confronted him he launched into some long and carefully rehearsed sob story about how his friend told him to come and get his bike but didn't know which one it was.
I don't think that it's population density as much as the shared culture of the place you live. I would have totally blamed myself if my bike wasn't there today, and I think it would be stupid to blame anyone else.
"Hi everyone, my bike is stolen last week. If you see it anywhere please text me! Thanks !"
That must have been an extremely long time ago: http://www.ancientresource.com/lots/roman/romankeys_locks.ht...
Well of course you don't; the robbers die while still crossing the perilous deserts and/or trying to avoid lethal wildlife.
Nope. I can tell there are still people alive these days who remember that this was still the case in most places of Western Europe.
When you have nothing worth stealing, it is not worth investing in security.
From the attacker's perspective something like a connected smart TV has extremely high value as a mechanism for further penetrating a network. Black boxes that no one can login to under normal circumstances are the perfect secret strongholds to maintain a persistent presence on any given network.
Now comes the Internet. It's a huge giga-city. Expect robbery, larceny, hacking, and more.
FWIW, crime rates have been monotonically decreasing for a long time.
Nope. This would never work. People don't understand how much of it works. Taking a day out of the year to explain / re-explain isn't going to do a single thing. Instead you need to make computer classes mandatory in K-12 and get people educated on how they work so they can understand the issues.
Take a topic you know absolutely nothing about. Let's say it's aerospace. Now every year we have an aerospace day to try and explain to you how various types of fan and jet engines work. You certainly wouldn't expect everyone to be able to handle fixing one after that one day, would you? Same with internet security.
> owner left the front door unlocked, people would rightfully put the onus mostly on the store owner.
So just because the store owner does something stupid you think most people would consider it his fault? That's...that's horrible. Yeah he possibly could have prevented it (though you don't actually know that as they could have broken in anyway; people don't just go up to stores at night to randomly test doors then go home).
I once had a lad declare that GitHub was stupid, because it locked out our IP for 5 minutes after the class tried to login to their accounts with at least half of them forgetting the strong passwords I insisted they use.
I watched a girl log into her vps by running her finger across the top row of her keyboard. When I insisted she change her password, she ran her finger across the keyboard in the opposite direction.
Many people know and understand basic security, they just don't care. They think they have nothing of worth losing, and so don't need to be secure. Even after I explained to the student that their vps could be used to mine bitcoin, fetch pornographic material or send out phishing emails, their attitude was very much - meh!
I'm all for educating people on these issues, but the true way to protect them from their own stupidity is to ensure that it is impossible for them to start up a vnc server without enforcing a strong password. Security by design will be even more important as iot becomes more prevalent.
tl;dr - You can't rely on users to protect themselves.
What is a 'strong password'? Minimum 12 characters, 2 symbols, 2 caps, 2 lower case? "1!qQaAzX2@wWsSxX" fits (and exceeds) those requirements.
Trying to enforce strong passwords doesn't work; people just make up new insecure passwords.
User-hurting policies like "Thou shalt have at least 2 symbols in thine password" are partly to blame.
And it's hard to enforce people not using phrases.
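As an added example (not code from the thread or from any VNC product), here is the composition rule described above checked side by side with a keyboard-walk check on the same string. The rule set (12+ characters, 2 symbols, 2 upper, 2 lower) and the sample password come from the comment; the US-layout key tables, the 4-key minimum run and the 50% threshold are this example's own assumptions. Unshifting the symbols and folding case reduces "1!qQaAzX2@wWsSxX" to the keys 1qazx2wsx, i.e. the 1qaz and 2wsx keyboard columns with each key typed twice, which is exactly the kind of pattern a wordlist rule set generates.

```python
"""Composition rules versus keyboard walks (added example, not from the thread).
The policy and the sample password are taken from the comment above; the
layout tables, the 4-key run length and the 50% threshold are assumptions."""
import string

# US layout: a shifted digit-row symbol maps back to the key that produced it.
SHIFTED_TO_BASE = dict(zip("!@#$%^&*()", "1234567890"))
# Straight runs of physical keys that wordlist generators enumerate.
KEY_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik,", "9ol.", "0p;/"]
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_SEQUENCES = KEY_COLUMNS + KEY_ROWS + [s[::-1] for s in KEY_COLUMNS + KEY_ROWS]


def meets_composition_rules(pw, min_len=12, min_symbols=2, min_upper=2, min_lower=2):
    """The policy from the comment: a length floor plus per-class minimums."""
    symbols = sum(c in string.punctuation for c in pw)
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    return (len(pw) >= min_len and symbols >= min_symbols
            and upper >= min_upper and lower >= min_lower)


def physical_keys(pw):
    """Reduce a password to the keys pressed: unshift symbols, fold case, and
    collapse the same key typed twice in a row ('1!' -> '1', 'qQ' -> 'q')."""
    keys = []
    for ch in pw:
        key = SHIFTED_TO_BASE.get(ch, ch.lower())
        if not keys or keys[-1] != key:
            keys.append(key)
    return "".join(keys)


def keyboard_walk_fraction(pw, min_run=4):
    """Fraction of pressed keys lying on straight keyboard runs of at least
    min_run keys. Greedy left to right, longest run first."""
    keys = physical_keys(pw)
    if not keys:
        return 0.0
    covered, i = 0, 0
    while i < len(keys):
        best = 0
        for run in range(len(keys) - i, min_run - 1, -1):
            chunk = keys[i:i + run]
            if any(chunk in seq for seq in KEY_SEQUENCES):
                best = run
                break
        if best:
            covered += best
            i += best
        else:
            i += 1
    return covered / len(keys)


def assess(pw, walk_threshold=0.5):
    """Both verdicts together; a keyboard walk is rejected even if the rules pass."""
    walk = keyboard_walk_fraction(pw)
    if walk >= walk_threshold:
        return "reject: keyboard walk (%s)" % physical_keys(pw)
    return "accept" if meets_composition_rules(pw) else "reject: composition rules"


if __name__ == "__main__":
    for pw in ["1!qQaAzX2@wWsSxX", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(repr(pw), "->", assess(pw))
```

The second check is deliberately crude (straight runs only, one layout); the point is that the composition rule accepts the string while a pattern check that mirrors what crackers actually try rejects it.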
People don't interact with jet engines, but they do interact with planes. And they're lectured about airplane safety every single time they get on a plane. So this might actually be an argument in favor of educating people about internet security.
Bottom line: please don't overuse analogies. They don't prove anything.
Actually, I'd expect a lot of increase in awareness of what the relevant issues are. No, I wouldn't expect someone exposed to aerospace day to be able to fix a jet engine. But they're much more likely to know what problems commonly occur and who can fix them.
The owner of the car can blame himself for forgetting to lock the car, the insurance won't blame anyone but won't pay for reparation, the justice system puts the blame on the thief but would not do much about it if it's petty.
And of course if it was a bank leaving bags of notes on an unlocked cabinet in the entrance, people would go bat-shit about irresponsible behavior on the banks side.
I feel that's how it would go for the online world as well.
When I get robbed: the robber hurt me, and I failed to protect myself. Failing to protect myself is not a social problem.
When my bank gets robbed: the robber hurt me and the bank, and the bank failed to protect me. The robber is at fault, and the bank is at fault for breaking its promise to me. That's a social problem.
Security is hard. Blaming the victim of a hack is pointless because usually you have no idea whether they did something wrong or if they were the target of a particularly clever attacker.
In the case of these large corps being hacked, they are 100% responsible, and for most of them we do know how they got hacked; it's usually through very humdrum (if organized) means.
1. You drive to a random address(es), accessible from the public premises (IP).
2. You knock on the door (TCP SYN).
3. Someone comes and opens it for you (TCP SYN+ACK).
4. You ask what's here (VNC handshake).
5. You're told it's a power plant or doctor's office or whatever (VNC frame data).
6. Sometimes the replies aren't fun, sometimes it's really weird - some pal seems to be willing to control a nuclear reactor for you, no questions asked.
7. You blog about your experience, including a conversation transcript.
It could be wrong to publicly announce (step 7) that there's a weird person in there (with full address details) that can do anything for you, as this can put others in danger. It's ethically unclear: it requires a human review and judgment (a robot can't tell if it's weird, so if data collection is fully automatic and unsupervised it becomes complicated), and even for humans it's probably not completely wrong to disclose, if done responsibly.
But just driving by and knocking on random doors asking what's there - it would be really weird to me if we said there is anything wrong with this.
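Steps 2 to 5 above, as they look on the wire, as an added example (not code from vncroulette.com, the thread, or any VNC project). Before any framebuffer data is sent, an RFB server announces its protocol version and then the security types it offers; security type 1 ("None") is the no-authentication case behind the screenshots. The parser below handles the 3.3 format (server picks one type, sent as a u32), the 3.7/3.8 format (a u8 count and list), and the refusal message. The byte strings in SAMPLES are constructed for this example, not captured from any real host; the `probe` function is the live variant and is not exercised offline.

```python
"""Decode the two server messages that open an RFB (VNC) session and report
whether the server offers a session with no authentication at all.
Added example; not code from vncroulette.com or any VNC implementation.
The SAMPLES below are constructed here, not captured from real hosts."""
import socket
import struct

# Security types from the RFB spec (RFC 6143 and the IANA registry).
SECURITY_TYPE_NAMES = {
    1: "None",                # no authentication: the vncroulette case
    2: "VNC Authentication",  # challenge/response on an 8-character password
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_version(banner):
    """ProtocolVersion is exactly 12 bytes: b'RFB xxx.yyy\\n'."""
    if (len(banner) != 12 or banner[:4] != b"RFB "
            or banner[7:8] != b"." or banner[11:12] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion: %r" % banner)
    return int(banner[4:7]), int(banner[8:11])


def _refusal_reason(data):
    """u32 length followed by the reason string (same layout in 3.3 and 3.8)."""
    (length,) = struct.unpack(">I", data[:4])
    return data[4:4 + length].decode("latin-1")


def parse_security(version, msg):
    """Return (offered_types, refusal_reason) for the second server message."""
    if version < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a big-endian u32;
        # 0 means the connection is refused and a reason follows.
        (chosen,) = struct.unpack(">I", msg[:4])
        return ([], _refusal_reason(msg[4:])) if chosen == 0 else ([chosen], None)
    # RFB 3.7/3.8: u8 count, then that many u8 types; count 0 means refused.
    count = msg[0]
    if count == 0:
        return [], _refusal_reason(msg[1:])
    if len(msg) < 1 + count:
        raise ValueError("truncated security-types list")
    return list(msg[1:1 + count]), None


def classify(banner, security_msg):
    """'open' if type 1 (None) is offered, otherwise 'authenticated' or 'refused'."""
    version = parse_version(banner)
    types, reason = parse_security(version, security_msg)
    if reason is not None:
        verdict = "refused"
    elif 1 in types:
        verdict = "open"
    else:
        verdict = "authenticated"
    return {
        "version": "%d.%d" % version,
        "types": [SECURITY_TYPE_NAMES.get(t, "type %d" % t) for t in types],
        "reason": reason,
        "verdict": verdict,
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def probe(host, port=5900, timeout=5.0):
    """Live variant, for hosts you are authorised to test: read the banner,
    echo the same version back, read the security message, and hang up
    without selecting a type, so nothing beyond step 4 in the thread happens."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)
        s.sendall(banner)
        security_msg = s.recv(1024)  # short message; one read is enough in practice
    return classify(banner, security_msg)


# Constructed handshakes, one per case the parser has to handle.
SAMPLES = {
    "open_3.8": (b"RFB 003.008\n", b"\x02\x01\x02"),       # None and VNC auth offered
    "auth_3.8": (b"RFB 003.008\n", b"\x01\x02"),           # VNC auth only
    "open_3.3": (b"RFB 003.003\n", b"\x00\x00\x00\x01"),   # server chose None
    "refused":  (b"RFB 003.008\n",
                 b"\x00" + struct.pack(">I", 26) + b"Too many security failures"),
}

if __name__ == "__main__":
    for name, (banner, msg) in SAMPLES.items():
        print(name, classify(banner, msg))
```

Note that "open" here means the server will accept a client that picks type 1; whether that client then gets keyboard and mouse input or only a view of the screen is decided later by the server's configuration, which is the read-only distinction discussed elsewhere in the thread.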
I think that unless you want to start conversation about what "blame" is, it's safer to use words describing strict logical causation instead. Unlike "blame", causation is objective and doesn't depend on morality.
Most home burglaries involve breaking a window or kicking in a door, which is why people say "locks just keep an honest man honest".
I can't remember what it's called but my insurance policy has a clause that I have to do what a "reasonable" person would do to secure my belongings.
Edit: After some additional research, people on message boards pointed out that many home invasions are done with lock-pick kits, or the burglar breaks a window and unlocks the door. Homes are often broken into without any damage to the lock or door, so the insurance company would never even know if you locked the door or not. It just doesn't come up in the investigation.
I also never leave my house unlocked, even when I'm inside.
Makes sense. I will conduct myself differently in the future. Cheers :)
Just awful! I tried to figure out what company it was and how I how to reach them, but nope, couldn't find anything..
This is why I just want to hide under a rock, since it is obvious that a lot of people don't know how to protect the data they have collected about me.
Many UIs for industrial control systems are very simple.
Ubuntu is more prevalent than I would have imagined.
Maybe there are more users on Linux who know how to set up a VNC server, or maybe some popular VNC package has bad security defaults?
The dates on the screenshots range from 31 December 2015 to 5 March 2016, with many at either the beginning or end of February.
The computer name of the hacker doing this also appears to be "want.some.vodka".
Later, I added stuff like attempting AXFR zone transfers, which was interesting, and I came across some university that apparently had no firewalls in place whatsoever.
I found a few devices with open telnet ports, mostly printers. I remember clearly the thrill I felt when I realized I could make this printer refuse any print jobs or remove jobs from its queue.
I also found a few devices I had no clue about. The latter were the ones I found most fascinating, although I never took the trouble to research what those devices might have been. I suspect, though, that nowadays there must be a whole lot more of such devices around, with IoT and all that.
(My scanner never looked at VNC or RDP, though... This site makes me wish I had thought of that.)
OK, this looks like a system that really shouldn't have a security flaw like this
"Upgrade your VNC server license in order to benefit from premium security features and performance enhancements."
* Removed the link to the screenshot
(I'm obsessed with this)
Then using a VNC client in the same way would fall under the same legal purview. I think as long as there is no interaction to carry out functions, or attempt password/username combos, then it's fair game.
Browsing to an address with your browser is like checking to see whether a shop on main street is open right now. Attempting to connect to an address with VNC is more akin to walking around the back of a house and checking if the rear door is locked or not.