Hacker News new | comments | ask | show | jobs | submit login
I scanned Austria (blog.haschek.at)
326 points by mpweiher 12 days ago | hide | past | web | favorite | 67 comments

This was a really interesting idea and inspired me to do something similar. I had some Shodan credits from a Humble Bundle, so searched for all servers on port 80 in my city. Then I wrote a very simple Python program to screenshot each of those (using wkhtmltoimage), with 20 concurrent threads.

I didn't stitch the images together and didn't try to login to any of the sites (that would be crossing a line, and simply mapping geographically local, public servers seems harmless). Just flicking through the 7,000-ish screenshots has been pretty fun.

Lots and lots of:

- router admin panels on the WAN interface. Loads of different brands and models

- DVR and NAS units

- HikVision CCTV (like, hundreds of these - I wonder if they're being used at local hospitals or city centre surveillance by the police)

- IIS servers (especially IIS 7)

- 403s (mostly with the IIS default template)

- University department and team websites (there are a few universities in my city so there are lots of these)

Some weird and wonderful personal websites. Lots of one-line jokes just to fill a space on a public server, presumably. A few wikis.

Overall it's been really fun looking at all the servers that are public but just not really indexed, physically surrounding me.

I once found a control panel for a power plant in the megawatt range in a neighbour country. I don't know exactly how powerful since no sane person would start clicking around, but there was easy access to maintenance things.

I called the Swedish government agency responsible for the same thing in Sweden and was quickly escalated and ended up with someone who knew what they were talking about. Hours later the page was down.

I suspect this was the correct path since having a foreign national calling about "hacking" a mw power plant might have ended with me in trouble.

Similarly I did come across some water treatment plant SCADA panels in another country because I didn't limit my Shodan query to my own country. Turns out my city's name exists in another country where there are a bunch of exposed SCADA systems with web interfaces... I didn't touch anything but it doesn't seem very safe.

It does raise the issue of responsible disclosure. I've approached companies in the past after identifying security flaws and had the whole range of responses. Thanks for telling us, we'll take it from here. Let us reward you for telling us. Let us sue you for hacking us... Now it's safer, if less socially responsible, to stay quiet. ️

HikVision has been really popular with old-school analog CCTV installers, so odds are it's one very large deployment, or one/a few companies all using HV.

That's interesting! There is a HikVision office in town too. Thinking about the possible deployment scenarios, you're probably right. Municipal project, hospitals, even a large supermarket chain with 20+ cameras per store. I was just surprised by the sheer volume. I reckon if I compile some stats it'll be one of the most popular devices in the city. That and Alien DVR. Hundreds of those too.

I'm surprised so many of these at internet connected, with their own public IP. No NAT, no VPN, no firewall. I'd expect that on one-off DIY deployments at grocery stores but this was pretty surprising.

I think soon or later we will need some kind of public institution that will do this sort of scans; all those unsecured IoT printers, vacuum cleaners, fridges, abandoned servers, Synology servers, etc. would become a real threat at some point and the costs of dealing with issues caused by them like identity theft, false accusations because on someone's server there is child porn uploaded by a cracker, bot nets will be more costly than having some institution running routine scans and sending warnings.

In germany the federal bureau of security in IT actually does that. They send the admins an email: https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/CERT-...

Actually I once got a mail by them, forwarded via several intermediate admins in a university network. It was an information about a public reachable DNS server on my server. Nowadays, this can be abused for DNS replay attacks or so. What a pity. Things where so easy 20 years ago.

Japan is doing this: https://www.zdnet.com/article/japanese-government-plans-to-h...

In the US, DHS does this for the federal government, as well as some state and private organizations: https://www.us-cert.gov/resources/ncats

What's the best way to self scan? I recently bought a wifi camera and digging through the settings I couldn't find a way to block external access. Ultimately I had to block is access via my router, however consumer models are terrible about blocking access to the internet.

Phone a friend! Go to a friend's house and run nmap (zenmap for a GUI if you like, https://nmap.org/download.html most common OSs supported). Do the same for them in return.

You might also like to explore this: https://www.shodan.io/ and if you have some time on your hands this: https://www.kali.org/

Most consumer routers will by default block a connection _from_ the Internet. They use a private address range and apply NAT to outgoing connections, so explicit configuration is needed to do something with an incoming connection.

Well. UPnP does end up being supported on many consumer routers.

The big issue for consumer routers is, admittedly, the shoddy quality of the firmware and the fact that even on the occasion where vulnerabilities are fixed, those releases often do not get installed.

And that is why they implement UPnP to punch holes through it to avoid users having to manually configure routers.

Say it with me

NAT Is Not A Firewall

I believe you, but I have little expertise. Could you explain or give examples why?

Some people would state "this box is not on the internet" while it actually is only behind nat. As soon as you have two such boxes being able to communicate, for instance "two laptops playing online together" you realize they ARE on the internet. With home-routers allowing UPNP and such things, its even more open than that.

So the general idea that things will be safe from being behind nat is more or less wrong, unless you have 100% control over all possible traffic generated from the inner host(s), at which point you could have had it without firewall more or less. Will your robo-hover never phone home, never look for tuesday patches, java updates, OTA firmwares or talk to some license server or whatever? Then nat is ok, but if any of this can happen in some situation, then it is "on the internet" even if it started out behind nat.

It moves a machine along the scale from unreachable closer to unprotected-and-exposed-to-everything even if it's not all the way there.

Unfortunately thats the opposite of my experience with the camera

If only the NSA dragnet threw us a bone.

it's like getting your kids vaccinated

We don't need public institutions. It's the responsibility of ISPs to prevent security problems, spam zombie servers/appliances etc. in their networks, so they should perform these scans and warn first, then disconnect customers with problematic devices.

I like the distributed spirit of this, but it only works where there is another layer holding the ISPs accountable - whether it's other ISPs or a government body. Right now their incentives are only to satisfy customers' perceived needs, which leaves nobody incentivized to prevent endpoint-to-endpoint harm.

But the ISPs are not held responsible. They can externalize costs to society, and so they do so - because that is what capitalism mandates. Without an institution that puts those costs back where they belong, nothing will change, because it is cheaper not to change.

I'd recommend reading up on the Cuyahoga River, the Clean Water Act, and the formation of the EPA - it's pretty much the same problem. Industry creating problems by abdicating its responsibility, necessitating a legal solution. And enforcing that requires a public institution.

Charge per device access? And those devices need certificates of worthiness similar to cars MOT certificates (UK example)

An interesting idea.

What is the minimum viable "superhighway-fitness" of a device?

I scanned public writable ftps for months back between 97-99 to distribute warez. I Think it was those gov ranges that cost me the relationship with a few ISPs.

Tell us more (I love to hear things about the wares days).

This was for fxp sites. I was a mod on a fxp board. We would make locked directories eg with deep paths and Lots of Whitespace that ftp clients couldent handle easy and Hence not Enter without knowing the tricks. Also using reserved Windows names like aux would prevent owner to delete or even crash his server trying anything. Later came tricks like undeletable files as different sites would fight over the same ftps. I did however find a way to make the undeletable files 0 bytes to reclaim space. Later we just started to hack servers and install our own protecteed ftp server but by that time i has moved into the Real scene and running multi TB top rated sites in unis in US, netherlands and Korea with affiliation to top traders and release groups. Thats how my programming interrest started being the guy who set up glftpd servers and bots for IRC. After a few big FBI operations in 99 and 2001 i had enough excitement and left the scene.

Here is a pretty good explaination of how it worked. https://www.reddit.com/r/CrackWatch/comments/92uz49/the_ware... I have No idea how it is today but back then it was pretty organised. We would have people funding eg a university apartment and servers and paying for eg 10x100mbit we would Bond or Having direct access to oc connections just so they could get leech.

What it doesnt explain is that this was very hard work to be eg a trader for top sites near impossible to even get access to one. You would work 8-16 hours a day to always be ready for a release and then when a release hit your Heartrate would double as you rushed to transfer files to the sites the allowed it All of Whom had hundreds of rules and Which you had to know by heart as the races on the Best sites were over in less than a minute and you would be lucky to transfer 5x15mb rar. 20-30 times a day you would have this short but intense moment. If your group dident perform Well it would be changed for another as top groups were rated against eachother. It became an addiction. Getting into building sites was much better for my health.

I'm pretty sure that today all trading is automated. And the quality of releases have also gone (relatively) down - for movies good P2P is better than any scene pre.

It would make sense. Taking on good groups was nessasary to build a good rated site but it was up to the groups to hand out the slots and you never knew who you were really dealing with. It could be FBI or some hacker. There was however scriptet ftp clients but even though they were known many places had a ban on them and did a client not obey site rules then too many nukes or banned content would get them kicked off sites.

BTW, nowadays it seems the power is held at least by some degree by the nukenets

I remember the 2001 busts. I was in college at the time and a friend of mine was busted as a part of it. I don't think they took any legal action, just confiscated his hardware.

Not OP but I did some stuff as a kid.

On the script kiddie level, you had different options. The easiest was simply scanning for public FTPs and IIS IPs and posting those in the member section of whatever forum you were a member of (or in public to get that access). The next level was using checking them for vulnerabilities (or in the case of FTPs checking if you had anonymous write access), those lists obviously were worth more. The higher level people would have their high-end servers (usually hacked, fast internet was expensive) and would use server to server transfer to go from their high-value FTP to some lower value ftp or IIS server for normal people to download from.

I always enjoyed seeing how quickly the warez puppies would arrive when a clueless sysadmin put up a world-writable anonymous FTP server. Like moth to flame they would come.

great work. Pretty sure you can find a lot more scary stuff online by looking for IoT (CoAP, MQTT, etc).

There was a rather scary talk by Lukas Lundgren at defcon 2016 on unauthenticated MQTT[0][1] ... the things he found exposed were just insane. He also used MASSCAN[2], a phenomenal tool, which isn't just useful to probe endpoints but also to actually send payloads (with all its performance/speed benefits).

[0] https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20pre...

[1] https://www.youtube.com/watch?v=o7qDVZr0t2c

[2] https://github.com/robertdavidgraham/masscan

Shodan indexes both MQTT and CoAP if you want to see the current exposure for those protocols:



It's amazing to me just how much of "security" is an illusion, random happenstance, and just being really lucky.

Considering how open, exploitable devices like this represent a significant public risk from their ability to be used to launch attacks on others, it would seem that it is high time for public regulation bureaus with the authority to issue shutdown notices and in extreme cases sequester non-compliant systems. We have radio broadcast regulators that will come physically to a pirate radio station and shut it down. We have registration and inspection systems for vehicles running on public roads to ensure a minimum safety standard. We need to do the same for the public information network.

For the screenshot collage, the author might have wanted to compare the screenshots and double the size of one of them appeared four times, etc. Similar page would pop-out a bit more (there seem to be quite a few).

Webcam with an Orwellian sense of humor. https://www.insecam.org/en/view/638839/

Not loading for me. I'm guessing it was overwhelmed by your comment?

It was overlayed with a giant ASCII-art styled to write "1984".

It looks like a lot of the webcams just went down on the first few pages of that https://www.insecam.org site. Probably the HN affect giving the back some privacy.

Exposed (Open/NoAuth) Databases in Austria: MongoDB: 26 ElasticSearch: 14 Memcached: 4 Redis: 6

Others: Synology DiskStation NAS ftpd: 299

What's the best way to inform owner of unsecured device about vulnerabilities and simple ways to fix them? On printers one could just print out a message, but what about webcams or home automation systems?

I wouldn't do anything myself, too risky. Printing on somebody's else printer could get me sued.

What about a state level authority doing this scans, contacting owners, maybe even fining them? That would be like authorities for food safety, etc. It would put pressure on manufacturers because people don't want to buy things that get their owners fined.

What's the reasoning for fining someone for leaving stuff available? Should self-hosting a site be made illegal? If not, how do you distinguish the two?

Unsecured cameras, internet facing lights, etc. It's not like leaving the home door open, which harms only me. Those devices can be used to harm others. IMHO fines for customers will lead to more secure devices, by design.

Ooooo and we can fine them for leaving doors unlocked, and for not being inside after curfew!

I explicitly wrote this is not the case.

The 100% legal route would be to whois the IP address and send the contact an email; presumably they can identify a user and pass it on.

Slightly off topic, but I noticed it in the article. You can run "wc" directly, you don't need to pipe from cat. Especially since cat on any sufficiently large file takes quite a while.

It's sometimes easier when you're composing command lines: `cat foo | bar` is easier to transform into `cat foo | baz` (esp. when foo or bar are rather long).

Also, piping doesn't mean that cat does all its work and only then will it be passed into wc, cat only acts as a rather tiny buffer.

Just get into the habit of typing < foo bar which is then easier to edit to < foo baz | grep hamspam.

Wc will give you filename, if you only need number use cat first.

<filename wc

Y'all should try to scan a large subnet of an ISP with lots of corporate clients. You can't imagine how many open (as in r/w access) KNX systems you'll find. Lights, doors, fire alarms, cameras, thermostats, speaker systems, displays, HVACs and shutters.

There are too many to responsibly disclose to the parties affected. Some buildings are so connected one could cause quite a havoc.

This actually gave me an idea of doing the same in the neighbouring Switzerland, thanks!

I see this as progress. I would imagine that an exercise like this done a decade ago would be much worse.

It's actually getting worse in some ways. We've tracked industrial control systems connected to the Internet for nearly 10 years now and the number of them has only ever increased. We're seeing a 10% YoY growth in exposure for ICS devices despite news coverage, security research etc.

you can also checkout app.binaryedge.io for more data like this from other countries! it's crazy the amount of stuff that is out there. to me the most baffling is still the amount of DBs with customer information on 'em

For an overview of Internet exposure by country I created a bunch of dashboards, including Austria:


This looks really cool, and would probably be cooler if I could understand what is going on here.

What exactly are the columns 1 and 2 in csv file?

There are more Zope servers than IIS servers!

Site is offline for me - server not found

mb != MB, regarding the screenshot.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact