Botnet Uses Default Passwords To Conduct "Internet Census 2012"
An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the entire IPv4 address space."
From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."
267 months in federal prison?
All data gathered during our research is released into the public domain for further study
More like: All data gathered during our research is released into the public domain for further getting the researchers arrested for unauthorized access and usage of computer systems. It adds up to almost 1 million years in prison if it's under current US law (I used that high school teacher who loaded a Folding@home calculating screen saver onto all school computers as a rough basis for the math. He was on the hook for like 300 years in prison).
I don't know if it's hilarious or frightening that they did this with default words. I *do* wonder if they're going to get into some trouble for doing this tho. You could make some serious money off a botnet like that.
C|N>K
Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed.
They're so going to jail.
This Space Intentionally Left Blank
Thanks for your test of the internet devices. Although I do not know what this means we have been able to determine that you have committed several criminal acts, and should expect at least a few years of jail time. Don't worry though, it's all for the greater good.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
"Anonymous researcher" indeed.
If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world), he wouldn't be called an "anonymous researcher", he'd be called a "mad scientist".
And how do you know he didn't conduct these scans from his underground lair? For all we know, he may even own a Persian cat!
John
Slashdot "editors".
Otherwise, this seems even more blatant than the case a few days ago: 41 Months In Prison For Man Who Leaked AT&T iPad Email Addresses. And these guys actually cracked passwords; despite them being trivial defaults, that still crossed over a legal line.
Man, some people are a paranoid bunch. If someone leaves a flyer on my door that says "You had 2 open windows and one unlocked door", and a similar flyer is on everyone's door, I'll actually thank the good Samaritan. If I see someone looking at doors and windows, taking notes, then putting a flyer on my door, I'll ask him what he's doing, why, and find out what he's actually up to. If he's friendly and forthcoming, I'll thank him and send him on his way. If he's belligerent, then maybe I'll start to consider self-defense.
But to shoot someone just because they are walking around the neighborhood, surveying every house? Yeah, the US doesn't have a gun problem. We have a response problem.
Those who can, do. Those who can't, sue.
I don't like the idea of someone going around testing all of these devices any better than I like the idea of some guy going around my neighborhood checking to see if all the doors and windows are locked.
Ah, the ostrich plan. Don't run away; don't protect yourself; just stick your head in the sand, or put on the Beeblebrox safety glasses.
If he can do this, *please* imagine what a true black hat could do with it. FFS!!!111
BTW, seeing if a doorknob turns != opening the door.
"Tongue tied and twisted, just an Earth bound misfit
If no actual harm was done then chasing after the researchers for prosecution is a waste of public money in my opinion, speaking as a tax payer.
And I mean actual harm, not the made-up harm of "unlawful use of computer equipment" or similar ones which are just infringements in principle, without actual harm done.
There are so many really bad guys out there to chase that this researcher should be way down on the priority list for enforcement, or using a bit of commonsense, not on it at all. And if he is identified then all he really deserves is a rap across the knuckles just for being unethical.
The FBI only cares if you embarrass a major campaign contributor. E.g. AT&T is the largest campaign contributor in the country, beating out even Goldman Sachs.
Or if you use BitTorrent for completely lawful purposes.
http://yetanotherpoliticalrant.blogspot.com
Postings all go about how this is illegal and not about the technical situation.
It is sad times when people are more worried about the legal threat and ruining their lives and not about the technical implications.
How many people do not dare to bring solutions because they might be punished?
Don't fight for your country, if your country does not fight for you.
"After a reboot the device was back in its original state including weak or no password with none of our binaries or data stored on the device anymore."
How do you calculate damages for lost uptime?
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
While I personally support this kind of research,
The author is presumably an academic or industry professional (based on the formatting). As such, he knew what he was doing was illegal and had a significantly detrimental effect on low-resource systems. Furthermore, he can't blame a conviction on over-zealous prosecution or recent anti-hacker sentiment because he's obviously emulating Robert Morris (who received three years jail time for the Morris worm - convicted in 1990).
I also question how useful his scientific contribution is. While arguably more complete than other sources of data, there are a multitude of other projects offering data of similar (if not better) accuracy.
Which is why I always use admin/root for username and password on my systems. You'd think these people would learn not to be so careless. :-)
Is it just my observation, or are there way too many stupid people in the world?
+ lots of smart meters, etc. I imagine.
Very nice work. The article is well written too.
Have a team go door-to-door during working hours, when most people are not home. If they find an empty house with an unlocked door, go inside and use the phone to call a bunch of people and conduct your research. As long as you publish the addresses of all of the houses for academic purposes, nobody should mind.
If I see someone looking at doors and windows, taking notes, then putting a flyer on my door, I'll ask him what he's doing, why, and find out what he's actually up to.
He's a double glazing salesman. Shoot first!
Watch this Heartland Institute video
I mean it should be possible to create a system that emulates an "open" server, but when a hacker opens up a connection and tries to upload or download data, then fire off a counter measure that will cripple the hacker's system?
I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?
I can't believe that hackers are that smart as to outwit servers attempting to back-deploy payloads onto their systems, or even could block a counter attack. I mean with the mentioned botnet hack, it would seem pretty easy that if it "broke" into an unprotected server that server could send back a crippling packet or something. The botnet is running a service that scans and returns data so the violated server should be able to exploit that and dump terabytes of garbage data back to cripple the botnet. A Denial of Hack.
Actually if I was an active hacker I would rather enjoy luring other hackers to my "unprotected" servers only to f**k with them and mess up their systems.
I haven't thought of anything clever to put here, but then again most of you haven't either.
If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world) ...
What "infection" did this researcher transmit to his "victims"? Isn't this more like someone offering free susceptibility tests? They're on the net, meaning they're open to the offer. The net's always a potentially dangerous place if you're connected to it. Researcher tests to see if they're in any way vulnerable. Shazam, they are. Where's the story?
"Tongue tied and twisted, just an Earth bound misfit
Way to go xkcd, you've been referenced in a legitimate research paper!
To get a visual overview of ICMP records we converted the one-dimensional, 32-bit IP addresses into two dimensions using a Hilbert Curve, inspired by xkcd.
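The Hilbert-curve mapping the quoted paper describes, as an added example that is not code from the paper or from the poster: it places an IPv4 address's leading bits on a square grid so that numerically adjacent addresses land in adjacent cells, which is what makes the xkcd-style map readable. The function names and the sample addresses are my own.

```python
import ipaddress


def hilbert_d2xy(order: int, d: int) -> tuple[int, int]:
    """Map distance d along a Hilbert curve of the given order to grid (x, y).

    The grid has side 2**order, so d ranges over 0 .. 4**order - 1.  This is the
    classic iterative construction: at each scale s, pick the quadrant from two
    bits of d, then rotate/flip the partial result so the sub-curves join up.
    """
    n = 1 << order
    if not 0 <= d < n * n:
        raise ValueError("d out of range for this curve order")
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t >> 1)        # which half horizontally
        ry = 1 & (t ^ rx)        # which half vertically
        if ry == 0:
            if rx == 1:          # flip the quadrant through its centre
                x = s - 1 - x
                y = s - 1 - y
            x, y = y, x          # then transpose it
        x += s * rx
        y += s * ry
        t >>= 2
        s <<= 1
    return x, y


def ip_to_hilbert(ip: str, prefix_bits: int = 32) -> tuple[int, int]:
    """Place an IPv4 address on a Hilbert grid using its leading prefix_bits bits.

    prefix_bits must be even so the grid is square: 8 gives the 16x16 grid of /8
    blocks used by the xkcd-style map, 32 gives a 65536x65536 grid of single hosts.
    """
    if prefix_bits % 2 or not 0 < prefix_bits <= 32:
        raise ValueError("prefix_bits must be even and between 2 and 32")
    addr = int(ipaddress.IPv4Address(ip))
    d = addr >> (32 - prefix_bits)
    return hilbert_d2xy(prefix_bits // 2, d)


def curve_is_continuous(order: int) -> bool:
    """Check the locality property: consecutive d values land in adjacent cells."""
    prev = hilbert_d2xy(order, 0)
    for d in range(1, 4 ** order):
        cur = hilbert_d2xy(order, d)
        if abs(cur[0] - prev[0]) + abs(cur[1] - prev[1]) != 1:
            return False
        prev = cur
    return True


def render_slash8_map(ips: list[str]) -> list[str]:
    """Render a 16x16 text map of /8 blocks, marking blocks that contain an address."""
    size = 16
    grid = [["." for _ in range(size)] for _ in range(size)]
    for ip in ips:
        x, y = ip_to_hilbert(ip, 8)
        grid[y][x] = "#"
    # Row y == 0 is drawn at the bottom, as on a conventional plot.
    return ["".join(row) for row in reversed(grid)]


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses plus two private ones.
    sample = ["192.0.2.1", "198.51.100.7", "203.0.113.9", "10.0.0.1", "172.16.0.1"]
    for ip in sample:
        print(ip, "-> /8 cell", ip_to_hilbert(ip, 8), "host cell", ip_to_hilbert(ip))
    print("\n".join(render_slash8_map(sample)))
```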
They did slightly more than look to see what was open. This is more like, "you had 2 open windows and one unlocked door, so I left some yogurt in your fridge and took pictures of your wife while she was sleeping. I will be posting the pictures to the world as proof, you are welcome for the yogurt. Enjoy!"
This wasn't a simple port scan. I RTFA, so let me help you out.
He ( there is no They or We, read the end of the article ) compromised devices and uploaded his own code. He was 'nice' about it, in the sense he set the priority to 'NICE' and he put in some watchdogs and throttled bandwidth usage. He then used those compromised devices to further utilize other devices to do even more work ( like using your Router HTTP interface to execute Traceroute on his behalf, possibly inside your network ).
For the vast majority of the IP's he just NMAP/ICMP sure, that's nothing these days. For the half a million devices he turned into his own bot net.... that's illegal.
Also, he then released all the data. You could say that's good, or you can say that as a script kiddie, all I have to do is d/l that torrent to get a list of IP's that run a version/flavor that I have a 0day on. No more need to scan the net myself.
This is going to accelerate bot net growth. That may be good, maybe we'll finally figure out some way to detach/block IP's that fail to patch.
-Malakai
A Dragon Lives in my Garage
Since testing doors and windows requires trespassing... Besides, I am allowed to leave my door unlocked and still have the expectation of random people not opening it.
He uploaded a binary to 'insecure' devices, to run his code and build his own 'ethical' botnet.
This isn't just checking ports and default logins and reporting back.
-Malakai
A Dragon Lives in my Garage
I have to disagree with you on this....
First of all, I'm not sure there's really that much useful gained from such a project? An Internet Census for 2012 made with questionable code loaded onto all sorts of devices in unknown states without anyone's permission? How much validity can I put into those results? (How many devices didn't perform as intended while doing the port scans due to all sorts of possibilities outside the control of the people doing this research? Anything from people having firewalls blocking results from coming back on some of them to people realizing something was wrong when their bandwidth was consumed for no known reason and shutting the devices down would affect the information.....)
Beyond that, it's not even something all that original.... Plenty of people have attempted to estimate the number of IP addresses in use and who has which IP blocks, etc. Plenty more have looked at all of these studies, shrugged, and said "Who cares?" After all, the Internet is so dynamic, any tallies taken are but mere snapshots in time of a rapidly changing landscape. How many people will it really affect to know the approximate number of users/devices out there as long as they know it numbers in the "many millions" or more?
I'm pretty sure this story is a very elaborate piece of fiction. That makes way more sense than somebody clearly so smart going to so much trouble to earn themselves a life sentence in prison.
Maybe last year we could expect someone to do this for real, but not this post-1/11 world.
The only result I can see from this guy's "research" is to announce to the world the existence of a low barrier to entry DDOS platform.
What could possibly go wrong...
I'm tired of seeing people jailed who are curious about security. But he needs a clue. Guys like this are why I expect Bill Joy wrote his treatise. One man's Epic h4ck is another man's Epic FAIL.
Of course his ethics are canted at an angle to reality, but if he had just gone a bit farther off the deep end and actually fixed all the password vulnerabilities he might have made history. Not that I am recommending anyone do it.
Except he did not activate any webcams or gather any data beyond what ports were available and whether he was able to install his rootkit. Why didn't you extend the analogy even further to raping my daughters and defecating in my bed? I mean, why not go all out in the attempt to generate an emotional response to a completely unrelated problem? Does your post also mean that you would shoot the writer of this study, if you found out who he was?
And I feel again confirmed that the US doesn't have a gun problem, but a response problem: you conflate one thing with something vastly different, then determine response based on the emotional reaction you have to the vastly different thing.
Those who can, do. Those who can't, sue.
Windows machines compromised via remote exploits in Windows: Windows sucks!
Windows machines compromised via stupid users who install anything? Windows users suck!
Linux machines compromised via default passwords: Administrators suck!
Go green: turn off your refrigerator.
The end-result was a list of ports that I may have open on my router/computers. Yes, the process used was illegal. Big fucking deal, so are a lot of things that are ok among civilized people. See for example betting on sports. But there was zero impact while his scan was on-going, and there was zero footprint left behind.
As for your comment that now a script kiddie has a list of unsecured IPs: that's my problem if my IP is on that list. He did a trivial scan, and if I take my security seriously, I should not be on there. If anything, it should be a test whether I can even talk about security in my own house, and I should be thankful for it.
Was it all clear, and would I have liked to get a heads-up? Sure. But if he did find my network, it's an incentive for me to take a closer look at security. Not to shoot the guy.
Those who can, do. Those who can't, sue.
But should you shoot anybody who opens your door? Every time? Think carefully about it.
Those who can, do. Those who can't, sue.
What should the punishment be? A fine? Prison? Banned from the Internet?
He should be punished. Jail time is expensive for the taxpayers and harsh for somebody who, however misguided, was trying not to hurt anybody. I would suggest lots of community service.
Go green: turn off your refrigerator.
Ostriches do not stick their heads in sand or ever try to simply ignore danger.
Ostriches are not cowardly, they will definitely put up a fight when they believe they have a good chance of winning. If you have ever seen an ostrich close up, you probably realize that they are big-ass birds that could easily wipe the floor with a good percentage of other creatures in the animal kingdom. If they encounter a situation that they cannot mitigate, however, then they will run away... being exceptionally good at it (they are the fastest running creature on two legs).
If, and only if, they have nowhere to run to, and they cannot mitigate the danger themselves, then they will lie very still, presumably in the hope that they will be ignored. They do not pretend that the danger is not there, however... and will generally resort to fleeing at the first opportunity. Their practice of lying still is where the myth that they stick their head in the sand comes from, and it's ironic that what is actually a very atypical behavior for that type of bird ever got to be somehow associated as something that they generally practice.
File under 'M' for 'Manic ranting'
Home routers with factory defaults (linksys, netgear, etc)? Something else? Like single board computers in the desert collecting rainfall data?
TFA:
The vast majority of all unprotected devices are consumer routers or set-top boxes which can be found in groups of thousands of devices. A group consists of machines that have the same CPU and the same amount of RAM. However, there are many small groups of machines that are only available a few to a few hundred times. We took a closer look at some of those devices to see what their purpose might be and quickly found IPSec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment and so on. We decided to completely ignore all traffic going through the devices and everything behind the routers. This implies no arp, dhcp statistics, no monitoring or counting of traffic, no port scanning of LAN devices and no playing around with all the fun things that might be waiting in the local networks.
As I (cursorily) read it, they're targeting MIPS-based devices for the botnet.
I am not a crackpot.
Oddly there are plenty of houses with no front garden... Not to mention people are generally allowed (and expected) to walk up to a door and then politely knock. Just not actually turn the handle.
If you did it in the dead of night... then yes. I might shoot you. The OP did not say you would get shot every time, but that you run the risk of getting shot.
I see a lot of people complaining about the actions of the researcher, but what about the actions of the manufacturer? If Medeco made a lock that had the equivalent of "admin/admin telnet" on it, they'd be strung up. I'm not saying the researcher is not responsible for his actions, however putting all the blame on him isn't reasonable either.
Join the Slashcott! Feb 10 thru Feb 17!
Why didn't you extend the analogy even further to cyber-raping my daughters and cyber-defecating in my bed? I mean, why not go all out in the attempt to generate an emotional response to a completely unrelated problem?
FTFY
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
If all he did was see if the doorknob turned, then how is it he turned it into a botnet?
He should have to, at his own expense, visit each individual whose equipment he accessed and apologize as well as explain to whatever technical detail they desire exactly what he did with their equipment. Plus he should have to pay any incurred costs from his access. And he should have to do this beginning now and engage in continuous effort and not do anything else -- beyond the fundamental tasks of living (eat/sleep/crap) -- until he is done.
Fundamentally accessing someone's property without their consent is harm. Even if, by your own estimates, you cause no harm.
Better than second-world countries, where they forbid possession of weapons.
Doesn't the ostrich plan involve leaving your rear end out in the open while keeping your eyes unawares of who's raping you from behind?
And you're already bent over presenting. Enjoy. Hum God Save The Queen if it helps.
"Tongue tied and twisted, just an Earth bound misfit
He uploaded a binary to 'insecure' devices ...
Ah. I'll take a slap to the back of the head for not RTFA or understanding the summary. /. SOP bites again. Thx.
"Tongue tied and twisted, just an Earth bound misfit
You insensitive clod! Depending on where you live, double glazing can decrease your power bill and the country's carbon emissions by a lot.
Expanding on that...
Seeing how the internet is more of a virtual thing, I think the physical location of the router is not relevant in this case. Having a router unsecured is like leaving a box of cookies on the sidewalk, in the middle of town. Folks can't get upset when someone has a look at the contents of the box. The 'intruder' has no idea where the router is physically located.
It's like the following differences...
1) Someone peeking into your window.
2) You standing naked in front of your window.
3) You standing naked in town.
The unsecured router would be 3 more so than 2, definitely not 1. :)
The government which is strong enough to protect you from everything is strong enough to take everything from you.
Ostriches do not stick their heads in sand or ever try to simply ignore danger.
Actually, I knew all of that, but the concept is what I was trying to use. Blame the Brits for not understanding what they were seeing. Perhaps that's akin to racism or stereotyping of some kind. I applaud your eloquent defence of that mighty bird (or dinosaur remnant, whatever :-).
"Tongue tied and twisted, just an Earth bound misfit
But but but, he BROKE the RULES!
"When information is power, privacy is freedom" - Jah-Wren Ryel
BTW, seeing if a doorknob turns != opening the door.
Note, I've since been educated to the fact that he UL'd a binary. I missed that.
If all he did was see if the doorknob turned, then how is it he turned it into a botnet?
Interesting question.
For example (no cars, sorry), if I embed a URL in my /. .sig that goes to a malicious iframe (or whatever), did I do anything wrong? I didn't ask anyone to click on it. If that URL adds them to a botnet, was that really my fault? They chose to click on it. I just stuck it out there offering it to them, and *everyone knows* that clicking on that sort of thing is anathema, right? Who's more guilty: the fraudster, or the too greedy mark?
"Tongue tied and twisted, just an Earth bound misfit
Better that than taking pictures of my fridge and leaving yogurt in my sleeping wife..
Alright, let's play the analogy game :) If they did what you say, then it would be closer to grey hat territory, but they didn't.
What they did was more like walking down the street and trying doors. If unlocked, they go inside, steal some valuables, and fund "research" with the proceeds. Grey hats my ass. They say they took care to make it as gentle as possible and put things back where they were, but that's like a house thief saying: I only stole $1 from each house, and I closed doors behind me.
I don't care about the legality. Considering how little harm they did, prosecution is unnecessary, IMHO (a fine would be OK). It is more pertinent that their "research" and conclusions are total trash. If they think it's OK to trespass, steal resources, potentially harm, and then present it as a "hack" and a valid research methodology (they are obviously proud of themselves), why should I believe in their academic integrity?
They never say it's a "hack". But they clearly mean it.
This is one of the most amazing things I've read on slashdot - a very interesting dataset gathered in a just as interesting way, with fascinating results, all fully documented and released to the public domain. The nay-sayers who can't see past the legality issue to the technical achievement and gold-mine of a dataset below should hand in their geek-card on their way out. This is news for nerds, not news for lawyers.
Double (or, rather triple) glazing good.
Double glazing salesmen - spawn of the devil.
Watch this Heartland Institute video
Yes he should face jail time. To not give any just encourages (or perhaps, fails to discourage) future similar behavior. And what happens the day that someone thinks 'oh I'll do this it will be cool and won't fuck anything up' and well.. it does?
Mind you I'm not saying put the guy away for 25 years but I think 2 years and an equal amount of post jail community service would be appropriate. That it costs something to put him in jail is not reason enough to not put him there.
Well I picked up the gun and pointed it at you and pulled the trigger. But damn it, I missed. Guess I should go scot-free because well, zero damage was caused? No? Ok, suppose I knew there were no bullets in the gun and nothing would happen to you? Now can I go free?
Consider that people (especially non-violent offenders) come out of prison more likely to commit a greater crime than before they went in.
Go green: turn off your refrigerator.
Consider that some may come out more likely to commit another crime. And again, that alone is not a reason not to incarcerate. And there are any number of nonviolent crimes which society should reconsider if they are crimes at all and if still so, make the punishment more in line with the offense.
I do find many of the mandatory minimums to be far too long, while it does seem that some very violent offenders get far too short a stay. But again, we can't as a society just give what amount to free passes when laws are broken, egregiously in this case. The jail time is not just a punishment but also a deterrent to others.
The problem I have here is that this was a person who really knew better than to do what they did. This wasn't some 15 year old without the exposure to or full understanding of the possible ramifications of the act. Instead, he did it because a) he wanted to and b) he decided that his view that the 'research' was valuable was to take precedent over society saying unauthorized access is a nono.