Tuesday, 16 October 2018

Is there a difference between espionage and entrepreneurship? - RedCrow

- Follow-up -
By Amitay Dan


About two years ago, with the help of the magazine Israel Defence, I was the first to expose in Hebrew the intelligence activity of a Palestinian defense-oriented high-tech company registered in the United States.

The company uses open sources, human sources and more, and provides, among other things, live and strategic information on the security forces.

They use NLP technologies and automated collection tools, alongside analysts and other services.

This is an early example of entrepreneurship in the Palestinian defense industry, specializing in real-time intelligence and strategic analysis in the MENA region.

As of today, their activity focuses mainly on Israel/Gaza/the West Bank, Jordan, Egypt and Lebanon.

The company's activity includes collecting and delivering real-time information on the activity of the security forces in Israel, and therefore in practice it also challenges law enforcement and the security forces.

Unlike in the past, they recently launched a basic app that can be joined with a subscription paid through the app store, aimed at journalists and others who want information about threats in a given geographic area.

This allows terrorist organizations to join the basic service and obtain useful information from it without any prior screening.


Unlike many solutions on the market, their specializations, which include physical security, information from human sources and harvesting of OSINT sources, produce a product that currently leads real-time geographic intelligence for civilian customers in the MENA region.


Since the company solves problems for many legitimate customers, dealing with its local activity becomes a bigger challenge, both in terms of optics and legally.
They challenge the system and the very concepts of espionage and passing information to a foreign party.

The State of Israel's interest in encouraging entrepreneurship would be harmed if its activity were disrupted. On the other hand, in an era in which Hamas collects information on soldiers by compromising their phones, it is worth understanding that a great deal of information on the security forces is being published in real time, with the potential for abuse by terrorist organizations.

Sources:
RedCrow Lite

RedCrow

Article in Israel Defence, 2016



(Image sources: RedCrow; from a UNICEF article)

Wednesday, 10 October 2018

Let's detect the IoT search engines, from Fofa to Shodan


By Amitay Dan  
11.10.2018

Hunting the hunters is fun, but let's start with the background.

In this article I will show how we can detect Shodan and Fofa user-agents, and who has already made progress.

What do you know about Shodan, Censys, ZoomEye and Fofa?
These search engines are dedicated to mapping the Internet of Things and other sensitive devices.

I like them very much, but I think it comes with a price: everything is exposed at once, with no time to fix vulnerabilities. Legally, these scanners' activities are against a ruling made by the Supreme Court of Israel, but let's leave that for now and focus on the technical aspect.

---

What can you do to stop IoT search engines from leaking sensitive databases and from scanning vulnerable devices, such as smart homes?

As we all know, many homes are now connected to the internet, just like critical infrastructure and other devices that have been online for many years.
It has become a race to the internet: even a connected microwave is sold by Amazon so you can talk to Alexa from anywhere.

Unlike Google, which focuses mostly on websites, these search engines are dedicated to cataloging sensitive findings: connected devices, databases and other things we want to keep from falling into the wrong hands.

Is there a solution? Can we implement something in a PLC or RTU to prevent IoT search engines from detecting and cataloging them?
What should smart-home vendors do to protect users from these search engines?
Is it even legal to scan a house?

Today I had an interesting finding.
I was looking at an error indexed by an IoT search engine called Fofa, and realized something interesting.
It said:

 E\x00\x00\x00\xffj\x04Host '*.*.*.*' is not allowed to connect to this MySQL server


It was very interesting because I had never seen anyone talk about how to prevent these engines from getting into homes. I did talk about the legal side of it, but let's forget about the law and keep digging.

After realizing that this is the Fofa user-agent, I used Google to check whether anyone had mentioned this string before. No one had; only Google was mapping Fofa's activity in the wild.

So I thought, let's see what Fofa has done before. How many times did it get blocked while using this string? Well, the number was very high: 840,696 times.

Query: "E\x00\x00\x00\xffj\x04Host '*.*.*.*'", Total results: 840696, took 4545 ms, mode: normal.
(Fofa UI note: by default only data from the last year is shown; click the "all" link to see everything.)
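A practitioner's caveat on what this string is: it is not a User-Agent header sent by the scanner but the MySQL server's ERR_Packet, the reply it sends when a client connects from a host that no account grant allows. The bytes decode as a 3-byte little-endian payload length (0x45 = 69), a sequence id (0), the 0xff error marker, the little-endian error code 0x046a = 1130 (ER_HOST_NOT_PRIVILEGED) and the message. Fofa stores that reply as the port's banner, so the 840,696 hits are exposed MySQL listeners that refused the scanner's connection, and the address masked as '*.*.*.*' is the connecting host, i.e. the scanner's own IP. The following is an added example (my code, not Fofa's, the author's or MySQL's) that parses such a packet; the sample capture is constructed, with the masked address replaced by the documentation address 203.0.113.77 so the 69-byte length still adds up.

```python
import re
from typing import Optional

ER_HOST_NOT_PRIVILEGED = 1130  # "Host '...' is not allowed to connect to this MySQL server"

# Constructed capture (not taken from Fofa): same header and error bytes as the string
# indexed on the page; the masked '*.*.*.*' is replaced by an RFC 5737 documentation
# address whose length keeps the 0x45 (69-byte) payload length correct.
SAMPLE_BANNER = (
    b"E\x00\x00\x00"   # payload length 0x000045 = 69 (3 bytes, little-endian) + sequence id 0
    b"\xffj\x04"       # 0xff = ERR marker, then error code 0x046a = 1130 (little-endian)
    b"Host '203.0.113.77' is not allowed to connect to this MySQL server"
)


def parse_mysql_err_packet(data: bytes) -> dict:
    """Decode a MySQL ERR_Packet: header, 0xff, error code, optional '#xxxxx' SQL state, message.

    Before the handshake completes the server does not know whether the client speaks
    protocol 4.1, so pre-auth errors like 1130 carry no SQL state; both shapes are handled.
    """
    if len(data) < 4:
        raise ValueError("shorter than a MySQL packet header")
    payload_len = int.from_bytes(data[0:3], "little")
    sequence_id = data[3]
    payload = data[4:4 + payload_len]
    if len(payload) != payload_len:
        raise ValueError(f"truncated payload: header says {payload_len}, got {len(payload)}")
    if not payload or payload[0] != 0xFF:
        raise ValueError("payload does not start with the 0xff ERR marker")
    error_code = int.from_bytes(payload[1:3], "little")
    rest = payload[3:]
    sql_state = None
    if rest[:1] == b"#":                 # protocol 4.1 shape: '#' + 5-char SQL state
        sql_state = rest[1:6].decode("ascii")
        rest = rest[6:]
    return {
        "payload_len": payload_len,
        "sequence_id": sequence_id,
        "error_code": error_code,
        "sql_state": sql_state,
        "message": rest.decode("utf-8", errors="replace"),
    }


def rejected_client_host(data: bytes) -> Optional[str]:
    """For error 1130, return the address the server refused: the connecting client itself."""
    pkt = parse_mysql_err_packet(data)
    if pkt["error_code"] != ER_HOST_NOT_PRIVILEGED:
        return None
    m = re.match(r"Host '([^']*)' is not allowed", pkt["message"])
    return m.group(1) if m else None


def build_err_packet(error_code: int, message: str, sequence_id: int = 0) -> bytes:
    """Inverse of the parser in the pre-4.1 shape (no SQL state)."""
    payload = b"\xff" + error_code.to_bytes(2, "little") + message.encode("utf-8")
    return len(payload).to_bytes(3, "little") + bytes([sequence_id]) + payload


if __name__ == "__main__":
    info = parse_mysql_err_packet(SAMPLE_BANNER)
    print(info)
    print("server rejected connection from:", rejected_client_host(SAMPLE_BANNER))
    # The constructed sample is byte-for-byte what a server would emit for that message.
    assert build_err_packet(1130, info["message"]) == SAMPLE_BANNER
```

Two things follow from the decode. First, a server that answers with 1130 is doing the right thing at the account level (no grant for that host) but is still reachable on 3306 from the internet, which is what the search engine records; a firewall rule in front of it would remove the banner entirely. Second, because the message echoes the client's address, the unmasked results of this query are a list of the scanner's source addresses as seen by hundreds of thousands of servers, which is exactly the IP-list input the detection projects mentioned later in this post rely on.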

 




Now I was thinking: what about Shodan? Can we look for Shodan in the wild?

Googling the subject led me to results from a website called "Webmaster World": back in June 2016 someone shared information about strange behavior by Shodan.

 

While reading the post, I collected user agents that seem to be used by Shodan:

shodanscanprint
shodanscanprint(chr(49).chr(55).chr(73).chr(53).chr(51).chr(48).chr(86).chr(65).chr(117).chr(52))
g3shodanscanprint

 



Now I had dorks to hunt with.

 





Then came new results:

shodanscan'ls -la'
g3shodanscan');ls -la;/*
g3shodanscan'{${print(chr(49).c


While analyzing the findings, I was thinking this might be a start. Why don't we build a database of IoT search engine signatures, so developers can use it and try to stop these engines from adding devices and sensitive data to their catalogs?

However, after some searching I realized that researchers in academia had already made progress and published on this subject at the 2017 Ninth International Conference on Ubiquitous and Future Networks (ICUFN 2017).

The paper is titled "Abnormal Behavior-Based Detection of Shodan and Censys-Like Scanning".
The researchers are Seungwoon Lee, Seung-Hun Shin and Byeong-hee Roh, all based in South Korea.

Here is the abstract they wrote:

"Shodan and Censys, also known as IP Device search engines, build searchable databases of internet devices and networks. Even these tools are useful for security, those also can provide the vulnerabilities to malicious users. To prevent the information disclosure of own IP devices on those search engines, a fundamental solution is blocking the access from the scanners of them. Therefore, it is needed to understand and consider their scanning mechanism. Therefore, we propose an abnormal behavior based scan detection of Shodan and Censys. To do this, several traditional scan detection approaches are combined and applied to satisfy their specification. Proposed idea is monitoring packets whether it is abnormal or not and adding on the suspicious list if it is. This is based on traditional threshold approaches. To figure out it is abnormal, stateful TCP stateful packet inspection is used. The response behavior during the connection can be identified with TCP flag and abnormal behavior can be classified with SYN Scan, Banner Grabbing, and Combined SYN and Banner Grabbing. Demonstration is simulated in a Censys-like environment and detected time variation per variance of distributed detectors and Threshold value is analyzed."

Later I saw two projects on GitHub focusing on Shodan only, posts about it, and other projects.
The most effective and up-to-date service seems to be the one provided by SANS ISC (Internet Storm Center); it's called the DShield API.

Most of the projects give solutions based on IP lists rather than user agents, or look only at Shodan and Censys without paying attention to the Chinese-based competitors.

As for Censys, their website explains how to keep them from scanning you; yet they won't delete results:

"Can I opt-out of Censys scans?


Censys scans help the scientific community accurately study the Internet. The data is sometimes used to detect security problems and to inform operators of vulnerable systems so that they can be fixed. If you opt-out of the research, you might not receive these important security notifications.

However, if you wish to opt-out, you can configure your firewall to drop traffic from the subnets we use for the measurements: 141.212.121.0/24 and 141.212.122.0/24. We do not remove results from Censys, but if you have blocked these subnets, the results will automatically be pruned out."
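
The following is an added example (my code, not the author's and not taken from any of the GitHub projects or DShield) that puts two of the signals collected in this post to work on web-server access logs: the Shodan user-agent strings quoted above, and the two Censys measurement subnets from the FAQ just quoted. The user-agent match is deliberately on the stable prefixes "shodanscan" and "g3shodanscan" rather than on whole strings, because several of the observed values append injection probes (a shell ls -la, a PHP ${print(...)}) to the header and those tails vary between hits. The log lines are constructed for the demonstration and use RFC 5737 documentation addresses, except one placed inside a Censys subnet; no Fofa or ZoomEye user-agent appears on this page, so none is included, and the signature table is the "database" the post proposes, to be extended as strings are confirmed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Signature table, the "database of IoT search engine user agents" the post proposes.
# Only strings that appear on this page are included; matching is on the stable prefix
# because the observed tails carry varying injection probes (e.g. shodanscan'ls -la').
SCANNER_UA_SIGNATURES: Dict[str, Tuple[str, ...]] = {
    "shodan": ("shodanscan", "g3shodanscan"),
}

# Measurement subnets Censys names in its opt-out FAQ (quoted above).
CENSYS_SCAN_SUBNETS = [
    ipaddress.ip_network(net) for net in ("141.212.121.0/24", "141.212.122.0/24")
]

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Documentation addresses throughout,
# except the last source, which is placed inside one of the Censys subnets.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Oct/2018:09:12:01 +0300] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Oct/2018:09:12:44 +0300] "GET / HTTP/1.1" 200 512 "-" "shodanscan\'ls -la\'"',
    '203.0.113.10 - - [10/Oct/2018:09:13:02 +0300] "GET /login HTTP/1.1" 404 162 "-" "g3shodanscanprint"',
    '141.212.121.77 - - [10/Oct/2018:09:14:19 +0300] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_LOG.match(line.strip())
    return m.groupdict() if m else None


def classify(ip: str, ua: str) -> List[str]:
    """Return the reasons a request looks like an IoT search engine; empty list if none."""
    reasons: List[str] = []
    ua_lower = ua.lower()
    for engine, prefixes in SCANNER_UA_SIGNATURES.items():
        if any(sig in ua_lower for sig in prefixes):
            reasons.append(f"user-agent matches {engine} signature")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return reasons  # malformed address field: keep whatever the User-Agent told us
    for net in CENSYS_SCAN_SUBNETS:
        if addr in net:
            reasons.append(f"source in censys subnet {net}")
    return reasons


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over log lines; return (ip, user-agent, reasons) for each hit."""
    hits: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        reasons = classify(rec["ip"], rec["ua"])
        if reasons:
            hits.append((rec["ip"], rec["ua"], reasons))
    return hits


def iptables_drop_rules() -> List[str]:
    """The opt-out Censys describes: drop traffic from its measurement subnets at the firewall."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net in CENSYS_SCAN_SUBNETS]


if __name__ == "__main__":
    for ip, ua, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:16} {ua!r}: {'; '.join(reasons)}")
    print("\n".join(iptables_drop_rules()))
```

Running it flags three of the four constructed lines: two on the Shodan prefixes and one on source address alone. Keep the limits in mind: the User-Agent header is chosen by the client, so a substring match is a fingerprint, not proof, and a scanner can change it at will; the IP-range check holds only as long as the published subnets do. That is why the behaviour-based approach of Lee, Shin and Roh (SYN-scan and banner-grabbing patterns rather than strings) complements both.
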
Conclusion
 
To summarize, I think IoT search engines are something great; they really help security researchers and, basically, safety. Scanning engines' activities might be illegal in some countries, yet they help detect problems and push vendors toward solutions.
From the vendors' and end users' perspective, they might be unhappy to learn that their house or product is now out there, unprotected and easy to attack.

I know that tools which detect port scanning are nothing new, but focusing on search engine activity, and banning and blocking them locally from adding sensitive information to the catalog of things, might help in the many cases where a fix is not coming soon and won't be done before an attacker takes advantage.

We should balance the freedom to know everything, the interest of security researchers in getting data about vulnerable devices, and the right to personal and public safety.

Giving the public the ability to detect the user-agents of IoT search engines is something to start with.


Now, let's hunt the hunters.
Let's hunt Shodan, ZoomEye, Fofa and Censys.

Let's build a database of user agents belonging to IoT search engines.

Can a bot spy on an IoT bot?

Today I tried to compare the anti-robot rules (robots.txt) of the major IoT search engines.

Starting with Shodan, then Censys and ZoomEye, and finishing with Fofa.

Shodan

User-Agent: Twitterbot
Allow: /host/

# Every bot that might possibly read and respect this file.
User-agent: *
Crawl-delay: 10
Disallow: /search*
Disallow: /host/
Disallow: /report/

Censys

User-agent: *
Disallow: /ipv4
Allow:    /ipv4/
Disallow: /ipv4/metadata
Disallow: /ipv4/*/
Disallow: /certificates
Allow:    /certificates/
Disallow: /certificates/metadata
Disallow: /certificates/*/
Disallow: /domain
Allow:    /domain/
Disallow: /domain/metadata
Disallow: /domain/*/
Disallow: /data/scansio
Disallow: /login
Disallow: /logout
Disallow: /account



ZoomEye

As you can see, ZoomEye has no rules.


Fofa

# See http://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file
#
# To ban all spiders from the entire site uncomment the next two lines:
# User-agent: *
# Disallow: /