Commentary

Search Engine Finds Security Hole, Leaks Data

In a move straight out of a scientific espionage plot to hack into the world's resources through the underbelly of the Internet, hackers could use the search engine Shodan to locate Internet-connected devices and steal information. The site can locate and identify vulnerabilities in system control equipment at gasoline refineries, power plants and other industrial facilities. And though I'm not a security expert, I wonder if consumer connected devices and advertising will somehow get involved.

Shodan interrogates ports and grabs the banners. Optimizing search results requires some basic content in banners, which advertise generic user names and passwords that people don't typically change. The search engine is available to anyone who knows how to use it to find specific computers, routers and servers through a variety of filters.

A video on the site describes how "to find and break things," though the creators of Shodan did not intend it to be used that way, according to Michael "theprez98" Schearer, speaking at The Next HOPE conference.

Consumer privacy stepped into the forefront with the entrance of Facebook and Google services, but what about patching holes in business applications that seem to leak intellectual property, passwords and more through Internet-connected devices? Shodan's database is built by indexing metadata contained in headers that the hardware broadcasts to other devices. The search engine can identify a Solaris server located in Pakistan that remains vulnerable to a known exploit, for example.
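
As an added example (not from the original article or from Shodan), this defender-side check reads banners captured from your own hosts and flags what they give away to an indexer: product and version strings, default-credential hints, and HTTP pages served without an authentication challenge. The hosts, banners, product names and function names are constructed for illustration.

```python
import re

# Constructed sample banners, as a scan of your own hosts might record them.
# Addresses are from the 192.0.2.0/24 documentation range; products are made up.
SAMPLE_BANNERS = {
    ("192.0.2.10", 80): "HTTP/1.0 200 OK\r\nServer: ExampleHMI/1.4\r\n\r\n<title>Plant Config</title>",
    ("192.0.2.11", 23): "ExampleRouter login (default user: admin, default password: admin)",
    ("192.0.2.12", 22): "SSH-2.0-OpenSSH_5.1",
    ("192.0.2.13", 80): "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"ops\"\r\nServer: web\r\n\r\n",
}

VERSION_RE = re.compile(r"([A-Za-z]+)[/_ ]v?(\d+(?:\.\d+)+)")
DEFAULT_CRED_RE = re.compile(r"default\s+(?:user(?:name)?|login|password|passwd)", re.I)
HTTP_STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")


def audit_banner(banner):
    """Return a list of findings describing what one banner discloses."""
    findings = []
    status = HTTP_STATUS_RE.match(banner)
    if status:
        # For HTTP, only the Server header is treated as the product string,
        # so the "HTTP/1.0" status line is not mistaken for a version.
        head = banner.split("\r\n\r\n", 1)[0]
        headers = {
            k.strip().lower(): v.strip()
            for k, _, v in (line.partition(":") for line in head.split("\r\n")[1:])
        }
        exposed = headers.get("server", "")
        # Heuristic: a 200 with no WWW-Authenticate header means the page
        # was handed over without asking for credentials.
        if status.group(1) == "200" and "www-authenticate" not in headers:
            findings.append("HTTP 200 with no authentication challenge")
    else:
        exposed = banner
    m = VERSION_RE.search(exposed)
    if m:
        findings.append(f"discloses product and version: {m.group(1)} {m.group(2)}")
    if DEFAULT_CRED_RE.search(banner):
        findings.append("advertises default credentials")
    return findings


def audit_inventory(banners):
    """Map each (host, port) to its findings, omitting clean endpoints."""
    return {ep: f for ep, b in banners.items() if (f := audit_banner(b))}


if __name__ == "__main__":
    for (host, port), found in audit_inventory(SAMPLE_BANNERS).items():
        print(f"{host}:{port} -> {'; '.join(found)}")
```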

I tried to ignore this report from the Industrial Control Systems Cyber Emergency Response Team I found through The Register, but couldn't. It suggests remote systems that control most of the wide area networks in the United States use inadequate authentication and password protection, or common vendor accounts for remote access into Internet-connected portals and systems, and can be controlled and stolen through this search engine.

The ICS-CERT Alert issued Oct. 28 provides recommendations and warns that, through Shodan, the systems are readily accessible from the Internet and that the resources required to identify them have been greatly reduced.
