Information Security News mailing list archives

Thousands Of People Oblivious To Fact That Anyone On The Internet Can Access Their Computers


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 14 Aug 2014 15:58:04 +0000 (UTC)

http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/

By Kashmir Hill
Forbes Staff
8/13/2014

There are technologists who specialize in “scanning the Internet.” They are like a search team making its way through a neighborhood, but instead of checking the knob of every door, they check Internet entrances to online devices to see which ones are open. These people have been screaming for some time that there is a lot of stuff exposed on the Internet that shouldn’t be: medical devices, power plants, surveillance cameras, street lights, home monitoring systems, and on and on. But incredibly, their message doesn’t seem to get through, because their scans keep on picking up new devices.

While talking about the issue at hacker conference Defcon on Sunday, security engineer Paul McMillan sent his winged monkey scanners out looking for computers that have remote access software on them, but no password. In just that short hour, the results came pouring in: thousands of computers on port 5900 using a program called VNC for remote access. The total number is likely over 30,000. Those using the program failed to password-protect it, meaning anyone who comes looking can see what they’re doing, and manipulate their computers. McMillan set a scanner to take a screenshot of every exposed computer it came across. I went through the screens captured Sunday and saw people checking Facebook, playing video games, watching Ender’s Game, reading Reddit, Skyping, reviewing surveillance cameras, shopping on Amazon, reading email, editing price lists and bills, and, of course, watching porn. I saw access screens for pharmacies, point of sale systems, power companies, gas stations, tech and media companies, a cattle-tracking company, and hundreds of cabs in Korea. This isn’t just about watching people use their computers; the fact that the scanner got in means anyone could manipulate the devices, changing the power company’s settings, pausing the porn stream, going through a company’s records, or reviewing the prescriptions for a pharmacy’s patients.

There is no need for hackers to go to great lengths to compromise these computers; their owners have built in backdoors with no locks. “It’s like leaving your computer open, unlocked and ready to rock in a crowded bus terminal and walking away,” says security engineer Dan Tentler, who presented with McMillan. Increasingly, everything is connected to the Internet, and unfortunately, people don’t always know how to connect their things securely.

“It’s important to remember that this scan only scratches the very surface of the problem,” says McMillan. “We can’t legally scan for default passwords, but I’m certain if we did, the results would be orders of magnitude worse.”

[...]
