At the beginning of the year, Check Point issued a threat alert, urging companies to start banning Shodan's crawlers through its security solutions.
Shodan is a search engine for discovering Internet-connected devices, but which can also be used to search for server settings, options, and other technical details that Google, Bing, and DuckDuckGo usually ignore. The service has grown in popularity like very few technologies did in the past year.
Shodan has been at the core of multiple security alerts and data leak incidents that have singled out companies for running improperly configured servers.
Shodan has done more good than bad
Researchers have used Shodan to discover vulnerable SOHO routers, SCADA equipment, outdated SSL certificates, and misconfigured MongoDB databases.
Most of you must already be aware of Chris Vickery's work, a security researcher that used Shodan to scan corporate networks and bring to light huge data breaches. Using only Shodan, Mr. Vickery discovered a database of 191 million US voter records, 3.3 million Hello Kitty accounts, 13 million MacKeeper user details, and many other more. Instead of stealing and selling this data on the black market, Mr. Vickery contacted each company and helped them secure their data.
Check Point's decision to recommend its clients to ban Shodan's crawlers is bizarre because it doesn't make that much sense.
The company tried to explain its decision by blaming Shodan for being "the tool" in a cybercrook's hands when "a massive data hack in the UK, attributed to Shodan scans, exposed sensitive data including family photographs, medical records and bank statements."
Shodan is not the enemy
Check Point has completely ignored the fact that Shodan is also used by the good guys, and that tools similar to Shodan have existed long before the service, most of which were developed by cybercrime groups.
In an interview with Salted Hash, Ron Davidson, head of Threat Intelligence and Research at Check Point, has even admitted that "scanners operated by threat actors [/..] mimic the network signatures of legitimate security scanners."
Instead of focusing on the real threat, Check Point has decided to throw an umbrella ban on Shodan, with no guarantee that threat actors won't stop scanning the Web with other similar search engines or their own scanners.
The infosec community has also reacted to this news, with Vectra Network's Gunter Ollmann writing: "It’s a sad indictment of current network security practices that a reputable security vendor felt the need and justification to add detection rules for Shodan scans and that their customer organizations may feel more protected for implementing them."
Softpedia has contacted John Matherly who was kind enough to answer a few questions via email.
What was your initial reaction when finding out that Check Point has recommended blocking Shodan's scanners?
I was disappointed that a firewall company would encourage security by obscurity. And I couldn't believe that they used a tabloid (DailyMail) as an actual reference.
Has anyone from Check Point contacted you about their intentions in blacklisting Shodan (before or after)?
I've spoken and worked with people at Check Point in the past, but they didn't contact me before posting the article.
Any plans of circumventing the Check Point ban, or are you going to respect their decision?
I don't think they understand how the Shodan infrastructure works or what it looks for. But I'm not taking any extra steps to circumvent their decision.
Isn't Check Point doing more harm than good by giving sysadmins an excuse to continue to operate improperly configured equipment instead of using Shodan's presence to force them to update their configurations?
Yes, it's only taking information away from the good guys. Attackers have their own tools of the trade to discover insecure equipment, blocking Shodan does nothing to prevent harm. Hundreds of thousands of devices have been secured on the Internet because a security researcher used Shodan to find improperly configured services and notified proper authorities. The most recent example is the leaking of data via public MongoDB instances, which were only detected and secured because of Shodan.
Does this ban raise questions about the need to differentiate between the good guys using Shodan and the bad guys?
The bad guys have had similar tools long before Shodan existed and they will continue to use those because Shodan isn't an anonymous service. We take many steps to limit abuse and make sure the data is only used by good guys. There is an overwhelming amount of evidence to show that Shodan has been a force for good and helped make the Internet safer.
Most companies actually take the opposite stance of Check Point: use Shodan to check whether you're running anything on the Internet that you didn't expect! This is especially true for organizations that don't have a large IT security budget (ex. small businesses and universities).
Our bet is that Shodan will get banned and blocked from scanning many corporate networks. Companies tend to err on the safe side of things, and if a small ban will avoid all the bad publicity that comes with an accidental data leak, any CSO would take Check Point's advice without batting an eye. Unfortunately, this won't mean they're safer.