Data Center Equipment Exposed With Default Manufacturer User and Pass

Shodan Cataloging of Liebert & APC

(Disclaimer – It is not the intent of this post to point out a particular BAS software vendor.  The intent is to show that we, the system integrator, still have work ahead of us to do our part)

Last week I searched for Niagara systems on Shodan and the numbers were 27k plus in just the US.  This week the US number is down just over 15k.  This does not necessarily mean it will continue to go down.  It just means that is the number Shodan has picked up thus far.

This week I searched for Liebert and APC.  These are typically used in data centers and you would not expect to find them exposed.  However, I was able to find some.  And the US is once again the leader in the pack of most exposed.

The good news is the number was only in the double digits for Liebert.  The number of exposed APC devices was significantly less than Niagara, but numbered close to 4,000.  The US was number one with 3,819 and the UK was number two with 578.

Checking out the details page of some sample units shows the information available is fairly descriptive.

The image on the right shows a Liebert Challenger that (according to the location description) is in a server room. The application software is listed as well as the firmware version.

20150817_OB_CRAC_Bacnet

The image on the right is the detailed information for this public IP. It also lists:

  • City
  • Country
  • Internet Service Provider
  • Last Update (this is the date and time Shodan last connected to the site which was four hours before this screen capture)
  • Services – Telnet Port 23
  • Ports – 23, 80, 47808 (all default)
  • Etc.

Notice at the top is the street map.

 

20150817_OB_CRAC_LOC

Another example of potentially critical equipment that is exposed and cataloged by Shodan is APC.

The image below shows an APC SNMP device with an exposed IP which happens to be a power strip that controls VM, APP, and SQL servers.

The details for the exposed IP listed are:

  • City
  • Country
  • Internet Service Provider
  • Last Update (this is the date and time Shodan last connected to the site which was three hours before this screen capture)
  • Services – Telnet Port 23
  • Ports – 23, 80, 161 (all default)
  • MIB version
  • Etc.

Notice at the top is the street map.

20150817_OB_APC_LOC800W

Like I said in the last post, we all know this is something that we cannot change overnight, and at the end of the day we cannot force the end user to spend the money and make the changes necessary to make their systems safer.  However, we need to architect new systems securely and make the necessary recommendations to our customers on how to secure their legacy systems.

If you would like more information on any of my other posts, email me at fred.gordy@smartcore.com.
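
An outside-in exposure check along these lines, as an added example that is not part of the original post: it takes observations from a scan of address ranges you own and flags the default ports listed above (23, 80, 161, 47808). The record fields, the `audit` function, the severity scale and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Default ports the post shows on the exposed Liebert and APC units,
# mapped to (service, severity 1-3, remediation). Severity scale is an assumption.
RISKY = {
    23:    ("telnet", 3, "cleartext login; disable it or restrict to a management network"),
    161:   ("snmp",   3, "v1/v2c community strings travel in cleartext; filter at the edge"),
    47808: ("bacnet", 3, "BACnet/IP is normally unauthenticated; keep it off the internet"),
    80:    ("http",   2, "unencrypted web UI; require VPN and replace factory credentials"),
}

def audit(observations, own_ranges, approved=frozenset()):
    """Return per-host findings for risky ports seen from outside on our own ranges."""
    nets = [ipaddress.ip_network(r) for r in own_ranges]
    hosts = defaultdict(list)
    for ob in observations:
        ip = ipaddress.ip_address(ob["ip"])
        if not any(ip in n for n in nets):
            continue  # not our address space: out of scope for this audit
        if ob["port"] in RISKY and (ob["ip"], ob["port"]) not in approved:
            hosts[ob["ip"]].append(ob)
    findings = []
    for ip, obs in hosts.items():
        ports = sorted({o["port"] for o in obs})
        findings.append({
            "ip": ip,
            "label": obs[0].get("label", "unknown"),
            "ports": ports,
            "severity": max(RISKY[p][1] for p in ports),
            "actions": [f"{p}/{RISKY[p][0]}: {RISKY[p][2]}" for p in ports],
        })
    # Worst first, then most open ports, then by address for stable output.
    findings.sort(key=lambda f: (-f["severity"], -len(f["ports"]), f["ip"]))
    return findings

# Constructed sample: what an outside-in scan of our own ranges might return.
SAMPLE = [
    {"ip": "203.0.113.10", "port": 23, "label": "CRAC unit, server room"},
    {"ip": "203.0.113.10", "port": 80, "label": "CRAC unit, server room"},
    {"ip": "203.0.113.10", "port": 47808, "label": "CRAC unit, server room"},
    {"ip": "203.0.113.20", "port": 80, "label": "rack PDU"},
    {"ip": "203.0.113.20", "port": 443, "label": "rack PDU"},
    {"ip": "203.0.113.30", "port": 80, "label": "public web site"},
    {"ip": "198.51.100.7", "port": 161, "label": "someone else's device"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE, ["203.0.113.0/24"], approved={("203.0.113.30", 80)}):
        print(f["severity"], f["ip"], f["label"], f["ports"])
        for a in f["actions"]:
            print("   ", a)
```

The `approved` set holds services that are published on purpose, so the report only lists exposure nobody signed off on.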

Top US Cities With Exposed Niagara Systems

And Other Scary Stats

(Disclaimer – It is not the intent of this post to point out a particular BAS software vendor.  The intent is to show that we, the system integrator, still have work ahead of us to do our part)

The information I list below I got by running a report on Shodan today (8/13/2015).  And it didn’t cost a dime and I didn’t have to use any query language… just plain ole English.

I opened the site (https://www.shodan.io/) and in the search bar I typed “niagara”.

20150813_searchText

 

20150813_searchText2

Next I clicked the United States.

At this point I clicked “Create Report” to save this search in case I want to review the data later on.

Notice in the image above the number of exposed Niagara systems in the United States is 27,182.  I ran a report last week and the number was 15,948.  The numbers should be heading down, not up.

This number represents (if you divide it by the number of states) an average of 543.64 Niagara systems per state that are exposed to the world, where the only thing between them and a hack is a username and password in the Niagara station.

 

20150813_topCities

The top five cities are listed on the left from the search results.

  • Houston – 384
  • Chicago – 308
  • Denver – 301
  • Seattle – 104
  • Indianapolis – 83

The next thing listed is equally disturbing.  Not only are the systems exposed on the web with only a username and password to protect the system, most are riding on top of an operating system that is no longer supported by Microsoft.  Almost twice as many systems are running Windows XP as Windows 7 or 8.  Support ended for XP April 8, 2014.

The next most common operating system listed is Windows 7 or 8 (lumped together).  Mainstream support for Windows 7 ended January 13, 2015.  Windows 8.# still has support for a few years yet. This report does not distinguish between the two.

20150813_TopOS

 

The image below shows the AX versions that are running.  This statistic is both encouraging and discouraging.

Apparently AX versions have been upgraded to more secure versions, but based on the statistics listed above, they were left exposed on the web and on an operating system that is no longer supported.

 

20150813_TopAXVersions

We all know this is something that we cannot change overnight, and at the end of the day we cannot force the end user to spend the money and make the changes necessary to make their systems safer.  However, we need to architect new systems securely and make the necessary recommendations to our customers on how to secure their legacy systems.

If you would like more information on any of my other posts, email me at fred.gordy@smartcore.com.

 

Real-Time Threat Maps

If you haven’t seen these maps, they can be eye-opening.  These are real-time and/or near real-time threat maps that are readily available online.

They cover traffic such as:

  • DDoS (distributed denial of service) – the intentional paralyzing of a computer network by flooding it with data sent simultaneously from many individual computers
  • IDS (intrusion detection systems) – network attacks detection flow
  • VUL (vulnerability scan) – vulnerability detection flow
  • MAV (mail anti-virus) – malware detection flow during Mail Anti-Virus scan when new objects appear in an email application
  • WAV (web anti-virus) – shows malware detection flow during Web Anti-Virus scan when the html page of a website opens or a file is downloaded
  • OAS (on-access scan) – shows malware detection flow during On-Access Scan, i.e. when objects are accessed during open, copy, run or save operations
  • ODS (on demand scanner) shows malware detection flow during On-Demand Scan, when the user manually selects the “Scan for viruses
  • Attack types against (all types not listed):
    • telnet
    • SQL
    • domain
    • http
    • ssh

Various companies who are touting their cyber security offerings like to throw these up behind them during photo ops.  They are impressive, but more importantly they show us the unseen cyber world and the fact we are under attack.


The list below includes pictures of the sites and the links to view them in real-time.


Live Norse Attack Map – Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors.

Norse Corp Live Threat Map


Kaspersky Lab’s CYBERTHREAT Real-Time Map – Kaspersky Lab has launched an interactive cyberthreat map that visualizes cyber security incidents occurring worldwide in real time. The types of threats displayed include malicious objects detected during on-access and on-demand scans, email and web antivirus detections, as well as objects identified by vulnerability and intrusion detection sub-systems.

Kaspersky CyberThreat Real-Time Map


Digital Attack Map – The Digital Attack Map displays global DDoS activity on any given day. Attacks are displayed as dotted lines, scaled to size, and placed according to the source and destination countries of the attack traffic when known.

Digital Attack Map - Top daily DDoS attacks worldwide


Fortinet Threat Map – Remote execution attacks, memory related attacks, remote location attacks, denial of service attacks (DoS), etc.

Fortinet Threat Map

There are more maps that do some of the same type of tracking as well as other threats.  The list below includes the sites listed in this article as well as others.

http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16643&view=map
http://map.norsecorp.com/
http://map.honeynet.org/
https://cybermap.kaspersky.com/
http://threatmap.fortiguard.com/
https://www.stateoftheinternet.com/trends-visualizations-security-real-time-global-ddos-attack-sources-types-and-targets.html
http://dds.ec/pewpew/index.html
http://www.trendmicro.com/us/security-intelligence/current-threat-activity/global-botnet-map/index.html

MUST RUN THIS ONE IN CHROME
https://labs.opendns.com/global-network/

ControlTalk NOW Week Ending December 22, 2013

ControlTalk NOW thanks this week’s Industry Leaders and 2013 ControlTrends Awards Sponsors: Belimo, Connect-Air, and Contemporary Controls. The 2013 ControlTrends Awards voting ballots have been emailed to all registered voters. If you still need to register, click here!

Hanging Out With Easy IO’s Mike Marston in Korea: Stromquist & Company’s Rob Allen was joined by Easy IO’s Mike Marston to discuss the Easy IO training class coming to Stromquist’s Atlanta location January 13, 2014. Want to come to Atlanta and hang out with Mike and Rob and learn about how to use the amazing Easy IO controllers?

ControlTalk Now welcomes its first guest Richard K. Warner, PE, CEM, DCEP, CxA, EBCP of OM|E out of Baltimore, MD. Rick’s company is one of the only premier master system integrators in the country, taking integration to where the brave and the bold dare not go. An astute believer and practitioner of core competency, Rick shares his vantage point, experience, and visions of what is to come in the world of high-level integration.

Lynxspring’s 2013 ControlTrends Awards Best Building Application of the Year Nominee: Lynxspring’s LYNX CyberPRO, the industry’s first cyber-threat protection solution designed specifically to enhance the cyber protection of commercial building automation and energy management systems.

Tridium’s Ed Merwin Stops By For A Chat. “Here’s my Problem, How can Technology Fix it?” This is a one-of-a-kind industry insight with Ed Merwin, Director, VYKON Automation Energy Security, and nominee for the 2013 ControlTrends Person of the Year. Ed Merwin is one of the most respected voices in the Building Automation Industry and Ed explains the enormous success of the Niagara Framework. Tridium is a software company that provides building automation services. Often starting at “Here’s my problem, how can technology fix it?” Tridium has emerged as the industry’s great web-enabled integration solution that continues to create a growing ecosystem around the Niagara Framework.

EnergySense: Google Puts “More” Skin in the Thermostat Game! Houston, We Have… Google reportedly testing smart thermostats in ‘EnergySense’ program. By Alexis Santos, 1 day ago on engadget. Google called it quits on a smart thermostat two years ago, but it looks like the company couldn’t resist circling back to the idea. According to two of The Information’s sources and a document reviewed by the outlet, Mountain View has been conducting a trial of Internet-connected thermostats to help users keep tabs on their energy use and adjust accordingly.

Thermokon: Energy Harvesting meets Display — No Batteries, No Wires! The SR06LCD is the highlight of Thermokon’s new and innovative series. With its maximum power energy management the unit operates without external supply voltage. The custom solar cell self-sufficiently powers the device and the energy is harvested by artificial or natural light sources in a room. It continually displays temperature and humidity, set point, fan stages, presence and window status without user wake up, and room comfort levels can be controlled with the set point and fan stages buttons.

Honeywell MVN Actuator Update: Short Order Codes Now Available. In October, Honeywell released the MVN Rotary Valve Actuator that is used with the VBN and VRN valve product families. This innovative actuator provides easy assembly and dramatically cuts installation time. The new compact design and flexible wiring configurations give installers the ability to meet strict requirements for any project.

Happy Holidays. CONTROL TRENDS NEWS FLASH: Control Trends is releasing to you, ALL our valued readers…A HAPPY HOLIDAY MESSAGE… The Message is SIMPLE: “We want to express our deepest Holiday Wishes to you and your Families.” We hope that EVERYONE will receive this message…

ControlTrends welcomes its second guest, Greg Barnes from ActiveLogix. Greg Barnes is pure pedigree Niagara integration and ActiveLogix, LLC is one of the most prolific providers of Internet-based enterprise automation solutions in the US. Featuring Periscope, one of the most flexible and versatile enterprise integration tools available, ActiveLogix provides design services, consulting, custom applications and technologies to enable management and optimization of sustainable, energy-efficient, and secure facilities in a multi-vendor, cross platform environment.

nHaystack Coming from one Direction, OSCRE, and the Real Estate Industry, are Coming from the Other! We are just getting to know and realize the enormous benefits nHaystack has to offer and the prodigious efforts being made by the nHaystack Community. Project Haystack is an open source initiative to develop tagging conventions and taxonomies for building equipment and operational data. Looks like there’s an equally serious initiative with a different perspective rising from within the Real Estate Industry to implement its own information standard to deal with the challenges of information exchange.

Critical Inventions and Discoveries: Ken’s TOP 5 Information Pivot Points of Week 51: 2. Georg Simon Ohm, (born March 16, 1789, Erlangen, Bavaria [Germany]—died July 6, 1854, Munich), German physicist who discovered the law, named after him, which states that the current flow through a conductor is directly proportional to the potential difference (voltage) and inversely proportional to the resistance.

ControlTalk NOW will continue to provide a weekly episode featuring the people, products, and the News of the Week shaping our world of controls, building automation, and the HVAC industry.

Click here to listen to or download the Podcast version of ControlTalk Now: http://traffic.libsyn.com/hvaccontroltalk/67_Episode_67__ControlTalk_Now__HVAC_and_Building_Automation_Control_News_You_Can_Use.mp3


The Tom Rosback Interview

A special thanks to Honeywell’s Tom Rosback. Ken and I had the chance to have a candid conversation with Tom about the changes at Honeywell, and the direction the company is headed. Tom was very open and addressed concerns, including Honeywell Spyder issues and the shake up at Tridium. As one of my teachers, a renowned expert on leaders and leadership, once told me… “If everyone agrees with what you are doing you are not leading.” After spending time with Tom, I believe that he is a true leader and Honeywell and the Industry are lucky to have him.

ControlTalk Now For The Week Ending July 28, 2013

ControlTalk NOW thanks Belimo — this week’s Platinum sponsor! Innovations in Comfort, Energy Efficiency and Safety Solutions. Belimo Americas, a world leader in the design and manufacture of damper actuators and control valves used in commercial HVAC systems. Known for its direct-coupled actuator and innovations in pressure independent control valve technology, Belimo has solutions to maintain an energy efficient building environmen

Make a Splash This Summer with the “Dive into FIN” Program: Throughout Summer 2013, J2 Innovations is running a special program designed to help System Integrators and Distributors quickly become experts in FIN by providing personalized one-on-one support. [Read more…]

ControlTalk Now For The Week Ending July 21, 2013

ControlTalk NOW thanks EasyIO — this week’s Platinum sponsor! The EasyIO range of Controllers are rugged, network centric, high performance and very flexible to use. They represent a paradigm shift in the BAS and Energy related industries, whereby, an Area Controller is not mandatory anymore.

ControlTalk NOW referenced these links: McKenney’s, Tridium, EasyIO, Stromquist, DGLogik, GSA, Johnsons Controls, Honeywell,
McKenney’s Training on Cylance IT Security Information [Read more…]

Niagara Solutions — Back to the Future: The Intelligent Building by Tridium

Niagara Nobody does it better. This is the who/what/where/when/how of the integration industry. Great link to a great solution! Tridium is the global leader in open platforms, application software frameworks, automation infrastructure technology, energy management and device-to-enterprise integration solutions. Tridium’s technology and applications have fundamentally changed the way devices and systems connect, integrate and interoperate with each other and the enterprise — worldwide!

ControlTalk Now For Week Ending July 14, 2013

ControlTalk NOW thanks Johnson Controls — this week’s Platinum sponsor!

Johnson Controls delivers products, services and solutions that increase energy efficiency and lower operating costs in buildings for more than one million customers.

ControlTalk NOW referenced links: CGNA, CABA, DOE, LinkedIn ControlTrends Awards Group

ControlTrends Hangout: Episode Two – Using Social Media in The HVAC Industry: Ken Smyers and I continued our “hangout” discussion on how to use social media to [Read more…]