So... what does this mean? I mean, if there are so many hydropower plants et al. vulnerable via VNC, how come we haven't had some major catastrophe? Is it simply more common to have a "read only" VNC vulnerability? (which is still a huge problem). Is VNC by default not password protected for read-only viewing (and requires a password for taking control)?
Obviously nothing should be password-less by default, and should not have a "changeit" password (I'm looking at you, GlassFish), but I really hope that even if VNC lets you be in "guest view-only mode" without a password just by knowing an IP (who does that?!), then at least they still require a password to also take control, right? Please tell me they do. (Otherwise I'll be surprised we are all still alive, to be honest.)
I mean there are some controls there that I'm sure if the wrong person pushes that red button, something will go kaboom.
And there is no shortage of people out there who would not think twice to blow things up.
So yes, this is scary, but it also makes me very surprised that statistically we are probably not supposed to be alive by now if so many critical control systems have VNC exposed like that in a way that allows full control of the system and not just viewing.
Perhaps it's just selection bias: if the world had ended by now then I wouldn't be able to type this.
But still seriously, with all these screenshots, I assume this is not something new, so how come I didn't hear yet on a major real world damage due to a VNC vulnerability?
Is this really most likely to be a read only privacy issue? (which is not to be taken lightly, but not the same as being able to press "shutdown" on some power plant controls)
> And there is no shortage of people out there who would not think twice to blow things up.
I think this may be the essential flaw in the logic that says we should be dead by now. Maybe there is a shortage of people who want to blow things up without thinking.
Agreed. Given that airports have been closed because of an empty cardboard box with BOMB written on it in marker, if a lot of people wanted to mess with everybody else they could have done so easily.
Hah! People always say this sort of stuff, and while I don't believe it, I could never come up with an answer simpler than "go read that Better Angels book." I never looked at it like that before. I am going to use this line now, I hope you don't mind!
I think survivorship bias is the central flaw in "why aren't we dead by now". If survival depends on an event not occurring, I'd be extra careful in estimating its odds.
How many nuclear power plants have been blown up by hackers?
For whatever reason, civilizations suffer incredibly small damage relative to the amount of technical insecurity. The worst destruction comes from large scale war, not attacks.
That only seems to apply to "why wasn't I hit by a SCADA exploit". Unless an exploit that affects everyone in one fell swoop is given a material likelihood.
Judging by the continuous stream of people convicted for buying what they think are explosives from undercover FBI agents posing as jihadists, there are a lot of people that want to blow things up. Or take the 53,000 to 258,000 people that are estimated to be part of ISIS's military forces and allied groups. Thankfully, most of them are pretty stupid, but there are also plenty of highly educated terrorists and they tend to be engineers.
The flaw in the argument is likely GP's inference that "there are some controls there that I'm sure if the wrong person pushes that red button, something will go kaboom." Critical infrastructure tends to be better engineered than that. Cybersecurity threats are newer, less widely understood, and inadequately guarded against, but human error is an age-old problem.
> Judging by the continuous stream of people convicted for buying what they think are explosives from undercover FBI agents posing as jihadists, there are a lot of people that want to blow things up.
Well. If it were the case that there are lots of people trying to buy explosives from FBI agents posing as jihadists, I would go so far as to conclude that there are a lot of people who want _the ability_ to blow things up.
If there were a lot more office bombings, infrastructure bombings, etc, then I would agree that there appear to be a lot of people who want to actually blow things up.
By running these stings, the FBI has made it very hard for real terrorist plotters to get in contact with real would-be foot-soldiers. If someone agrees to carry out a bombing when a fake terrorist is asking, what makes you think they wouldn't do it when a real terrorist asks?
There's also this: "For months, the FBI used a confidential source to get close to Cornell, who allegedly said he wanted to hatch a plot inside the U.S."
"Get close to" in law enforcement parlance means "encourage criminal activity". If you read the details in these court cases, you repeatedly see an almost universal pattern of activity on the part of law enforcement to egg their targets on towards the criminal act. Drug "dealers" hassled for months to purchase LSD and repeatedly being told "no", only to finally give in and then get arrested. "Terrorists" being repeatedly contacted by informants or agents and plugged pro-terrorist encouragements for months until they agree to a part in some kind of "plot".
You have to remember that the vast majority of people won't take action by themselves. Even the crazy people that want to blow something up won't go out of their way to do it. It's the leaders you should be worried about. People that coordinate or incite others. Part of my career as an infantryman involved "riot police" training. The number one thing for arrest teams to do is to isolate and detain the people inciting the others. And this is why the powers that be are so hungry for mass surveillance: It's actually pretty easy to make giant relationship graphs of these networks to find the leaders. Remember the military talking about dropping five hundred pound bombs on phone numbers? They don't know who the person is, but they know he's a leader. Those people are easy to identify with enough information (and no, they don't need to unlock our iPhones to get at it).
It is in their best interest to keep pushing this idea that any random anti-government person is capable of an Oklahoma City bombing. The fact is, they're not.
OK, does that sound like the FBI's marketed image of a guy hanging around a playground giving out free samples to get kids hooked? They pick people who aren't dealers, and pressure them into dealing.
Exactly! Because that is what our system incentivizes! Those law enforcement and intelligence organizations have grotesquely enormous budgets and let's face it: They are shit-awful at stopping legitimate threats. That means they need to offset that terrible lack of efficiency with some number of "busts", even if they involve people that otherwise wouldn't be "dealers" or "terrorists" without the police egging them on. There is a huge incentive to go out and find dealers and terrorists, even in places where there actually aren't any.
>"Get close to" in law enforcement parlance means "encourage criminal activity". If you read the details in these court cases, you repeatedly see an almost universal pattern of activity on the part of law enforcement to egg their targets on towards the criminal act.
Do you think that real terrorist plotters just ask nicely once and then leave you alone?
Also, we're talking about mass murder here, not selling some acid. Maybe you're right about some of these drug cases crossing over into entrapment. A lot of people feel that drugs "aren't that bad" and if a friend bugged them enough, maybe they would try to find some. I don't know the facts sufficiently to conclude either way. But that's not what we're talking about here.
Right. It's all about people with power targeting people susceptible to those kinds of pressures. We have this habit in the developed world of shunning and shutting out people that are in or have been to prison. But you would do well to talk to those kinds of people. Our justice system takes the word of law enforcement over anyone else. That is a pretty precarious amount of trust in what is nothing more than another human being.
"Out of the crooked timber of humanity, no straight thing was ever made."
That's a myth. The FBI radicalizes mentally unstable people (which frankly most people are to some extent) (where radicalize means basically getting to say the kind of shit people spam Facebook and reddit with all the time) and then arrest them. The reality is vanishingly few people are both radical and have any notion of initiative and means to perpetrate an attack.
They target people who have said things online or in person, or have met with certain people, indicating their support for terrorism. Voicing support for terrorism is not illegal in this country, so you're totally wrong that that's what they're arresting people for. They then run the sting to see if the person is willing to carry out an attack, and takes concrete action toward that, like acquiring "explosives" or guns. At that point, they're guilty of a conspiracy.
How would a real terrorist find recruits inside a Western country? They'd find people that posted something indicating their support, and then they'd try to talk to them and coach them into carrying out an attack.
People do all kinds of things under peer pressure and coercion that they wouldn't do otherwise.
There's plenty of stories of tptb totally overstepping the bounds of peer pressure and coercion. I'd even argue that most people will choose to follow the crowd to fit in, not rock the boat, rather than go against their peers.
>People do all kinds of things under peer pressure and coercion they wouldn't do otherwise
So should we wait for the real terrorists to apply this "peer pressure and coercion" instead?
We're talking about mass murder here, not pushing a little dope. Under what possible logic is an FBI agent able to convince someone to kill people, but a real terrorist isn't?
The only conclusion we can draw is that there are more FBI agents in a given part of the US than real terrorist recruiters. FBI agents also have training in persuasion (watch a segment from Last Week Tonight about interrogation to see an example).
As other comments have suggested, there are plenty of "ordinary" people who could easily be radicalized if 5/6 of their friends were actually agents telling them they had to do something for God and Country. We don't round them up in stings because they function just fine in society with nobody trying to push them over the edge. What the FBI is doing is entrapment.
Have any of the attacks in the US since 9/11 been caused by people recruited on the ground in the manner used by the FBI stings? No, they come from people acting spontaneously. The challenge isn't recruiters on the ground, it's extremist ideology. And FBI entrapment fuels that ideology, rather than tempering it.
>Have any of the attacks in the US since 9/11 been caused by people recruited on the ground in the manner used by the FBI stings?
There have been way more attacks in Europe, and people have been recruited with those tactics. Coincidentally, these kinds of sting operations aren't very common in Europe, and are even banned in many countries. If we want to win this battle, there's no room for bleeding-hearts. We must be methodical, cunning, and ruthless against those who would kill us.
This same bleeding-heart attitude is what leads to people serving a measly four years in prison for shooting at police officers with an AK-47 while trying to get away after committing a bank robbery. No one should be surprised that this same person was one of the Brussels bombers.
>The older brother, Ibrahim el-Bakraoui, robbed a Western Union branch in Brussels in 2010, spraying gunfire at police from a Kalashnikov as he attempted to flee, according to his lawyer at the time and government officials. Mr. Bakraoui was caught and sentenced to 10 years in prison. In 2014, he was released with an obligation to contact his parole officer once a month.
> Then, a shock wave hits the Enterprise and Timothy says that his ship was also hit by a shock wave. Picard tells Worf to raise shields but a new shock wave is even stronger than the first one. More power is diverted to the shields and another wave hits and is even stronger. Picard and Geordi discuss putting the energy of the warp engine to the shields. Timothy states that is what they said on his ship.
> Data suddenly asks Picard to lower shields and Worf does so. The next shock wave is harmless and the Enterprise is safe. Data realized that giving energy to the shields caused even heavier shock waves (the more power the ship generated, the heavier the shock), and these were ultimately responsible for the destruction of Timothy's ship.
The lesson learned is that a strong and more vicious front may be met by an even stronger response. Obviously analogies and metaphors are only illustrations, not arguments, but judging from what I know of human nature amidst intense opposition, I don't think that a "ruthless" approach will do anything but breed more ruthlessness.
I loved TNG, but it is also one of the most outrageously politically correct and moral relativist shows I've ever watched. And Voyager was even worse. One particularly sorry episode featured Janeway willing to sacrifice members of her crew, just to avoid turning off a holodeck that spawned interesting characters. In another episode, the captain would again rather let crewmen die than use a medical treatment derived from historical unethical research. One episode of TNG comes to mind, where Picard is unwilling to beam a kid from his crew out of prison on some ass-backwards totalitarian planet, where they are planning to execute him, because of the prime directive and "respect for their laws". Are you kidding me? Of course in the show, there's always some deus ex machina that saves the day and none of the good guys have to die. In fiction, you can have your cake and eat it too. In real life, bad decisions have real consequences, like people dying.
Another line comes to mind now, where Picard wonders in amazement about how silly we were to let differences about "economic systems" drive us apart during the Cold War. Star Trek is like the poster child for wishy-washy moral relativism.
I'll take my political and moral cues from reality, not fun scifi shows written by an eccentric with a political agenda.
I'm sick and tired of this "realpolitik" bull. The reason we can't have nice things is because people give up on trying to have nice things. It's this bizarre combination of defeatism and selfishness that leads to bad foreign policy decisions and people dying.
I already pointed out that I was using TNG as an illustration, not an argument. But if you want reality, here's reality: people get pissed off when you attack and marginalize them and their friends and family. It's the role of the greater power to deescalate and try to integrate the oppressed, not wipe them out. Reality is that ruthlessness begets ruthlessness, and if your best counterargument to that is to call a TV show "wishy-washy", then you already know it's true.
Yeah, the issue has existed for years and is widely documented in the security community. There are a few reasons why we haven't seen more widespread chaos:
1. Lack of network visibility by the owners of ICS
2. Availability > Forensics
3. VNC interfaces don't always provide full access
And keep in mind that there aren't a huge number of these anonymous VNC instances to begin with. We're talking less than 10,000 instances of servers that don't have any authentication and only a fraction of them are ICS-related.
I've written/presented on the topic a few times, see:
It's important to understand that VNC is an open standard implemented by hundreds of different client and server packages. VNC does specify a password-authentication mechanism, but whether or not it's used, or how it's used, is entirely up to the implementation. Likewise with whether or not clients have control of the mouse and keyboard.
Historically, open VNC servers have been relatively difficult to find. I don't really mean difficult, just that you had to put some concerted effort into it and very few people did. It's a reasonably modern phenomenon that things like Shodan and other large-scale network scans (including accidental ones, like Google sometimes) can be used to quickly find them, and it's quite recent that someone has nicely packaged it into a website. So this is a problem with very little visibility until today. And it still doesn't really have that much visibility in the right place, which is the somewhat insular ICS industry (and a couple dozen other industries to a lesser extent).
SCADA HMIs and other ICS systems of that sort do often expose a VNC interface with no mouse and keyboard control - effectively a 'read-only' interface as you say. This is certainly less of a concern than allowing people on the internet control, but it is a significant and unnecessary security exposure. The kind of information revealed there can be very helpful to an adversary in finding a way to gain control.
In most cases, access to change configuration is protected, although it's often not protected well. I expect common vandalism against internet-exposed ICS to become more and more common going forward. In most cases it doesn't really have the potential to cause permanent damage, only reduced productivity or mere irritation to the real operators. This is not always the case, though. Idaho National Laboratories conducted a notable demonstration of causing permanent and disabling damage to a diesel generator via unauthorized access to a SCADA interface (the Aurora demonstration).
FYI: Websites like this have actually existed since late 2013 when Paul McMillan scanned the Internet for VNC images live during his talk and made the results available via a website in real-time. He did it again in 2014 at Defcon together with Dan Tentler and Rob Graham. Later that year people at CCC released a VNC roulette and they did the same again in 2015. And Shodan has been grabbing VNC images as well since 2014, made available at https://images.shodan.io
I consider this timeframe to be quite recent, for the reason that most of these systems, in ICS especially, have been installed for quite a bit longer. One of the biggest problems in that industry, as I'm sure you're aware, is the relatively very long lifecycle of equipment, and low rate of in-the-field updates.
Yes, you're right. Compared to how long these systems have actually been connected to the Internet it's only recently that we've started measuring the extent of their exposure.
Not saying VNC is to blame, but there are a number of folks very gravely concerned about the insecurity of most SCADA systems. When your infrastructure and operations are built on hardware and software expected to last 30+ years, it's hard to consider the security implications so far out.
I think it is unreasonable to expect networked software to stay secure for that long. If it isn't networked in any way then sure, that might work but then again, 30 years is a long time.
Adding remote software control to physical things like water treatment and electrical systems adds a lot of convenience, safety, and saves loads of money but perhaps some of that savings should be spent on more vigilance in regards to security.
> if there are so many hydropower plans et al vulnerable for VNC, how come we didn't have some major catastrophe?
> And there is no shortage of people out there who would not think twice to blow things up.
From my observation, those people tend to be those that care more about doing "flashy" things (i.e. be seen), rather than solving problems and bypassing protections. People that get access to important systems or acquire the skills to mess things up tend to be satisfied by having solved a puzzle and being able to mess things up.
Of course, some have. See Stuxnet (actually somewhat serious). The point is that this intersection is fairly small and only a fraction of compromised systems will actually get things messed up.
I hope I'm wrong but I feel that if a group like ISIS could do some major damage with the click of a button, then they would. And they are probably actively trying.
They can kidnap / recruit hackers and force them / brainwash them into doing anything.
They are not stupid and we saw they have no red lines. Instead of banning encryption the FBI and Interpol should force dangerous infrastructure to close their security gaps first.
I just browsed around a bit (with a VNC client) and while most are closed now maybe about one out of five-ten are still open. And they are not just read-only access. Some of them are demo systems though.
I didn't even know read-only VNC was a thing, and I feel a lot less mortified about the various control panels with instrument status we're seeing. I don't give a crap if the wider Internet can see the temperature of the walk-in fridge at the lab.
I just found a PracticeFusion machine at a pediatrics office, with patient names, addresses and dates of birth. Not quite the same scale as taking down a dam, but I would surely be unhappy if my daughter's credit score tanked before her age hit single digits.
I just spent two hours trying to get in contact with the owner of a small Swedish hydropower plant that had an open VNC connection, where anyone could turn generators on/off, open the dam completely, etc.
Once I got in contact with him, this is the conversation we had:
1. I explain the critical situation
2. He pretends there's bad reception, asks for my number and quickly says "I'll call you tomorrow."
3. I explain that I am not trying to sell him anything and that I spent 2 hours finding him to tell him how anyone can control his power plant.
4. He nonchalantly ignores my warning and says "I have two power plants that you can control like this, nothing to worry about."
5. I try to explain that a LARGE group of people now know about his power plant and that I could guarantee that people will log in and tamper with it.
6. "Hmm, it is really bad reception here right now, I'll call you tomorrow."
If the hydropower plant that is referenced here is "Nordansjö Kraftverk" - then it's been fixed yesterday, through a tipoff to CERT-SE at MSB (Swedish Civil Contingencies Agency).
People in Sweden made that joke as well. Kind of worried I will get in trouble legally because of this. If there are going to be any issues with the dam, he will probably blame me. :(
Your periodic reminder that under US law, you do not have to somehow get past a login page to be exceeding authorized access to a computer system. A prosecutor needs only to show that a reasonable person, looking at the same computer system, would have known they had no authorized access to it.
That makes things like this a pretty bad idea. At least, in the US.
By any chance, do you know what the legal status of, say, shodan.io is in the US?
If the screenshots weren't reviewed - or, worse, hand-picked - by a human, but fetched in completely automated and unsupervised manner, then it's essentially the same as any other crawler bot (like Shodan or even Google/Bing) does. Connecting to random public services running on globally-routeable addresses and politely asking them what they do (then storing the result) can be argued to be perfectly legal.
The technical details don't much matter. What matters is what the users do with it, and whether their uses can be shown, by a prosecutor, to represent the kind of access that a reasonable person looking at the same computer system would know was not authorized.
To be fair to the post, and anyone viewing the page, all you're seeing is a screenshot of what I am assuming a bot or crawler made when it successfully connected to various IPs over port 5900.
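The two technical points made above (that RFB only defines password authentication as a negotiated option, so whether a server demands one is up to the implementation, and that a crawler on port 5900 just connects and asks the server what it offers) can be demonstrated with the first two messages of the RFB handshake. The following is an added example and is not code from the site, from Shodan, or from any commenter; the function names, the `probe` helper and the sample server messages are my own constructions, while the security-type numbers come from RFC 6143 and the IANA rfb-security-types registry. It classifies what an anonymous client is offered without selecting a security type or sending ClientInit, so no framebuffer is ever requested.

```python
import socket
import struct

# RFB security-type numbers (RFC 6143 plus the IANA registry); only the
# ones commonly seen on port 5900 are named here.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop",
}


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte 'RFB xxx.yyy\\n' ProtocolVersion message that the
    server sends first. Returns (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion banner: %r" % banner)
    major, minor = banner[4:11].decode("ascii").split(".")
    return int(major), int(minor)


def _failure_reason(data: bytes) -> str:
    """Decode the u32-length-prefixed reason string that follows a refusal."""
    (n,) = struct.unpack(">I", data[:4])
    return data[4:4 + n].decode("utf-8", "replace")


def parse_security_types(version: tuple, data: bytes) -> list:
    """Return the security types the server offered.

    RFB 3.3: the server dictates one type, sent as a big-endian u32.
    RFB 3.7/3.8: the server sends a one-byte count followed by one byte
    per type, and the client picks. In both, 0 means refusal + reason."""
    if version <= (3, 3):
        (sec_type,) = struct.unpack(">I", data[:4])
        if sec_type == 0:
            raise ConnectionError(_failure_reason(data[4:]))
        return [sec_type]
    count = data[0]
    if count == 0:
        raise ConnectionError(_failure_reason(data[1:]))
    return list(data[1:1 + count])


def classify(types: list) -> dict:
    """Summarise what reaching this port buys an anonymous client."""
    names = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types]
    if 1 in types:
        # Type 1 (None): the server accepts a session with no credentials.
        # This is the "anonymous VNC" case the screenshot sites collect.
        exposure = "no-auth"
    elif 2 in types and not set(types) & {16, 18, 19}:
        # Classic VNC Authentication only: DES challenge/response keyed by
        # the password truncated to 8 bytes, no transport encryption.
        exposure = "vnc-auth-only"
    else:
        exposure = "negotiated"
    return {"types": names, "exposure": exposure}


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Version exchange plus reading the offered security types, then close.
    Nothing is selected and no ClientInit is sent. Only point this at hosts
    you are authorised to test (assumed helper; single recv per message)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = parse_version(banner)
        s.sendall(banner)  # answer with the server's own version
        data = s.recv(1024)
    return classify(parse_security_types(version, data))


if __name__ == "__main__":
    # Constructed server messages, not captured from any real host.
    samples = [
        (b"RFB 003.008\n", b"\x01\x01"),              # 3.8, offers None only
        (b"RFB 003.003\n", b"\x00\x00\x00\x02"),      # 3.3, dictates VNC auth
        (b"RFB 003.008\n", b"\x02\x02\x13"),          # 3.8, VNC auth or VeNCrypt
    ]
    for banner, msg in samples:
        print(banner.strip(), classify(parse_security_types(parse_version(banner), msg)))
```

Two caveats when reading the result: a "no-auth" answer tells you the server will hand a session to anyone, but the handshake does not say whether pointer and keyboard events will be honoured, so the read-only HMIs mentioned earlier and fully controllable ones look identical at this stage; and "vnc-auth-only" is still a weak position, since the classic challenge/response can be brute-forced offline from one captured exchange and the password is capped at 8 characters.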
At this moment we have got 91 reports from random companies claiming we breached their networks. I guess they're gonna force us to take it down, since they are so fucking stupid as to not add an 8-digit password to their VNC server! lolz
I saw patient data for some healthcare provider (including patient date of birth, phone # and addresses) and corporate emails that are obviously not intended to be public. Wow.
EDIT: It looks like a pediatrician's practice too - so all those patients are children. And all their information is just out there in the open....this doctor needs to be contacted asap and secure their system.
Each character is a 16*16 dot matrix encoded by the 16-bit integer. Old systems (from the beginning of IBM compatibles until early 1990-ish) had hardware accelerators if they wanted to use multiple fonts, IIRC one of the few breakthrough products made by Lenovo.
This one synthesized characters from geometric decomposition (and not a completely artificial one either, but Cangjie which is actually widely used to this day for computer text entry).
The stored data representation exactly matched the input form (perhaps not so surprising to users of ASCII).
which appears to be controls for a small hydropower plant, also in Sweden.
A few other bad ones I spotted include lots of industrial refrigerators, small scale wind power (mainly German), an oil futures trading platform, a fire & gas alarm system control, and someone's Outlook open with some customer complaint emails.
Edit: oh, and there was a Tesco checkout register (although closed).
"Upgrade your VNC Server license in order to benefit from premium security features ..."
"An anonymous user has connected. Number of connected users: 1"
Some of the things he found would allow a malicious person to do some real damage, that part is terrifying. But it's also really funny, so I'll go with that.
Weeeeell, if somebody turned off the cooling of a warehouse full of shrimp, that would be kind of funny (except for the poor people who live downwind and have to cope with the smell...).
If somebody turned off the backup power supply of a hospital, that would be slightly less funny.
(Full disclosure: I am a native German speaker, so the concept of Schadenfreude is quite familiar... even though I try to refrain from enjoying others' misfortunes, unless they were really, really asking for it, for example by hooking up their shrimp warehouse's climate system to the Internet without even password protection...)
It's a fake error generated in the PHP we are running; we get so many hacking attempts like this, and our site doesn't even have a SQL database, it's running on flat files on the server! Thanks for your point.
Oh God, haha. I also have that reflex of putting 's everywhere in URLs. I've found lots of surprises, but not many, to be honest. Not even 0.1% of times I've tried.
It's Swedish. Heading says "Main menu" and the boxes seem to be rooms marked "freezer" and "cooler/freezer" as well as "freeze house". Upper left you've got the outside temperature.
Looks like these URLs are not permalinks. Yesterday, this URL was showing something with two electrical pylon icons and rather large numbers like 9,000 kWh. Today, it's changed to some TV thing like you said.
This is not a honeypot; it's for research and to raise security awareness. Please contact me at twitter.com/1x0123 if you find something that should be removed from the site.
I wonder how many installs date from before the facility was put online, or are online because someone plugged something in that acts as a router without anyone's knowledge.
Meaning that this happened over years, if not decades, because admin A left and admin B was not informed that some box somewhere is serving up something for the general internet net to see.
Considering how many are a readout, I'm imagining they're read-only and are a shortcut on some other desktop to check the temperature and pressure of their gizmos.
Honestly, read-only public makes sense for that. What do I care if somebody can see the position of my overhead crane?
I think we need some sort of awareness day for the general public to understand what internet security _really_ is. Whenever I see news reports, it's always cast as "hackers broke in to..." such and such. Yet if some brick-and-mortar business is robbed because the owner left the front door unlocked, people would rightfully put the onus mostly on the store owner.
EDIT: Wow. I'm being modded into the basement. When did Hacker News become so PC? Victim-blaming? Seriously? The VNC connections illustrated on this site are that way because of incompetence and ignorance. The reason there are no unlocked brick-and-mortar businesses is because it is due diligence to protect one's assets from not just criminals, but simple mischief.
> Yet if some brick-and-mortar business is robbed because the owner left the front door unlocked, people would rightfully put the onus mostly on the store owner.
No, there were days when people did not even lock their cars and their houses (but maybe you are too young to have known that time where you live) because it was not expected that anyone would actually rob anything. Especially in communities where everyone knew everyone else. And if a robbery happened, the blame would still have been put on the thief, not the owner.
This is a sensible argument, but here is my counterpoint.
Such situations rely on mutual trust, and only work on small scales (village, loose neighborhood). On the Internet, there are billions of people that live close by.
I think the main discrepancy is that people really do not understand either that the Internet connect them to everyone or how vast the world really is.
there were days when people did not even lock their cars and their houses
There still are such days. There still are thousands of communities, even in California, where you can get away with this. The difference is not time but population density. There was probably never a time when you could leave your home unlocked and unguarded in urban cities.
>>The difference is not time but population density. There was probably never a time when you could leave your home unlocked and unguarded in urban cities.
There was and not so long ago (e.g. 40 years ago in Portugal or Poland. Probably many other countries). So I would change your statement:
The difference is not time but population density and especially politics/religion.
I'm 46, and yes I remember those days. In fact I live in Canada, and in my neighbourhood it is not uncommon for people to leave their doors unlocked. But if I lived in a different neighbourhood with a high crime rate, my doors would not only be locked, but probably bolted and an alarm system would be set every time I left the building.
The burden and responsibility to protect my home is mine. This isn't an either/or as to who to blame, it's a both/and. So back to the link. If you have a high-value service like an electrical grid, or dam, or nuclear plant that is open to the Internet (the most crime-ridden neighbourhood on the planet), do you really honesty think the media's typical response of "hackers broke in to..." is the correct narrative?
I pick number four: education. Which goes back to my point, that we need some sort of public awareness day on what Internet security _really_ is, or something - I don't really care what it is - to change the narrative. Otherwise we're going to have some huge disaster to some major infrastructure because of an unprotected remote connection like the article shows, and the company that committed it will likely cover up the cause.
People make well-meaning assumptions about security. For example, most of the oscilloscopes that we use at work have remote access turned on with a trivial password (the scopes themselves run windows, and have a VNC server installed [1]).
If you go read Tektronix's instructions - their screenshots show "no authentication" selected.
This itself isn't really an issue, since the networks that we're connecting these to are isolated, inbound-only lab networks. We know that. Our lab admins know that. The network security guys know that. There are exceptions filed for the IPs of these devices.
However, if someone ever -changed- that network configuration and opened it up to the rest of the corporate network (or for some terrible reason, the internet), those scopes would be just as ripe for takedown as the stuff shown in TFA.
It just takes that small network change to enable something -else- to access the WWW (code download for security updates, anyone?) that exposes our other items on the network. In fact, I can think of several reasons why someone might expose a VNC:
1. Actual remote control -within- a facility, but the deployment guide probably says "use a secure network"
2. Someone wrote a cool Web GUI to "modernize" something, and used VNC (undocumented and poorly-configured) to pull off what they pulled off
3. Someone exposed a subnet to the internet to enable remote access for something -else- which was probably properly-secured, but happened to -also- expose the thing hosting the VNC server.
I live in one of the largest cities in Finland, and I routinely see people leave their bicycles unlocked in the town center, because bike theft is so rare that most people don't worry about it, or only take minimal precautions.
Meanwhile, in my tiny town in the States bike theft was basically the single most common form of crime, and I know of one house I would walk by every week that would openly have as many as half-a-dozen stolen bikes displayed for sale in their front yard.
About 4000 bikes were stolen in Helsinki ([0], pop. 600k) in 2014. This is about the same number as in the city I live in (Germany, around the same population), where I'd never leave a bike unlocked, and where bike theft is considered a problem. Though I am sure there are places where it's much worse, and conversely that it's much better in other cities in Finland.
In Japan street crime is very low but both bicycles and umbrellas are 'borrowed' on a routine basis. Kind of like an informal bike sharing system. Consequently most bicycles are of the $80 made in China variety.
Here in Canberra Australia I would regularly come back to my bike to find new marks in the plastic around my chain where somebody had tried to cut through. Your chain has to go through both wheels if you have quick release on the front, and you can't leave any clip on lights or your water bottle or it will be gone.
A few years ago I watched a junkie go from bike to bike in a bike rack testing each lock to see if it would open easily. Right in plain view of everybody. When I confronted him he launched into some long and carefully rehearsed sob story about how his friend told him to come and get his bike but didn't know which one it was.
I actually accidentally left my bike beside a busy street last night here in Seoul unlocked. I went back and got it today (Sunday night) and not a single person had touched it.
I don't think that it's population density as much as the shared culture of the place you live. I would have totally blamed myself if my bike wasn't there today, and I think it would be stupid to blame anyone else.
Density, shared culture, and perhaps functioning social services. Thus there is less of an incentive for petty crime, as basic needs are covered via less risky means.
I wouldn't leave my bike unlocked in Helsinki. Just last year my bike was stolen near the Parliament house (Kiasma) even though it was locked to the stand.
Just because locks have existed for thousands of years doesn't mean they are used everywhere. When I lived in the countryside in Australia we didn't lock the doors. That's not "an extremely long time ago" ;)
Most often people had nothing to steal and often couldn't afford good locks anyway. When the last of my grandparents' 13 kids left the house and they actually started to have enough money to buy nice stuff, they also bought and used a lock.
While I agree with the sentiment for physical objects it doesn't apply to things connected to the Internet. An old "smart" TV may have no resale value whatsoever but that doesn't mean it has no value from an attacker's perspective.
From the attacker's perspective something like a connected smart TV has extremely high value as a mechanism for further penetrating a network. Black boxes that no one can log in to under normal circumstances are the perfect secret strongholds to maintain a persistent presence on any given network.
These days still exist. And nearby some people even leave their keys in their cars. However, in a city, you just can't do it. Too many risks and people barely know each other.
Now comes the Internet. It's a huge giga-city. Expect robbery, larceny, hacking, and more.
That not locking the door stuff was simply because back then people didn't fetishize objects, and also because they were too poor to have anything worth stealing. Rich people always made sure their stuff was protected (from the poor).
But do we blame Google when their robot indexes some completely unprotected webpage that the host owner didn't mean to be public but hasn't done anything to say so?
> I think we need some sort of awareness day for the general public to understand what internet security _really_ is.
Nope. This would never work. People don't understand how much of it works. Taking a day out of the year to explain / re-explain isn't going to do a single thing. Instead you need to make computer classes mandatory in K-12 and get people educated on how they work so they can understand the issues.
Take a topic you know absolutely nothing about. Let's say it's aerospace. Now every year we have an aerospace day to try and explain to you how various types of fan and jet engines work. You certainly wouldn't expect everyone to be able to handle fixing one after that one day, would you? Same with internet security.
> owner left the front door unlocked, people would rightfully put the onus mostly on the store owner.
So just because the store owner does something stupid you think most people would consider it his fault? That's...that's horrible. Yeah he possibly could have prevented it (though you don't actually know that as they could have broken in anyway; people don't just go up to stores at night to randomly test doors then go home).
I taught high-school computer science. I taught about how the internet works, password security, encryption as well as programming.
I once had a lad declare that GitHub was stupid, because it locked out our IP for 5 minutes after the class tried to login to their accounts with at least half of them forgetting the strong passwords I insisted they use.
I watched a girl log into her vps by running her finger across the top row of her keyboard. When I insisted she change her password, she ran her finger across the keyboard in the opposite direction.
Many people know and understand basic security, they just don't care. They think they have nothing of worth losing, and so don't need to be secure. Even after I explained to the student that their vps could be used to mine bitcoin, fetch pornographic material or send out phishing emails, their attitude was very much - meh!
I'm all for educating people on these issues, but the true way to protect them from their own stupidity is to ensure that it is impossible for them to start up a VNC server without enforcing a strong password. Security by design will be even more important as IoT becomes more prevalent.
tl;dr - You can't rely on users to protect themselves.
> I'm all for educating people on these issues, but the true way to protect them from their own stupidity is to ensure that it is impossible for them to start up a vnc server without enforcing a strong password.
What is a 'strong password'? Minimum 12 characters, 2 symbols, 2 caps, 2 lower case? "1!qQaAzX2@wWsSxX" fits (and exceeds) those requirements.
Trying to enforce strong passwords doesn't work; people just make up new insecure passwords.
> Take a topic you know absolutely nothing about. Let's say it's aerospace. Now every year we have an aerospace day to try and explain to you how various types of fan and jet engines work. You certainly wouldn't expect everyone to be able to handle fixing one after that one day, do you? Same with internet security.
People don't interact with jet engines, but they do interact with planes. And they're lectured about airplane safety every single time they get in a plane. So this might actually be an argument in favor of educating people about internet security.
Bottom line: please don't overuse analogies. They don't prove anything.
People also don't interact with security on their computer pretty much ever but they do interact with their computer / the internet. Seems like a perfect analogy to me.
> Now every year we have an aerospace day to try and explain to you how various types of fan and jet engines work. You certainly wouldn't expect everyone to be able to handle fixing one after that one day, do you? Same with internet security.
Actually, I'd expect a lot of increase in awareness of what the relevant issues are. No, I wouldn't expect someone exposed to aerospace day to be able to fix a jet engine. But they're much more likely to know what problems commonly occur and who can fix them.
School District policies and (ultimately) curriculum are driven by public opinion. How can a public demand better if they are not able to understand the issue?
It's a nice thought, but I suspect it to work as well as "safe electrical circuits" day would. The internet security equivalent is that companies are selling completely unsafe circuitry with live wires exposed, and we should mount an education campaign to teach people how to cover up the live wires. I suspect once the hardware/software industry matures, we'll see insurance companies become involved and there will be strict regulation around what is and is not safe.
The latest episode of ATP[0] had a section at the end about people roaming in the neighborhood checking car doors to see if any cars were unlocked and stealing stuff when hitting the jackpot.
The owner of the car can blame himself for forgetting to lock the car, the insurance won't blame anyone but won't pay for repairs, the justice system puts the blame on the thief but would not do much about it if it's petty.
And of course if it was a bank leaving bags of notes on an unlocked cabinet in the entrance, people would go bat-shit about irresponsible behavior on the banks side.
I feel that's how it would go for the online world as well.
Pretty sure theft is still theft, even if the door was unlocked. Of course negligence can make it your fault, but even if you find a million dollars on the street - legally - it's not yours.
Sure, but when Target, LinkedIn, et. al. are hacked, why don't people blame them for poor security practices? It's always the "hacker's" fault. Sure, it's wrong to exploit those weaknesses, but so is robbing an unlocked store. The hacker (robber) is still wrong, but only in the physical world do people put some blame on the "hackee" (store).
When I get robbed: the robber hurt me, and I failed to protect myself. Failing to protect myself is not a social problem.
When my bank gets robbed: the robber hurt me and the bank, and the bank failed to protect me. The robber is at fault, and the bank is at fault for breaking its promise to me. That's a social problem.
Sure, but when Target, LinkedIn, et. al. are hacked, why don't people blame them for poor security practices?
Security is hard. Blaming the victim of a hack is pointless because usually you have no idea whether they did something wrong or if they were the target of a particularly clever attacker.
Maybe when the victim isn't a billionaire organization that is true.
In the case of these large corps being hacked, they are 100% responsible, and for most of them we do know how they got hacked; it's usually through very humdrum (if organized) means.
Sure, but when you find plain text passwords or unencrypted credit card info (two of the basics of starting ANY business), victim blaming seems warranted.
There can be a door, but there is arguably no burglary or theft.
1. You drive to a random address(es), accessible from the public premises (IP).
2. You knock on the door (TCP SYN).
3. Someone comes and opens it for you (TCP SYN+ACK).
4. You ask what's here (VNC handshake).
5. You're told it's a power plant or doctor's office or whatever (VNC frame data).
6. Sometimes the replies aren't fun, sometimes it's really weird - some pal seems to be willing to control a nuclear reactor for you, no questions asked.
7. You blog about your experience, including a conversation transcript.
It could be wrong to publicly announce (step 7) that there's a weird person in there (with full address details) that can do anything for you, as this can put others in danger. It's ethically unclear: it requires a human review and judgment (a robot can't tell if it's weird, so if data collection is fully automatic and unsupervised it becomes complicated), and even for humans it's probably not completely wrong to disclose, if done responsibly.
But just driving by and knocking on random doors asking what's there - it would be really weird to me if we'd say there is anything wrong with this.
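Steps 2 to 5 above are the RFB (VNC) handshake, and the server's security-type list is where "no questions asked" shows up on the wire. As an added example, not code from anyone in this thread, here is a parser for the server side of that handshake that flags servers advertising the "None" security type, useful for auditing captures from your own network; the byte strings and host names below are constructed placeholders.

```python
"""Parse the server side of the RFB (VNC) handshake and flag servers that
offer the "None" security type, i.e. accept clients without a password.
Added example; SAMPLE_CAPTURES are constructed, not real captures."""
import struct

SEC_NONE = 1
SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
    6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def _reason(body: bytes, offset: int) -> str:
    # Connection-failed message: U32 length followed by that many bytes of text.
    if len(body) < offset + 4:
        raise ValueError("truncated failure reason")
    (n,) = struct.unpack(">I", body[offset:offset + 4])
    return body[offset + 4:offset + 4 + n].decode("latin-1", "replace")


def parse_rfb_server_handshake(data: bytes) -> dict:
    """Return protocol version, offered security types and whether an
    unauthenticated ("None") session is among them. `data` is everything
    the server sent before the client picked a security type."""
    if len(data) < 12 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(data[4:7]), int(data[8:11]))
    body = data[12:]
    result = {"version": "%d.%d" % version, "offered": [], "failure_reason": None}
    if version < (3, 7):
        # RFB 3.3 (and 3.x variants below 3.7): the server dictates one type as a U32.
        if len(body) < 4:
            raise ValueError("truncated security type")
        (sec_type,) = struct.unpack(">I", body[:4])
        if sec_type == 0:
            result["failure_reason"] = _reason(body, 4)
        else:
            result["offered"] = [sec_type]
    else:
        # RFB 3.7+: U8 count, then one U8 per security type the server accepts.
        if not body:
            raise ValueError("truncated security type list")
        count = body[0]
        if count == 0:
            result["failure_reason"] = _reason(body, 1)
        elif len(body) < 1 + count:
            raise ValueError("truncated security type list")
        else:
            result["offered"] = list(body[1:1 + count])
    result["offered_names"] = [SECURITY_TYPE_NAMES.get(t, "Unknown(%d)" % t)
                               for t in result["offered"]]
    result["unauthenticated"] = SEC_NONE in result["offered"]
    return result


def hosts_without_auth(captures: dict) -> list:
    """Given {host: server_bytes}, list the hosts offering a password-less session."""
    return sorted(h for h, d in captures.items()
                  if parse_rfb_server_handshake(d)["unauthenticated"])


# Constructed sample captures with placeholder host names (not real hosts).
SAMPLE_CAPTURES = {
    "lab-scope-1": b"RFB 003.008\n" + b"\x01\x01",                     # offers only None
    "lab-scope-2": b"RFB 003.008\n" + b"\x02\x02\x13",                 # VNC auth or VeNCrypt
    "kiosk-vm": b"RFB 003.008\n" + b"\x00" + struct.pack(">I", 14) + b"Too many tries",
    "old-hmi": b"RFB 003.003\n" + struct.pack(">I", 1),                # 3.3 server, None chosen
}

if __name__ == "__main__":
    for host, raw in SAMPLE_CAPTURES.items():
        print(host, parse_rfb_server_handshake(raw))
    print("no auth:", hosts_without_auth(SAMPLE_CAPTURES))
```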
"Blame" is a complicated concept entangled with morality that a lot of people have conflicting and illogical opinions about.
I think that unless you want to start conversation about what "blame" is, it's safer to use words describing strict logical causation instead. Unlike "blame", causation is objective and doesn't depend on morality.
Stuff should be secure by default. No default passwords. No open by default. Temporary dialing down of security should reset itself to secure mode by itself after a short time. Etc.
Reasonable people don't have their doors locked all the time. Maybe they should, but mistakes and oversights happen.
Edit: After some additional research, people on message boards pointed out that many home invasions are done with lock-pick kits, or the burglar breaks a window and unlocks the door. Homes are often broken into without any damage to the lock or door, so the insurance company would never even know if you locked the door or not. It just doesn't come up in the investigation.
One of these IP addresses was still reachable. Seems to be a desk computer taking orders for pharmaceuticals; I could see a clerk write a person's name, what he ordered, everything!
Just awful! I tried to figure out what company it was and how to reach them, but nope, couldn't find anything..
This is why I just want to hide under a rock, since it is obvious that a lot of people don't know how to protect the data they have collected about me.
I don't think Ubuntu and Linux desktops' prevalence in open VNCs is indicative of prevalence. They definitely seem to be over-represented in the various examples I've seen of publicly accessible VNC servers; I would be curious to know why.
Maybe there are more users on Linux who know how to set up a VNC server, or maybe some popular VNC package has bad security defaults?
This reminds me of a program I once wrote when I first learnt SQL, a sort of randomizing port scanner that would just try random combinations of hosts and ports and store its results into a database.
Later, I added stuff like attempting AXFR zone transfers, which was interesting, and I came across some university that apparently had no firewalls in place whatsoever.
I found a few devices with open telnet ports, mostly printers. I remember clearly the thrill I felt when I realized I could make this printer refuse any print jobs or remove jobs from its queue.
I also found a few devices I had no clue about. The latter were the ones I found most fascinating, although I never took the trouble to research what those devices might have been. I suspect, though, that nowadays there must be a whole lot more of such devices around, with IoT and all that.
(My scanner never looked at VNC or RDP, though... This site makes me wish I had thought of that.)
Scary, here is a screenshot showing very sensitive patient information from practicefusion. Just because VNC is open, doesn't give you the right to show everybody in the world. I'm torn about this site.
The round bit? That's a heavy tarp, it's put over fermenters with biomass (pigs poop or similar), as the biomass ferments the tarp balloons up, due to the generated gas. The gas can be extracted later and used in power plants.
Even though most of these probably have read-only access, the fact that it's even there shows that the person that set it up didn't have security on their mind. Sure you may not be able to do anything via VNC, but what about other attack vectors on these services? Are they updated, is the OS up to date, is it using easy usernames/passwords so you can SSH in, for example?
VNC Server is an application that allows you to have remote access to my PC. Once installed you can use any other PC (or a phone/tablet) that has the client VNC software installed to connect to it and remotely log in as if you were sitting in front of it. VNCRoulette is a site that is scanning for these servers on the Internet, logging in, and taking a screenshot of the desktop. VNC can be secure with an extra logon password, but a lot of systems and users don't bother. It's this vulnerability that VNCroulette is exploiting. Most of the PCs it's connecting to are 'read only' so the remote access can only see the desktop and not interact with it, but a good many are read/write with no restrictions.
Think of it this way. Is browsing to a random HTTP address via IP on the internet and then screencapping the picture produced on your browser legal?
Then using a VNC client in the same way would fall under the same legal purview. I think as long as there is no interaction to carry out functions, or attempts at password/username combos, then it's fair game.
A prosecutor armed with the CFAA would probably disagree with you.
Browsing to an address with your browser is like checking to see whether a shop on main street is open right now. Attempting to connect to an address with VNC is more akin to walking around the back of a house and checking if the rear door is locked or not.
I count 541 examples - I wonder how many more are this easily accessible ... I hope each and every one of them has been contacted or at least left a message if possible ...
Yeah, could be a VM fullscreen, but has anyone thought this could be just random screenshots stolen from somewhere? I can make up a very nice story about a flying spaghetti monster given Google Images' index.
QEMU and VirtualBox have VNC servers too. Can be a handy feature.
Why this would be exposed to the public Internet, I have no idea. Maybe some poor soul was doing this in a combination of being directly plugged in, no NAT/router in the way, and lack of or weak OS-side firewall.
Speaking of NAT, IPv6 might make these things even riskier, but I hope most people are running a firewall on their OS. The built-in ones on Windows, Mac, Linux should all do fine.