Shodan
Moderator: Vraith
- Hashi Lebwohl
- The Gap Into Spam
- Posts: 19576
- Joined: Mon Jul 06, 2009 7:38 pm
Shodan
Although it has been around for several years, Shodan is just now making its way into the broader public. According to its own description, it is "the world's first search engine for Internet-connected devices". In other words, any device which receives an IP address may be cataloged in Shodan's engine, including iPhones, web-connected baby monitors, home security systems, etc. all of which are searchable via Shodan...as well as viewable in real time. According to this article from Vocativ the author(s) were able to set up a free account, search for home cameras, then view images from the insides of people's houses, including the ability to pan the camera, in only a few minutes. Most of the devices reachable via Shodan are not password protected or have really weak passwords like 'admin', 'password', '123456', or any of the others from often-published lists of "most-used passwords". In short, most people are stupid when it comes to security.
My password for our network at the house is 17 characters, alpha/numeric/symbolic, and is not found in any dictionary; even the most intense brute force cracking attempts would take billions of centuries to hack such a password. The number one key to password security is length--the password "k1ttYk4t!!!!!!!!!!!" is more secure than "f8N9)$h2wo_z6Fv" because the first password is 19 characters long and the second is only 15 characters long even though the first one isn't as "complex".
Anyway...most people and businesses are still stupid when it comes to Internet connectivity and security--their devices are cataloged in this search engine for anyone to use. Am I going to sign up for a free account on Shodan? Yes, of course I will. Am I going to look for connected yet unprotected devices? Yes, I will probably do so for a lark but I am not going to get seriously into it.
The Tank is gone and now so am I.
- Hashi Lebwohl
- The Gap Into Spam
- Posts: 19576
- Joined: Mon Jul 06, 2009 7:38 pm
As interesting as it is--and it really is--one must remember that Internet connections go both ways. If you look at someone else's camera or system then their system is looking at you, too, and may actually be a honey pot or may result in an attack of opportunity. Caveat browser.
The Tank is gone and now so am I.
- Cord Hurn
- Servant of the Band
- Posts: 7901
- Joined: Mon Oct 28, 2013 7:08 pm
- Location: Tucson, Arizona, USA
- Has thanked: 15 times
- Been thanked: 13 times
Hashi Lebwohl wrote: As interesting as it is--and it really is--one must remember that Internet connections go both ways. If you look at someone else's camera or system then their system is looking at you, too, and may actually be a honey pot or may result in an attack of opportunity. Caveat browser.
A timely warning. Appreciated!
- Vraith
- The Gap Into Spam
- Posts: 10623
- Joined: Fri Nov 21, 2008 8:03 pm
- Location: everywhere, all the time
- Been thanked: 3 times
Avatar wrote: Proxies.
--A!
Cord Hurn wrote: That idea works for me. Who should I frame?
Better hope no one---especially your target---has real access and knowledge.
Apparently the bleeding edge observers don't bother with your IP or proxies, or any of that crap. They'll take it if they can get it of course, and are running old-school methods to do it as background apps. Makes it easier to know stuff, but isn't necessary.
No, the real action is directly collecting info from/about your device. All kinds of info---even the state/rate/statistics of your battery...not kind/model/specs in general...your specific battery itself. The number of pixels on your screen [and which ones are "dead."]
Even if you could encrypt everything [which you can't. Your device would not function] they can build a profile of you based on the data about the encryption. Change your encryption all the time? Over time, THAT reveals/builds your profile.
Not to make anyone paranoid, or anything.
[spoiler]Sig-man, Libtard, Stupid piece of shit. change your text color to brown. Mr. Reliable, bullshit-slinging liarFucker-user.[/spoiler]
the difference between evidence and sources: whether they come from the horse's mouth or a horse's ass.
"Most people are other people. Their thoughts are someone else's opinions, their lives a mimicry, their passions a quotation."
the hyperbole is a beauty...for we are then allowed to say a little more than the truth...and language is more efficient when it goes beyond reality than when it stops short of it.