Earlier this week, a threat alert from Check Point singled out Shodan as a risk to enterprise operations. The advisory warns Check Point customers about the service, highlighting some of the instances where sensitive data was exposed to the public because Shodan indexed it.
When asked about the advisory [archive], Ron Davidson, Head of Threat Intelligence and Research at Check Point, said the company was seeing an increase in the variety and frequency of suspect scans, "including scanners operated by threat actors that mimic the network signatures of legitimate security scanners."
From the look of things, Check Point's advisory is warning customers to block Shodan because hackers use it and sensitive information has been discovered via the platform. Strictly speaking, that isn't a false claim or assumption; Shodan has been used to expose several significant data repositories in the past – many of them covered here on Salted Hash.
Davidson also added that blocking Shodan or other scanners "in no way fixes security gaps and existing vulnerabilities."
"Check Point certainly recommends all customers to conduct security scanning often, in a professional manner, and to address all security gaps that are revealed in these scans. Check Point understands, however, the preference of many of its customers that the results of their security scans are not exposed widely and openly, so we provide relevant controls for customers to deploy according to their policies," Davidson said.
But that isn't how the advisory reads, and that's the problem.
The technical advice offered to customers and the statements given to the media are out of alignment.
There are no mentions of regular security scans in the advisory. There are no notes that state blocking scanners isn't really going to fix anything.
In fact, if it weren't for Davidson's statement to Salted Hash, Check Point's external thoughts on the matter would never be known, because they're certainly not in the advisory developed internally.
As for organizations that wish to hide, rather than fix, the security shortcomings recorded by a passive scan, that's a different problem. Sadly, security by obscurity is still viewed as a viable option by some organizations.
So how does this advisory look to a security practitioner?
Security Researcher Dan Tentler, no stranger to Shodan himself, feels that Check Point's advisory has some massive, glaring issues, especially from a firewall vendor that has been around for as long as they have.
Shodan, Tentler explained in an email to Salted Hash, is a search engine. Just like Google. However, blocking Google isn't going to fix an organization's security problems.
"Shodan is not the only search engine that has found vulnerable things on the internet. Just blocking Shodan won't stop access to your poorly written Web app, or your publicly exposed admin interface," Tentler said.
Moreover, he added, hiding a vulnerability from a search engine such as Shodan doesn't make the vulnerability itself magically disappear. But the kicker, and what makes the Check Point advisory so bad in his opinion, is that they're advocating blocking the good guys.
"Check Point is advocating to its customers that it should block the good guys. They're insinuating that extranational actors that are clearly 'acting shady' haven't already been scanning us for 20 years. You'd think a 20+ year old security vendor would have some idea of what the threat landscape is now, has been in the past, and how it has changed in two decades," Tentler added.
Indeed, criminals and rogue nations have been scanning the Internet long before such things were considered cool. They're the hipsters of strange Internet traffic and packets.
As Tentler explained in his email, criminals were scanning the Web back when the good guys were still prevented from doing so (either by law or cost), and now that the good guys have somewhat caught up on their scanning game, Check Point wants to stop them.
"If nothing else, this is a 'bore sample' of the computer security industry as it is today. People who don't understand security, trying to sell security hardware and security services, simply because they have the marketing teams to reach enough people and sell enough equipment to stay afloat or even make a profit," Tentler said.
Another interesting thing about the advisory that stands out to Salted Hash is its narrow focus. The services listed by Check Point are just the base scans. For example, MongoDB isn't included – yet five of the last eight stories on this blog (including this one) are sourced from Shodan research focused on MongoDB.
Blocking industrial control, VPN, or building automation-based scans does nothing if the engineering, human resources, and IT databases are exposed to the public.
Shodan isn't the enemy.
In fact, Shodan is a seriously useful tool. Instead of blocking it, integrate it within your security process and use it to discover things you might not know about.
Use it to search for information on your IP blocks. Look for things that were exposed by accident, and if you're lucky, you'll find them before a researcher does – which almost always leads to someone like me calling you up to chat about a data breach.
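The defensive use described above, searching your own address space and flagging anything you did not mean to expose, looks roughly like the following. This is an added example, not code from the article, from Check Point or from Shodan. It assumes that result records carry the field names Shodan's REST API uses (`ip_str`, `port`, `transport`, `product`) and that the `shodan` Python package and its `net:` search filter are available for the live query; the sample records and the expected-port policy below are constructed so the triage logic runs offline.

```python
"""Triage Shodan-style host records against the ports you intend to expose.

Added example for illustration; not the article's or Shodan's own code.
Assumption: records follow Shodan's REST API field names (ip_str, port,
transport, product). SAMPLE_RECORDS and EXPECTED_PORTS are constructed.
"""
import ipaddress

# Constructed sample: the shape of `matches` entries Shodan returns for a
# `net:` query. The 198.51.100.7 entry is deliberately outside our netblock.
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "203.0.113.25", "port": 27017, "transport": "tcp", "product": "MongoDB"},
    {"ip_str": "203.0.113.40", "port": 502, "transport": "tcp", "product": "Modbus"},
    {"ip_str": "198.51.100.7", "port": 22, "transport": "tcp", "product": "OpenSSH"},
]

# Constructed policy: per netblock, the ports you *intend* to be reachable.
# Anything else that Shodan indexed in that block is a finding to investigate.
EXPECTED_PORTS = {"203.0.113.0/24": {80, 443}}


def triage(records, expected_ports):
    """Split records into (unexpected, out_of_scope).

    unexpected  : hosts in one of our netblocks with a port not in the policy
    out_of_scope: hosts not in any netblock we own (a query/ownership mismatch)
    """
    nets = {ipaddress.ip_network(c): ports for c, ports in expected_ports.items()}
    unexpected, out_of_scope = [], []
    for rec in records:
        ip = ipaddress.ip_address(rec["ip_str"])
        owner = next((n for n in nets if ip in n), None)
        if owner is None:
            out_of_scope.append(rec)
        elif rec["port"] not in nets[owner]:
            unexpected.append({
                "ip": rec["ip_str"],
                "port": rec["port"],
                "product": rec.get("product", "unknown"),
                "netblock": str(owner),
            })
    # Sort so the report is stable and easy to diff between runs.
    unexpected.sort(key=lambda f: (f["netblock"], f["ip"], f["port"]))
    return unexpected, out_of_scope


def fetch_records(api_key, cidrs):
    """Live query of Shodan for each netblock (needs network and the
    `shodan` package; not called in the offline demonstration below)."""
    import shodan  # imported lazily so the offline path has no dependency
    api = shodan.Shodan(api_key)
    records = []
    for cidr in cidrs:
        results = api.search(f"net:{cidr}")
        records.extend(results["matches"])
    return records


if __name__ == "__main__":
    findings, foreign = triage(SAMPLE_RECORDS, EXPECTED_PORTS)
    for f in findings:
        print(f"UNEXPECTED {f['ip']}:{f['port']} ({f['product']}) in {f['netblock']}")
    for r in foreign:
        print(f"OUT-OF-SCOPE {r['ip_str']}:{r['port']} is not in a netblock we own")
```

Run it periodically (the policy dictionary doubles as documentation of what the organization believes it exposes), and treat every `UNEXPECTED` line as a ticket: in the constructed sample it surfaces exactly the kind of accidental MongoDB and industrial-protocol exposure the article describes, and the `OUT-OF-SCOPE` line catches the case where the search returned addresses you do not actually own.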