We're seeing a lot of attacks against large online assets that are being successfully executed by very under-skilled adversaries, very often children. Much of the reason behind this is due to very low-hanging vulnerabilities that are easily exploited combined with a prevalence of tools that make it a simple task for anyone with a bit of curiosity. In this Play by Play, you'll explore "the Internet of vulnerabilities", that is to draw awareness to how fundamentally flawed much of the Internet is.
Niall is a solutions architect and security professional based in Norway. He
specializes in Web Application, Network, and Social Engineering style attacks and can be found
travelling the world, telling people how these attacks work.
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
Course Overview Welcome to this Play by Play with Pluralsight. A Play By Play is a series where we sit down with an expert and talk through a problem or topic in a very candid natural way. There's very minimal scripting. We just get down to business. In this Play by Play, I talk with my good friend and fellow security researcher, Niall Merrigan, about the Internet of Vulnerabilities. And what I really wanted to spend time showing you with Niall is just how many problems there are out there on the web. We show you how easy it is to find exposed connected devices. Everything from machines with Remote Desktop Protocol open to webcams to IoT things connected to the web. We go on to talk about just how easy it is to find vulnerable systems on the internet, not just vulnerable systems but step-by-step instructions about how to exploit them. And that can be done using a combination of Google and some easily accessible, freely available tools. We talk a lot about Wi-Fi, just how vulnerable our devices are, how much information they all share about us without us even knowing it. We even touch on the Wi-Fi rubbish bins. And, finally, the dark markets. They sound a lot scarier and inaccessible than what they actually are. Dark markets on the web are extremely prevalent and very easy to locate. This is a really practical somewhat scary Play by Play. I hope you enjoy watching it.
Shodan Overview I'm here with Niall Merrigan, a good friend of mine who also does many different security things. Niall, why don't you tell everyone who you are and what it is that you do. Hi, my name is Niall Merrigan. I'm a solution architect working in Norway, and I also have a very strange fascination with security much like Troy and do a lot of kind of traveling around the world speaking on that type of subject. So, obviously, you and I are at a lot of the same events together. We do a lot of security things. I do a lot of stuff about how to protect systems. I also have a Pluralsight course on how to protect systems. But it's also kind of interesting to see how easy it is to break systems, particularly to have a look at the Internet of Vulnerabilities. So shall we go and have a look? We should, and I think I'll lead off by showing you how to find the Internet of Things on the internet. So, I've been to your talks before, and one of the things that you talk about a lot is Shodan. So why don't you tell us what Shodan is and some of the frankly kind of scary stuff that you can find there. Shodan is a search engine for the Internet of Things. It's written by a guy called John Matherly. And what he decided to do was he got very curious as to what type of devices were on the internet and how to find them because people generally assume that you've got---it's very hard to find things online. And we use Google, and we find information that way, but there was nothing for devices. So he wrote this big web crawler, called it Shodan, and it just captures an amazing amount of data all over the world. Now there's a ton of different things it searches for, everything from refrigerators to TVs to databases, video game servers, you name it. And if it's connected to the internet, it will probably find it.