[ISN] Thousands Of People Oblivious To Fact That Anyone On The Internet Can Access Their Computers

http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/ By Kashmir Hill Forbes Staff 8/13/2014 There are technologists who specialize in “scanning the Internet.” They are like a search team making its way through a neighborhood, but instead of checking the knob of every door, they check Internet entrances to online devices to see which ones are open. These people have been screaming for some time that there is a lot of stuff exposed on the Internet that shouldn’t be: medical devices, power plants, surveillance cameras, street lights, home monitoring systems, and on and on. But incredibly, their message doesn’t seem to get through, because their scans keep on picking up new devices. While talking about the issue at hacker conference Defcon on Sunday, security engineer Paul McMillan sent his winged monkey scanners out looking for computers that have remote access software on them, but no password. In just that short hour, the results came pouring in: thousands of computers on port 5900 using a program called VNC for remote access. The total number is likely over 30,000. Those using the program failed to password-protect it, meaning anyone who comes looking can see what they’re doing, and manipulate their computers. McMillan set a scanner to take a screenshot of every exposed computer it came across. I went through the screens captured Sunday and saw people checking Facebook, playing video games, watching Ender’s Game, reading Reddit, Skyping, reviewing surveillance cameras, shopping on Amazon, reading email, editing price lists and bills, and, of course, watching porn. I saw access screens for pharmacies, point of sale systems, power companies, gas stations, tech and media companies, a cattle-tracking company, and hundreds of cabs in Korea. This isn’t just about watching people use their computers; the fact that the scanner got in means anyone could manipulate the devices, changing the power company’s settings, pausing the porn stream, going through a company’s records, or reviewing the prescriptions for a pharmacy’s patients. There is no need for hackers to go to great lengths to compromise these computers; their owners have built in backdoors with no locks. “It’s like leaving your computer open, unlocked and ready to rock in a crowded bus terminal and walking away,” says security engineer Dan Tentler, who presented with McMillan. Increasingly, everything is connected to the Internet, and unfortunately, people don’t always know how to connect their things securely. “It’s important to remember that this scan only scratches the very surface of the problem,” says McMillan. “We can’t legally scan for default passwords, but I’m certain if we did, the results would be orders of magnitude worse.” […]