Shodan Safari, where hackers heckle the worst devices put on the internet

If you leave something on the internet long enough, someone will hack it.

The reality is that many device manufacturers make it far too easy by using default passwords that are widely documented, allowing anyone to log in as “admin” and snoop around. Often, there’s no password at all.

Enter “Shodan Safari,” a popular part-game, part-expression of catharsis, where hackers tweet and share their worst finds on Shodan, a search engine for exposed devices and databases that is popular with security researchers. Almost anything that connects to the internet gets scraped and tagged in Shodan’s vast index, including what the device does and which internet ports are open, which helps Shodan work out what the device is. If a particular port is open, it could be a webcam. If a certain header comes back, its back end might be viewable in the browser.

Think of Shodan Safari as internet dumpster diving.

From cameras to routers, hospital CT scanners to airport explosive detector units, you’d be amazed — and depressed — at what you can find exposed on the open internet.

Like a toilet, or a prized pot plant, or — as we see below — someone’s actual goat.

The reality is that Shodan scares people — and it should. It’s a window into the world of absolute insecurity. It’s not just exposed devices but databases — storing anything from two-factor codes to your voter records, and where you’re going to the gym tonight. But devices take up the bulk of what’s out there. Exposed CCTV cameras, license plate readers, sex toys, and smart home appliances. If it’s out there and exposed, it’s probably on Shodan.

If there’s a lesson here for device makers, it’s that not everything has to be connected to the internet.

Here are some of the worst things we’ve found so far. (And here’s where to send your best finds.)

An office air conditioning controller. (Screenshot: Shodan)

 

A weather station monitor at an airport in Alabama. (Screenshot: Shodan)

 

A web-based financial system at a co-operative credit bank in India. (Screenshot: Shodan)

 

For some reason, a beef factory. (Screenshot: Shodan)

 

An electronic carillon near St. Louis, used to play church bell melodies. (Screenshot: Shodan)

 

A bio-gas production and refinery plant in Italy. (Screenshot: Shodan)

 

A bird. Just a bird. (Screenshot: Shodan via @Joshbal4)

 

A brewery in Los Angeles. (Screenshot: Shodan)

 

The back end of a cinema’s projector system. Many simply run Windows. (Screenshot: Shodan via @tacticalmaid)

 

The engine room of a Dutch fishing boat. (Screenshot: Shodan)

 

An explosive residue detector at Heathrow Airport’s Terminal 3. (Screenshot: TechCrunch)

 

A fish tank water control and temperature monitor. (Screenshot: Shodan)

 

A climate control system for a flower store in Colorado Springs. (Screenshot: Shodan)

 

The web interface for a Tesla PowerPack. (Screenshot: Shodan via @xd4rker)

 

An Instagram auto-follow bot. (Screenshot: Shodan)

 

A terminal used by a pharmacist. (Screenshot: Shodan)

 

A controller for video displays and speakers at a Phil’s BBQ restaurant in Texas. (Screenshot: Shodan)

 

A Kodak Lotem printing press. (Screenshot: Shodan)

 

Someone’s already-hacked lawn sprinkler system. Yes, that’s Rick Astley. (Screenshot: Shodan)

 

A sulfur dioxide detector. (Screenshot: Shodan)

 

An internet-connected knee recovery machine. (Screenshot: Shodan)

 

Somehow, a really old version of Windows XP still in existence. (Screenshot: Shodan)

 

Someone’s workout machine. (Screenshot: Shodan)

Opera Touch is a solid alternative to Safari on the iPhone

Browser company Opera is back doing what it does best, offering you beautifully-designed alternatives to the stock browsers from the likes of Google and Apple. This week the company brought its ‘Opera Touch’ browser to iOS to give iPhone owners a new alternative to the basic Safari browser.

The app was first launched for Android in April and, as we noted at the time, it reinvents a lot of the established paradigms to work well on mobile, and particularly on large screens that don’t have a home button — which is steadily becoming the norm for premium devices on the market today.

Touch for iOS — which you can download here — will be of particular interest to owners of the iPhone X or Apple’s newest iPhone XS, iPhone XS Max and (upcoming) iPhone XR devices, since it is optimized for one-handed use. That is to say, it employs the same nifty user interface seen on the Android app (see below), which lets you open or close tabs, switch to search, and go back or forward using a menu bar located at the bottom of the screen. One thing it is missing, for now, is more comprehensive management of bookmarks.

The app also includes Opera’s ‘Flow’ technology which lets a user pass links, images and notes from their phone to an Opera browser on their computer using a “secure and private” connection.

As ever, the Opera browser comes with ad blocking built in, and there’s the company’s usual protection from cryptojacking — that’s when a compromised or malicious web page uses your CPU to mine cryptocurrency for someone else.

All in all, the browser is worth taking for a spin if you have one of Apple’s new home-button-less devices and want an alternative to the pre-loaded Safari browser. Other options include Google Chrome, recently given a redesign for its tenth anniversary, as well as Mozilla Firefox, UC Browser, Dolphin and Brave.

A new CSS-based web attack will crash and restart your iPhone

A security researcher has found a new way to crash and restart any iPhone — with just a few lines of code.

Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link.

The code exploits a weakness in WebKit, the web rendering engine in iOS that Apple requires all apps and browsers to use, Haddouche told TechCrunch. He explained that by nesting a huge number of elements — such as <div> tags — inside an element with a CSS backdrop-filter property, you can exhaust the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage.

“Anything that renders HTML on iOS is affected,” he said. That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code, or anyone sending you an email, he warned.

TechCrunch tested the exploit on the most recent mobile software, iOS 11.4.1, and confirmed that it crashes and restarts the phone. Thomas Reed, director of Mac & Mobile at security firm Malwarebytes, confirmed that the most recent iOS 12 beta also froze when tapping the link.

The lucky few whose devices don’t crash may just see the user interface restart (or “respring”) instead.

For those curious, you can see how it works without it running the crash-inducing code.

The good news is that as annoying as this attack is, it can’t be used to run malicious code, he said, meaning malware can’t run and data can’t be stolen using this attack. But there’s no easy way to prevent the attack from working. One tap on a booby-trapped link sent in a message or opening an HTML email that renders the code can crash the device instantly.
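The article describes the shape of the page (a very large number of nested elements beneath an element styled with backdrop-filter) and notes that there is no easy client-side fix. One place a defender can act is before rendering: a mail gateway or link-preview service can refuse to render HTML that matches the pattern. The scanner below is an added example written for this page; it is not Haddouche’s proof-of-concept and it does not reproduce or render the crash page. It is a heuristic over raw HTML text: the nesting threshold, the assumed list of void elements and the constructed sample inputs are all assumptions, and a quoted `>` inside an attribute or an unusual stylesheet will defeat the simple tag regex.

```javascript
'use strict';
// Added example (not from the article): a heuristic scanner for the
// "many nested elements inside a backdrop-filter element" pattern described
// above, intended for a gateway that decides whether to render untrusted HTML.
// NEST_DEPTH_LIMIT is an assumption; tune it against a corpus of real mail.
const NEST_DEPTH_LIMIT = 200;

// Elements that never have a closing tag (assumed subset of the HTML spec list).
const VOID_ELEMENTS = new Set([
  'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input', 'link',
  'meta', 'param', 'source', 'track', 'wbr',
]);

const BACKDROP_RE = /(^|[\s;])(-webkit-)?backdrop-filter\s*:/i;

// Collect class names whose <style> rules declare (-webkit-)backdrop-filter,
// so a class-styled container is caught as well as an inline style.
function backdropClasses(html) {
  const classes = new Set();
  const styleRe = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
  let block;
  while ((block = styleRe.exec(html)) !== null) {
    const ruleRe = /([^{}]+)\{([^}]*)\}/g;
    let rule;
    while ((rule = ruleRe.exec(block[1])) !== null) {
      if (!BACKDROP_RE.test(rule[2])) continue;
      for (const selector of rule[1].split(',')) {
        const cls = /\.([\w-]+)/.exec(selector);
        if (cls) classes.add(cls[1]);
      }
    }
  }
  return classes;
}

// Does this opening tag carry backdrop-filter, inline or via a flagged class?
function tagHasBackdrop(attrs, flaggedClasses) {
  const style = /\bstyle\s*=\s*(["'])([\s\S]*?)\1/i.exec(attrs);
  if (style && BACKDROP_RE.test(style[2])) return true;
  const cls = /\bclass\s*=\s*(["'])([\s\S]*?)\1/i.exec(attrs);
  return Boolean(cls && cls[2].split(/\s+/).some((c) => flaggedClasses.has(c)));
}

// Walk the tags, tracking nesting depth and the deepest nesting observed
// beneath the outermost open element that has backdrop-filter applied.
function scanHtml(html) {
  const flagged = backdropClasses(html);
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
  const stack = [];
  let maxDepth = 0;
  let backdropDepth = -1;     // depth of the open backdrop-filter element, or -1
  let maxInsideBackdrop = 0;  // deepest nesting seen inside it
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (slash) {
      const idx = stack.lastIndexOf(name);
      if (idx !== -1) stack.length = idx;          // pop to the matching open tag
      if (backdropDepth > stack.length) backdropDepth = -1; // backdrop element closed
      continue;
    }
    if (VOID_ELEMENTS.has(name) || /\/\s*$/.test(attrs)) continue;
    stack.push(name);
    const depth = stack.length;
    if (depth > maxDepth) maxDepth = depth;
    if (backdropDepth === -1 && tagHasBackdrop(attrs, flagged)) backdropDepth = depth;
    if (backdropDepth !== -1) {
      maxInsideBackdrop = Math.max(maxInsideBackdrop, depth - backdropDepth);
    }
  }
  return { maxDepth, maxInsideBackdrop, suspicious: maxInsideBackdrop >= NEST_DEPTH_LIMIT };
}

// Constructed sample input for testing the scanner (not the researcher's page):
// n nested <div>s under an element styled with backdrop-filter.
function buildNestedSample(n) {
  return '<html><body><div style="backdrop-filter: blur(3px)">' +
    '<div>'.repeat(n) + 'x' + '</div>'.repeat(n) + '</div></body></html>';
}

console.log(scanHtml(buildNestedSample(3000)));
```

Deep nesting on its own is not flagged, only nesting beneath a backdrop-filter element, so ordinary large pages pass; the threshold trades false positives against how small a crash page the scanner would miss.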

Haddouche contacted Apple on Friday about the attack; the company is said to be investigating. A spokesperson did not immediately respond to a request for comment.

Apple got even tougher on ad trackers at WWDC

Apple unveiled a handful of pro-privacy enhancements for its Safari web browser at its annual developer event yesterday, building on an ad tracker blocker it announced at WWDC a year ago.

The feature — which Apple dubbed ‘Intelligent Tracking Prevention’ (ITP) — places restrictions on cookies based on how frequently a user interacts with the website that dropped them. If a site has not been visited for 30 days, Safari purges its cookies entirely.

Since ITP debuted, a major data misuse scandal has engulfed Facebook, and consumer awareness of how social platforms and data brokers track them around the web and erode their privacy by building detailed profiles to target them with ads has likely never been higher.

Apple was ahead of the pack on this issue and is now nicely positioned to surf a rising wave of concern about how web infrastructure watches what users are doing by getting even tougher on trackers.

Cupertino’s business model also of course aligns with privacy, given the company’s main money spinner is device sales. And features intended to help safeguard users’ data remain one of the clearest and most compelling points of differentiation vs rival devices running Google’s Android OS, for example.

“Safari works really hard to protect your privacy and this year it’s working even harder,” said Craig Federighi, Apple’s SVP of software engineering during yesterday’s keynote.

He then took direct aim at social media giant Facebook — highlighting how social plugins such as Like buttons, and comment fields which use a Facebook login, form a core part of the tracking infrastructure that follows people as they browse across the web.

In April US lawmakers also closely questioned Facebook’s CEO Mark Zuckerberg about the information the company gleans on users via their offsite web browsing, gathered via its tracking cookies and pixels — receiving only evasive answers in return.

Facebook subsequently announced it will launch a Clear History feature, claiming this will let users purge their browsing history from Facebook. But it’s less clear whether the control will allow people to clear their data off of Facebook’s servers entirely.

The feature requires users to trust that Facebook is doing what it claims to be doing. And plenty of questions remain. So, from a consumer point of view, it’s much better to defeat or dilute tracking in the first place — which is what the clutch of features Apple announced yesterday are intended to do.

“It turns out these [like buttons and comment fields] can be used to track you whether you click on them or not. And so this year we are shutting that down,” said Federighi, drawing sustained applause and appreciative woos from the WWDC audience.

He demoed how Safari will show a pop-up asking users whether or not they want to allow the plugin to track their browsing — letting web browsers “decide to keep your information private”, as he put it.

Safari will also immediately partition cookies for domains that Apple has “determined to have tracking abilities” — removing the 24-hour window after a website interaction that Apple allowed in the first version of ITP.

It has also engineered a feature designed to detect when a domain is used solely as a “first party bounce tracker” — i.e. it is never used as a third-party content provider but tracks the user purely through navigational redirects — with Safari also purging website data in such cases.

Another pro-privacy enhancement detailed by Federighi yesterday is intended to counter browser fingerprinting techniques that are also used to track users from site to site — and which can be a way of doing so even when/if tracking cookies are cleared.

“Data companies are clever and relentless,” he said. “It turns out that when you browse the web your device can be identified by a unique set of characteristics like its configuration, its fonts you have installed, and the plugins you might have installed on a device.

“With Mojave we’re making it much harder for trackers to create a unique fingerprint. We’re presenting websites with only a simplified system configuration. We show them only built-in fonts. And legacy plugins are no longer supported so those can’t contribute to a fingerprint. And as a result your Mac will look more like everyone else’s Mac and will it be dramatically more difficult for data companies to uniquely identify your device and track you.”

In a post detailing ITP 2.0 on its WebKit developer blog, Apple security engineer John Wilander writes that Apple researchers found that cross-site trackers “help each other identify the user”.

“This is basically one tracker telling another tracker that ‘I think it’s user ABC’, at which point the second tracker tells a third tracker ‘Hey, Tracker One thinks it’s user ABC and I think it’s user XYZ’. We call this tracker collusion, and ITP 2.0 detects this behavior through a collusion graph and classifies all involved parties as trackers,” he explains, warning developers they should therefore “avoid making unnecessary redirects to domains that are likely to be classified as having tracking ability” — or else risk being mistaken for a tracker and penalized by having website data purged.

ITP 2.0 will also downgrade the referrer header of a webpage that a tracker can receive to “just the page’s origin for third party requests to domains that the system has classified as possible trackers and which have not received user interaction” (Apple specifies this is not just a visit to a site but must include an interaction such as a tap/click).

Apple gives the example of a user visiting ‘https://store.example/baby-products/strollers/deluxe-navy-blue.html’, and that page loading a resource from a tracker — which prior to ITP 2.0 would have received a request containing the full referrer (which contains details of the exact product being bought and from which lots of personal information can be inferred about the user).

But under ITP 2.0, the referrer will be reduced to just “https://store.example/”. Which is a very clear privacy win.
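The referrer rule above is easy to state as a decision function, so here it is as an added example written for this page (a model of the rule as quoted, not Apple’s code). The classification state is constructed: one domain classified as a tracker that has never received a tap or click, and one classified domain that has. The registrable-domain helper is a two-label heuristic and is an assumption; Safari uses the Public Suffix List, so `co.uk`-style suffixes are mishandled here. Referrer-Policy headers are ignored.

```javascript
'use strict';
// Added example (not Apple's code): a model of the ITP 2.0 referrer downgrade
// quoted above. A third-party request to a domain classified as a possible
// tracker, which has had no user interaction, receives only the page's origin.

// Assumption: eTLD+1 is the last two labels. Real browsers consult the Public
// Suffix List; this heuristic is wrong for suffixes like co.uk.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// state.trackerDomains: registrable domains the system has classified as having
// tracking ability; state.interactedDomains: those with a recorded tap/click.
function referrerForRequest(pageUrl, requestUrl, state) {
  const page = new URL(pageUrl);
  const target = registrableDomain(new URL(requestUrl).hostname);
  const isThirdParty = target !== registrableDomain(page.hostname);
  const classifiedTracker = state.trackerDomains.has(target);
  const hadInteraction = state.interactedDomains.has(target);
  if (isThirdParty && classifiedTracker && !hadInteraction) {
    return page.origin + '/';   // downgraded: origin only, path stripped
  }
  return page.href;             // unchanged full referrer
}

// Constructed classification state for the example.
const STATE = {
  trackerDomains: new Set(['tracker.example', 'social.example']),
  interactedDomains: new Set(['social.example']),
};

// The page from Apple's own example in the text.
const PAGE = 'https://store.example/baby-products/strollers/deluxe-navy-blue.html';

console.log(referrerForRequest(PAGE, 'https://tracker.example/pixel.gif', STATE));
console.log(referrerForRequest(PAGE, 'https://social.example/like', STATE));
console.log(referrerForRequest(PAGE, 'https://cdn.store.example/app.js', STATE));
```

Note the interaction exemption: a social widget’s domain the user has actually clicked on still receives the full URL, which is why Wilander’s post tells developers to avoid unnecessary redirects through domains likely to be classified as trackers rather than relying on the exemption.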

Another welcome privacy update for Mac users that Apple announced yesterday — albeit, it’s really just playing catch-up with Windows and iOS — is expanded privacy controls in Mojave around the camera and microphone so it’s protected by default for any app you run. The user has to authorize access, much like with iOS.

Apple patches zero-day vulnerabilities in Safari and OS X

The apparently government-sponsored hackery aimed at activist Ahmed Mansoor last week prompted a quick response from Apple, with a patch for iOS arriving the day of the news. Turns out the three (!) zero-day exploits deployed against Mansoor kind of worked against Safari and OS X, as well. Apple issued a patch today to fix that, but you’ll need Yosemite or El Capitan to receive…

Apple lays the groundwork to kill online advertising

Their products help us learn, communicate and navigate the world. The companies behind these innovations are battling for the future of computing. Each one is defending their core businesses while placing bets on the future. Their tangled business relationships help mask the underlying strategies that drive them; however, Apple’s strategy to stifle Google’s chief revenue source…

Apple releases first Safari Technology Preview update with Web Inspector, ES6 enhancements

Safari Technology Preview release 9.1.1.

Apple today released the first update to its Safari Technology Preview version of Safari designed for software developers.

This second release (version 9.1.1) comes with several changes that have to do with JavaScript, CSS, accessibility, the browser’s Web Inspector feature, and most generally, the latest from the WebKit open source browser engine.

With respect to JavaScript in particular, the browser now ships with enhanced support for ECMAScript 6, as that has previously come to other modern browsers, like Chrome, Edge, and Firefox. You can find a full list of changes in the Release Notes.

The new version is becoming available two weeks after the initial release.

You can get the new version directly from Apple’s website, or alternatively you can grab it from the Updates section in the Mac App Store (Mac only).


Hands-on with Apple’s Safari Technology Preview for OS X

The Safari Technology Preview browser. It looks a lot like regular Safari.

Apple today made the first release in the Safari Technology Preview, a program that gives developers early access to new builds of Safari that use “upcoming Web technologies.”

The new software can run on Macs right alongside the regular version of Safari, Apple says in the release notes — just as Chrome Canary can run at the same time as the stable version of Chrome. In order to try Safari Technology Preview, you’ll need to have the latest version of the Mac operating system, OS X 10.11.4, or later.

The browser doesn’t look distinct from the Safari browser Mac users are accustomed to. The Developer dropdown menu — with options like Open Page With, Enter Responsive Design Mode, Empty Caches, Show Web Inspector, Start/Stop Timeline Recording, and Disable Images — is enabled by default, but that’s about it.

Parts of the Web Inspector have been revamped. Now the Timelines section charts memory usage for timeline recordings.

Charting memory usage in the Web Inspector.


Having “preview” in the name is not just for show; the browser does have one big peculiarity: I can’t scroll using the trackpad, although I can alternatively use the up and down arrows, and the trackpad does support zooming in and out.

Performance-wise, the HTML 5 speed test shows that the new browser delivers a speed-up relative to the classic Safari. Here are the results for this first Safari Technology Preview release:

The HTML5 benchmark result for Safari Technology Preview, which I got after several tests.


And here are the results for Safari 9.1:

The HTML5 benchmark result for Safari 9.1, which I got after several tests.


But for an average person browsing the Web, the difference may seem barely discernible.

So if anything, this is a useful addition for Web developers who want to see how their applications work in Safari with features like ECMAScript 6 and the B3 JavaScript JIT compiler.

The software isn’t available for iOS yet, and given its description — “get a sneak peek at upcoming web technologies in OS X and iOS and experiment with these technologies in your websites and extensions” — that should be changing eventually. When it does, we’ll be sure to give the browser a try on the iPhone and the iPad.

We’ll also be sure to check out future Safari Technology Preview releases for OS X.


Pwn2Own 2016: Chrome, Edge, and Safari hacked, $460,000 awarded in total


Once again, major browsers fell at the two-day security contest Pwn2Own. Security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successfully exploited. A total of $460,000 was awarded for 21 vulnerabilities across the three browsers as well as Windows, OS X, and Flash. Last year’s total was $557,500.

Pwn2Own has been held annually since 2007 at the CanSecWest security conference. The goal is to exploit widely used software and mobile devices with vulnerabilities that have not yet been publicly disclosed, in exchange for the device in question and cash prizes. The name is derived from the fact that contestants must “pwn” (another way to say “hack”) the device in order to “own” it (win it).

Of the trio, Chrome fared the best. Two attempts were made to hack Google’s browser: One failed and one was deemed a partial success. The successfully exploited vulnerability in Chrome had already been independently reported to Google, so it wasn’t given full points.

Edge and Safari meanwhile didn’t survive any attacks. Two attempts were made to hack Microsoft’s browser and three attempts were made to hack Apple’s browser. All attempts were successful (2/2 for Edge and 3/3 for Safari). The biggest cash prize for a single attempt was $85,000 for pwning Microsoft Edge.

Here’s the full breakdown for the 21 vulnerabilities:

  • Microsoft Windows: 6
  • Apple OS X: 5
  • Adobe Flash: 4
  • Apple Safari: 3
  • Microsoft Edge: 2
  • Google Chrome: 1 (duplicate of an independently reported vulnerability)

Operating systems are included in the list because the attackers exploited them to gain access outside of the browser. In fact, every successful attack at Pwn2Own this year achieved system or root privileges, which has never happened at the event before. Adobe Flash was included because it was unsurprisingly often used to circumvent browser security.

11 attempts were made in total this year by five teams:

  • Tencent Security Team Sniper (KeenLab and PC Manager): 3/3
  • 360Vulcan Team: 1.5/2
  • JungHoon Lee (lokihardt): 2/3
  • Tencent Security Team Shield (PC Manager and KeenLab): 1/2
  • Tencent Xuanwu Lab: 0/1

If you’re curious about the teams and their attacks, security firm Trend Micro has recaps available for both days:
