We are Being Scanned

Riverbank Ruminations:

Observations from the banks of the technology river
TOM EVANS; ASHTON ENGINEER EMERITUS

KIRK: Transmit to Starfleet our sensor readings and log entries on the planet. Surface conditions make it impossible for us to beam down and investigate further. We are therefore going on to our next assignment.
UHURA: Aye, aye, sir.
SULU: Completing final orbit, sir.
KIRK: Prepare to warp us out.
(The red light on the navigation console flashes, and the lights dim)
KIRK: Alert status.
SPOCK: We’re being scanned, Captain. A deep probe, incredibly swift.
(The lights come back up, and the planet disappears from the viewscreen)
MCCOY: Jim!
(On the screen is the image of a man sitting in a large leather chair, and wearing a stove-pipe hat)
LINCOLN [on viewscreen]: Captain Kirk, I believe. A pleasure to make your acquaintance, sir.
The Savage Curtain, Star Trek, the Original Series (Airdate March 7, 1969)

I am reasonably sure that no one reading this is stationed on a star ship, mapping planets. However, if you are connected to the internet in any fashion (phone, PC, tablet, security camera, etc.) you are being scanned. Like so many things on the internet, there are good scans and there are bad scans and then there are scans that are just ‘noise’.

Ideally, when we connect to the internet we want to get what we asked for and not give up anything we want to keep private. When you shop for that new pair of shoes, you don’t want someone on the other end snooping around your computer (or phone), planting malware and otherwise causing mischief. For the most part, things go the way we hope. Unfortunately, there is no shortage of bad guys on the internet who want access to your computer, phone or even security camera.
One way they attempt to infiltrate your systems is by phishing. You are sent an email that tries to convince you to click on a link or open an attachment. When you do, you are prompted to give up information, usually user name and password, to start. Careful scrutiny of the contents of the email and some common sense can mitigate that attack.

Another way to get in is for them to scan your systems, and that includes ANYTHING attached to the internet. It could be a baby monitor, a video doorbell, a router, or even your refrigerator. Many of these devices need to be carefully configured to prevent exposing your network to harm. Sadly, many of the less complicated devices like cameras and refrigerators are not built with security in mind. They may have hard-coded default passwords that can’t be changed. They may have some software vulnerability that prevents them from being secure, even if you took the time to change the default password and do what you could to secure them. These vulnerabilities are found by scanning. A scanner is a computer that, generally speaking, goes to each IP address on the internet and checks to see what is open to the world.

A benign example of a scanner is the website shodan.io. This website shows the results of scanning the internet (yes the whole thing) and posting what it finds. It does so from a fixed set of IP addresses so that if you see a scan from one of those addresses, you know who it is. They are not looking to get in, just checking to see what is open. Then they let the world know about it. You can even sign up for them to monitor the things you own that show up. If your things show up and they shouldn’t, that’s a signal to fix your security.

On the other hand between 10% and 20% of the scans are malicious. That means if they find something open, they will try to exploit it. Businesses often use RDP connections for remote access. To make a connection to the business network from the outside, the business needs to leave a port for RDP open. It can be a standard port (3389) or something else. In any case, once a scanner finds that port, the bad guys will try to connect. When I worked on the help desk at Ashton, one of the clients would get bursts of several hundred connection attempts trying to brute force usernames and passwords to make a connection. Since that client had two factor authentication (2FA) in place, the attacks were not successful; they were just an annoyance.

Getting a scan for a health checkup is a good thing. When the bad guys are scanning you, and they are, that is a bad thing. Do you know how often you are being scanned? Do you know what the scanners are trying to find out? If not, you need to get someone to help you find out. Your network is at stake.