Journalists warned system owners and Norwegian NSA of 2500 critical data flaws

How two journalists set out on a mission to test the data security in the whole of Norway.

(Dagbladet): Imagine being able to control your neighbor's webcam, open your competitor's data base or take control of vital control systems with a few keystrokes.

In a series of articles, the Norwegian newspaper Dagbladet reveals how easily this can be done.

Journalists Linn Kongsli Hillestad and Espen Sandli have tested everything from surveillance cameras to data bases and control systems publicly available online.

They found everything from youngsters snogging to «national security at risk».

Thus far, they have found:
• 290 vulnerable control systems, in banks, schools, nursing homes - and a military camp
• 2048 surveillance cameras in private homes, night clubs, shops and restaurants
• 2500 control systems connected to the Internet with minimal or no security
• 500 of these control industrial or critical infrastructure
• Thousands of data bases and servers that give away content without passwords

These are all found in Norway. Guess if it is any better in your country?

- Probably not. But Norway is of a size possible to investigate as a whole - if you have the time to do it. So we did just that, says journalist Linn Hillestad.

Alarm! The series uncover what failed computer security may lead to, not in theory, but in reality. On the road, the journalists confronted people and businesses unaware of their security issues.

For example:
• Open servers belonging to 39 of 44 fire departments in one county
• Sensitive civil documents about the new military airport
• 15 entry points into the Railway Administration's fire alarm system
• Sensitive data about children with secret identities
• Control of apartment buildings
• People making out in front of the camera

Amateurs - What can individuals with no specialized computer security or hacking skills find online? That is the elementary level we started at, says journalist Espen Sandli.

- Mountains of articles are written about security risks on the Internet. We wanted to take it a step further. We wanted to show precisely what fails, where it happens, and what the consequences are for real people, Hillestad says.

- It frightens me to see what Dagbladet's journalists, with no specialized computer skills, are able to find. What, then, about state powers, organized criminals and hackers, asks senior advisor Vidar Sandland at Norwegian center for information security (NORSIS).

You have been tested! With the help of in-house developer Ola Strømman, Dagbladet have also developed a test, where you can see if there are any known security gaps registered on your IP-address. The test engine is considered a guide, and is by no means exhaustive or a guarantee of someone's full and complete data security.

The search engine is connected to a Shodan-archive.

Take the test here.

So far, the test shows that one in four has a potential flaw in their security.

What goes wrong? As an introduction to the readers, Dagbladet has created an interactive guide to possible security holes.

See the interactive graphics here (in English).

During this project Dagbladet has investigated 535 320 unique Norwegian IP-addresses and 707 358 open gateways.

Not Like Google The search engine Shodan is a vital tool. It is a search engine that finds units connected to the Internet, like servers, cell phones, web cams, hard drives or large critical control systems (so-called SCADA systems). Shodan works very differently from Google and other search engines familiar to most people.

- Google lets you search web pages, and these are only a small part of the internet. There are a number of types of software that Google can't see. Shodan discovers these units, explains Shodan founder John Matherly.

- Shodan focuses on devices and the software, while Google's focus is on the data delivered. In other words, Shodan searches for the meta data, while Google searches for the data as such, he says.

Fingerprints - Shodan is not easy, like Google. We search for «fingerprints», like the version number of a particular unit from a particular manufacturer, says Hillestad.

The team behind the series «Null CTRL» (Zero CTRL) has found and refined several hundred such search terms.

CAMERAS: 2048 surveillance cameras found in private homes, night clubs, shops and restaurants. Vis mer

- Stories based on Shodan have been done before, but then with experts doing the research. The two journalists in Dagbladet have done the work themselves, and on an immensly large scale. It's seriously impressive and far beyond any expectations I had, Matherly says.

He wish there would be more journalists who realize what a research tool this is in drawing greater attention to the issue of computer security.

This is where we stop - Has Dagbladet taken up hacking?

- Definitely not. We ran through the legal and ethical elements of the project with lawyers and experts before we started. We feel it is important to emphasize the fact that Dagbladet is not involved in hacking, Hillestad says.

OPEN SERVER: Sensitive civil documents about Norway's new military airport was available online. Foto: Øistein Norum Monen/Dagbladet Vis mer

- If we are asked for a password to gain entrance somewhere, we do not proceed, Sandli states.

Which means that Dagbladet's mapping of failing security stops where someone has set a password. This is as true in the cases where the password is easily guessed.

- Many people never change the password that came with the device. That makes it very easy to acquire access for individuals who make other ethical and legal assessments than we do, says Hillestad.

Handed over lists The journalists have alerted the owners, network providers and/or security authorities prior to publication, making sure security holes are fixed.

HOT OR COLD?: Dagbladet was able to control the heating in a whole block of apartment buildings here in the city Drammen. Vis mer

The Norwegian newspaper has published more than 60 separate stories on its findings. In addition to news stories, huge amounts of  flaws add up in statistics.

But from time to time, findings are so severe that someone really need to be told. Dagbladet has handed over lists of 2500 possibly critical IP-addresses to the national security authorities, owners and/or network providers.

Read also:
The graphic guide
Our story
The project homepage
Take the test
About the test

SPY IN THE BEDROOM: The journalists traced people visiting a web camera placed in a bedroom at a cabin. The owner knew nothing about the 98 visits per week - apparently from 12 different countries. Vis mer
HIDDEN IDENTITIES: The team found 6000 files on taxi customers on an open data base. Much of the data is sensitive and private, among them information about children with hidden identities and secret addresses. Vis mer
Contact us: [email protected] Vis mer