Tag Archives: Shodan

Details on Millions of Car Buyers Available Online

If you bought a car in the last few years, it is possible that your data is available for sale on the black market.

Names, addresses, phone numbers and socials for both customers and employees for over a hundred car dealerships were exposed.  For how long and to whom is unknown.

The system that got hacked is a centralized system by DealerBuilt.  They provide management software for car dealerships around the country.  The system manages sales, customer relations and employee payroll for these dealerships.

Mackeeper researchers discovered 128 dealerships backing their data up to the cloud without any encryption or security.

The database was found on the search engine Shodan that is often used for finding Internet of Things devices.

The server had port 873 open.  Port 873 is often used for the rsync protocol.  Rsync is used to synchronize databases, say, between a car dealership and a central server.

A few of the databases were shared with ZDNet and they verified the data was real.

The best guess as to the number of customer and employee records affected is in the millions, possibly around 5 million.

The car dealerships that ZDNet spoke with were somewhat dismayed, to be polite.

Apparently, the system has been secured now, but the company is keeping quiet about the breach.  While I am not an attorney and don’t even play one on the Internet, it would seem like this breach is reportable and probably in a number of different states.

The bigger point here is that while cloud based solutions are cool, it is still up to the customer to make sure that the security of the cloud systems that they use is up to snuff.

While it is possible that the contracts with DealerBuilt make DealerBuilt responsible for all data breaches, but I doubt that.

In fact, more than likely, it is the other way around – that DealerBuilt is not responsible for anything and the dealer is responsible for everything.

For an organization like a car dealership, an organization like DealerBuilt probably seems like a safe bet.  They probably have hundreds if not thousands of customers, so a dealership figures it would be safe.

In the mean time the dealers are caught in the middle of a breach and DealerBuilt is letting them swing in the breeze by not saying anything or even admitting that there is a breach.

For all companies using line of business cloud based services, having a vendor risk assessment program to analyze the risks and make informed decisions might be a really good plan.

In the mean time, there may be 5 million customers and employees of over a hundred car dealerships that are victims of a data breach.

Information for this post came from ZDNET.


Dell, Lenovo, AOL and Shodan Make Life Easy For Hackers and Foreign Intelligence Services

Here is an interesting group of vulnerabilities that make life easy for hackers and the Chinese (or Russians, or Ukrainians or pick your country).

  1. Dell has a couple of features in Dell Foundation Services.  One allows an unauthenticated user to get the Service Tag (Dell’s version of a serial number) over the net.  With that, you can go to Dell’s web site and get the complete hardware and software configuration of the computer – useful to hackers, intelligence agencies and scammers.  Another bug allows an attacker to remotely execute Windows WMI commands which allow you to access the system configuration including running processes and the file system and remotely run programs.  Dells service runs on port 7779 and provides a SOAP interface – for ease of exploit.  Err, ease of use.
  2. Lenovo has a bug in Lenovo Solution Center.  It listens on port 55555 and allows an attacker to remotely execute any program – with SYSTEM privileges based on a whole series of flaws described in the article below.  This could also allow a local attacker to execute programs with more privileges than the user has.

Both of these, most likely, are done to make support easier for either the vendor or enterprise users – without regard to the security consequences.

In theory these ports should be closed from the Internet – but not always – read below.  Still, if an attacker gets onto your local network some other way, this is an easy way to increase the attacker’s footprint in your network.

3. AOL Desktop, an absolutely antique piece of software from the early 1990s is still being run by some users.  It was an early attempt to access the web in a graphical fashion when the only connectivity users had was slow dialup.  It uses a proprietary language called DFO which allows AOL’s servers to execute functions remotely on a user’s desktop.  Given this was written more than two decades ago, no one thought about requiring authentication and it did not use SSL to protect the data stream.  This means that all an attacker needs to do is find a system that is still running this antique and it can own it in a heartbeat.

Potentially, attacks from the outside should be mitigated by the user’s firewall, but apparently not always.

John Matherly of Shodan, the search engine for Internet of Things attacks, did a quick search to see if he could find systems that responded.  For the Dell feature, he found around 12,800 webservers that responded to that port.  Of those, about 2,300 are running software that looks like it is from Dell,  He ran a quick script and was able to collect about 1,000 Dell service tags.  He didn’t try this for the other exploits – that I know about.


Obviously, we did not know, until now, about these wonderful Dell, Lenovo and AOL features.  That doesn’t mean that hackers and foreign (or domestic) intelligence agencies didn’t know about them.

Why bother with really obscure and hard attacks to get into computers that you want to when you can just, basically, walk in the front door.

The big question is how many more of these features exist that we have not found.

And since manufacturers have no liability as a result (other than getting a little bad press that blows over quickly), they have no incentive to do things securely.  And also, since they don’t even tell you that they are doing it, you as a user cannot make an educated decision as to whether you want the manufacturer’s “help” in this manner.

Soooooo, HOW MANY MORE FEATURES ARE THERE?  Features that are here today or will be here tomorrow.  As vendors try to help users without considering the security implications. This is just from a quick round up of the news that I happened to hear about today.


Information on the Shodan search can be found here.

For information on the Dell feature, go to LizardHQ.

For information the Lenovo feature, go to PC World.