SHODAN related infosec assortment

The other Defcon

I never attended DEFCON, though it remains a dream I hope to realize one day soon. It may soon become too logistically awkward due to increasing numbers of attendees.

Shodan is a remarkable search engine. Traditional search engines use “spiders” to crawl websites. Shodan instead culls its data from ports, indexing the banners that services return. It was created by John Matherly in 2007. He continues to develop it.

Shodan is helpful for locating web server vulnerabilities. It is available as a free service, for up to 50 searches. Query syntax includes searches by country, host name, operating system and port. Shodan can search for software AND hardware. It has been acknowledged by mainstream media. The most prominent coverage was in early June, via The Washington Post, when Stuxnet received so much press attention.
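To make the query syntax above concrete, here is an added example (not Shodan's code and not from the original post): a small local model of filtered banner search, run over constructed sample records such as a scan of your own hosts might produce. The `name:value` filter spelling, the filter names `country`, `hostname`, `os` and `port`, and the substring rule for host names are assumptions of this example.

```python
import shlex

# Filter names from the paragraph above: country, host name, operating system, port.
FILTERS = {"country", "hostname", "os", "port"}

# Constructed sample records (documentation-range addresses, made-up banners).
BANNERS = [
    {"ip": "192.0.2.10", "port": 80, "country": "US", "os": "Linux",
     "hostname": "www.example.com", "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22"},
    {"ip": "192.0.2.11", "port": 443, "country": "DE", "os": "Linux",
     "hostname": "mail.example.com", "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.2.1"},
    {"ip": "198.51.100.7", "port": 21, "country": "GB", "os": "Windows",
     "hostname": "ftp.example.org", "banner": "220 Microsoft FTP Service"},
    {"ip": "203.0.113.5", "port": 8080, "country": "US", "os": "Linux",
     "hostname": "cam.example.net", "banner": "HTTP/1.1 401 Unauthorized\r\nServer: Apache/2.4.1"},
]

def parse_query(query):
    """Split a query into free-text banner terms and name:value filters."""
    terms, filters = [], {}
    for token in shlex.split(query):          # honours quotes: os:"Windows XP"
        name, sep, value = token.partition(":")
        if sep and name.lower() in FILTERS:
            if not value:
                raise ValueError(f"filter {name!r} needs a value")
            filters[name.lower()] = value.lower()
        else:
            terms.append(token.lower())       # anything else is matched against the banner
    if "port" in filters:
        port = int(filters["port"])           # a non-numeric port raises ValueError
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        filters["port"] = port
    return terms, filters

def field_ok(name, have, wanted):
    """Compare one record field with the (already lower-cased) filter value."""
    if name == "port":
        return have == wanted
    if name == "hostname":
        return wanted in have.lower()         # assumed rule: substring of the host name
    return have.lower() == wanted

def search(query, records=BANNERS):
    """Return the IPs of the records that satisfy every term and filter."""
    terms, filters = parse_query(query)
    return [r["ip"] for r in records
            if all(t in r["banner"].lower() for t in terms)
            and all(field_ok(n, r[n], w) for n, w in filters.items())]
```

Calling `search("apache country:US")` on the sample data returns the two US hosts whose banner mentions Apache, which is the "who is running this software" question described above, asked of an inventory you control.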

Me and Shodan

Next is my Scribd infosec collection. It isn’t exclusively Shodan-related. This is why. (more…)

Published on June 13, 2012 at 9:24 pm

Zanran is a new data search engine

Something new and different in search has appeared.

Zanran is an internet start-up company that hails from somewhere other than Mountain View or Sunnyvale, California. Nor is it in “Silicon Valley East”, the new incubator of technology ventures otherwise known as the Borough of Manhattan. Zanran is farther than farthest Fishkill, across a span greater than even the Tappan-Zee can bridge. Zanran is a U.K. domiciled company in Islington, London.

Not a Google Universal Search 2.0 competitor

Zanran seems to be more of a database searching tool. It would probably be best classified as a specialized search engine.

Zanran Data Search

Zanran Search Beta screen shot

Zanran’s search method is described as patented but based on open-source programs. The actual patent, which I only glanced at, A Method and System of Indexing Historical Data, should help in clarifying. Zanran distinguishes itself because it is particularly well-suited to web search for information that has embedded numerical or graphical data:

Zanran helps you to find ‘semi-structured’ data on the web… numerical data e.g. a graph in a PDF report, or a table in an Excel spreadsheet, or a bar chart shown as an image in an HTML page. This huge amount of information can be difficult to find using conventional search engines, which are focused primarily on finding text… Put more simply: Zanran is Google for data.

Zanran is not a search engine with obvious uses in text or sentiment analysis. The beta website has a long page of examples demonstrating the speed (fast), breadth (across a very diverse assortment of scientific and analytic use cases) and quality of results.

Arthur Weiss, a competitive analyst and former long-time employee of Dun & Bradstreet UK, did a very thorough review of Zanran Search (April 2011):

I’ve been playing with a new data search engine called Zanran… The site is in an early beta. Nevertheless my initial tests brought up material that would only have been found using an advanced search on Google – if you were lucky. As such, Zanran promises to be a great addition for advanced data searching.

Zanran enters the marketplace

Zanran appears to have retained Mallard Digital Marketing. Mallard Digital’s hallmarks are “Authenticity, Transparency and Engagement”. Mallard features an attractive duck in the company logo, and in this rather engaging 15-second video. I base my conjecture about Mallard and Zanran upon three pieces of evidence:

  1. Mallard’s recent announcement, about the acquisition of a search engine as a new client on 29 March 2011
  2. The fact that Mallard likes Zanran and Zanran likes Mallard on the Facebook pages of each company
  3. The Zanran company dog enjoyed playing with Mallard’s Labrador retriever in March 2011 (also via Facebook)

Analogy and Digression: SHODAN

As a very general analogy, Zanran functionality reminds me of Google Code Search or SHODAN computer search. SHODAN is a search engine that can be used to:

find specific computers (routers, servers, etc.) … [it is] a search engine of banners. Google and Bing are great for finding websites. But what if you’re interested in finding computers running a certain piece of software (such as Apache)?  Maybe a new vulnerability came out and you want to see how many hosts it could infect?

Here’s a screen shot of the main query page:

SHODAN specialized search

SHODAN screen shot

I am impressed to no end with SHODAN. It is quite clever, and remains very low profile, much like my blog.

UPDATE

I drafted this on 12 May 2011 but failed to actually post due to my insatiable need to excessively fuss and play with WordPress functionality. In the interim, others (most notably Search Engine Journal) have also found the subject of the following post, the Zanran data search engine. I mention this not as self-promotion, but rather, to emphasize that Zanran may be of greater significance than my casual tone indicates.

Published on June 21, 2011 at 11:20 am

Discretion is the Better Part of Valor

This paraphrased list of “Do and Don’t” was targeted specifically to secure exchange of sensitive financial information. However, these are generally applicable suggestions for law-abiding people who don’t want to blather their personal business all over the internet:

  1. Don’t email directly from work.
  2. If emailing using work resources does not violate your employer’s network security policies, use a web mail provider that offers SSL-encrypted browsing. Ever heard of hushmail.com?
  3. Don’t use your employer’s resources for personal communications of a sensitive nature e.g. to your attorney.
  4. Use robust encryption, such as PGP (Pretty Good Privacy) keys for email.
  5. If you use Instant Message, a secure chat client will give peace of mind.

How to [ Read/ Tip Off ] Zero Hedge Without Attracting The Interest Of [ Human Resources / The Treasury / Black Helicopters ]

Also recommended for those considering front-running of frozen orange-juice futures.

Published on October 5, 2010 at 6:44 am

Thoughts about Emotional Data in Wiredset Blog

Foursquare User Numbers Soar

The title of the article Data Driven Experiences: Emotional Data, by Mark Ghuneim in his Wiredset Blog is fascinating. However, I’m concerned about address-level sharing of geo-spatial information as part of social networks such as FourSquare.com.    

FourSquare is a phone application that has seen soaring popularity since the 2010 SXSW event in Austin, Texas in March. Details of how the application works can be found at the Foursquare.com site. I was dismissive initially. It seemed little more than a way of telling others where you are at the moment, maybe make a restaurant recommendation, and earn very cute badges based on level of activity.

Activity is measured by the user’s “check-in” to a location, which is received and time stamped via mobile device by FourSquare and further validated by a GIS-type service. Of course there is the element of competition by earning badges and becoming “Mayor” of a location. FourSquare also offers users a less blatant way of informing friends, and possibly everyone else, that you shopped at a great new clothing boutique, or went dancing at an upscale club over the weekend. Better yet, if you made an appearance at not merely one nightclub but three, in a single evening! FourSquare would be very effective for that. Why? Well, the app is new and not yet hacked or gamed by savvy users; it is far more credible than hearsay and not subject to human error.

Foursquare activity @ SXSW 2010, Austin TX

At first glance, FourSquare and similar applications didn’t seem terribly compelling. Merely more of the popularity contest and conspicuous consumption effect? Well, I didn’t foresee much potential for widespread appeal for another social networking phenomenon, different but novel in its own way: the Facebook game, Farmville… and I was so very wrong.

Foursquare Logo

Businesses will certainly find value from subscriptions to FourSquare user data feeds. Geo-spatial data based social network applications, described by the more general term of LBS, location-based services, are attracting attention in unexpected ways. For example, FourSquare advocates introduce the alluring idea that it actually enriches the lives of users with a collectively magnified knowledge base of the world to draw on, leading to a higher level of engagement with everything. 

However, I believe that most possible benefits are far outweighed by the risks of oversharing. The most obvious negative consequence is increased vulnerability, impacting personal, family and property security. Note that FourSquare does have a posted privacy policy, about which I am not informed enough to comment.

See Mark Ghuneim’s Wiredset Blog, which provided the market facts and context for this post.

Published on April 2, 2010 at 11:21 am