A recent round of media buzz has swarmed around the search engine called Shodan. If you’ve seen any stories like this or this, you've read that Shodan may be "the scariest search engine on the Internet." The penetration testing search engine, it is said, reveals critical infrastructure like network servers, routers and even printers, empowering hackers to attack victims ranging from small businesses to public utilities.

Before panic ensues, let's zoom out. Shodan is actually not new. The site was launched in 2009. According to its own slogan, Shodan is different from Google because it is designed to "find computers" rather than content. It sounds like black magic, but at its core the voodoo behind Shodan is really quite simple.

When you connect to a server listening on a given port, the server usually responds with what is called a "banner." The banner is a block of text with details about the service. The banner identifies the version of software running.

What Shodan's crawler does is query IP addresses around the world, looking for and saving banner responses at several common ports. The Shodan search engine lets users query keywords in these banners, filtered by metadata like port and IP address or domain name.

Any "scary" vulnerabilities revealed by Shodan come down to the information in the banners. Keep in mind that banners are just that: information, which may not always be accurate.

For example, some banners like the example above reveal a default password. But this doesn't mean that is actually the password configured for that site; it is just the software default. A security-aware administrator would (should) have changed the password when configuring the server.
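To make the two points above concrete (a crawler that connects to ports, saves whatever banner the service volunteers, and lets you search those banners by keyword, port and IP; and the fact that a banner mentioning a default password is only a hint, not a confirmed finding), here is a miniature, loopback-only version of that workflow written as an added example for this post. It is not Shodan's code and does not touch any real host: the "services" are hypothetical listeners on 127.0.0.1 that send constructed sample banners, and the function and class names (`start_fake_service`, `grab_banner`, `crawl`, `search`, `BannerRecord`) are this example's own. The idea is to run the same kind of inventory against systems you administer, so you see your exposed banners before anyone else does.

```python
"""Miniature banner inventory: grab, index, search, and flag unverified hints."""
import socket
import threading
from dataclasses import dataclass, field

# Constructed sample banners (not captured from any real host). The first one
# imitates a service that advertises its software default credentials.
SAMPLE_BANNERS = [
    b"220 demo-ftpd 1.0 ready. Default password is 'admin'\r\n",
    b"SSH-2.0-demo_sshd_9.0\r\n",
]

# Phrases that mean "the banner mentions default credentials". A match is a
# reason to check the host, not proof that the default is still in use.
DEFAULT_CRED_HINTS = ("default password", "default login", "admin/admin")


@dataclass
class BannerRecord:
    ip: str
    port: int
    banner: str
    notes: list = field(default_factory=list)


def start_fake_service(banner: bytes) -> int:
    """Hypothetical service: loopback listener on an OS-chosen port that sends
    one fixed banner to the first client and then closes. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port() -> int:
    """Pick a port nothing is listening on, to show how closed ports are skipped."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(ip: str, port: int, timeout: float = 2.0) -> str:
    """Connect and read whatever the service sends first, as text."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        data = s.recv(1024)
    return data.decode("utf-8", errors="replace").strip()


def annotate(rec: BannerRecord) -> BannerRecord:
    """Attach a note when the banner merely *mentions* default credentials."""
    low = rec.banner.lower()
    if any(hint in low for hint in DEFAULT_CRED_HINTS):
        rec.notes.append(
            "banner mentions default credentials: this is the software default, "
            "not evidence the host still uses it; verify on the host itself"
        )
    return rec


def crawl(ip: str, ports) -> list:
    """Try each port, keep a record for every banner received, skip the rest."""
    records = []
    for port in ports:
        try:
            banner = grab_banner(ip, port)
        except OSError:
            continue  # refused, filtered, or silent: nothing to index
        records.append(annotate(BannerRecord(ip, port, banner)))
    return records


def search(records, keyword: str, port: int = None, ip: str = None) -> list:
    """Keyword search over saved banners, optionally filtered by port and IP."""
    kw = keyword.lower()
    return [
        r for r in records
        if kw in r.banner.lower()
        and (port is None or r.port == port)
        and (ip is None or r.ip == ip)
    ]


def demo() -> list:
    """Start the fake services, crawl them plus one closed port, return records."""
    ports = [start_fake_service(b) for b in SAMPLE_BANNERS] + [unused_port()]
    return crawl("127.0.0.1", ports)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec.ip}:{rec.port}  {rec.banner!r}")
        for note in rec.notes:
            print(f"    note: {note}")
```

The closed port never produces a record, the SSH-style banner is searchable by the keyword `ssh`, and the FTP-style banner is indexed with a note rather than being reported as a vulnerability, which is the distinction the paragraph above draws: the banner tells you the default, not what the administrator actually configured.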

The types of devices most at risk from a tool like Shodan are those which unnecessarily face the public Internet and still carry their default configuration. Shodan is not the only way for hackers to discover these devices, but it does lower the barrier to such discovery.

Some of the same discoveries that can be revealed by Shodan have long been available through Google as well. Even though Google indexes content rather than server banners, hackers have long known that particular query strings can reveal misconfigured servers, printers, and webcams. These query templates are known as "Google dorks" and they long predate Shodan.

The point is, neither Google dorks nor Shodan are putting organizations at risk. Organizations put themselves at risk by leaving devices exposed. Sound security practices can minimize or eliminate your risks from penetration testing tools like Shodan.