
Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com) 41

Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers which can be used to gain access to CMSs, MySQL, and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.

Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
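One check a practitioner would want after reading this: an added example (not the researcher's script and not from the article) that audits an etcd endpoint you operate to confirm it no longer answers unauthenticated reads. It assumes the etcd v2 HTTP API on the default client port and an endpoint URL supplied by the caller; it judges the live response rather than the configuration, because in the v2 API the guest role applies to unauthenticated requests even after authentication is switched on.

```shell
#!/bin/sh
# Added example, not from the article or the researcher's script: audit an etcd
# endpoint that you operate to confirm it no longer answers unauthenticated reads.
# Assumes the etcd v2 HTTP API on its default client port 2379; the endpoint URL
# is supplied by the caller.

# Map the status code and body of an unauthenticated GET /v2/keys/?recursive=true
# to a verdict. With auth off (the default), etcd returns 200 and the whole key
# tree; with auth on and guest access revoked it returns 401.
classify_etcd_response() {
    status="$1"
    body="$2"
    case "$status" in
        000)     echo "UNREACHABLE" ;;
        401|403) echo "AUTH_REQUIRED" ;;
        200)
            if printf '%s' "$body" | grep -q '"key"'; then
                echo "EXPOSED"        # keys readable without credentials
            else
                echo "NO_AUTH_EMPTY"  # store is empty, but still unauthenticated
            fi ;;
        *)       echo "UNEXPECTED_$status" ;;
    esac
}

# Count how many keys an unauthenticated listing returned (0 when none).
count_exposed_keys() {
    printf '%s' "$1" | grep -o '"key":' | wc -l | tr -d ' '
}

# Run the check against a live endpoint, e.g. audit_etcd http://127.0.0.1:2379
audit_etcd() {
    endpoint="$1"
    tmp=$(mktemp)
    status=$(curl -s -m 5 -o "$tmp" -w '%{http_code}' \
        "$endpoint/v2/keys/?recursive=true") || status=000
    body=$(cat "$tmp")
    rm -f "$tmp"
    verdict=$(classify_etcd_response "$status" "$body")
    echo "$endpoint: $verdict ($(count_exposed_keys "$body") keys listed)"
    [ "$verdict" = "AUTH_REQUIRED" ]   # non-zero exit flags a finding
}

# Only touch the network when an endpoint is passed on the command line.
if [ $# -ge 1 ]; then
    audit_etcd "$1"
fi
```

Run it from a host that should not have access (or from the server itself) and treat anything other than AUTH_REQUIRED as a finding: a firewall rule or an auth role that still permits reads.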
  • I just discovered the first System Shock. One of the most intense games I've ever played. Wow!

  • by Anonymous Coward

    This is 2018, you shouldn't be using 1234 anymore; 12345 should be the default. That'll keep the pesky hackers at bay for a while longer.

  • by Anonymous Coward

    This site has been around for a while, why has this story just been posted now? Seems like something that should have been noticed already...

  • Accountability (Score:2, Insightful)

    by Anonymous Coward

    Admins running servers with no authorization need to be fired a lot more often. It ruins the entire industry.

    • Consider the people we work for, who, if prompted several dozen times, can almost remember *one* password. And don't understand the necessity of having multiple, difficult passwords. It's a war of attrition, brought on by laziness.

  • I suggest that we just forget all this security software stuff and just go back to the honor system.
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Saturday March 24, 2018 @11:47PM (#56321381)
    Comment removed based on user account deletion
    • by gweihir ( 88907 ) on Sunday March 25, 2018 @12:10AM (#56321457)

      Very much so. And one reason is that a good system administrator is expensive (but well worth the money). Hence the bean-counters, with their complete lack of understanding how things actually work, have eliminated these positions. And then they moved on to coders: I now have had to explain several times to "senior" web developers (>5 years experience) in a large organization (Fortune 500 around the middle) what an HTTP request and HTTP response looks like, because that happens to be important for what is sent to the client (browser). Also, these people are incapable of even changing tiny details in their servers. I have one application that is incapable of adding an additional port to a virtual web server configuration after 9 months and countless tries. This whole thing is a train-wreck in the making with more and more application teams being comprised of 100% people without a clue. And this is not a specific problem with this customer. All other large ones are in a similar state.

      I predict that we will see some large organization fail this or the next decade because they have completely lost control of their IT and problems simply cannot be fixed anymore.

      • by Antique Geekmeister ( 740220 ) on Sunday March 25, 2018 @04:28AM (#56321993)

        It's not just the expense of our expertise. We interfere with day to day productivity when we tell developers or our own businesses to follow basic security practices, and are told by managers and our clients to stop wasting people's time. I've certainly forbidden transmitting passwords via email in plaintext, and storing passwords in source control repositories in plain text, or storing default permanent passwords in public setup instructions. I've then seen the written instructions published by department heads of network operation center groups or developers to always send the passwords via email and never force password changes, just to avoid wasting customer time and so that the business has a record of that password for later support use.

        I'm afraid that security is almost always treated as a cost. The failure to pay that cost can be tragic. But the cost often isn't large enough or immediate enough for people to remember to pay it until it's much too late.

        • by Bert64 ( 520050 )

          Changing passwords regularly can often be a bad thing, it forces people to remember new passwords, which will result in them writing them down somewhere, or picking weaker passwords which are easier to remember. Having a strong password that doesn't change is often better; passwords should only be changed if there is suspicion of compromise.

          Security *is* a cost, not just financial but also the inconvenience it causes. Most companies save money on security and then get lucky because no major incidents occur.

      • by Bert64 ( 520050 )

        It's partly down to marketing from companies like Microsoft... their whole push in the NT vs Novell vs Unix days was that you didn't need to hire an expensive sysadmin...

        Another factor is that the industry has expanded much faster than the talent pool; there simply aren't enough people with good enough skills to fill the available roles, so companies take whatever they can get. Identifying people with the appropriate skill is also hard unless you already have someone with such skills who can grill people properly.

      • by JaredOfEuropa ( 526365 ) on Sunday March 25, 2018 @06:37AM (#56322205) Journal
        You're absolutely right to blame the bean counters; they are doing to IT what fast-food chains did to their restaurants: breaking jobs into easy to manage chunks for which you can hire lower-qualified but much cheaper labour. And the result actually is easier to manage; someone called this "predictable mediocrity". The difference is that in fast-food chains, they managed to set the bar at an acceptable level: when you walk into a McD or whatever, you know exactly what you're going to get. There's no joy at getting an awesome burger, but you're also sure you're not going to be disappointed.

        In IT, predictable mediocrity doesn't result in an acceptable level of quality. Moreover, I predict that we'll see fewer well-rounded, intelligent professionals in the future, because there's almost no structural demand for that type of individual any more. What I see already happening is that companies who finally realise the value of having at least a couple of such individuals on board find that they can't hire them, because the way they set up IT means they cannot offer these professionals a satisfying work environment or any sort of meaningful career path.

        IT needs a revolution, and not a technical one. Neither Agile.
        • "You're absolutely right to blame the bean counters"

          No, it's much deeper than that: it is entrenched into IT culture and the promotion system and even Peter with his Principle was wrong.

          First, you have youngsters who, as the youngsters they are, are full of shit (that's not a problem in itself, it's just human nature): they simply don't pay attention to what their elders learnt, so each generation in IT reinvents the wheel anew and, of course, falls into the same mistakes. Then, in order to gain the abi

          • I don't think the situation is as dire as all that, but I agree that the problem is with the way we organise IT (and I still blame the bean counters for that). But:

            because the system neither nurtures them, nor have any ability to recognize them

            ... this is spot on, and it's one of the reasons I quit my last job years ago and became an independent consultant: I wasn't allowed to nurture new talent. We couldn't spend any time on coaching, and when doing performance reviews, I constantly got challenged by my manager when I gave high marks for technical excellence.

        • by gweihir ( 88907 )

          Excellent points. In a sense, the bean-counters expect a McD kitchen to turn out full-custom meals. That cannot work.

        • This isn't just happening in the IT world, this is happening in every profession. I can tell you with industrial machine automation, there are no longer good operators nor maintenance people. Multimillion dollar machines grinding to a halt because no one knows how to fix it or operate it. It has gotten to the point where companies are buying equipment and the manufacturers of the equipment are now running and operating these machines, because the owners are completely incompetent, in management and hiring p

    • In defense of stack-overflow, I found it quite useful and helpful on occasion where the man pages were not.
  • by gweihir ( 88907 ) on Saturday March 24, 2018 @11:55PM (#56321401)

    That is what happens if you have "cheaper than possible" developers and nobody actually being punished when things go wrong. What we urgently need is management responsibility with criminal sanctions. Have your data stolen, cannot conclusively prove due diligence, _including_ independent verification? Go to jail!

    Instead nothing happens and the demented public forgets about it in a few weeks. With that situation, all those breaches are not a surprise. They are merely an expected side-effect of cost-optimization.

    • by Bert64 ( 520050 )

      And if you introduce regulation, then people will follow it grudgingly, while still trying to reduce cost, while also being at a financial disadvantage to those not encumbered by the same regulation. It's always a race to the bottom, with many people who don't even understand what they're racing.
