Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com)
Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes:
Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running the etcd database. Then he ran a simple script that pulled the login credentials stored on these servers, which could be used to gain access to CMSs, MySQL and PostgreSQL databases, etc.
etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.
Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
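The summary above says the default etcd API hands out the whole key tree with no authentication. The script below is an added example, not the researcher's script and not etcd project code: it walks an etcd v2 `/v2/keys/?recursive=true` response (the real JSON shape, `{"node": {"dir": true, "nodes": [...]}}`) and flags entries whose key name or value looks like a credential. The sample response, the key names and the secret-matching patterns are constructed for illustration; `fetch_keys()` is provided for auditing a cluster you own but is not called here, so the block runs offline.

```python
"""Audit an etcd v2 key tree for credentials left in plain text.

Added example; not code from the Fossbytes article, the researcher, or etcd.
Assumes the etcd v2 HTTP keys API and uses a constructed sample response.
"""
import json
import re
import urllib.request

# Key names that usually carry credentials (illustrative, not exhaustive).
KEY_HINTS = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)", re.I)

# Value shapes that are credentials on their own, whatever the key is called.
VALUE_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url_with_password": re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@", re.I),
}


def walk(node):
    """Yield (key, value) for every leaf under an etcd v2 node tree."""
    if node.get("dir"):
        for child in node.get("nodes", []):
            yield from walk(child)
    elif "key" in node:
        yield node["key"], node.get("value", "")


def classify(key, value):
    """Return the reasons this key/value pair looks like a credential."""
    reasons = []
    if KEY_HINTS.search(key):
        reasons.append("key_name")
    for name, pattern in VALUE_PATTERNS.items():
        if pattern.search(value):
            reasons.append(name)
    return reasons


def find_secrets(response_json):
    """Parse a /v2/keys?recursive=true response; return [(key, reasons)]."""
    tree = json.loads(response_json)["node"]
    flagged = []
    for key, value in walk(tree):
        reasons = classify(key, value)
        if reasons:
            flagged.append((key, reasons))
    return flagged


def fetch_keys(base_url, timeout=5):
    """Fetch the full key tree from an etcd v2 endpoint you own (not run here)."""
    url = f"{base_url}/v2/keys/?recursive=true"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample response; every value is fake.
SAMPLE = json.dumps({
    "action": "get",
    "node": {"dir": True, "nodes": [
        {"key": "/config/app/name", "value": "shop"},
        {"key": "/config/db", "dir": True, "nodes": [
            {"key": "/config/db/mysql_root_password", "value": "1234"},
            {"key": "/config/db/dsn", "value": "postgres://app:hunter2@db.internal/app"},
        ]},
        {"key": "/config/aws/access_key_id", "value": "AKIAIOSFODNN7EXAMPLE"},
        {"key": "/config/tls/key",
         "value": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"},
    ]},
})

if __name__ == "__main__":
    for key, reasons in find_secrets(SAMPLE):
        print(f"{key}: {', '.join(reasons)}")
```

Running the block over the sample flags four of the five leaves, including the DSN whose key name says nothing but whose value embeds a password. On the defensive side, the fixes the article recommends map to real etcd settings: restrict `--listen-client-urls` to an address that is not Internet-facing, require client certificates with `--client-cert-auth` and `--trusted-ca-file`, and turn on role-based access with `etcdctl user add root` followed by `etcdctl auth enable`, after which unauthenticated reads of the key tree are refused.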
Clever Hackers, Love the Name (Score:2)
I just discovered the first System Shock. One of the most intense games I've ever played. Wow!
System Shock 3 is in the works! (Score:2)
System Shock 3 is in the works!
Come on! (Score:1)
This is 2018; you shouldn't be using 1234 anymore. 12345 should be the default. That'll keep the pesky hackers at bay for a while longer.
Re: (Score:2)
That's a good one! It's what I use on my luggage. [youtube.com]
Just Now? (Score:1)
This site has been around for a while, why has this story just been posted now? Seems like something that should have been noticed already...
Accountability (Score:2, Insightful)
Admins running servers with no authorization need to be fired a lot more often. It ruins the entire industry.
Re: (Score:2)
Consider the people we work for, who, if prompted several dozen times, can almost remember *one* password. And don't understand the necessity of having multiple, difficult passwords. It's a war of attrition, brought on by laziness.
Re: (Score:2)
Imagine if PRISM had to create a new login every day to get back into all the big US brands?
The easy way around that hard crypto work is to have an open front door, open back door, open trap door.
The US gov asked for plain text wide open network facing systems as the way it likes to collect on big US brands data.
Collect it all globally slows when every big network has to have real working crypto set up.
No new crypto and collect it all keeps col
Re: (Score:3)
Why is no security the default on so many software and hardware products?
Several reasons:
1. To make the software easier to install. Many software packages are installed by first-time users that don't like to RTM or spend a lot of time configuring security when they just want to try it in a pre-deployment mode.
2. Because "default security" is in fact an oxymoron. For example if the default username/password is "admin" and "admin" how is that any better than having no security enabled at all?
3. Many packages have the ability to use different security frameworks. LDAP,
Re: (Score:2)
I agree with point 1: to make the software easy to install (and first-time test). There's a long history of good software that gets passed over for not-so-good software just because it's easier in the very first hours/days.
The others? Not so much: having software secure by default is in fact quite easy, even without the need for interactive feedback.
Just tie it only to loopback and let it produce a random password that gets logged on an only-root-can-read file (or at least to a 0700 owned by the user launchin
Re: (Score:2)
Just tie it only to loopback and let it produce a random password that gets logged on an only-root-can-read file (or at least to a 0700 owned by the user launching it).
I think that is a good approach. MySQL does the first part -- tied to loopback only to start off but not the second part. Note one of the examples in the article was a MySQL with a trivial password where the user must have opened up the port and created that password both.
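The two comments above describe a concrete secure-by-default bootstrap: listen on loopback only and write a generated password to a file only the owner can read. The block below is an added example of that pattern, not code from etcd, MySQL or any other project; the file path and port are assumptions, and the password file is created with its restrictive mode at open time so the process umask cannot widen it.

```python
"""Secure-by-default bootstrap: loopback-only listener plus a generated
admin password stored in a 0600 file.

Added example illustrating the pattern suggested in the comments above;
it is not from any real project. Path and port are assumptions.
"""
import os
import secrets
import socket
import stat
import tempfile


def write_initial_password(path, nbytes=24):
    """Generate a random password and write it to an owner-only file.

    O_EXCL refuses to overwrite an existing file, so a restart cannot
    silently replace the first password, and passing 0o600 to os.open
    applies the mode at creation: there is no window in which the file is
    readable by others, and the umask can only remove bits, never add them.
    """
    password = secrets.token_urlsafe(nbytes)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")
    return password


def file_is_owner_only(path):
    """True if the file has no group or other permission bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def bind_loopback(port=0):
    """Listen on 127.0.0.1 only; port 0 asks the kernel for a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    sock.listen(5)
    return sock


def bootstrap(password_path, port=0):
    """Return (listening socket, password).

    The first run creates the password file; later runs reuse it rather
    than generating a new one, and refuse to start if someone has loosened
    its permissions in the meantime.
    """
    try:
        password = write_initial_password(password_path)
    except FileExistsError:
        with open(password_path) as f:
            password = f.read().strip()
    if not file_is_owner_only(password_path):
        raise PermissionError(f"{password_path} is readable by group/other")
    return bind_loopback(port), password


def new_password_path():
    """Fresh path in a private temp dir, for demos and tests (assumption)."""
    return os.path.join(tempfile.mkdtemp(), "initial-admin-password")


if __name__ == "__main__":
    path = new_password_path()
    sock, pw = bootstrap(path)
    print("listening on", sock.getsockname(), "- admin password written to", path)
    sock.close()
```

The operator then reads the password with their own privileges and, if the service must be reachable from other hosts, opens the listener deliberately and knowing what protects it, which is the opposite of the open-by-default posture the article describes.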
Re: (Score:2)
Simple: "Developers" have gotten so incompetent that with security by default, they cannot get anything to work anymore. Users are worse. And system administrators are becoming extinct.
Re: (Score:2)
Back when Slashdot was at its peak, Microsoft took a regular beating here for its approach to no SA password on SQL Server new installs, and the subsequent attacks on public facing SQL Server instances as a result...
Today, pretty much no one here bats an eyelid at the fact that significant amounts of critical open source infrastructure projects are shipped in the same manner - mongo, redis, etcd, consul, MySQL etc etc etc.
Re: (Score:2)
A sad state of affairs. I do not think the people from back then (and today's equivalent) have gotten less competent, but I do think there has been a vast influx into the field of semi-competent and outright incompetent people.
Re:Real McCoy sys-admin position is dead, that's w (Score:4, Insightful)
Very much so. And one reason is that a good system administrator is expensive (but well worth the money). Hence the bean-counters, with their complete lack of understanding how things actually work, have eliminated these positions. And then they moved on to coders: I now have had to explain several times to "senior" web developers (>5 years experience) in a large organization (Fortune 500 around the middle) what an HTTP request and HTTP response looks like, because that happens to be important for what is sent to the client (browser). Also, these people are incapable of even changing tiny details in their servers. I have one application that is incapable of adding an additional port to a virtual web server configuration after 9 months and countless tries. This whole thing is a train-wreck in the making with more and more application teams being comprised of 100% people without a clue. And this is not a specific problem with this customer. All other large ones are in a similar state.
I predict that we will see some large organization fail this or the next decade because they have completely lost control of their IT and problems simply cannot be fixed anymore.
Re:Real McCoy sys-admin position is dead, that's w (Score:4, Insightful)
It's not just the expense of our expertise. We interfere with day to day productivity when we tell developers or our own businesses to follow basic security practices, and are told by managers and our clients to stop wasting people's time. I've certainly forbidden transmitting passwords via email in plaintext, and storing passwords in source control repositories in plain text, or storing default permanent passwords in public setup instructions. I've then seen the written instructions published by department heads of network operation center groups or developers to always send the passwords via email and never force password changes, just to avoid wasting customer time and so that the business has a record of that password for later support use.
I'm afraid that security is almost always treated as a cost. The failure to pay that cost can be tragic. But the cost often isn't large enough or immediate enough for people to remember to pay it until it's much too late.
Re: (Score:2)
Changing passwords regularly can often be a bad thing; it forces people to remember new passwords, which will result in them writing them down somewhere or picking weaker passwords which are easier to remember. Having a strong password that doesn't change is often better; passwords should only be changed if there is suspicion of compromise.
Security *is* a cost, not just financial but also the inconvenience it causes. Most companies save money on security and then get lucky because no major incidents occur.
Re: (Score:3)
It's partly down to marketing from companies like Microsoft... their whole push in the NT vs Novell vs Unix days was that you didn't need to hire an expensive sysadmin...
Another factor is that the industry has expanded much faster than the talent pool, there simply aren't enough people with good enough skills to fill the available roles, so companies take whatever they can get. Identifying people with the appropriate skill is also hard unless you already have someone with such skills who can grill people properly
Re:Real McCoy sys-admin position is dead, that's w (Score:4, Interesting)
In IT, predictable mediocrity doesn't result in an acceptable level of quality. Moreover, I predict that we'll see fewer well-rounded, intelligent professionals in the future, because there's almost no structural demand for that type of individual any more. What I see already happening is that companies who finally realise the value of having at least a couple of such individuals on board find that they can't hire them, because the way they set up IT means they cannot offer these professionals a satisfying work environment or any sort of meaningful career path.
IT needs a revolution, and not a technical one. Nor Agile.
Re: (Score:3)
"You're absolutely right to blame the bean counters"
No, it's much deeper than that: it is entrenched into IT culture and the promotion system and even Peter with his Principle was wrong.
First, you have youngster, that as the youngsters they are, are full of shit (that's not a problem on itself, it's just human nature): they simply don't pay attention to what their elders learnt, so each generation on IT reinvents the wheel from anew and, of course fail into the same mistakes. Then, in order to gain the abi
Re: (Score:2)
because the system neither nurtures them, nor have any ability to recognize them
... this is spot on, and it's one of the reasons I quit my last job years ago and became an independent consultant: I wasn't allowed to nurture new talent. We couldn't spend any time on coaching, and when doing performance reviews, I constantly got challenged by my manager when I gave high marks for technical excellence.
Re: (Score:2)
Excellent points. In a sense, the bean-counters expect a McD kitchen to turn out full-custom meals. That cannot work.
Re: Real McCoy sys-admin position is dead, that's (Score:3)
This isn't just happening in the IT world, this is happening in every profession. I can tell you with industrial machine automation, there are no longer good operators nor maintenance people. Multimillion dollar machines grinding to a halt because no one knows how to fix it or operate it. It has gotten to the point where companies are buying equipment and the manufacturers of the equipment are now running and operating these machines, because the owners are completely incompetent, in management and hiring p
No skills, no penalties (Score:3)
That is what happens if you have "cheaper than possible" developers and nobody actually being punished when things go wrong. What we urgently need is management responsibility with criminal sanctions. Have your data stolen, cannot conclusively prove due diligence, _including_ independent verification? Go to jail!
Instead nothing happens and the demented public forgets about it in a few weeks. With that situation, all those breaches are not a surprise. They are merely an expected side-effect of cost-optimization.
Re: (Score:2)
And if you introduce regulation, then people will follow it grudgingly, while still trying to reduce cost, while also being at a financial disadvantage to those not encumbered by the same regulation. It's always a race to the bottom, with many people who don't even understand what they're racing.