Slashdot Mirror


Security Lapse Exposed New York Airport's Critical Servers For a Year (zdnet.com)

An anonymous reader quotes a report from ZDNet: A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found. The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents. Since April last year, the airport had been inadvertently leaking its own highly-sensitive files as a result of the drive's misconfiguration. Vickery, who also posted an analysis of his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist. When contacted Thursday, the contractor dismissed the claims and would not comment further. Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured. The files contained eleven disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database. Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.

45 comments

  1. installed by a contract third-party IT specialist by Anonymous Coward · · Score: 0

    specialist should be removed from this bonehead's reference...

  2. Open internet? Why? by LesFerg · · Score: 1

    What is up with companies putting every machine they have on an open internet connection?
    Once there used to be well considered decisions on what bits of the corporate infrastructure needed to be exposed at all.
    Do they now hire just anybody who knows how to type a password by himself, and say "go for it! set up our security!".

    --
    If I had a DeLorean... I would probably only drive it from time to time.
    1. Re:Open internet? Why? by Lab+Rat+Jason · · Score: 1

      My nephew is about to graduate from high school, and he's real interested in computer security... I think he's well qualified for that job of yours... don-cha-know?

      --
      Which has more power: the hammer, or the anvil?
    2. Re:Open internet? Why? by Anonymous Coward · · Score: 1

      Do they now hire just anybody who knows how to type a password by himself, and say "go for it! set up our security!".

      This is what you get when a company views IT as strictly an expense that should be minimized, not an asset that keeps your shit working and secure.

  3. Re:installed by a contract third-party IT speciali by The-Ixian · · Score: 1

    specialist should be removed from this bonehead's reference...

    Or quoted:

    Installed by a contract third-party IT "specialist"

    --
    My eyes reflect the stars and a smile lights up my face.
  4. Re:installed by a contract third-party IT speciali by Archangel+Michael · · Score: 1

    This is short for "My cousin Vinnie's 13 year old son. He's a whiz at these things"

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  5. "a Buffalo-branded drive" by msauve · · Score: 2

    Now there's an enterprise class backup solution! I take it this "IT specialist" was promoted from the ranks of Yahoo.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:"a Buffalo-branded drive" by Anonymous Coward · · Score: 0

      Now there's an enterprise class backup solution! I take it this "IT specialist" was promoted from the ranks of Yahoo.

      More likely than not, the "IT specialist" was promoted from the dank bilge of http://noelcomm.com/, where employees "do as they're told".

    2. Re:"a Buffalo-branded drive" by Anonymous Coward · · Score: 0

      People should download and post this shit they find on .onion or .i2p.
      Otherwise it's just another boring ass 'news' story with no real meat to it,
      and absolutely ZERO implication or negative impact upon the dumbfucks
      who screwed up making the error in the first place.

  6. Sounds like espionage to me... by Anonymous Coward · · Score: 0

    Low level set up to look accidental.
    I have NO proof this is just a funny guess.

    1. Re:Sounds like espionage to me... by ColdWetDog · · Score: 1

      Hanlon's Razor

      Never attribute to malice that which can be explained by incompetence.

      --
      Faster! Faster! Faster would be better!
    2. Re:Sounds like espionage to me... by Anonymous Coward · · Score: 0

So I just wrote an article decrying the misuse of Occam's Razor. And I see this reply to my post. You know you are not supposed to hit below the belt ;) Anyway I can't tell if Hanlon was malicious when he said this or just incompetent. I tend to favour the former.

    3. Re:Sounds like espionage to me... by slashrio · · Score: 1

I'd say: "Conspiracy!"

      --
      "Trump!!", the new Godwin.
  7. Re:installed by a contract third-party IT speciali by guruevi · · Score: 3, Insightful

As an independent IT specialist myself, you can't believe the boneheaded clients that will either demand an uncomplicated "no password" policy, fail to follow directions, are too cheap to update, or go in and make these types of settings themselves after the fact.

    Could easily be that the IT contractor set it up for a particular IP range and then the customer wanted to do something from home or allow remote workers, saw the bill and said "removing this line makes it work", became the office IT fixer and then at their next employee review "I saved the company $15000/year in consulting cost".

    There are plenty of idiots in IT, but the cheap-skate know-it-all customers are way worse. I think computers and "IoT" devices should go back to defaulting to a command prompt only accessible by serial cable or local terminal and bring nothing online unless explicitly configured.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  8. *Barely* an airport by Anonymous Coward · · Score: 1

Stewart is a relatively small airport. They handle a relatively small number of commercial flights in a day. A minor number are international. It qualifies as an international airport by virtue of having customs and handling a few international flights, but this is nothing like Newark Liberty or JFK; it's an airport way out in the country in Orange County, an hour from NYC. Making a mistake like this at an airport this size, while inexcusable, is not a shock.

    1. Re:*Barely* an airport by gweilo8888 · · Score: 1

      Oh, it's even better than that. They call themselves "international", but they don't actually have a *single* scheduled international flight at this time. They do have an agreement with Norwegian to start flying from there to Europe, but with only three flights per day. (And Norwegian's website won't even let you select Stewart as a destination or point of departure, yet).

      And courtesy of the Bureau of Transportation, as of November 2016 they have only *eight* scheduled flights per day in *total* to any destination, and average just 48 passengers per flight.

    2. Re:*Barely* an airport by Anonymous Coward · · Score: 0

Relatively small but with an 11,000 foot runway meant to handle the huge C-5 Galaxy.

      Also, the Federal Bureau of Prisons flies out of there a couple of times a week, transferring prisoners from buses and vans to their unmarked ConAir jets.

    3. Re:*Barely* an airport by tlhIngan · · Score: 1

      Oh, it's even better than that. They call themselves "international", but they don't actually have a *single* scheduled international flight at this time. They do have an agreement with Norwegian to start flying from there to Europe, but with only three flights per day. (And Norwegian's website won't even let you select Stewart as a destination or point of departure, yet).

      And courtesy of the Bureau of Transportation, as of November 2016 they have only *eight* scheduled flights per day in *total* to any destination, and average just 48 passengers per flight.

How about this. Lots of airports are "international" and have NO scheduled flights OR full time customs services!

      You see, the only reason an airport is marked "international" is that it has customs and immigration services. It doesn't have to be 24/7 (and at a lot of them, you need to call them at least 2 hours ahead of time so someone can drive to the airport).

      There are plenty of airports that are not international either, who do not have customs service available.

      When flying from another country (Canada, Bermuda, Mexico are common origins for flights entering the US) all planes must stop at an international airport to clear customs. For commercial jets, that's why they fly into international airports. For small planes (GA) you generally fly to the nearest airport with customs services (because oddly, there aren't many inland).

      "international" is just a designation as a point of entry for flights into the country. You can very well overfly the entire country.

      "airport" is also just a designation for an aerodrome (the place planes actually take off and land) that's certified. (the literal definition of airport is... a certified aerodrome).

  9. Re:Another Happy Customer by Anonymous Coward · · Score: 0

    There's no proof that the posts to reddit asking how to hide information from a subpoena were his. They could have been from anyone. The "important VIP" wasn't necessarily Hillary.

  10. Re: Another Happy Customer by Anonymous Coward · · Score: 0

    His post to reddit isn't proof he was hiding anything despite the fact he asked for help in hiding.

  11. Re:installed by a contract third-party IT speciali by Archangel+Michael · · Score: 1

    I can believe it was the client's idea. As an IT guy, I would have walked away, after explaining that I wasn't going to be party to people too cheap or too stupid to do their job correctly, and risk the safety of everyone that uses that airport.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  12. Re:installed by a contract third-party IT speciali by Anonymous Coward · · Score: 0

    Idk.... He seems pretty "special" to me...

    Altho i worry he's not wearing a helmet.

  13. Also leaked..that this place even exists by Anonymous Coward · · Score: 0

    Stewart International Airport is a place...? With International connections?!

    Best part:
    Airport code is SWF...No honey, I swear I was looking for an .

    Second best part:
    Orbitz: We've searched more than 400 airlines that we sell, and couldn't find any Nonstop flights from San Francisco (SFO) to Newburgh (SWF)

  14. Re:installed by a contract third-party IT speciali by haruchai · · Score: 2

    This is short for "My cousin Vinnie's 13 year old son. He's a whiz at these things"

    Barron is really good at the cyber

    --
    Pain is merely failure leaving the body
  15. Re: Another Happy Customer by Anonymous Coward · · Score: 0

    Just because he asked for help in hiding information doesn't mean he was trying to hide it.

  16. Re:installed by a contract third-party IT speciali by CaptainDork · · Score: 2

    No.

    As an IT guy myself, I would have (and did -- now retired) talked to anyone who would listen, including managing partners, and insisted on implementing best practices.

    Then I would send an email to the whomevers and let them reject my recommendations for the record.

Business makes the final call, but I always covered my ass and had evidence that installations were to their specs, despite having been warned.

If the install was something they'd never actually have to manage, I'd change the admin password to one of my own and never tell a soul.

    Later, when another tech from another firm came on site to do shit, I'd just tell them, "Dunno ... maybe a factory reset?"

    --
    It little behooves the best of us to comment on the rest of us.
  17. Re: Another Happy Customer by Anonymous Coward · · Score: 0

    Where there's smoke, there's fire.

  18. good ol stewart by Anonymous Coward · · Score: 0

    Have they tracked down both of the passengers who landed at SWF last year? Do they have plans to replace their single disused jetway with a different, more secure disused jetway?

    Have they put up a fence around the tarmac yet?

  19. Re:installed by a contract third-party IT speciali by Archangel+Michael · · Score: 2

    I used to do the same. I don't any more. After being thrown under the bus for doing EXACTLY what the customer said, against my recommendations(documented no less), no thank you.

    WHICH happens to be a great way to make your point even stronger. Telling a customer "no, I won't" gets them to think, perhaps a little. I've had a couple people ask me why I won't, and basically say, "When the shit hits the fan, I don't want to be involved, don't want to clean the mess up, and don't want to take the fall for anyone but me".

    I now use a phrase that sums up everything perfectly. "Good IT is expensive, bad IT is costly".

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  20. Re: Priorities by Anonymous Coward · · Score: 0

    You are an idiot.

  21. Stewart = ConAir departure point by Anonymous Coward · · Score: 2, Informative

    I've been flown out of Stewart a couple of times. It's the departure point for New York area Federal prisoners bound for FTC Oklahoma City and other points. The US Marshals drive buses and vans from all over the area (MDC Brooklyn, MCC Manhattan, Danbury, Ft. Dix, etc.) every Tuesday and Thursday afternoon to Stewart to meet a white, unmarked JPATS jet (737 or MD-80). Prisoners are usually in paper jumpsuits, shackled ankles, wrists, and waist, and are patted down on the apron next to the jet.

    Transfer takes place next to the NY Air National Guard helicopter hangars. Perimeter security consists of four or five US Marshals with 12-gauge shotguns or M4/M16 rifles and sidearms. Transfer time takes about 90 minutes, unless there's a mechanical problem with the plane, which is more often than not.

    High-value prisoners (e.g., a Whitey Bulger or a convicted terrorist) are not transported with the general population.

BTW, the buses are unmarked intercity (i.e., Greyhound) buses. You can tell they're FBOP because there's a separate door on the left side at the back for a US Marshal who sits in a caged seat with a shotgun, along with a GPS antenna in an external dome on the roof over the drivers' compartment. Side windows are tinted black.

    k.

  22. Re: Another Happy Customer by Anonymous Coward · · Score: 0

    smoke machine?

  23. nmap is your friend by Anonymous Coward · · Score: 0

    Scan everything regularly from inside and outside. Close off everything that isn't supposed to be open in the first place, especially from the WAN side.

  24. Really? by kilodelta · · Score: 1

    The external I.T. support guy didn't know you can shut that shit off, or at the very least put a decent hardware firewall in front of it?
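
Comments 23 and 24 above recommend scanning from outside and closing off whatever should not be open. As an added example (not from the article, ZDNet, or any commenter), the following Python script turns that advice into a repeatable check: feed it the grepable output of an nmap scan run from outside the perimeter plus an allowlist of the services that are meant to face the internet, and it reports every other open port, ranking file-sharing and device-management ports (the kind a backup NAS like the one in the story answers on) highest. The scan output, the addresses (RFC 5737 documentation ranges), the allowlist and the port risk ranking are all constructed assumptions for this example.

```python
"""Flag internet-reachable services that are not on an explicit allowlist.

Added example (not from the article or any commenter). It consumes nmap's
grepable output (`nmap -sS -p- -oG - <range>` run from OUTSIDE the perimeter)
and reports every open port that nobody signed off on. The scan text, the
addresses (RFC 5737 documentation ranges) and the allowlist are constructed
for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample of `nmap -oG` output, as if scanned from the WAN side.
# 203.0.113.9 stands in for a NAS that was never meant to face the internet.
EXTERNAL_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.5 ()\tStatus: Up
Host: 203.0.113.5 ()\tPorts: 443/open/tcp//https///, 22/filtered/tcp//ssh///\tIgnored State: closed (65533)
Host: 203.0.113.9 ()\tStatus: Up
Host: 203.0.113.9 ()\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 5000/open/tcp//upnp///\tIgnored State: closed (65531)
# Nmap done (constructed sample)
"""

# The only things that are *supposed* to answer from the internet.
# Anything open and absent from this map is a finding (assumed policy).
ALLOWED_EXTERNAL = {
    "203.0.113.5": {"443/tcp"},
}

# File-sharing and device-management ports: one of these open on the WAN
# side is how backup images end up readable by anyone (assumed risk ranking).
FILE_SERVICE_PORTS = {21, 139, 445, 548, 873, 2049, 5000}

# nmap -oG port field layout: port/state/protocol/owner/service/rpcinfo/version
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str

    @property
    def severity(self) -> str:
        return "critical" if self.port in FILE_SERVICE_PORTS else "high"


def parse_grepable(text: str) -> dict:
    """Return {host: [(port, proto, state, service), ...]} from -oG output."""
    hosts: dict = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+)", line)
        if not m:
            continue                        # comment lines and blanks
        host = m.group(1)
        entries = hosts.setdefault(host, [])  # keep hosts with no open ports
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    entries.append((int(port), proto, state, service))
    return hosts


def unexpected_exposures(scan_text: str, allowed: dict) -> list:
    """Every open port not explicitly allowed for that host, worst first."""
    findings = []
    for host, ports in parse_grepable(scan_text).items():
        permitted = allowed.get(host, set())
        for port, proto, state, service in ports:
            if state != "open":
                continue                    # filtered/closed: the firewall is doing its job
            if f"{port}/{proto}" not in permitted:
                findings.append(Finding(host, port, proto, service))
    # critical findings first, then by host and port for a stable report
    return sorted(findings, key=lambda f: (f.severity != "critical", f.host, f.port))


if __name__ == "__main__":
    for f in unexpected_exposures(EXTERNAL_SCAN, ALLOWED_EXTERNAL):
        print(f"{f.severity.upper():8} {f.host}:{f.port}/{f.proto} ({f.service})")
```

Run it on a schedule against a real scan taken from a host outside the network (`nmap -sS -p- -oG scan.txt <public range>`) and alert on any non-empty result; the same parser works on the inside scan, where the allowlist becomes the set of services each host is supposed to offer on the LAN. Note that `filtered` ports are deliberately not reported: they are the evidence that a firewall is in front of the device, which is exactly the remedy comment 24 asks for.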

  25. Re:installed by a contract third-party IT speciali by slashrio · · Score: 1

    I fail to see why enabling someone to work from home would have to cost $15,000/yr.

    --
    "Trump!!", the new Godwin.
  26. Re:installed by a contract third-party IT speciali by CaptainDork · · Score: 1

    "Good IT is expensive, bad IT is costly".

    I like it.

    --
    It little behooves the best of us to comment on the rest of us.
  27. Re:installed by a contract third-party IT speciali by guruevi · · Score: 1

    It's an accumulation of "little things" that some bozo decides he can do himself resulting in initial savings until the shit hits the fan.

    I've gone to plenty of customer sites (I'd say 75% of them) where routers and switches, backup drives and even servers appear all on their own. "Oh yeah we bought that to do x" and often I unplug it and have to tell them "well this is your problem" "but it worked for a couple of weeks" "and then you had a power outage and now there are 2 different DHCP ranges on your network"

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  28. Not surprised by Anonymous Coward · · Score: 0

    Having worked with PANYNJ "IT" people on several occasions, I am not surprised in the least. Those that oversee infrastructure are non-existent or prefer to not interact with contractors. Everything else is managed by bottom dollar contractors that come and go depending on whose price is the lowest. No one actually employed (not contracted) by the org has any IT knowledge beyond where to find the power button on their motorized cup holder.

  29. Re:installed by a contract third-party IT speciali by slashrio · · Score: 1

    Ok, and then you charge $15,000?

    --
    "Trump!!", the new Godwin.
  30. Re:installed by a contract third-party IT speciali by guruevi · · Score: 1

    The $15,000 in "cumulative savings" I referred to will probably cost more in the long term. In the router case, the issue did cost them more in the end. I had to bill them for an unscheduled emergency call, troubleshoot what was going wrong, then I had to take out the $50 router and walk around and reboot every terminal. In this instance, they did save the $250 initially quoted ($200 if you count the $50 they gave the bartender's nephew) but ended up paying $400 and the money spent prior was also wasted (because the hardware is now just collecting dust on a shelf).

    This is what the customer thinks (almost uniformly):
    Every time I have to call this guy, it costs me $150, if I can do it myself, it costs me $0 (or $25-50 for cousin IT to do it).

    For small-midsize organizations, you're dealing with perhaps a couple or so contractors charging you $50k or more for IT services, still cheaper than hiring a dedicated IT. So one of the HR people "knows about computers" and becomes the "IT guy", they don't have to "pay" the contractors anymore for small stuff because "that guy from HR" knows about computers, right? That "IT guy" can probably "save" the organization $15k over a year, which he obviously makes very clear to his superiors which is technically true, they don't have to call the contractor nearly as often because "that guy from HR" knows about computers.

    That is, until things go wrong. Then suddenly, the $15,000 savings last year becomes a mandatory $50,000 PCI or HIPAA (or whatever your regulation is) audit or a huge fine from Microsoft or Adobe. The issues still have to be fixed because the number of 'fixes' accumulates and you're dealing with an extra 100 systems that have never been updated, no patch management etc. That could easily cost $15,000 if not more depending on licensing costs.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com