Security Lapse Exposed New York Airport's Critical Servers For a Year

An anonymous reader quotes a report from ZDNet: A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found. The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents. Since April last year, the airport had been inadvertently leaking its own highly-sensitive files as a result of the drive's misconfiguration. Vickery, who also posted an analysis of his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist. When contacted Thursday, the contractor dismissed the claims and would not comment further. Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured. The files contained eleven disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database. Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.

Re:installed by a contract third-party IT speciali

[guruevi]

As an independent IT specialist myself, you can't believe the boneheaded clients that will either demand an uncomplicated "no password" policy, fail to follow directions or too cheap to update or go in and make these type of setting themselves after the fact.

Could easily be that the IT contractor set it up for a particular IP range and then the customer wanted to do something from home or allow remote workers, saw the bill and said "removing this line makes it work", became the office IT fixer and then at their next employee review "I saved the company $15000/year in consulting cost".

There are plenty of idiots in IT, but the cheap-skate know-it-all customers are way worse. I think computers and "IoT" devices should go back to defaulting to a command prompt only accessible by serial cable or local terminal and bring nothing online unless explicitly configured.