Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com)
Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes:
Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running the etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers, which can be used to gain access to CMSs, MySQL and PostgreSQL databases, etc.
etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.
Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
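The exposure described in the summary comes down to one configuration combination: a client listener bound to a non-loopback address, over plaintext HTTP, with no client authentication. The following is an added example (not code from the article, from Collazo, or from the etcd project) that audits an etcd command line for exactly that combination, using the real etcd flags `--listen-client-urls`, `--client-cert-auth`, `--cert-file` and `--trusted-ca-file`. The two sample command lines, the hostnames and the certificate paths under `/etc/etcd/` are constructed for illustration. The check does not see etcd's role-based authentication (`etcdctl auth enable`), so a clean result here means the network-level settings are sane, not that the key space is locked down.

```python
"""Audit an etcd process command line for the exposure described above.

Added example, not code from the article or the etcd project. It inspects the
client-facing etcd flags and reports the combination that lets anyone who can
reach the port read the key space: a non-loopback listener without TLS client
authentication.
"""
import shlex
from urllib.parse import urlsplit

# Addresses that cannot be reached from another host.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample command lines (hostnames and paths are made up).
EXPOSED_CMDLINE = (
    "etcd --name node1 --listen-client-urls http://0.0.0.0:2379 "
    "--advertise-client-urls http://10.0.0.5:2379"
)
HARDENED_CMDLINE = (
    "etcd --name node1 --listen-client-urls https://10.0.0.5:2379 "
    "--cert-file /etc/etcd/server.crt --key-file /etc/etcd/server.key "
    "--client-cert-auth --trusted-ca-file /etc/etcd/ca.crt"
)


def parse_etcd_flags(cmdline: str) -> dict:
    """Turn 'etcd --a=b --c d --flag' into {'a': 'b', 'c': 'd', 'flag': 'true'}."""
    tokens = shlex.split(cmdline)
    flags = {}
    i = 1  # skip the binary name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name = tok[2:]
            if "=" in name:
                name, value = name.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                value = tokens[i + 1]
                i += 1
            else:
                value = "true"  # bare boolean flag such as --client-cert-auth
            flags[name] = value
        i += 1
    return flags


def audit_client_listeners(flags: dict) -> list:
    """Return findings about client-facing listeners; an empty list means none found."""
    findings = []
    # etcd's own default is loopback only, which is why a bare 'etcd' passes.
    urls = flags.get("listen-client-urls", "http://localhost:2379")
    cert_auth = flags.get("client-cert-auth", "false").lower() == "true"
    for raw in urls.split(","):
        url = urlsplit(raw.strip())
        host = url.hostname or ""
        exposed = host not in LOOPBACK  # 0.0.0.0, ::, or a routable address
        if exposed and url.scheme == "http":
            findings.append(f"{raw}: plaintext client listener reachable off-host")
        if exposed and not cert_auth:
            findings.append(f"{raw}: off-host listener without --client-cert-auth")
    if flags.get("cert-file") and not flags.get("trusted-ca-file"):
        findings.append("--cert-file set but no --trusted-ca-file: clients cannot be verified")
    return findings


if __name__ == "__main__":
    for label, cmdline in (("exposed", EXPOSED_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(label, audit_client_listeners(parse_etcd_flags(cmdline)) or ["ok"])
```

Feed it the `ExecStart` line of your etcd unit file or the output of `ps -o args= -C etcd`; the exposed sample produces two findings, the hardened one none.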
I just discovered the first System Shock. One of the most intense games I've ever played. Wow!
This is 2018 you shouldn't be using 1234 anymore 12345 should be default. That'll keep the pesky hackers at bay for a while longer.
This site has been around for a while, why has this story just been posted now? Seems like something that should have been noticed already...
Admins running servers with no authorization need to be fired a lot more often. It ruins the entire industry.
"With the default settings, its programming interface can return administrative login credentials without any authentication upfront." Why is no security the default on so many software and hardware products?
nuf siad
This is truly the most important news story of the last 3 seconds.
So the police and security services can get in and stay in.
Imagine if PRISM had to create a new login every day to get back into all the big US brands?
The easy way around that hard crypto work is to have an open front door, open back door, open trap door.
The US gov asked for plain text wide open network facing systems as the way it likes to collect on big US brands data.
Collect it all globally slows when every big network has to have real working crypto set up.
No new crypto and collect it all keeps collecting. No keys, shared keys, an open window.
It's all part of what the government needs to keep the nation's computers open to secure collection.
Secure networks stop the government from seeing what hackers are doing deep in networks.
Wide open networks allow the government to watch everyone using a network.
Domestic spying is now "Benign Information Gathering"
Like 1234 does.
I suggest that we just forget all this security software stuff and just go back to the honor system.
Why is no security the default on so many software and hardware products?
Several reasons:
1. To make the software easier to install. Many software packages are installed by first-time users that don't like to RTM or spend a lot of time configuring security when they just want to try it in a pre-deployment mode.
2. Because "default security" is in fact an oxymoron. For example if the default username/password is "admin" and "admin" how is that any better than having no security enabled at all?
3. Many packages have the ability to use different security frameworks. LDAP, Kerberos, Active Directory, etc. Defaulting to one of those will put off users wanting to use something else.
Much of this can be addressed by having a decent install system involving an interactive script but that tends to be costly to implement and many projects would prefer spending what resources they have elsewhere.
That's my take anyway.
Hi, I was a major contributor on etcd. Your assessment simply is not true and was not congruent with my philosophy or the other developers working on the project that I personally knew. The default configuration of etcd is secure and what a developer would typically want: it binds to localhost and will not accept connections from the outside under typical circumstances. Anything else is user configuration. There is excellent TLS authentication support for those that need it.
The more I see of this over my 20+ year career and going, just reminds me of the thinning (and dying) crowd of truly experienced, intelligent, well-rounded and top-shelf skilled folks who call or hold a position of sys/network admin. I've always tried to come to some sane conclusion that it was just another configuration mistake, oversight and being in an overwhelming/demanding position, over pressured in getting something done now vs right, being purely lazy, or any other myriad of workplace excuses I want to try to explain shit like this and it really comes down to: most people are NOT good at a job like that and having an absolute polished computing and work experience background to do a good job.
Just kind of like going to a national chain restaurant, coffee shop or what-the-fuck ever in some other side of town, city or state: They all have the same ingredients, recipes and tools to make it the same, but don't have the intellect, care, skill, tenacity and drive, such that my Applebee's burger or Starbucks Cafe Misto tasted way fucking better over here than it did over there?
Making the argument that I didn't know how to run the grill, espresso machine or cash register isn't any different than fake-victimizing yourself about configuring user-land tools or services, reading a fucking 'man' page (yes they still exist and are maintained, kids), thinking about something before you do it and relying on intuition or experience, reading a book/manual/whitepaper, doing shit the 'right' way vs googling or stack-overflowing your way through it IMHO.
That is what happens if you have "cheaper than possible" developers and nobody actually being punished when things go wrong. What we urgently need is management responsibility with criminal sanctions. Have your data stolen, cannot conclusively prove due diligence, _including_ independent verification? Go to jail!
Instead nothing happens and the demented public forgets about it in a few weeks. With that situation, all those breaches are not a surprise. They are merely an expected side-effect of cost-optimization.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
System Shock 3 is in the works!
Very much so. And one reason is that a good system administrator is expensive (but well worth the money). Hence the bean-counters, with their complete lack of understanding how things actually work, have eliminated these positions. And then they moved on to coders: I now have had to explain several times to "senior" web developers (>5 years experience) in a large organization (Fortune 500 around the middle) what an HTTP request and HTTP response looks like, because that happens to be important for what is sent to the client (browser). Also, these people are incapable of even changing tiny details in their servers. I have one application that is incapable of adding an additional port to a virtual web server configuration after 9 months and countless tries. This whole thing is a train-wreck in the making with more and more application teams being comprised of 100% people without a clue. And this is not a specific problem with this customer. All other large ones are in a similar state.
I predict that we will see some large organization fail this or the next decade because they have completely lost control of their IT and problems simply cannot be fixed anymore.
Simple: "Developers" have gotten so incompetent that with security by default, they cannot get anything to work anymore. Users are worse. And system administrators are becoming extinct.
Back when Slashdot was at its peak, Microsoft took a regular beating here for its approach to no SA password on SQL Server new installs, and the subsequent attacks on public facing SQL Server instances as a result...
Today, pretty much no one here bats an eyelid at the fact that significant amounts of critical open source infrastructure projects are shipped in the same manner - mongo, redis, etcd, consul, MySQL etc etc etc.
It's not just the expense of our expertise. We interfere with day to day productivity when we tell developers or our own businesses to follow basic security practices, and are told by managers and our clients to stop wasting people's time. I've certainly forbidden transmitting passwords via email in plaintext, and storing passwords in source control repositories in plain text, or storing default permanent passwords in public setup instructions. I've then seen the written instructions published by department heads of network operation center groups or developers to always send the passwords via email and never force password changes, just to avoid wasting customer time and so that the business has a record of that password for later support use.
I'm afraid that security is almost always treated as a cost. The failure to pay that cost can be tragic. But the cost often isn't large enough or immediate enough for people to remember to pay it until it's much too late.
It's partly down to marketing from companies like Microsoft... their whole push in the NT vs Novell vs Unix days was that you didn't need to hire an expensive sysadmin...
Another factor is that the industry has expanded much faster than the talent pool, there simply aren't enough people with good enough skills to fill the available roles, so companies take whatever they can get. Identifying people with the appropriate skill is also hard unless you already have someone with such skills who can grill people properly in an interview.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Changing passwords regularly can often be a bad thing: it forces people to remember new passwords, which will result in them writing them down somewhere, or picking weaker passwords which are easier to remember. Having a strong password that doesn't change is often better; passwords should only be changed if there is suspicion of compromise.
Security *is* a cost, not just financial but also the inconvenience it causes. Most companies save money on security and then get lucky because no major incidents occur.
You're absolutely right to blame the bean counters; they are doing to IT what fast-food chains did to their restaurants: breaking jobs into easy to manage chunks for which you can hire lower-qualified but much cheaper labour. And the result actually is easier to manage; someone called this "predictable mediocrity". The difference is that in fast-food chains, they managed to set the bar at an acceptable level: when you walk into a McD or whatever, you know exactly what you're going to get. There's no joy at getting an awesome burger, but you're also sure you're not going to be disappointed.
In IT, predictable mediocrity doesn't result in an acceptable level of quality. Moreover, I predict that we'll see fewer well-rounded, intelligent professionals in the future, because there's almost no structural demand for that type of individual any more. What I see already happening is that companies who finally realise the value of having at least a couple of such individuals on board find that they can't hire them, because the way they set up IT means they cannot offer these professionals a satisfying work environment or any sort of meaningful career path.
IT needs a revolution, and not a technical one. Neither Agile.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I agree with point 1: to make the software easy to install (and first-time test). There's a long history of good software that gets passed over by not-so-good software just because it's easier in the very first hours/days.
The others? Not so much: having software secure by default is in fact quite easy, even without the need for interactive feedback.
Just tie it only to loopback and let it produce a random password that gets logged to an only-root-can-read file (or at least to a 0700 file owned by the user launching it).
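The two secure-by-default steps in the comment above (loopback only, random initial credential written where only the launching user can read it) are small enough to show end to end. This is an added example, not code from the article or from etcd, MySQL or any other project named in the thread; the directory and file names are made up, and the demo runs in a scratch directory. It goes slightly beyond the comment by also refusing to overwrite a credential file that already exists, which closes the window in which a planted file or symlink could capture the secret.

```python
"""Secure-by-default bootstrap sketched in the comment above.

Added example, not from the article or any project named in the thread.
Pattern: bind only to 127.0.0.1, generate a random initial credential, and
write it to a 0600 file inside a 0700 directory owned by the launching user.
"""
import os
import secrets
import socket
import stat
import tempfile
from pathlib import Path

SECRET_NAME = "initial-admin-token"  # made-up file name


def write_initial_secret(run_dir: Path) -> str:
    """Create run_dir with mode 0700 and write a fresh random token to a 0600 file."""
    # Restrictive umask first, so the file is never world-readable even briefly.
    old_umask = os.umask(0o077)
    try:
        run_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
        os.chmod(run_dir, 0o700)  # make the mode explicit even if the dir pre-existed
        token = secrets.token_urlsafe(32)  # 32 random bytes, nothing like "1234"
        # O_CREAT|O_EXCL: fail instead of overwriting or following an existing path.
        fd = os.open(run_dir / SECRET_NAME, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(token + "\n")
        return token
    finally:
        os.umask(old_umask)


def bind_loopback_only(port: int = 0) -> socket.socket:
    """Listen on 127.0.0.1 only; port 0 lets the OS pick a free port (handy for tests)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))  # never 0.0.0.0 unless the operator asks for it
    sock.listen(5)
    return sock


def file_mode(path: Path) -> int:
    """Permission bits only (e.g. 0o600), for verification."""
    return stat.S_IMODE(path.stat().st_mode)


def bootstrap_demo() -> dict:
    """Run the whole pattern in a scratch directory and report what was enforced."""
    with tempfile.TemporaryDirectory() as tmp:
        run_dir = Path(tmp) / "run"
        token = write_initial_secret(run_dir)
        try:
            write_initial_secret(run_dir)  # must not silently rotate the first token
            refused = False
        except FileExistsError:
            refused = True
        sock = bind_loopback_only()
        host, _port = sock.getsockname()
        sock.close()
        return {
            "token_len": len(token),
            "dir_mode": oct(file_mode(run_dir)),
            "file_mode": oct(file_mode(run_dir / SECRET_NAME)),
            "bound_host": host,
            "overwrite_refused": refused,
        }


if __name__ == "__main__":
    print(bootstrap_demo())
```

The demo reports a 43-character token, `0o700`/`0o600` modes, a listener bound to `127.0.0.1`, and a refused second write. Exposing the service beyond loopback then becomes a deliberate operator decision rather than the default.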
"You're absolutely right to blame the bean counters"
No, it's much deeper than that: it is entrenched into IT culture and the promotion system and even Peter with his Principle was wrong.
First, you have youngsters who, being the youngsters they are, are full of shit (that's not a problem in itself, it's just human nature): they simply don't pay attention to what their elders learnt, so each generation in IT reinvents the wheel anew and, of course, falls into the same mistakes. Then, in order to gain the ability to do "big things" you need to climb the corporate ladder, and you won't do that on your technical acumen (which can't even be recognized, as those around you -and above you- lack it almost completely) but because of your "social abilities", which critically include the ability to please your (clueless) higher-ups, something much easier to do when you are clueless yourself and you spend your time and focus on learning how to better suck up to the proper people than on the subtleties of your supposed job. Rinse and repeat, and you are ready for the next generation of clueless youngsters starting a new cycle.
So, no, Peter's Principle is not at work because, in IT, people are not promoted because they are good at their old position until they find their level of incompetence: they get promoted for the totally wrong reasons, disregarding their abilities in their previous one. And then, the most common way of breaking up Peter's Principle, starting the hierarchy anew at some middle point, is also flawed, because MBAs who start their career right in IT's middle management are even more clueless than their ranks.
Then, as you say, if by some miracle someone can and wants to break the chain, he finds there's no pool of good professionals to take people from, basically at any cost, because the system neither nurtures them nor has any ability to recognize them.
because the system neither nurtures them, nor has any ability to recognize them
... this is spot on, and it's one of the reasons I quit my last job years ago and became an independent consultant: I wasn't allowed to nurture new talent. We couldn't spend any time on coaching, and when doing performance reviews, I constantly got challenged by my manager when I gave high marks for technical excellence.
Just tie it only to loopback and let it produce a random password that gets logged on an only-root-can-read file (or at least to a 0700 owned by the user launching it).
I think that is a good approach. MySQL does the first part -- tied to loopback only to start off but not the second part. Note one of the examples in the article was a MySQL with a trivial password where the user must have opened up the port and created that password both.
A sad state of affairs. I do not think the people from back then (and today's equivalent) have gotten less competent, but I do think there has been a vast influx into the field of semi-competent and outright incompetent people.
Excellent points. In a sense, the bean-counters expect a McD kitchen to turn out full-custom meals. That cannot work.
In defense of stack-overflow, I found it quite useful and helpful on occasion where the man pages were not.
This isn't just happening in the IT world, this is happening in every profession. I can tell you with industrial machine automation, there are no longer good operators nor maintenance people. Multimillion dollar machines grinding to a halt because no one knows how to fix it or operate it. It has gotten to the point where companies are buying equipment and the manufacturers of the equipment are now running and operating these machines, because the owners are completely incompetent, in management and hiring practices.
It's quite a sad state of affairs. It's also affecting the quality of people you can hire off the streets who require major retraining now. It's rare I find a company that even has a plant engineer. I have a plant engineer and people get shocked when they meet him.
Maintenance teams? Plant Engineers? Good competent operators that can also fix the machine? IT guys to deal with networking and communication issues? A lot of these things don't exist anymore and a lot of companies fail to realize how many of these positions actually blended in with each other before, which made things actually work.
Nowadays, they expect the minimum wage operator to do everything and require the knowledge of a PhD in multiple fields. Of course that never works; I see their production numbers, it's terrible.
man pages should just display proper syntax directly, not telling a story or a novel.
It should be similar to a Windows help switch like:
foo /?
or on Linux machines:
foo --help