Slashdot Mirror


Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com)

Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running the etcd database. Then, he ran a simple script that pulled the login credentials stored on these servers, which can be used to gain access to CMSs, MySQL and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.

Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
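What the "simple script" in the story amounts to, as an added example that is not part of the Fossbytes article, Collazo's own code or the etcd project: when authentication is off, etcd's v2 HTTP API answers GET /v2/keys/?recursive=true on the default client port 2379 with the entire key tree, so a probe is one unauthenticated request plus a pass over the JSON for credential-looking values. The regular expressions, the SAMPLE_RESPONSE (shaped like an etcd v2 reply, with AWS's documentation placeholder key ID) and all function names are this example's own constructions; use it to audit your own clusters, not someone else's.

```python
"""
Probe an etcd v2 client endpoint for an unauthenticated key dump and
triage what comes back.  Added example, not the researcher's script.

Assumptions (not from the original page): etcd v2 HTTP API, default
client port 2379, full tree served at GET /v2/keys/?recursive=true when
auth is disabled and HTTP 401 when auth is enabled and denies guests.
"""
import json
import re
import urllib.error
import urllib.request

ETCD_V2_KEYS = "/v2/keys/?recursive=true"

# Heuristics for values worth a second look.  AWS access key IDs start
# with AKIA followed by 16 upper-case alphanumerics; PEM private keys
# announce themselves; many secrets are simply named as such.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PEM_PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CREDENTIAL_NAME_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key", re.IGNORECASE)


def walk(node, out):
    """Flatten etcd v2's nested node tree into (key, value) pairs."""
    if node.get("dir"):
        for child in node.get("nodes", []):
            walk(child, out)
    elif "key" in node:
        out.append((node["key"], node.get("value") or ""))
    return out


def classify(key, value):
    """Return the reasons (possibly none) a key/value pair looks like a credential."""
    tags = []
    if AWS_ACCESS_KEY_RE.search(value):
        tags.append("aws_access_key")
    if PEM_PRIVATE_KEY_RE.search(value):
        tags.append("private_key")
    if CREDENTIAL_NAME_RE.search(key):
        tags.append("credential_by_name")
    return tags


def triage(keys_response):
    """Given the parsed JSON of a recursive /v2/keys GET, list the findings in tree order."""
    findings = []
    for key, value in walk(keys_response.get("node", {}), []):
        tags = classify(key, value)
        if tags:
            findings.append({"key": key, "tags": tags})
    return findings


def check_endpoint(base_url, timeout=5):
    """Probe one etcd client endpoint with no credentials.

    Returns (status, findings): status is "open" (the tree was served),
    "auth_required" (etcd answered 401) or "error" (refused, timed out,
    not JSON, or any other HTTP error).
    """
    url = base_url.rstrip("/") + ETCD_V2_KEYS
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return ("auth_required" if exc.code == 401 else "error"), []
    except (urllib.error.URLError, ValueError, OSError):
        return "error", []
    return "open", triage(body)


# Constructed sample shaped like an etcd v2 response so the triage logic
# runs offline.  The AWS key ID is AWS's documentation placeholder.
SAMPLE_RESPONSE = {
    "action": "get",
    "node": {"dir": True, "key": "/", "nodes": [
        {"key": "/app/db/password", "value": "1234"},
        {"key": "/app/aws/access_key", "value": "AKIAIOSFODNN7EXAMPLE"},
        {"key": "/app/name", "value": "frontend"},
        {"key": "/app/tls", "dir": True, "nodes": [
            {"key": "/app/tls/server.key",
             "value": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"},
        ]},
    ]},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        status, findings = check_endpoint(sys.argv[1])
    else:
        status, findings = "open (sample)", triage(SAMPLE_RESPONSE)
    print(status)
    for finding in findings:
        print(finding["key"], ",".join(finding["tags"]))
```

Run it as `python3 etcd_check.py http://etcd.internal:2379` from outside the cluster network; anything other than a refused connection or "auth_required" means the advice in the summary applies. The fix is etcd's own: create a root user and run `etcdctl auth enable`, bind `--listen-client-urls` to a private interface instead of 0.0.0.0, and require TLS client certificates (`--client-cert-auth` with `--trusted-ca-file`). One caveat on the v2 auth model: it has a guest role for unauthenticated clients, so re-run this probe after enabling auth rather than assuming the 401.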

3 of 41 comments

  1. Accountability by Anonymous Coward · Score: 2, Insightful

    Admins running servers with no authorization need to be fired a lot more often. It ruins the entire industry.

  2. Re:Real McCoy sys-admin position is dead, that's w by gweihir · Score: 3, Insightful

    Very much so. And one reason is that a good system administrator is expensive (but well worth the money). Hence the bean-counters, with their complete lack of understanding how things actually work, have eliminated these positions. And then they moved on to coders: I now have had to explain several times to "senior" web developers (>5 years experience) in a large organization (Fortune 500 around the middle) what an HTTP request and HTTP response looks like, because that happens to be important for what is sent to the client (browser). Also, these people are incapable of even changing tiny details in their servers. I have one application that is incapable of adding an additional port to a virtual web server configuration after 9 months and countless tries. This whole thing is a train-wreck in the making with more and more application teams being comprised of 100% people without a clue. And this is not a specific problem with this customer. All other large ones are in a similar state.

    I predict that we will see some large organization fail this or the next decade because they have completely lost control of their IT and problems simply cannot be fixed anymore.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Re:Real McCoy sys-admin position is dead, that's w by Antique+Geekmeister · Score: 3, Insightful

    It's not just the expense of our expertise. We interfere with day to day productivity when we tell developers or our own businesses to follow basic security practices, and are told by managers and our clients to stop wasting people's time. I've certainly forbidden transmitting passwords via email in plaintext, and storing passwords in source control repositories in plain text, or storing default permanent passwords in public setup instructions. I've then seen the written instructions published by department heads of network operation center groups or developers to always send the passwords via email and never force password changes, just to avoid wasting customer time and so that the business has a record of that password for later support use.

    I'm afraid that security is almost always treated as a cost. The failure to pay that cost can be tragic. But the cost often isn't large enough or immediate enough for people to remember to pay it until it's much too late.