Slashdot Mirror


Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com)

Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running the etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers, which can be used to gain access to CMSs, MySQL and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.

Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
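A self-check for the default-settings failure described above, added here and not code from the Fossbytes article or from the researcher: it issues the single anonymous read against an etcd v2 endpoint you administer and reports only whether that read is rejected, and how many keys would be readable if it is not, without printing any values. The sample response bodies are constructed, and the endpoint address is an assumption.

```python
import json
import urllib.error
import urllib.request

# Constructed sample bodies in the shape of etcd's v2 /v2/keys response (not captured
# from any real server); the values are placeholders, never real credentials.
SAMPLE_OPEN_BODY = json.dumps({
    "action": "get",
    "node": {"dir": True, "nodes": [
        {"key": "/config/db_host", "value": "db.internal"},
        {"key": "/secrets", "dir": True, "nodes": [
            {"key": "/secrets/db_password", "value": "PLACEHOLDER"},
            {"key": "/secrets/aws_access_key", "value": "PLACEHOLDER"},
        ]},
    ]},
})
SAMPLE_AUTH_BODY = json.dumps({"message": "Insufficient credentials"})


def count_leaf_keys(node):
    """Count readable key/value leaves in an etcd v2 node tree (directories excluded)."""
    if node.get("dir"):
        return sum(count_leaf_keys(child) for child in node.get("nodes", []))
    return 1


def classify(status, body):
    """Map one anonymous-read result to a finding; values in the body are never returned."""
    if status == 200:
        try:
            root = json.loads(body).get("node")
            leaves = count_leaf_keys(root) if isinstance(root, dict) else 0
        except (ValueError, AttributeError):
            leaves = 0  # a 200 with an unexpected body still means no auth challenge
        return ("EXPOSED", leaves)
    if status == 401:
        return ("AUTH_REQUIRED", 0)
    return ("OTHER", 0)


def probe(endpoint, timeout=3.0):
    """One unauthenticated GET of the recursive key listing; None if unreachable."""
    url = endpoint.rstrip("/") + "/v2/keys/?recursive=true"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return None  # unreachable from here, e.g. firewalled or bound to localhost only
```

Call `probe("http://127.0.0.1:2379")` (an assumed address; 2379 is etcd's default client port) for each endpoint you administer; anything other than `AUTH_REQUIRED` or `None` on an address reachable from outside the cluster means the authentication and firewall steps the article recommends are still missing.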

10 of 41 comments

  1. Accountability by Anonymous Coward · · Score: 2, Insightful

    Admins running servers with no authorization need to be fired a lot more often. It ruins the entire industry.

  2. Re:Why is no security the default on so many thing by AlanObject · · Score: 2

    Why is no security the default on so many software and hardware products?

    Several reasons:

    1. To make the software easier to install. Many software packages are installed by first-time users that don't like to RTM or spend a lot of time configuring security when they just want to try it in a pre-deployment mode.

    2. Because "default security" is in fact an oxymoron. For example if the default username/password is "admin" and "admin" how is that any better than having no security enabled at all?

    3. Many packages have the ability to use different security frameworks. LDAP, Kerberos, Active Directory, etc. Defaulting to one of those will put off users wanting to use something else.

    Much of this can be addressed by having a decent install system involving an interactive script but that tends to be costly to implement and many projects would prefer spending what resources they have elsewhere.

    That's my take anyway.

  3. Real McCoy sys-admin position is dead, that's why by adosch · · Score: 4, Interesting

    The more I see of this over my 20+ year career and going, just reminds me of the thinning (and dying) crowd of truly experienced, intelligent, well-rounded and top-shelf skilled folks who call or hold a position of sys/network admin. I've always tried to come to some sane conclusion that it was just another configuration mistake, oversight and being in an overwhelming/demanding position, over pressured in getting something done now vs right, being purely lazy, or any other myriad of workplace excuses I want to try to explain shit like this and it really comes down to: most people are NOT good at a job like that and having an absolute polished computing and work experience background to do a good job.

    Just kind of like going to a national chain restaurant, coffee shop or what-the-fuck ever in some other side of town, city or state: They all have the same ingredients, recipes and tools to make it the same, but don't the intellect, care, skill, tenacity and drive that my Applebee's burger or Starbucks Cafe Misto tasted way fucking better over here than it did over there?

    Making the argument that I didn't know how to run the grill, espresso machine or cash register isn't any different than fake-victimizing yourself about configuring user-land tools or services, reading a fucking 'man' page (yes they still exist and are maintained, kids), thinking about something before you do it and relying on intuition or experience, reading a book/manual/whitepaper, doing shit the 'right' way vs googling or stack-overflowing your way through it IMHO.

  4. No skills, no penalties by gweihir · · Score: 2

    That is what happens if you have "cheaper than possible" developers and nobody actually being punished when things go wrong. What we urgently need is management responsibility with criminal sanctions. Have your data stolen, cannot conclusively prove due diligence, _including_ independent verification? Go to jail!

    Instead nothing happens and the demented public forgets about it in a few weeks. With that situation, all those breaches are not a surprise. They are merely an expected side-effect of cost-optimization.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Re:Real McCoy sys-admin position is dead, that's w by gweihir · · Score: 3, Insightful

    Very much so. And one reason is that a good system administrator is expensive (but well worth the money). Hence the bean-counters, with their complete lack of understanding how things actually work, have eliminated these positions. And then they moved on to coders: I now have had to explain several times to "senior" web developers (>5 years experience) in a large organization (Fortune 500 around the middle) what an HTTP request and HTTP response looks like, because that happens to be important for what is sent to the client (browser). Also, these people are incapable of even changing tiny details in their servers. I have one application that is incapable of adding an additional port to a virtual web server configuration after 9 months and countless tries. This whole thing is a train-wreck in the making with more and more application teams being comprised of 100% people without a clue. And this is not a specific problem with this customer. All other large ones are in a similar state.

    I predict that we will see some large organization fail this or the next decade because they have completely lost control of their IT and problems simply cannot be fixed anymore.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Re:Real McCoy sys-admin position is dead, that's w by Antique+Geekmeister · · Score: 3, Insightful

    It's not just the expense of our expertise. We interfere with day to day productivity when we tell developers or our own businesses to follow basic security practices, and are told by managers and our clients to stop wasting people's time. I've certainly forbidden transmitting passwords via email in plaintext, and storing passwords in source control repositories in plain text, or storing default permanent passwords in public setup instructions. I've then seen the written instructions published by department heads of network operation center groups or developers to always send the passwords via email and never force password changes, just to avoid wasting customer time and so that the business has a record of that password for later support use.

    I'm afraid that security is almost always treated as a cost. The failure to pay that cost can be tragic. But the cost often isn't large enough or immediate enough for people to remember to pay it until it's much too late.

  7. Re:Real McCoy sys-admin position is dead, that's w by Bert64 · · Score: 2

    It's partly down to marketing from companies like Microsoft... their whole push in the NT vs Novell vs Unix days was that you didn't need to hire an expensive sysadmin...

    Another factor is that the industry has expanded much faster than the talent pool, there simply aren't enough people with good enough skills to fill the available roles, so companies take whatever they can get. Identifying people with the appropriate skill is also hard unless you already have someone with such skills who can grill people properly in an interview.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Re:Real McCoy sys-admin position is dead, that's w by JaredOfEuropa · · Score: 3, Interesting

    You're absolutely right to blame the bean counters; they are doing to IT what fast-food chains did to their restaurants: breaking jobs into easy to manage chunks for which you can hire lower-qualified but much cheaper labour. And the result actually is easier to manage; someone called this "predictable mediocrity". The difference is that in fast-food chains, they managed to set the bar at an acceptable level: when you walk into a McD or whatever, you know exactly what you're going to get. There's no joy at getting an awesome burger, but you're also sure you're not going to be disappointed.

    In IT, predictable mediocrity doesn't result in an acceptable level of quality. Moreover, I predict that we'll see fewer well-rounded, intelligent professionals in the future, because there's almost no structural demand for that type of individual any more. What I see already happening is that companies who finally realise the value of having at least a couple of such individuals on board find that they can't hire them, because the way they set up IT means they cannot offer these professionals a satisfying work environment or any sort of meaningful career path.

    IT needs a revolution, and not a technical one. Neither Agile.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  9. Re:Real McCoy sys-admin position is dead, that's w by turbidostato · · Score: 2

    "You're absolutely right to blame the bean counters"

    No, it's much deeper than that: it is entrenched into IT culture and the promotion system and even Peter with his Principle was wrong.

    First, you have youngsters who, as the youngsters they are, are full of shit (that's not a problem in itself, it's just human nature): they simply don't pay attention to what their elders learnt, so each generation in IT reinvents the wheel anew and, of course, falls into the same mistakes. Then, in order to gain the ability to do "big things" you need to climb the corporate ladder, and you won't do that because of your technical acumen (which can't even be recognized, as those around you -and above you- lack it almost completely) but because of your "social abilities", which critically include the ability to please your (clueless) higher-ups, something much easier to do when you are clueless yourself and you spend your time and focus on learning how to better suck up to the proper people than on the subtleties of your supposed job. Rinse and repeat, and you are ready for the next generation of clueless youngsters starting a new cycle.

    So, no, Peter's Principle is not at work because, in IT, people are not promoted because they are good in their old position until they find their level of incompetence: they get promoted for the totally wrong reasons, disregarding their abilities in their previous one. And then, the most common way of breaking Peter's Principle, starting the hierarchy anew at some middle point, is also flawed because MBAs who start their career right in IT's middle management are even more clueless than their ranks.

    Then, as you say, if by some miracle someone can and wants to break the chain, he finds there's no pool of good professionals to take people from, basically at any cost, because the system neither nurtures them nor has any ability to recognize them.

  10. Re: Real McCoy sys-admin position is dead, that's by nnull · · Score: 2

    This isn't just happening in the IT world, this is happening in every profession. I can tell you with industrial machine automation, there are no longer good operators nor maintenance people. Multimillion dollar machines grinding to a halt because no one knows how to fix it or operate it. It has gotten to the point where companies are buying equipment and the manufacturers of the equipment are now running and operating these machines, because the owners are completely incompetent, in management and hiring practices.

    It's quite a sad state of affairs. It's also affecting the quality of people you can hire off the streets who require major retraining now. It's rare I find a company that even has a plant engineer. I have a plant engineer and people get shocked when they meet him.

    Maintenance teams? Plant Engineers? Good competent operators that can also fix the machine? IT guys to deal with networking and communication issues? A lot of these things don't exist anymore and a lot of companies fail to realize how many of these positions actually blended in with each other before, which made things actually work.

    Nowadays, they expect the minimum wage operator to do everything and require the knowledge of a PhD in multiple fields. Of course that never works; I see their production numbers, and it's terrible.