Slashdot Mirror


An ISP Left Corporate Passwords, Keys, and All Its Data Exposed On the Internet (vice.com)

Security researchers at UpGuard discovered that a Washington-based ISP called Pocket iNet left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. "Said bucket, named 'pinapp2,' contained the 'keys to the kingdom,' according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists -- as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees," reports Motherboard. From the report: Upguard says the firm contacted Pocket iNet on October 11 of this year, the same day the exposed bucket was discovered, but the ISP took an additional week before the data was adequately secured. "Seven days passed before Pocket iNet finally secured the exposure," noted the firm. "Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset."

According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business," noted UpGuard. "If such documents must exist, they should be strongly encrypted and stored in a known secure location," said the firm. "Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users," the ISP said in a statement to Motherboard. "It has since been secured."

53 comments

  1. training? by Anonymous Coward · · Score: 0

    I see reports of this happening all the time -- is there a good collection of training material or a website that describes these examples and what to do so the same mistake doesn't happen again?

    1. Re: training? by Anonymous Coward · · Score: 2

      Yes, don't make s3 buckets with your most important shit public, hope that helps

    2. Re: training? by Anonymous Coward · · Score: 0

      I'd like info on this as well. Answering what was misconfigured. You see this all the time. I'd like to move more operations to AWS or Azure and then I see stuff like this.

    3. Re:training? by Anonymous Coward · · Score: 0

      That's never going to happen.

      Consider the average usual human mix of carelessness, negligence, arrogance, stupidity, laziness and ignorance. It's bad enough when we're dealing with clear, visible and concrete dangers, like nitroglycerin, nuclear waste etc. Now compound the situation above with intangible things like "data" living practically invisibly on "computers" which are way more complex than any single individual understands today, which, just to complicate things further, are interconnected via systems which are equally complicated and impossible to get a complete grip on.

      It's obvious that putting stuff in the cloud is a disaster just waiting to happen. One small mistake, and you're screwed. And completely predictably, disaster strikes, over and over again. And nobody actually cares, because there is money to be made or saved, convenience to be had. That's tangible. Security is too complicated, causes trouble and costs money, screw that noise.

    4. Re: training? by x_t0ken_407 · · Score: 1

      Replying to undo downmod...meant to mod HILARIOUS lmao.

      All jokes aside, seems easy enough and if not, we're bombarded with similar stories like this seemingly daily. How tf does anyone ever leave a public-facing anything unsecured? I just don't get it, smh.

    5. Re:training? by Anonymous Coward · · Score: 0

      It's obvious that putting stuff in the cloud is a disaster just waiting to happen.

      So right. Stuff on networked computers is a disaster waiting to happen. But in your own org, you at least have the power to fire people for sloppiness. And you can test, and pay the occasional white-hat to test stuff you didn't think of. You can audit your own security.

      The cloud? You can lose stuff even if none of your staff makes any mistake - the mistakes being made by the cloud company. And so, the mistake is to use the cloud. Also, you can't punish them other than by stopping using their service - which isn't dramatic. They have so many other clueless customers. You can't audit their security. You can't put their security to a real test - because that would be an attack upon another company's servers.

    6. Re: training? by Anonymous Coward · · Score: 0

      It's because no one understands DEVOPS or securing it in the cloud. DEVOPS just does, and worry comes later or never.

    7. Re: training? by Cowardly+Lurker · · Score: 1

      So you want to stuff something on the cloud securely? I could probably give this some more thought, but at a bare minimum I would ...

      1) Go to step 5.

      2) Use pre-internet encryption. That is, encrypt everything locally before you upload to the cloud. ...and don't get stingy on the key lengths. Don't use dumbass passwords either, get good.

      3) Make sure your cloud storage has been access restricted. Test it. Unauthenticated public access is not what you want.

      4) Now you can take that encrypted bit-blob and transfer it to your cloud-hole via encrypted tunnel (TLS 1.2+).

      5) Now would probably be a good time to revisit your 'convenience' expectations of cloud storage. Still interested? Go to step 2.

    8. Re:training? by Anonymous Coward · · Score: 0

      In order for someone to access your computer, they first need intranet access from an authenticated device. In the cloud, there is no intranet and no authentication required.

  2. Fucking idiots by Anonymous Coward · · Score: 0

    This makes going to IaaS tougher for all of us. Not because AWS or Azure is at fault, but because an idiot millennial thinks security by obscurity actually works.

    1. Re:Fucking idiots by Anonymous Coward · · Score: 0

      Because everybody craves to finally go IaaS.

      Said no one ever.

  3. Self-owned by Anonymous Coward · · Score: 0

    You left everything on Amazon. Welcome to the world of doing things properly, by yourself, assholes.

    captcha: Consent - you sure as fuck didn't have consent to allow this sort of security breach!

  4. Crazy by Anonymous Coward · · Score: 0

    100% crazy

  5. Re: government incompetence by postbigbang · · Score: 3, Insightful

    Has nothing to do with the government, although their competence is questionable, too.

    A few of the ISPs I work with have their act together. More often, there's a handful that are the Three Stooges. The Cpanel artists are perhaps the worst and least competent... followed by the VPS folks that offer IaaS that I swear are on I386-class hardware running at 10MHz clock and ST-225s for disk.

    No heads will roll. No customers will leave, horrified. No FBI investigation, just business as usual will ensue. Have a nice day, please give us the code on the back of your credit card.

    --
    ---- Teach Peace. It's Cheaper Than War.

  6. governments/regulators will do ? by johnjones · · Score: 2

    nothing

    the ISP will announce that they will file for bankruptcy and the original owners will take on the customers through some shell companies removing all liability
    (there will be small losses of customers and cash flow but nothing unmanageable)

    meanwhile all the users have been thoroughly plundered for data by well paid offshore contractors, nothing connectable just good old fashioned rip off

    1. Re:governments/regulators will do ? by tsqr · · Score: 1

      TFS says nothing about any customer data being exposed.

    2. Re:governments/regulators will do ? by mmdurrant · · Score: 1

      They don't know whether or not customer data was exposed. When you give up the keys to the kingdom, logs can't be trusted.

      --
      I see my shadow changing, stretching up and over me...

    3. Re:governments/regulators will do ? by tsqr · · Score: 1

      They don't know whether or not customer data was exposed. When you give up the keys to the kingdom, logs can't be trusted.

      That's an assumption based on ... what, pray tell? From TFA: Said bucket, named “pinapp2,” contained the “keys to the kingdom,” according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists—as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees.

      Also: “Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business,” noted UpGuard.

      “If such documents must exist, they should be strongly encrypted and stored in a known secure location,” said the firm.

      “Unfortunately, a single folder of PocketiNet’s network operation historical data (non-customer) was publicly accessible to Amazon administrative users,” the ISP said in a statement to Motherboard. “It has since been secured.”

      The report from UpGuard is interesting and informative reading. As nasty as this breach was, there's certainly no indication that customer data was exposed other than a list of priority corporate customer names. There's certainly the possibility that PocketiNet’s network could have been breached if a bad actor stumbled across the exposed AWS bucket, but there's no evidence that this actually happened.

  7. "misconfigured" == shifting blame by Anonymous Coward · · Score: 0

    "misconfigured" == shifting blame

  8. Comedy Gold by Anonymous Coward · · Score: 0

    @PocketiNet
    Well played Sir!!!
    Nice job of playing corporate an hero for the amusement of the internets. We can only hope that LART will be employed and your IT staff will experience their own version of Kristallnacht.

  9. Should be criminal by Anonymous Coward · · Score: 0

    This kind of thing should be classified as Criminal Negligence.
    But instead, it wouldn't be surprising if the firm who found the bucket was the one getting sued for it. Yay 'murica...

    1. Re: Should be criminal by Anonymous Coward · · Score: 0

      #rekt

  10. (points and laughs) Ha Ha! by bigmacx · · Score: 2

    The Cloud Strikes Back

    1. Re:(points and laughs) Ha Ha! by boulat · · Score: 1

      Um no.

      AWS is secure by default. It takes a deliberate, incompetent effort to expose your data to the internet, and anyone who has a breach like that deserved to be sued into the stone age.

  11. Service still better than Comcast by Anonymous Coward · · Score: 0

    As someone who has a choice other than Comcast, I'm not sure how bad a blunder would have to be in order to leave my cable ISP.
    If my ISP did this, I'd stay over switching to Comcast.

  12. Timekeeper by Anonymous Coward · · Score: 0

    Ah well you know if the good guys find it first, you can take your time fixing the problem.

  13. Re: government incompetence by postbigbang · · Score: 2

    ROFL!!!! Only chickenshit Russian trolls use the phrase "libtard".

    --
    ---- Teach Peace. It's Cheaper Than War.

  14. Training, and constant / daily scans by raymorris · · Score: 1

    Amazon has an AWS security training course on their site.
    It wouldn't be a bad idea to say anyone allowed to create or change things on AWS needs to take and pass the course first. That'll reduce, but not eliminate, things like this.

    There are a few security companies which will check all of your AWS (and other systems) for security problems like this, at very reasonable prices. They write scripts that integrate with AWS to watch for things like public buckets, and other more complex issues. Since it's all scripted, it's pretty affordable. You can set it up right there in the AWS marketplace.

    One such company that is integrated with AWS (and also does non-AWS security) is Alert Logic. Full disclosure, I happen to work for another part of Alert Logic. If I didn't work for them, I'd check out their AWS related products. There are other companies too, but Alert Logic has some very AWS-focused offerings which take advantage of all of the AWS offerings to catch stuff immediately, and cheaply.

  15. Typo: AWS APIs by raymorris · · Score: 1

    That last sentence should say they take advantage of the AWS *APIs* to warn you immediately of insecure configurations. Under the hood it's just a script that checks things like "is this bucket public", so the cost is low.
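The check the two comments above describe ("is this bucket public", asked through the AWS APIs) and step 3 of the earlier list ("make sure your cloud storage has been access restricted. Test it.") boil down to reading three things per bucket: its ACL, its Public Access Block configuration, and whether its bucket policy is public. The script below is an added example written for this page; it is not the commenter's code, Alert Logic's product, or anything from UpGuard or Pocket iNet. The classification logic runs offline on constructed sample data (the bucket name, owner ID and grants are made up for the example), and `assess_live_buckets` shows how the same verdict is produced for a real account with boto3, which is assumed to be installed and to have credentials. It also flags grants to the AuthenticatedUsers group, which any AWS account holder in the world can use, so a bucket readable by "Amazon users" is no narrower than a public one.

```python
"""Added example: flag S3 buckets reachable by anyone, from their ACL, Public Access
Block and policy status. Sample inputs below are constructed, not from the article."""
from typing import Any, Dict, List

# The two predefined groups S3 treats as "everyone": AllUsers is anonymous access,
# AuthenticatedUsers is any AWS account holder at all, not just accounts you own.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Return 'Group:Permission' for each ACL grant to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == ALL_USERS:
            out.append(f"AllUsers:{grant.get('Permission')}")
        elif grantee.get("URI") == AUTH_USERS:
            out.append(f"AuthenticatedUsers:{grant.get('Permission')}")
    return out


def public_access_block_gaps(pab: Dict[str, bool]) -> List[str]:
    """Return the Public Access Block flags that are off (no config at all means all four are off)."""
    return [flag for flag in PAB_FLAGS if not pab.get(flag, False)]


def assess_bucket(name: str, acl: Dict[str, Any], pab: Dict[str, bool],
                  policy_is_public: bool) -> Dict[str, Any]:
    """Combine the three signals into one verdict.

    Per AWS's documented semantics, IgnorePublicAcls makes S3 disregard public ACL
    grants and RestrictPublicBuckets confines a public bucket policy to the owning
    account, so a grant or policy only counts as exposure when its matching block is off.
    """
    grants = public_acl_grants(acl)
    gaps = public_access_block_gaps(pab)
    findings = []
    if grants and "IgnorePublicAcls" in gaps:
        findings.extend(f"ACL grant {g}" for g in grants)
    if policy_is_public and "RestrictPublicBuckets" in gaps:
        findings.append("bucket policy is public")
    return {"bucket": name, "exposed": bool(findings), "findings": findings,
            "public_access_block_gaps": gaps}


def assess_live_buckets() -> List[Dict[str, Any]]:
    """Run assess_bucket over every bucket in the account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the pure-logic functions above work offline
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    results = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError:  # NoSuchPublicAccessBlockConfiguration: nothing configured
            pab = {}
        try:
            policy_public = s3.get_bucket_policy_status(Bucket=name)["PolicyStatus"]["IsPublic"]
        except ClientError:  # NoSuchBucketPolicy: no policy, so not public via policy
            policy_public = False
        results.append(assess_bucket(name, acl, pab, policy_public))
    return results


# Constructed sample data: an ops bucket granted READ to everyone with no Public Access
# Block at all, beside the same bucket after all four block flags were switched on.
OPEN_ACL = {"Owner": {"ID": "owner-id-placeholder"},
            "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                        "Permission": "FULL_CONTROL"},
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
                       {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]}
LOCKED_PAB = {flag: True for flag in PAB_FLAGS}


def demo() -> Dict[str, bool]:
    """Verdicts for the two constructed cases, keyed by label."""
    return {
        "open": assess_bucket("ops-archive", OPEN_ACL, {}, False)["exposed"],
        "blocked": assess_bucket("ops-archive", OPEN_ACL, LOCKED_PAB, False)["exposed"],
    }


if __name__ == "__main__":
    for label, exposed in demo().items():
        print(f"{label}: {'EXPOSED' if exposed else 'ok'}")
```

The verdict deliberately keys off the Public Access Block flags rather than the ACL alone: a bucket can carry a public ACL grant yet be unreachable because the account-level block overrides it, and a clean ACL can still be public through a bucket policy, which is why the policy status call is the third input.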

  16. "security researchers" by Anonymous Coward · · Score: 0

    "security researchers" sure are faggots these days..

    "look ma! an open amazon link! I'm a 'security researcher'"

    I like to sniff ass and write 0 lines of code, I know "security"!

  17. Re:APK Hosts File Engine for MacOS... apk by mmdurrant · · Score: 1

    GSLB breaks your stupid idea.

    --
    I see my shadow changing, stretching up and over me...

  18. Sigh... by Anonymous Coward · · Score: 0

    Stuck between a honeypot and a honeytrap, what's a master hacker to do?

  19. Re: government incompetence by Anonymous Coward · · Score: 0

    Thank god the government regulates companies. Can you imagine nobody giving a shit about your user data? Without regulation, you know that Equifax breach that affected millions of end users? They would have done NOTHING to help end-users. Someone makes a fraudulent payment on your card? What are you going to do, switch to another credit card that also uses Equifax?

  20. Any attempt to use SSH keys instead of passwords? by Athanasius · · Score: 2

    the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points

    Even 20 years ago the ISP I worked at went to some lengths (custom patches for easy management of it) to use per-admin SSH keys to mediate access to anything with SSH available, instead of having everyone needing access to a password. This not only requires access to the private half of the passphrased key, but also means you can revoke one admin's access without immediately affecting anyone else (yes, I know, a malicious admin might have used the access they had to install a backdoor).

    So now I'm wondering if this particular ISP's admins/management (they might have overridden the admins on this) were just that incompetent, or if the article is glossing over details.

  21. Re: government incompetence by mangastudent · · Score: 0

    ROFL!!!! Only chickenshit Russian trolls use the phrase "libtard".

    Possibly, but I got the vague impression they were generally competent enough to avoid such weak sauce labels. We Americans to the right of Mao prefer the much more accurate "shitlib"; we after all have seen you up close and personal, it's in fact personal for us, and getting more so every day as you escalate your attacks on us.

  22. Re: government incompetence by Anonymous Coward · · Score: 0

    I don't suppose you have ever had the "Pleasure" of working with Frontier or Mediacom?

  23. Re:Any attempt to use SSH keys instead of password by Anonymous Coward · · Score: 0

    About the only part this likely has to do with management is hiring incompetent sysadmins. That's what happens when you get the bargain basement employees on H1Bs or fresh out of college, since you can hire four of them for the cost of one competent sysadmin!

    You pay for what you get.

  24. Re:Any attempt to use SSH keys instead of password by Athanasius · · Score: 1

    I'm quite sure management is also capable of overriding any such use of SSH keys on the ground that they can't put them in a safe in the same way, and don't really understand what all this public key cryptography nonsense is about. Or, you know, similar ignorant motivations.

  25. AWS options by Anonymous Coward · · Score: 0

    Amazon needs to create a higher cost service. Storage that can't be public.

  26. Only Sane Response To NSA by Anonymous Coward · · Score: 0

    When the NSA shows up at your ISP and installs surveillance of your traffic THIS is the only sane option. Burn it all down rather than let those bastards and their letters destroy America quietly.

  27. c6gunner's impersonating me & lying by Anonymous Coward · · Score: 0

    See subject: c6gunner's name on this post as submitter yet signed "APK" https://linux.slashdot.org/com... & he ran from a fair challenge I put to him https://linux.slashdot.org/com... after insulting me.

    * I never say hosts cure Spectre/Meltdown OR it'd be on the Start64.com download page & I do NO MacOS X one!

    I cut him to pieces for his lies:

    https://tech.slashdot.org/comm...

    https://tech.slashdot.org/comm...

    https://tech.slashdot.org/comm...

    https://news.slashdot.org/comm...

    APK

    P.S.=> You say hosts = shit https://slashdot.org/comments.... ? /.ers & security pros + RESULTS say DIFFERENT:

    1st: /.ers https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments....

    2nd: SECURITY PROS https://slashdot.org/comments....

    3rd: REAL RESULTS w/ hosts vs. threats https://slashdot.org/comments....

    EAT YOUR WORDS

  28. Is Cloud setup the next WordPress? by ripvlan · · Score: 1

    I find it difficult to believe that a default Amazon "file share" would simply be open to the world. Even an internal Microsoft Windows Share is closed by default and you have to try pretty hard to make it "Everyone." (although that wasn't true under Win95/Win2k). MS learned that it had to be secure out of the box.

    People have been "misconfiguring" WordPress for years leading to some spectacular thefts. I've never set up Amazon storage - it sure seems that Amazon should deliver it properly configured and attached to the customer's domain. I've read many "we found an Amazon share open" reports lately.

    What button are people missing during setup?? Share mode: "Make Secure" or "Share with the World" ?

  29. AWS S3 bucket security by Anonymous Coward · · Score: 0

    AWS has a built-in security warning if S3 bucket contents are publicly available, because of incidents like this.
    This is gross incompetence.

  30. "Stupid idea" WORKS vs. threats... apk by Anonymous Coward · · Score: 0

    "Stupid idea" WORKS vs. threats + speeds you up 2 ways https://hardware.slashdot.org/... (does GSLB w/ DNS' kaminsky redirect poisoning flaws?)

    Does GSLB speed you up 2 ways (adblocking + hardcoded favorite sites @ TOP of hosts for fastest possible resolution from LOCAL system RAM cache (that also proof you vs. hijacked redirected DNS)) too?

    * Tell us won't you, mmdurrant?

    APK

    P.S.=> Lastly: @ least I have IDEAS OF MY OWN (that work & a PROGRAM to make it moreso OF MY OWN: DO YOU?) Plus - I can PROVE hosts proofs you vs. TONS of threats - see link above where DNS TRACKS you, is remote SLOWER & goes down quite a lot + has the KAMINSKY REDIRECT POISONING FLAW that 99% of ISP DNS is NOT patched against)... apk

  31. Stolen by Anonymous Coward · · Score: 0

    I like how the link in this post has a referrer of reddit.com. Good job, OP, we've come full circle; people gleaning links for slashdot posts from reddit.

  32. torrent? by Anonymous Coward · · Score: 0

    is there a leak torrent?

  33. Illuminati Online Public File Browser by pepsikid · · Score: 1

    This story ain't got nothin' on Illuminati Online of Austin, TX, aka IOCOM aka io.com. While still in operation, and after "hardening" their network so they could offer "security services" of some kind, they still featured a completely world-visible file browser and downloader for their system files and customer folders!

    IOCOM is defunct now, but there's a mirror of their old website at io.fondoo.net

    From the mirror website:
    "Fun fact: you could telnet to password.io.com from anywhere in the world, and log on as guest. Lynx, a text-only web browser, was configured as the shell, and you would then be presented with a sparse version of the web-based customer account tools found at http://password.io.com/. This was so customers could reset their own password, update their address, set their PLAN file, etc.

    IO forgot to disable browsing the filesystem (press g, period, enter). Also, IO never enforced uniform file and directory permissions or audited active accounts. As a result, through 2004, after IO was taken over by Prismnet (or later), you could roam around and directly view many customer's private files, email, and IO's sensitive system areas. You could also open the Lynx config to define a custom "editor" and thus actually edit files, or run executables. This was a direct back-door into everything! This continued a full two years after IOCOM "hardened" their network to sell network security services."

    Whoever runs the mirror probably didn't enjoy working with all of their co-workers:
    io.fondoo.net/io/staff.html
    io.fondoo.net/home/lori/
    io.fondoo.net/home/kitten/

  34. Re:Any attempt to use SSH keys instead of password by Anonymous Coward · · Score: 0

    The article is glossing over a great deal.