Slashdot Mirror
An ISP Left Corporate Passwords, Keys, and All Its Data Exposed On the Internet (vice.com)
Security researchers at UpGuard discovered that a Washington-based ISP called Pocket iNet left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. "Said bucket, named 'pinapp2,' contained the 'keys to the kingdom,' according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists -- as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees," reports Motherboard. From the report: Upguard says the firm contacted Pocket iNet on October 11 of this year, the same day the exposed bucket was discovered, but the ISP took an additional week before the data was adequately secured. "Seven days passed before Pocket iNet finally secured the exposure," noted the firm. "Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset."
According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business," noted UpGuard. "If such documents must exist, they should be strongly encrypted and stored in a known secure location," said the firm. "Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users," the ISP said in a statement to Motherboard. "It has since been secured."
According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business," noted UpGuard. "If such documents must exist, they should be strongly encrypted and stored in a known secure location," said the firm. "Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users," the ISP said in a statement to Motherboard. "It has since been secured."
Has nothing to do with the government, although their competence is questionable, too.
A few of the ISPs I work with have their act together. More often, there's a handful that are the Three Stooges. The Cpanel artists are perhaps the worst and least competent... followed by the VPS folks that offer IaaS that I swear are on I386-class hardware running at 10MHz clock and ST-225s for disk.
No heads will roll. No customers will leave, horrified. No FBI investigation, just business as usual will ensue. Have a nice day, please give us the code on the back of your credit card.
---- Teach Peace. It's Cheaper Than War.
nothing
the ISP will announce that they will file for bankruptcy and the original owners will take on the customers through some shell companies removing all liability
(there will be small loss's of customers and cash flow but nothing unmanageable)
meanwhile all the users have been thoroughly plundered for data by well paid offshore contractors, nothing connectable just good old fashioned rip off
Yes, donâ(TM)t make s3 buckets with your most important shit public, hope that helps
The Cloud Strikes Back
Replying to undo downmod...meant to mod HILARIOUS lmao.
All jokes aside, seems easy enough and if not, we're bombarded with similar stories like this seemingly daily. How tf does anyone ever leave a public-facing anything unsecured? I just don't get it, smh.
ROFL!!!! Only chickenshit Russian trolls use the phrase "libtard".
---- Teach Peace. It's Cheaper Than War.
Amazon has an AWS security training course on their site.
It wouldn't be a bad idea to say anyone allowed to create or change things on AWS needs to take and pass the course first. That'll reduce, but not eliminate, things like this.
There are a few security companies which will check all of your AWS (and other systems) for security problems like this, at very reasonable prices. They write scripts that intergrate with AWS to watch for things like people are public buckets, and other more complex issues. Since it's all scripted, it's pretty affordable. You can set it up right there in the AWS marketplace.
One such company that is integrated with AWS (and also does non-AWS security) is Alert Logic. Full disclosure, I happen to work for another part of Alert Logic. If I didn't work for them, I'd check out their AWS related products. There are other companies too, but Alert Logic has some very AWS-focused offerings which take advantage of all of the AWS offerings to catch stuff immediately, and cheaply.
That last sentence should say they take advantage of the AWS *APIs* to warn you immediately of insecure configurations. Under the hood it's just a script that checks things like "is this bucket public", so the cost is low.
GSLB breaks your stupid idea.
I see my shadow changing, stretching up and over me...
Even 20 years ago the ISP I worked at went to some lengths (custom patches for easy management of it) to use per-admin SSH keys to mediate access to anything with SSH available, instead of having everyone needing access to a password. This not only requires access to the private half of the passphrased key, but also means you can revoke one admin's access without immediately affecting anyone else (yes, I know, a malicious admin might have used the access they had to install a backdoor).
So now I'm wondering if this particular ISP's admins/management (they might have overridden the admins on this) were just that incompetent, or if the article is glossing over details.
I'm quite sure management is also capable of overriding any such use of SSH keys on the ground that they can't put them in a safe in the same way, and don't really understand what all this public key cryptography nonsense is about. Or, you know, similar ignorant motivations.
I find it difficult to believe that a default Amazon "file share" would simply be open to the world. Even an internal Microsoft Windows Share is closed by defaultand you have to try pretty hard to make it "Everyone." (although that wasn't true under Win95/Win2k). MS learned that it had to be secure out of the box.
People have been "misconfiguring" WordPress for years leading to some spectacular thefts. I've never setup an Amazon storage - it sure seems that Amazon should deliver it properly configured and attached to the customers domain. i've read many "we found an Amazon share open" reports lately.
What button are people missing during setup?? Share mode: "Make Secure" or "Share with the World" ?
So you want to stuff something on the cloud securely? I could probably give this some more thought, but at a bare minimum I would ...
1) Go to step 5.
2) Use pre-internet encryption. That is, encrypt everything locally before you upload to the cloud. ...and don't get stingy on the key lengths. Don't use dumbass passwords either, get good.
3) Make sure your cloud storage has been access restricted. Test it. Unauthenticated public access is not what you want.
4) Now you can take that encrypted bit-blob and transfer it to your cloud-hole via encrypted tunnel (TLS 1.2+).
5) Now would probably be a good time to revisit your 'convenience' expectations of cloud storage. Still interested? Go to step 2.
This story ain't got nothin' on Illuminati Online of Austin, TX, aka IOCOM aka io.com. While still in operation, and after "hardening" their network so they could offer "security services" of some kind, they still featured a completely world-visible file browser and downloader for their system files and customer folders!
IOCOM is defunct now, but there's a mirror of their old website at io.fondoo.net
From the mirror website:
"Fun fact: you could telnet to password.io.com from anywhere in the world, and log on as guest. Lynx, a text-only web browser, was configured as the shell, and you would then be presented with a sparse version of the web-based customer account tools found at http://password.io.com/. This was so customers could reset their own password, update their address, set their PLAN file, etc.
IO forgot to disable browsing the filesystem (press g, period, enter). Also, IO never enforced uniform file and directory permissions or audited active accounts. As a result, through 2004, after IO was taken over by Prismnet (or later), you could roam around and directly view many customer's private files, email, and IO's sensitive system areas. You could also open the Lynx config to define a custom "editor" and thus actually edit files, or run executables. This was a direct back-door into everything! This continued a full two years after IOCOM "hardened" their network to sell network security services."
Whoever runs the mirror probably didn't enjoy working with all of their co-workers:
io.fondoo.net/io/staff.html
io.fondoo.net/home/lori/
io.fondoo.net/home/kitten/