Slashdot Mirror
An ISP Left Corporate Passwords, Keys, and All Its Data Exposed On the Internet (vice.com)
Security researchers at UpGuard discovered that a Washington-based ISP called Pocket iNet left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. "Said bucket, named 'pinapp2,' contained the 'keys to the kingdom,' according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists -- as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees," reports Motherboard. From the report: Upguard says the firm contacted Pocket iNet on October 11 of this year, the same day the exposed bucket was discovered, but the ISP took an additional week before the data was adequately secured. "Seven days passed before Pocket iNet finally secured the exposure," noted the firm. "Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset."
According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business," noted UpGuard. "If such documents must exist, they should be strongly encrypted and stored in a known secure location," said the firm. "Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users," the ISP said in a statement to Motherboard. "It has since been secured."
According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business," noted UpGuard. "If such documents must exist, they should be strongly encrypted and stored in a known secure location," said the firm. "Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users," the ISP said in a statement to Motherboard. "It has since been secured."
Has nothing to do with the government, although their competence is questionable, too.
A few of the ISPs I work with have their act together. More often, there's a handful that are the Three Stooges. The Cpanel artists are perhaps the worst and least competent... followed by the VPS folks that offer IaaS that I swear are on I386-class hardware running at 10MHz clock and ST-225s for disk.
No heads will roll. No customers will leave, horrified. No FBI investigation, just business as usual will ensue. Have a nice day, please give us the code on the back of your credit card.
---- Teach Peace. It's Cheaper Than War.
nothing
the ISP will announce that they will file for bankruptcy and the original owners will take on the customers through some shell companies removing all liability
(there will be small loss's of customers and cash flow but nothing unmanageable)
meanwhile all the users have been thoroughly plundered for data by well paid offshore contractors, nothing connectable just good old fashioned rip off
Yes, donâ(TM)t make s3 buckets with your most important shit public, hope that helps
The Cloud Strikes Back
ROFL!!!! Only chickenshit Russian trolls use the phrase "libtard".
---- Teach Peace. It's Cheaper Than War.
Even 20 years ago the ISP I worked at went to some lengths (custom patches for easy management of it) to use per-admin SSH keys to mediate access to anything with SSH available, instead of having everyone needing access to a password. This not only requires access to the private half of the passphrased key, but also means you can revoke one admin's access without immediately affecting anyone else (yes, I know, a malicious admin might have used the access they had to install a backdoor).
So now I'm wondering if this particular ISP's admins/management (they might have overridden the admins on this) were just that incompetent, or if the article is glossing over details.