An ISP Left Corporate Passwords, Keys, and All Its Data Exposed On the Internet (vice.com)
Security researchers at UpGuard discovered that a Washington-based ISP called Pocket iNet left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. "Said bucket, named 'pinapp2,' contained the 'keys to the kingdom,' according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists -- as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees," reports Motherboard. From the report: Upguard says the firm contacted Pocket iNet on October 11 of this year, the same day the exposed bucket was discovered, but the ISP took an additional week before the data was adequately secured. "Seven days passed before Pocket iNet finally secured the exposure," noted the firm. "Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset."
According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business," noted UpGuard. "If such documents must exist, they should be strongly encrypted and stored in a known secure location," said the firm. "Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users," the ISP said in a statement to Motherboard. "It has since been secured."
Re: government incompetence (Score:4, Insightful)
Has nothing to do with the government, although their competence is questionable, too.
A few of the ISPs I work with have their act together. More often, there's a handful that are the Three Stooges. The Cpanel artists are perhaps the worst and least competent... followed by the VPS folks that offer IaaS that I swear are on I386-class hardware running at 10MHz clock and ST-225s for disk.
No heads will roll. No customers will leave, horrified. No FBI investigation, just business as usual will ensue. Have a nice day, please give us the code on the back of your credit card.
Re: (Score:3)
ROFL!!!! Only chickenshit Russian trolls use the phrase "libtard".
Re: (Score:1)
Possibly, but I got the vague imprecision they were generally competent enough to avoid such weak sauce labels. We Americans to the right of Mao prefer the much more accurate "shitlib", we after all have seen you up close and personal, it's in fact personal for us, and getting more so every day as you escalate your attacks on us.
Re: (Score:1)
Re: training? (Score:2)
Yes, don't make s3 buckets with your most important shit public, hope that helps
Re: (Score:2)
Replying to undo downmod...meant to mod HILARIOUS lmao.
All jokes aside, seems easy enough and if not, we're bombarded with similar stories like this seemingly daily. How tf does anyone ever leave a public-facing anything unsecured? I just don't get it, smh.
Re: (Score:1)
So you want to stuff something on the cloud securely? I could probably give this some more thought, but at a bare minimum I would ...
1) Go to step 5.
2) Use pre-internet encryption. That is, encrypt everything locally before you upload to the cloud. ...and don't get stingy on the key lengths. Don't use dumbass passwords either, get good.
3) Make sure your cloud storage has been access restricted. Test it. Unauthenticated public access is not what you want.
4) Now you can take that encrypted bit-blob an
Training, and constant / daily scans (Score:2)
Amazon has an AWS security training course on their site.
It wouldn't be a bad idea to say anyone allowed to create or change things on AWS needs to take and pass the course first. That'll reduce, but not eliminate, things like this.
There are a few security companies which will check all of your AWS (and other systems) for security problems like this, at very reasonable prices. They write scripts that integrate with AWS to watch for things like people's public buckets, and other more complex issues. Since
Typo: AWS APIs (Score:2)
That last sentence should say they take advantage of the AWS *APIs* to warn you immediately of insecure configurations. Under the hood it's just a script that checks things like "is this bucket public", so the cost is low.
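The "is this bucket public" check described in the comment above, and the "make sure your cloud storage has been access restricted, test it" step in the earlier numbered list, can both be done as a static evaluation of what S3 actually returns for a bucket. The block below is an added example written for this page; it is not code from any commenter or from the scanning companies mentioned. It does not call AWS: it assumes input dicts shaped like the `boto3` responses to `get_bucket_policy` (the `Policy` JSON string), `get_bucket_acl` (`Grants`) and `get_public_access_block` (the `PublicAccessBlockConfiguration` dict), and the sample policy, ACL and account id are constructed placeholders.

```python
import json

# S3 canned groups that make an ACL grant readable/writable by the world.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def principal_is_everyone(principal):
    """True when a bucket-policy Principal matches anonymous callers or any AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose Principal is everyone.

    A Condition may narrow such a statement (for example to one VPC), but it has
    to be reviewed rather than assumed safe, so those statements are still
    reported with has_condition=True.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry one statement object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and principal_is_everyone(stmt.get("Principal")):
            findings.append({
                "sid": stmt.get("Sid", f"statement-{idx}"),
                "actions": stmt.get("Action"),
                "has_condition": "Condition" in stmt,
            })
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


def assess_bucket(policy_json, acl, public_access_block):
    """Combine policy, ACL and the account/bucket Public Access Block settings.

    IgnorePublicAcls makes public ACL grants ineffective and RestrictPublicBuckets
    stops a public bucket policy from granting anonymous or cross-account access,
    so a finding only counts as effectively public when the matching block is off.
    """
    pab = public_access_block or {}
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy_json) if policy_json else []
    effective = []
    if acl_findings and not pab.get("IgnorePublicAcls", False):
        effective.append("acl")
    if policy_findings and not pab.get("RestrictPublicBuckets", False):
        effective.append("policy")
    return {
        "acl_grants": acl_findings,
        "policy_statements": policy_findings,
        "effectively_public_via": effective,
        "is_public": bool(effective),
    }


# Constructed sample data in the shape of the boto3 responses; nothing here was
# fetched from AWS and the account id / bucket name are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OpsWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, pab in (("no block", {}), ("block all", BLOCK_ALL)):
        print(label, assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, pab))
```

Run on a real account, the three inputs would come from the corresponding `boto3` calls for each bucket, and the `is_public` flag is what a daily scan would alert on; the separate `policy_statements` and `acl_grants` lists tell the operator which of the two mechanisms to fix. Object ACLs and access points are not covered, so a clean result here is necessary, not sufficient.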
governments/regulators will do ? (Score:3)
nothing
the ISP will announce that they will file for bankruptcy and the original owners will take on the customers through some shell companies removing all liability
(there will be small losses of customers and cash flow but nothing unmanageable)
meanwhile all the users have been thoroughly plundered for data by well paid offshore contractors, nothing connectable just good old fashioned rip off
Re: (Score:2)
TFS says nothing about about any customer data being exposed.
Re: (Score:1)
Re: (Score:2)
They don't know whether or not customer data was exposed. When you give up the keys to the kingdom, logs can't be trusted.
That's an assumption based on ... what, pray tell? From TFA: Said bucket, named “pinapp2,” contained the “keys to the kingdom,” according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists—as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees.
Also: “Documents containing long lists of administrative passwords may be convenient for operations, but they create sing
(points and laughs) Ha Ha! (Score:3)
The Cloud Strikes Back
Re: (Score:1)
Um no.
AWS is secure by default. It takes a deliberate, incompetent effort to expose your data to the internet, and anyone who has a breach like that deserved to be sued into the stone age.
Any attempt to use SSH keys instead of passwords? (Score:3)
Even 20 years ago the ISP I worked at went to some lengths (custom patches for easy management of it) to use per-admin SSH keys to mediate access to anything with SSH available, instead of having everyone needing access to a password. This not only requires access to the private half of the passphrased key, but also means you can revoke one admin's access without immediately affecting anyone else (yes, I know, a malicious admin might have used the access they had to install a backdoor).
So now I'm wondering if this particular ISP's admins/management (they might have overridden the admins on this) were just that incompetent, or if the article is glossing over details.
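The per-admin SSH key scheme the comment above describes (one key per person, so one admin's access can be revoked without touching anyone else's) comes down to how `authorized_keys` is managed. The block below is an added example written for this page, not the poster's patches or any project's tooling. It assumes the convention that each key's comment field names its owner as `<admin>@<team>`, parses only key options without embedded whitespace (a quoted `command="..."` option would need a fuller parser), and uses constructed placeholder key blobs rather than real key material.

```python
# Key types OpenSSH accepts in authorized_keys; used to tell options from the key.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructed sample file: the base64 blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# one line per admin so a single person's access can be removed
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALICE alice@ops
restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBOB bob@ops
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCAROL carol@ops
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERSHARED
"""


def parse_authorized_keys(text):
    """Parse authorized_keys lines into dicts; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if parts[0] in KEY_TYPES:
            options, rest = None, parts
        else:  # leading token is an options list such as restrict,pty
            options, rest = parts[0], parts[1:]
        entries.append({
            "options": options,
            "type": rest[0],
            "key": rest[1],
            "comment": " ".join(rest[2:]),
        })
    return entries


def admin_of(entry):
    """Owner per the assumed '<admin>@<team>' comment convention, or None."""
    comment = entry["comment"]
    return comment.split("@", 1)[0] if "@" in comment else None


def unattributed_keys(entries):
    """Keys with no owner: these behave like a shared password and cannot be
    revoked for one person, which is exactly the weakness the thread is about."""
    return [e for e in entries if admin_of(e) is None]


def revoke_admin(entries, admin):
    """Drop every key belonging to one admin; all other entries are untouched."""
    return [e for e in entries if admin_of(e) != admin]


def render_authorized_keys(entries):
    """Serialise entries back to authorized_keys format."""
    lines = []
    for e in entries:
        fields = [e["options"]] if e["options"] else []
        fields += [e["type"], e["key"]]
        if e["comment"]:
            fields.append(e["comment"])
        lines.append(" ".join(fields))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    keys = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    print("unattributed:", [k["key"] for k in unattributed_keys(keys)])
    print(render_authorized_keys(revoke_admin(keys, "bob")))
```

In practice the rendered file is written atomically over each host's `authorized_keys` (or served via `AuthorizedKeysCommand`), and `unattributed_keys` is the check to run before deploying, since an ownerless key is the same single point of total risk as a shared password list.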
Re: (Score:2)
Is Cloud setup the next WordPress? (Score:2)
I find it difficult to believe that a default Amazon "file share" would simply be open to the world. Even an internal Microsoft Windows Share is closed by default and you have to try pretty hard to make it "Everyone." (although that wasn't true under Win95/Win2k). MS learned that it had to be secure out of the box.
People have been "misconfiguring" WordPress for years leading to some spectacular thefts. I've never setup an Amazon storage - it sure seems that Amazon should deliver it properly configured a
Illuminati Online Public File Browser (Score:2)
This story ain't got nothin' on Illuminati Online of Austin, TX, aka IOCOM aka io.com. While still in operation, and after "hardening" their network so they could offer "security services" of some kind, they still featured a completely world-visible file browser and downloader for their system files and customer folders!
IOCOM is defunct now, but there's a mirror of their old website at io.fondoo.net
From the mirror website:
"Fun fact: you could telnet to password.io.com from anywhere in the world, and log on