Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Data Storage Network Privacy Security The Internet Technology

An ISP Left Corporate Passwords, Keys, and All Its Data Exposed On the Internet (vice.com) 53

Security researchers at UpGuard discovered that a Washington-based ISP called Pocket iNet left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. "Said bucket, named 'pinapp2,' contained the 'keys to the kingdom,' according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists -- as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees," reports Motherboard. From the report: Upguard says the firm contacted Pocket iNet on October 11 of this year, the same day the exposed bucket was discovered, but the ISP took an additional week before the data was adequately secured. "Seven days passed before Pocket iNet finally secured the exposure," noted the firm. "Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset."

According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business," noted UpGuard. "If such documents must exist, they should be strongly encrypted and stored in a known secure location," said the firm. "Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users," the ISP said in a statement to Motherboard. "It has since been secured."

This discussion has been archived. No new comments can be posted.

An ISP Left Corporate Passwords, Keys, and All Its Data Exposed On the Internet

Comments Filter:
  • by johnjones ( 14274 ) on Tuesday October 23, 2018 @07:23PM (#57526991) Homepage Journal

    nothing

    the ISP will announce that they will file for bankruptcy and the original owners will take on the customers through some shell companies removing all liability
    (there will be small loss's of customers and cash flow but nothing unmanageable)

    meanwhile all the users have been thoroughly plundered for data by well paid offshore contractors, nothing connectable just good old fashioned rip off

    • by tsqr ( 808554 )

      TFS says nothing about about any customer data being exposed.

      • They don't know whether or not customer data was exposed. When you give up the keys to the kingdom, logs can't be trusted.
        • by tsqr ( 808554 )

          They don't know whether or not customer data was exposed. When you give up the keys to the kingdom, logs can't be trusted.

          That's an assumption based on ... what, pray tell? From TFA: Said bucket, named “pinapp2,” contained the “keys to the kingdom,” according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists—as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees.

          Also: “Documents containing long lists of administrative passwords may be convenient for operations, but they create sing

  • by bigmacx ( 135216 ) on Tuesday October 23, 2018 @08:30PM (#57527219)

    The Cloud Strikes Back

    • by boulat ( 216724 )

      Um no.

      AWS is secure by default. It takes a deliberate, incompetent effort to expose your data to the internet, and anyone who has a breach like that deserved to be sued into the stone age.

  • the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points

    Even 20 years ago the ISP I worked at went to some lengths (custom patches for easy management of it) to use per-admin SSH keys to mediate access to anything with SSH available, instead of having everyone needing access to a password. This not only requires access to the private half of the passphrased key, but also means you can revoke one admin's access without immediately affecting anyone else (yes, I know, a malicious admin might have used the access they had to install a backdoor).

    So now I'm wondering if this particular ISP's admins/management (they might have overridden the admins on this) were just that incompetent, or if the article is glossing over details.

  • I find it difficult to believe that a default Amazon "file share" would simply be open to the world. Even an internal Microsoft Windows Share is closed by defaultand you have to try pretty hard to make it "Everyone." (although that wasn't true under Win95/Win2k). MS learned that it had to be secure out of the box.

    People have been "misconfiguring" WordPress for years leading to some spectacular thefts. I've never setup an Amazon storage - it sure seems that Amazon should deliver it properly configured a

  • This story ain't got nothin' on Illuminati Online of Austin, TX, aka IOCOM aka io.com. While still in operation, and after "hardening" their network so they could offer "security services" of some kind, they still featured a completely world-visible file browser and downloader for their system files and customer folders!

    IOCOM is defunct now, but there's a mirror of their old website at io.fondoo.net

    From the mirror website:
    "Fun fact: you could telnet to password.io.com from anywhere in the world, and log on

Keep up the good work! But please don't ask me to help.

Working...