Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Saturday August 27 2016, @06:07PM   Printer-friendly
from the don't-go-through,-go-around dept.

Earlier this summer, the team at Inversoft published a comprehensive and sophisticated guide to user data security. The guide spans from hardening servers from provisioning, up through the IP and SSH layers, and all the way to application-level techniques for password hashing, SQL injection protection, and intrusion detection. As proof that they stood behind their advice, the Inversoft team provisioned a pair of Linode hosts, a web server and database server, and gave them the hardening treatment. Inversoft offered up a fully-loaded MacBook to anyone who could break in, taunting all comers by naming the hardened web server hackthis.inversoft.com.

Game on.

Needless to say, they found a way in.

[...] After discovering an unpatched, unfirewalled Elasticsearch instance using nmap, we gained shell access on a utility server used for various functions at Inversoft. On there, we found API keys for Linode left behind by a human operator. Those keys allowed us to detach disks from running servers and attach them to servers we controlled, stealing sensitive user data (all to win a prize).


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Informative) by frojack on Saturday August 27 2016, @08:16PM

    by frojack (1554) on Saturday August 27 2016, @08:16PM (#394028) Journal

    I fail to see how that matters, since they found keys to the server on another server in a totally different location.
    Like breaking into your house to steal the keys to your office.

    --
    No, you are mistaken. I've always had this sig.
    Starting Score:    1  point
    Moderation   +3  
       Informative=3, Total=3
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 0) by Anonymous Coward on Saturday August 27 2016, @08:42PM

    by Anonymous Coward on Saturday August 27 2016, @08:42PM (#394031)

    Seems more like a lack of dogfooding by the people who put together the security paper and servers.

  • (Score: 1) by fubari on Saturday August 27 2016, @08:43PM

    by fubari (4551) on Saturday August 27 2016, @08:43PM (#394032)

    frojack: Was going say this, so +1 instead.

    all: TFA is a fascinating read, and frojack's home vs. office metaphor is quite good.