SoylentNews is people

posted by mrpg on Sunday March 25 2018, @05:43PM
from the is-etcd-like-inetd? dept.

"Leaky etcd servers could be a boon to data thieves and ransomware scammers."

etcd is described as "A distributed, reliable key-value store for the most critical data of a distributed system."

Thousands of servers operated by businesses and other organizations are openly sharing credentials that may allow anyone on the Internet to log in and read or modify potentially sensitive data stored online.

In a blog post published late last week, researcher Giovanni Collazo said a quick query on the Shodan search engine returned almost 2,300 Internet-exposed servers running etcd, a type of database that computing clusters and other types of networks use to store and distribute passwords and configuration settings needed by various servers and applications. etcd comes with a programming interface that responds to simple queries that by default return administrative login credentials without first requiring authentication. The passwords, encryption keys, and other forms of credentials are used to access MySQL and PostgreSQL databases, content management systems, and other types of production servers.

Maybe it's just me, but if the phrases "store for the most critical data of a distributed system" and "Internet facing" both occur in your description of a node of your architecture, you're probably doing it wrong.


  • (Score: 5, Funny) by BsAtHome on Sunday March 25 2018, @06:59PM

    by BsAtHome (889) on Sunday March 25 2018, @06:59PM (#658017)

    Face, meet Palm; hello Palm.
    Palm, meet Face; hello Face.

    Face: you seem a bit sweaty, Palm.
    Palm: Yes, it's your tears, Face.

  • (Score: 0) by Anonymous Coward on Sunday March 25 2018, @07:35PM

    by Anonymous Coward on Sunday March 25 2018, @07:35PM (#658030)

    Oh yeah? Here, hold my beer ...

  • (Score: 1, Insightful) by Anonymous Coward on Sunday March 25 2018, @09:26PM

    by Anonymous Coward on Sunday March 25 2018, @09:26PM (#658077)

    Do first, think later... if at all.
    We must be fast, the first if possible, we must win the mind share at any price.
    And we must keep backwards compatibility with wrong things and by default (that goes for "without first requiring authentication", which should be "never" for anything created in the 90s or later).

  • (Score: 1, Interesting) by Anonymous Coward on Sunday March 25 2018, @09:35PM (1 child)

    by Anonymous Coward on Sunday March 25 2018, @09:35PM (#658080)

    Both are cut from the same mould of technical incompetence.

    People need to be held to account for design of broken shit, particularly if it is designed so poorly that it increases attack surfaces and reduces data security and privacy.

    Fuck the Linux world, it’s being reduced to extreme mediocrity.

    • (Score: 2) by arcz on Monday March 26 2018, @04:33AM

      by arcz (4501) on Monday March 26 2018, @04:33AM (#658232) Journal
      While I agree to some extent, Linux also had a usability problem. I.e., Linux can only do certain things; if you wanted it to do anything complex, it was terrible at it. I'm not sure that systemd should have been rammed down everyone's throats like it was (having a choice would have been nice); it's still necessary to develop something along these lines (to fix various limitations and stop using interpreted scripts when interpretation is expensive on modern CPUs). That being said, systemd is definitely beta-quality software and should not be running on production servers IMO.
  • (Score: 2) by realDonaldTrump on Sunday March 25 2018, @10:42PM

    by realDonaldTrump (6614) on Sunday March 25 2018, @10:42PM (#658103) Homepage Journal

    I know a lot about hacking. You know, if you have something really important, write it out and have it delivered by courier, the old-fashioned way. Because I’ll tell you what: no computer is safe. I don’t care what they say.

  • (Score: 1, Touché) by Anonymous Coward on Monday March 26 2018, @08:14AM

    by Anonymous Coward on Monday March 26 2018, @08:14AM (#658289)

    etcd is described as "A distributed, reliable key-value store for the most critical data of a distributed system."

    You know which word does not appear in that description? Right: "secure".

    So I'd say it is working as advertised: It reliably distributes the most critical data. ;-)
