SoylentNews is people
SoylentNews
Earlier this summer, the team at Inversoft published a comprehensive and sophisticated guide to user data security. The guide spans from hardening servers from provisioning, up through the IP and SSH layers, and all the way to application-level techniques for password hashing, SQL injection protection, and intrusion detection. As proof that they stood behind their advice, the Inversoft team provisioned a pair of Linode hosts, a web server and database server, and gave them the hardening treatment. Inversoft offered up a fully-loaded MacBook to anyone who could break in, taunting all comers by naming the hardened web server hackthis.inversoft.com.
Needless to say, they found a way in.
[...] After discovering an unpatched, unfirewalled Elasticsearch instance using nmap, we gained shell access on a utility server used for various functions at Inversoft. On there, we found API keys for Linode left behind by a human operator. Those keys allowed us to detach disks from running servers and attach them to servers we controlled, stealing sensitive user data (all to win a prize).
(Score: 3, Interesting) by Anonymous Coward on Saturday August 27 2016, @09:33PM
OK, so what we can learn from this?
a) All your machines must be at the "same level" and "separate"? IE, no weak link, all strongholds, no exceptions. Including "jack of all trades" or "test" ones. If not needed, off?
b) Keep "passwords" and other "keys" offline/cyphered as much as possible? If the system insists keeping things visible (crap system), find a workaround like a cyphered mount?
c) Limit connections to well known machines? IE, don't talk to anyone not intended.
d) Disallow unsupervised automation as much as possible? Like the IP swap, etc. See c) question.
More? Yes, I know, it will never be perfect (I have not mentioned social engineering or 0-days, eg) but I am talking about learning how to do it better.