Communications of the ACM
Fermilab Exposes Proprietary Data for All to See
Fermilab data found by researchers included Apache Tomcat server credentials in plaintext.
Credit: STV Inc.
Security researchers of the Sakura Samurai ethical hacking group used multiple unsecured entry points to access data, code, messages, and passwords belonging to Fermilab, a particle physics and accelerator lab supported by the U.S. Department of Energy.
The researchers used commonly available tools to peek inside fnal.gov subdomains and discovered open directories, open ports, and unsecured services that attackers could have used to extract proprietary data.
Among the exposed assets was Fermilab's FTP server containing heaps of data that allowed "anonymous" login without a password. In another set of unrestricted subdomains, the researchers found over 4,500 tickets used for tracking Fermilab's internal projects.
"Crazy to see the ease in which we acquired sensitive data, which included credentials to scientific equipment and servers," said researcher John Jackson.
Fermilab responded quickly to the researchers' initial report and squashed the bugs.
From ARS Technica
View Full Article
No entries found