[HN Gopher] Thousands of unauthenticated databases exposed on th...
___________________________________________________________________
Thousands of unauthenticated databases exposed on the internet -
study
Author : rhlresearcher
Score : 51 points
Date : 2021-07-02 07:38 UTC (15 hours ago)
(HTM) web link (redhuntlabs.com)
| seventytwo wrote:
| Only two of these database types have any presence on the US west
| coast?? Seems odd...
| frankfrankfrank wrote:
| It's just the map image that does not show any of the exposed
| DBs west of the Mississippi for several of the DB types.
| achillean wrote:
| There definitely are instances of those databases on the west
| coast. For example:
| https://www.shodan.io/search?query=product%3Aelastic+state%3...
| 29athrowaway wrote:
| Using shodan.io you can search for Internet-facing db servers
| without authentication. Shodan has been around for 12 years
| already.
| unstatusthequo wrote:
| Shodan is great. I've used it quite a lot for my work.
| thinkingemote wrote:
| Could you explain a bit more? Are you looking for public
| vulns in your work machines/networks?
| batch12 wrote:
| Yeah, this feels like a thinly-veiled advertisement for their
| service.
| akudha wrote:
| This can be mitigated (at least to some extent) if database
| vendors forced requirement of passwords (at least semi strong)
| during installation, no? Is there a reason why I should be
| allowed to access a database (even if it is local, on my laptop)
| without a password?
| foobiekr wrote:
| This is the correct answer. Literally every equipment vendor
| does this.
|
| Why must we reinvent everything? Even obvious things...
| easytiger wrote:
| I was googling someone's email address the other day and was able
| to access the admin panel of a corporate mailing list management
| software where I was able to view their data and accessed every
| email they had, including notes about them.
|
| Totally messed up. I didn't try, but knowing the slugs now I reckon
| it's not too hard to find similar instances.
| Scoundreller wrote:
| I did that too with an old home address. Contacted an admin
| (easy to find obviously), and they took it down pretty fast.
|
| Of course this only happens if you fail to exclude this in
| robots.txt, so there's probably plenty more wide open but not
| indexed.
| 29athrowaway wrote:
| There is a talk from a security researcher about visiting
| random HTTP servers exposed to the internet.
|
| He found the control panel for a power plant, an ice skating
| rink, traffic lights, etc.
|
| There was even a button that you could press to put the traffic
| lights on test mode, that had a message saying "Warning: injury
| or death can occur".
|
| No authentication was required for any of those systems. Why?
| because some people wrongly believe that not being behind a
| domain name and not being on a search engine (other than
| shodan, of course), makes their shit secure.
|
| That's why sometimes I think working in IT or software should
| require a license.
| DyslexicAtheist wrote:
| > That's why sometimes I think working in IT or software
| should require a license.
|
| IMO the problem isn't lack of training or another licensing
| scheme but the lack of budget companies allocate to QA &
| Security.
| jimktrains2 wrote:
| And a license and code of ethics would be a concrete way to
| push back against employers cutting costs or time.
| 29athrowaway wrote:
| Licenses can be revoked.
|
| When you know you can lose your license, being a duct tape
| programmer becomes a liability.
|
| People will want to understand what they do, and be
| reluctant to work for tech debt mills.
|
| As a result, tech debt mills would die and be forbidden
| from making software. It would be a wonderful world.
| achillean wrote:
| It was probably one of @Viss's talks. Here's one he did at
| DEFCON: https://www.youtube.com/watch?v=-T-3buBwMEQ
| 29athrowaway wrote:
| Thank you, this was the talk I was referring to. I had
| forgotten the exact name. Entertaining yet worrying.
| heurisko wrote:
| Until then, it would be helpful if projects prompted during
| installation to set up authentication (and didn't continue
| without) and were bound to localhost.
|
| I wonder why MySQL and PostgreSQL databases don't show up on
| these lists.
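The two install-time defaults that akudha and heurisko call out above (no password required, and listening on every interface rather than localhost) are exactly what a defender can check for in a deployed config. The following is an added example, not code from the thread, the RedHunt Labs study, or the MongoDB project: a small audit that parses a mongod.conf-style YAML file and flags a non-loopback `net.bindIp` (or `net.bindIpAll`) and a `security.authorization` that is not `enabled`. Those three keys are real MongoDB options; the two sample config files are constructed, and the tiny YAML parser only handles the nested `key: value` subset such files normally use.

```python
"""Audit a MongoDB-style config for the two settings discussed in the thread:
listening beyond loopback and running without authentication.
Added example; `net.bindIp`, `net.bindIpAll` and `security.authorization`
are real mongod keys, the sample configs below are constructed."""
from __future__ import annotations

import ipaddress

# Constructed sample: the shape of deployment that ends up in exposure counts.
WEAK_CONFIG = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface
# no security section: authorization defaults to disabled
"""

# Constructed sample: loopback only, authentication required.
HARDENED_CONFIG = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> dict:
    """Minimal parser for the nested 'key: value' subset used by mongod.conf.
    Handles indentation, '#' comments and blank lines; no lists or quoting."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]  # (indent, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:          # climb back out of deeper maps
            stack.pop()
        parent = stack[-1][1]
        if value == "":                         # 'key:' opens a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def is_loopback_only(bind_ip: str) -> bool:
    """True only if every comma-separated address is loopback (or 'localhost')."""
    addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
    if not addrs:
        return False
    for a in addrs:
        if a == "localhost":
            continue
        try:
            if not ipaddress.ip_address(a).is_loopback:
                return False
        except ValueError:
            return False  # hostname or wildcard we cannot vouch for: treat as exposed
    return True


def audit_mongod_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings: list[str] = []

    bind_ip = net.get("bindIp", "127.0.0.1")           # mongod default since 3.6
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if bind_all or not is_loopback_only(bind_ip):
        findings.append(f"net.bindIp={bind_ip!r}: listens on a non-loopback address")

    auth = security.get("authorization", "disabled").lower()
    if auth != "enabled":
        findings.append(f"security.authorization={auth!r}: authorization not enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["ok"])
```

Run it as a script and the weak sample produces two findings while the hardened one produces none. Binding to loopback alone is not a substitute for authentication: anything else on the host (or an SSH tunnel, or a future change to `bindIp`) still reaches the socket, which is why the audit reports the two settings independently.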
| tyingq wrote:
| >We chose to keep this very non-intrusive by making use of a
| uniform single packet scan across the entire IPv4 space
|
| Heh.
| frankfrankfrank wrote:
| It is a bit odd that only Mongo and Rethink are showing any of
| the exposed DBs west of the Mississippi in the map image of the
| article.
___________________________________________________________________
(page generated 2021-07-02 23:02 UTC)