25 comments

[ 3.3 ms ] story [ 65.6 ms ] thread
Using shodan.io you can search for Internet-facing db servers without authentication. Shodan has been around for 12 years already.
Yeah, this feels like a thinly-veiled advertisement for their service.
Shodan is great. I’ve used it quite a lot for my work.
Could you explain a bit more? Are you looking for public vulns in your work machines/networks?
I was googling someone's email address the other day and was able to access the admin panel of a corporate mailing list management software where I was able to view their data and accessed every email they had, including notes about them.

Totally messed up. I didn't try but knowing the slugs now I recon not too hard to find similar instances

I did that too with an old home address. Contacted an admin (easy to find obviously), and they took it down pretty fast.

Of course this only happens if you fail to exclude this in robots.txt, so there’s probably plenty more wide open but not indexed.

There is a talk from a security researcher about visiting random HTTP servers exposed to the internet.

He found the control panel for a power plant, an ice skating rink, traffic lights, etc.

There was even a button that you could press to put the traffic lights on test mode, that had a message saying "Warning: injury or death can occur".

No authentication was required for any of those systems. Why? because some people wrongly believe that not being behind a domain name and not being on a search engine (other than shodan, of course), makes their shit secure.

That's why sometimes I think working in IT or software should require a license.

Until then, it would be helpful if projects prompted during installation to setup authentication (and didn't continue without) and were bound to localhost.

I wonder why MySQL and postgresql databases don't show up on these lists.

> That's why sometimes I think working in IT or software should require a license.

IMO the problem isn't lack of training or another licensing scheme but the lack of budget companies allocate to QA & Security.

And a license and code of ethics would be a concrete way to push back against employers cutting coats or time.
Licenses can be revoked.

When you know you can lose your license, being a duct tape programmer becomes a liability.

People will want to understand what they do, and be reluctant to work for tech debt mills.

As a result, tech debt mills would die and be forbidden from making software. It would be a wonderful world.

(comment deleted)
The presentation mentioned below in the thread is not bad.Sounds like its the one you were referring to, but for complete madness and awe I recommend to watch this one:

"115 batshit stupid things you can put on the internet in as fast as I can go" by Dan Tentler

https://youtu.be/hMtu7vV_HmY

There is a point where they find a large Dam in France with water gates control available in the Internet. They use the US Embassy to contact the French government department responsible and urgently do something about it. They are told: "Not right now, we are currently on holidays..." :-)

>We chose to keep this very non-intrusive by making use of a uniform single packet scan across the entire IPv4 space

Heh.

Only two of these database types have any presence on the US west coast?? Seems odd…
It's just the map image that does not show any of the exposed DBs west of the Mississippi for several of the DB types.
The idea was not to detect how many databases are there on the internet, but rather unauthenticated/vulnerable ones. It is possible that the databases exist on US west coast, but aren't vulnerable. The maps were generated using ipinfo.io (linked in the article).
It is a bit odd that only Mongo and Rethink are showing any of the exposed DBs west of the Mississippi in the map image of the article.
This can be mitigated (at least to some extent) if database vendors forced requirement of passwords (at least semi strong) during installation, no? Is there a reason why I should be allowed to access a database (even if it is local, on my laptop) without a password?
This is the correct answer. Literally every equipment vendor does this.

Why must we reinvent everything? Even obvious things…