Over 13K iSCSI Storage Clusters Left Exposed Online Without a Password (zdnet.com)

Over 13,000 iSCSI storage clusters are currently accessible via the internet after their respective owners forgot to enable authentication. From a report: This misconfiguration has the risk of causing serious harm to devices' owners, as cyber-criminal groups could access these internet-accessible hard drives (storage disk arrays and NAS devices) to replace legitimate files with malware, insert backdoors inside backups, or steal company information stored on the unprotected devices. [...] Over the weekend, penetration tester A Shadow tipped ZDNet about this hugely dangerous misconfiguration issue. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices. In an online conversation with ZDNet, the researcher described this iSCSI exposure as a "dangerous backdoor" that can allow cyber-criminals to plant ransomware-infected files on companies' networks, steal company data, or place backdoors inside backup archives that may get activated when a company restores one of these booby-trapped files.
  • What's wrong with this picture?
    Oh yeah, the same thing wrong with "the cloud"

    I still can't believe "the cloud" ever took off with the IT world...

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Oh yeah, the same thing wrong with "the cloud"

      iSCSI dates back to 1998. "The Cloud" dates back to 2006. iSCSI is intended to be used over a LAN, not the internet. This is a "misconfiguration" as said in the second word of the summary, not someone intentionally sharing data to the cloud or whatever you think it is.

    • What's wrong with this picture? Oh yeah, the same thing wrong with "the cloud"

      I still can't believe "the cloud" ever took off with the IT world...

      The cloud took over IT because it made sense.

      The problem we are seeing here (not securing your shit), that's been an old problem since offices started giving workers PCs connected to a LAN or whatever. Hell, I'll say this is just another manifestation of the same old problem of someone lending badges and id cards to a co-worker (or someone else) in the good old days of timesharing and mainframes.

      What we are seeing here is not a problem of "the cloud" or "IoT". It's product designers shipping products t

  • by grasshoppa ( 657393 ) on Monday April 01, 2019 @04:36PM (#58368088) Homepage

    I never understood this. Under normal circumstances it's quite difficult to make something internet accessible. Most firewalls, both corporate and consumer, by default use NAT with no forwarding, so under those conditions you'd have to go out of your way to make this happen ( ironic, given that if you have the knowledge necessary to do so, you know what not to do as well ).

    The only thing I can think of is that this is an org with a huge block of public IPs that are managed poorly, but I would expect this to be an edge case and not a part of all these risk vectors ( cameras, printers, workstations and now, apparently, disk systems ).

    • by DarkOx ( 621550 ) on Monday April 01, 2019 @04:44PM (#58368112) Journal

      I'll bet a lot of it is IPv6

      • I'll bet it's not.

        It's trivially easy to exhaustively scan the entire v4 internet space. Trying to do the same to the v6 space isn't going to work. There are ways to pare down the search space somewhat, but ultimately Shodan is going to be listing every single exposed v4 service but not very many of the v6 ones.

    • Exposing an iSCSI node to the great big wide world seems to go beyond normal incompetence and borders on utter ineptitude. Not that any device with an IP shouldn't be locked down, even inside a LAN (that's a bad enough failure of security), but wow, the idiocy of actually throwing any iSCSI device on a routable IP just seems so jaw-droppingly stupid.

      • Same here. The only way this can happen is by sheer ineptitude.

        This is the double-edged sword of empowering people by making things simpler and more accessible. While it streamlines things for pros, it also allows Dunning-Krugers to think that they can punch above their weight, with the end results being what we see today.

        I've run into these kinds of people now and then, and... just wow. It's not even the incompetence that bugs me. It's the surety that they know what they're doing, and the completely ob

      • There are a number of IPv6 enthusiasts who insist that NAT is evil and unnecessary and insist that all IP addresses should be public, that all should be left to an intelligently configured and sophisticated firewall to protect the internal IP addresses even if they are routable. In the last 10 years, I haven't met any of these enthusiasts who competently run their firewalls, or who sensibly use the non-routable IPv6 address spaces for their devices.

    • Not just one org, there are piles of orgs, especially in academia that have been on the net since before the eternal september and the IPv4 crunch and still run their networks in much the way they always have. Mostly open to the Internet with maybe some limited firewalling on ports particularly likely to be abused.

      Also whenever you rent a server or VM or colocation slot from a hosting provider it comes with a public IP open to the Internet by default. I could easily see someone fed up with overpriced clou

  • Seriously, I can't think of why you would let iSCSI traffic leave your storage VLAN.

    Connect everything that needs iSCSI with a dedicated iSCSI NIC or vNIC, and be done with it.

    I really don't want a router delaying or otherwise messing with storage packets anyhow.

    • by ledow ( 319597 )

      I can't understand why anyone is running ANYTHING connected to the public Internet that's not behind a NAT/firewall that would stop all of these kinds of exposure.

      I mean, seriously - the problem is not the password. It's that it's even POSSIBLE to send and receive packets to these kinds of devices from the public Internet. It's just ridiculous.

    • You're not wrong that it's a bad idea, but I see it happen.

      There's a lot of inexpensive (mostly 10 gig) switching out there that can route IP with minimal latency, or at least so little added latency it doesn't matter for a lot of ordinary storage traffic.

      The others are data center expansions/contractions and some levels of same-campus, different-building high availability projects that work so long as you're able to route iSCSI traffic. I've also seen poor scaling decisions involving iSCSI subnets require
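The two comments above (keep iSCSI inside a dedicated storage VLAN; nothing should be reachable from the public Internet at all) describe exactly the two conditions an administrator can audit for on a Linux iSCSI target: portals bound to a wildcard or non-storage address, and target portal groups that accept logins without CHAP. The following is an added example written for this page, not code from the article, the commenters, or any storage vendor. It audits a JSON document whose shape is modelled on the LIO `saveconfig.json` export (the sample itself is constructed test data, and the `iqn.2019-04.example.lab:*` names are hypothetical); run it against a real export and a list of your storage subnets and every finding is a portal or TPG that would show up the way the Shodan results did.

```python
import ipaddress
import json

ISCSI_PORT = 3260

# Constructed sample, modelled on the shape of an LIO /etc/target/saveconfig.json.
# Hypothetical data: one target exposed on every interface with CHAP off,
# one target correctly bound to the storage VLAN with a CHAP-protected ACL.
SAMPLE_SAVECONFIG = json.dumps({
    "targets": [
        {
            "fabric": "iscsi",
            "wwn": "iqn.2019-04.example.lab:backup-exposed",
            "tpgs": [{
                "tag": 1,
                "enable": True,
                "attributes": {"authentication": 0, "generate_node_acls": 1},
                "node_acls": [],
                "portals": [{"ip_address": "0.0.0.0", "port": 3260}],
            }],
        },
        {
            "fabric": "iscsi",
            "wwn": "iqn.2019-04.example.lab:vmstore-ok",
            "tpgs": [{
                "tag": 1,
                "enable": True,
                "attributes": {"authentication": 1, "generate_node_acls": 0},
                "node_acls": [{
                    "node_wwn": "iqn.2019-04.example.lab:esx01",
                    "chap_userid": "esx01",
                    "chap_password": "REDACTED",
                }],
                "portals": [{"ip_address": "10.20.30.5", "port": 3260}],
            }],
        },
    ]
})


def portal_is_unrestricted(ip_address, storage_nets):
    """True if a portal listens on a wildcard address (every interface, so
    also the Internet-facing one) or on an address outside the storage VLAN."""
    addr = ipaddress.ip_address(ip_address)
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return True
    return not any(addr in net for net in storage_nets)


def audit_saveconfig(saveconfig_text, storage_nets):
    """Return (iqn, tpg_tag, finding) tuples for every enabled iSCSI TPG that is
    reachable outside the storage network or accepts logins without CHAP."""
    cfg = json.loads(saveconfig_text)
    nets = [ipaddress.ip_network(n) for n in storage_nets]
    findings = []
    for target in cfg.get("targets", []):
        if target.get("fabric") != "iscsi":
            continue
        for tpg in target.get("tpgs", []):
            if not tpg.get("enable", True):
                continue
            key = (target["wwn"], tpg.get("tag"))
            attrs = tpg.get("attributes", {})
            # Exposure: where does the portal actually listen?
            for portal in tpg.get("portals", []):
                port = portal.get("port", ISCSI_PORT)
                if portal_is_unrestricted(portal["ip_address"], nets):
                    findings.append((*key, f"portal {portal['ip_address']}:{port} "
                                            "outside storage network"))
            # Authentication: is CHAP enforced, and is the TPG closed to
            # unknown initiators?
            if attrs.get("authentication", 1) == 0:
                findings.append((*key, "CHAP authentication disabled"))
            if attrs.get("generate_node_acls", 0) == 1:
                findings.append((*key, "generate_node_acls=1 (any initiator may log in)"))
            for acl in tpg.get("node_acls", []):
                if not acl.get("chap_userid") or not acl.get("chap_password"):
                    findings.append((*key, f"ACL {acl.get('node_wwn')} has no CHAP credentials"))
    return findings


if __name__ == "__main__":
    for iqn, tag, finding in audit_saveconfig(SAMPLE_SAVECONFIG, ["10.20.30.0/24"]):
        print(f"{iqn} tpg{tag}: {finding}")
```

On the constructed sample only the `backup-exposed` target is reported, with three findings (wildcard portal, CHAP off, open ACL generation). The portal check is the one that matters most here: a target bound to `0.0.0.0` on a host that also has a public address is reachable from the Internet regardless of how good the CHAP secret is, which is the point the commenters above are making about keeping storage traffic on its own VLAN.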

  • I'm not worried if we're being complacent, rather are we being complacent *enough*? (shrugs)

    (yawns) Maybe we should schedule a meeting to discuss the pros and cons of checking our storage to see if it's exposed.

    (consults calendar) Hmm, looks like the bigwigs are out this week. They won't have anything useful to contribute, but get upset if they're excluded from something important enough to be in the news. Hmm, next week a couple of key people are out for training. Well, the 15th is recuperation from GoT se

  • I thought SCSI died decades ago. I'd know, I had Scuzzy stuff back in the 80s. Loved it at the time, but time marches on...

    In other words, I should not have to use Google to figure out a /. summary. It's not like I'm an accountant using QuickBooks in Twin Forks, IA. I've been programming computers for over 40 years now, and keep up with the current stuff. Except cloud stuff. I'll never keep my only copy of anything on someone else's Atari in their mom's basement.

    • by ledow ( 319597 )

      News for Nerds.

      iSCSI has been around for decades. Think of it as SCSI over IP.

      And SCSI underpins a lot of things still... I take it you've never heard of SAS (serial attached SCSI) either?

      Pretty much anything you buy that's even remotely "server like" or "storage like" (even a cheap Netgear NAS) will offer iSCSI because so many people use it. And it's essential if you want to do things like virtualise your servers and run the storage across the network (so you can replicate your machines, access the same
