One of my favorite activities is using search engines to hunt for things that, realistically, I should not be able to find. Recently, I was able to find thousands of sites with their databases exposed. This time I was able to unearth a treasure trove of configuration files on a wide range of devices. These configuration files showed routes, rules and even passwords.
The part that I find particularly odd is, why would this ever be made accessible in the first place? In some cases this is just poor setup on the part of the administrators. In other cases it is just poor design of the products. In one case I found a series of FTP servers that were exposing their configurations including passwords.
I won’t share exactly the terms that I searched for in order to discover these exposed configuration files. That would be foolish on my part. What I will point out is that it is beyond trivial to find these if you know what you’re looking for. I was able to discover all manner of configuration files for switches, servers and so forth. I mentioned this to someone who said, “aren’t you going to get in trouble for accessing all of these systems?” Well, the problem there is that I’m actually not accessing them. I’m simply pulling them from Google’s cache.
Here is one example that I have redacted,
In the case of the system configurations that I could view online, many had passwords in them that were easily puzzled out using a simple script.
So, this begs the question as to why I’m talking about this in the first place. Simple. I want organizations to start doing a better job of securing their infrastructure. This is not a huge ask. So many problems on networks that lead to breaches can be addressed through doing a better job on the fundamentals. Patching, QA testing, defined repeatable processes. As much as people love to grump about these items, they can make your lives easier if you spend the time to tackle them.
Take the time to review what your organization is presenting to the Internet. Don't end up inadvertently laying out a welcome mat and ending up as a breach headline for something as simple as a poorly configured network device.
(Used under CC from alborzshawn)