
Communications of the ACM


Fermilab Exposes Proprietary Data for All to See


Fermilab data found by researchers included Apache Tomcat server credentials in plaintext.

Credit: STV Inc.

Security researchers of the Sakura Samurai ethical hacking group used multiple unsecured entry points to access data, code, messages, and passwords belonging to Fermilab, a particle physics and accelerator lab supported by the U.S. Department of Energy.

The researchers used commonly available tools to peek inside subdomains and discovered open directories, open ports, and unsecured services that attackers could have used to extract proprietary data.

Among the exposed assets was Fermilab's FTP server containing heaps of data that allowed "anonymous" login without a password. In another set of unrestricted subdomains, the researchers found over 4,500 tickets used for tracking Fermilab's internal projects.
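The anonymous-login exposure described above is easy to audit on your own hosts. The following is an added example, not code from the article or from Fermilab: it attempts only an anonymous login (no listing or download) and reports the outcome. The FTP client class is injectable so the check can be exercised offline with the constructed stand-in classes at the bottom, which are assumptions for demonstration.

```python
"""Audit one or more hosts for FTP servers that accept anonymous login."""
import ftplib
from dataclasses import dataclass


@dataclass
class FtpAuditResult:
    host: str
    anonymous_login: bool
    detail: str


def check_anonymous_ftp(host, port=21, timeout=5.0, ftp_factory=ftplib.FTP):
    """Return whether `host` accepts the RFC 1635 'anonymous' login.

    `ftp_factory` defaults to the real ftplib client; a fake can be injected
    for offline tests. Only LOGIN is attempted; nothing is read from the server.
    """
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "audit@example.invalid")
        return FtpAuditResult(host, True, "anonymous login accepted")
    except ftplib.error_perm as exc:  # 530 etc.: server refused the login
        return FtpAuditResult(host, False, f"login refused: {exc}")
    except (OSError, ftplib.Error) as exc:  # unreachable, timeout, protocol error
        return FtpAuditResult(host, False, f"no result: {exc}")
    finally:
        try:
            ftp.quit()
        except Exception:  # never connected or already closed
            pass


def audit_hosts(hosts, **kwargs):
    """Run the check over an iterable of hostnames; returns a list of results."""
    return [check_anonymous_ftp(h, **kwargs) for h in hosts]


# Constructed stand-ins (hypothetical) so the check runs with no network.
class FakeOpenFtp:
    def connect(self, host, port=21, timeout=None): pass
    def login(self, user, passwd): return "230 Login successful."
    def quit(self): pass


class FakeClosedFtp(FakeOpenFtp):
    def login(self, user, passwd): raise ftplib.error_perm("530 Permission denied.")


if __name__ == "__main__":
    for r in audit_hosts(["ftp.example.invalid"], ftp_factory=FakeOpenFtp):
        print(f"{r.host}: anonymous={r.anonymous_login} ({r.detail})")
```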

"Crazy to see the ease in which we acquired sensitive data, which included credentials to scientific equipment and servers," said researcher John Jackson.

Fermilab responded quickly to the researchers' initial report and squashed the bugs.

From Ars Technica
