Finnish phone giant Nokia denied a security firm's claims that it exposed a trove of personal credentials, encryption keys and API keys on a server that it unintentionally left open and directly accessible over the web. The issue concerns an etcd server found by HackenProof researcher Bob Diachenko.
Etcd is a database server most commonly used in enterprise and cloud computing environments. Etcd instances are a standard component of CoreOS, an operating system developed for cloud hosting environments, where they are used as part of the OS's clustering system. CoreOS uses an etcd server as a central store for passwords and access tokens for applications deployed through its clustering/container system. Diachenko said last week that he came across one such etcd server on December 13. He says he found the server using Shodan, the search engine for internet-connected devices. Diachenko said it was immediately obvious that the server belonged to Nokia.
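The exposure pattern described above is easy to check for on a host you operate. The following is an added illustration, not code from the article, Nokia or the etcd project: it parses an etcd process command line and flags client endpoints bound to all interfaces without TLS or client-certificate authentication. The flag names are etcd's real ones; the command lines in the test are constructed.

```python
"""Audit an etcd command line for Internet-facing, unauthenticated client endpoints."""
import shlex
from urllib.parse import urlsplit

# etcd's default when --listen-client-urls is absent (loopback only).
DEFAULT_LISTEN = "http://localhost:2379"
WILDCARD_HOSTS = ("0.0.0.0", "::")


def parse_etcd_flags(cmdline: str) -> dict:
    """Turn 'etcd --a=b --c d --flag' into {'a': 'b', 'c': 'd', 'flag': 'true'}."""
    args = shlex.split(cmdline)[1:]  # drop the program name
    flags = {}
    i = 0
    while i < len(args):
        tok = args[i]
        if not tok.startswith("--"):
            i += 1
            continue
        name = tok[2:]
        if "=" in name:
            name, value = name.split("=", 1)
        elif i + 1 < len(args) and not args[i + 1].startswith("--"):
            value = args[i + 1]
            i += 1
        else:
            value = "true"  # bare boolean flag such as --client-cert-auth
        flags[name] = value
        i += 1
    return flags


def audit_etcd(cmdline: str) -> list:
    """Return one finding per client URL that listens on every interface
    either in plaintext or over TLS without client-certificate auth."""
    flags = parse_etcd_flags(cmdline)
    cert_auth = flags.get("client-cert-auth", "false") == "true"
    findings = []
    for url in flags.get("listen-client-urls", DEFAULT_LISTEN).split(","):
        host = urlsplit(url).hostname
        if host not in WILDCARD_HOSTS:
            continue  # loopback or a specific address: not the wide-open case
        if urlsplit(url).scheme == "http":
            findings.append(f"{url}: plaintext client endpoint on all interfaces")
        elif not cert_auth:
            findings.append(f"{url}: TLS but no client certificate auth")
    return findings
```

The flags only describe network exposure; whether etcd's role-based authentication has been enabled on the running cluster is runtime state and must be checked separately.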
In a blog post today, the researcher finally detailed last week's findings, after Nokia had secured the exposed server earlier this week. According to Diachenko, the server contained credentials for applications such as Heketi, Redis, and Weave, as well as Kubernetes secret encryption keys, a Gluster client private key, SSH and RSA keys, cluster keys, AWS S3 secret keys "and a few others."
Nokia is not the only company with this problem. Earlier this year, a security researcher first raised the issue of exposed etcd servers when he pointed out that there were over 2,200 etcd databases directly accessible via Shodan, most of them storing a vast number of passwords and API keys. Today, that number is over 2,600 for the same Shodan search query, meaning that server owners haven't heeded his initial warning.