Researchers Found World-Readable Database Used To Secure Buildings Around the Globe (arstechnica.com)

Researchers said they have found a publicly accessible database containing almost 28 million records -- including plain-text passwords, face photos, and personal information -- that was used to secure buildings around the world. Ars Technica reports: Researchers from vpnMentor reported on Wednesday that the database was used by the Web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people authorized to enter warehouses, municipal buildings, businesses, and banks. vpnMentor said the system has more than 1.5 million installations in a wide range of countries including the U.S., the UK, Indonesia, India, and Sri Lanka. According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plaintext, building access logs, employee records including start dates, personal details, mobile device data, and face images. The researchers said the data also included more than 1 million records containing actual fingerprint scans, but the report provided no data to support the claim.

"The vpnMentor researchers said they discovered the exposed database on August 5 and privately reported the finding two days later," reports Ars Technica. "The data wasn't secured until Tuesday, six days later."
  • by raymorris ( 2726007 ) on Wednesday August 14, 2019 @09:09PM (#59088114) Journal

    For all of the developers out there, you never, ever store passwords.

    What you do is store a special hash of the password.
    Then whatever the user enters, you apply the same hash function and see if the hashes match.

    I say a special hash - md5 or SHA2 is not good enough.

    What you need to do is every time you set a password, you generate a random salt string. Then compute the SHA2 HMAC of the password with salt. Then, bcrypt that. Now you're safe, you can store bcrypt ( HMAC(salt, password) )

    • And put a password on your database too...

    • What I don't get is: why do we have to keep telling people this?!

      • by Kiuas ( 1084567 ) on Thursday August 15, 2019 @04:33AM (#59088802)

        Because people are lazy and companies like to cut corners to cut costs.

        It's not like people don't know how to securely store passwords, or that you should never have the password for the admin be 'admin' (which is how the Panama papers got 'hacked' a couple years back: one of their subsidiary companies somewhere in South America had literally never changed their password for the admin for a system that was accessible online and contained millions upon millions of private documents), it's that people will take the easy route quite often. Company says: 'do X and do it fast', and some underpaid guy who doesn't actually give a flying fuck about the client or the implementation 'cause he's just doing it to pay his bills does it the fastest way he can think of. Then, instead of reviewing the implemented solution, his manager who also doesn't give a flying fuck about the actual implementation, 'cause he's under strict time constraints to deliver results lest his bonus be in danger, doesn't want to waste time to actually review the solution but merely asks 'is it done?' and then takes it to his superiors. Those guys are usually high enough that they don't even understand anything about actual coding and will just go 'great work guys, send out the invoices and rake in the cash!'

        Bottom line is this: companies care about profit, and profit only. Doing things securely and properly costs time and money which eats profits, so security and stability are often sacrificed for speed, and this is not just limited to the software industry.

        It's not that they don't know, it's that they do not care.

        • Architects and programmers are expected to know about a lot of things. Sometimes they don't know about security, and that's perfectly understandable. Sometimes they WANT to know about security - 35 of them showed up to my latest class.

          I can't expect programmers to know everything. Especially early in their careers. What I want them to know is when to seek assistance / guidance from the security team. When you're working on authentication and authorization systems is the number one time to come talk to us.

  • Not even 12 hours old too!

    https://yro.slashdot.org/story... [slashdot.org]

  • South Korea doesn't have network security. It simply doesn't exist there. The only degree of security that exists in SK is the dependence on people entering a valid social security number for online services. They don't implement security because they don't need to bother with it.
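The storage pattern raymorris describes in the first comment (never persist the password; keep a salted, slow hash and recompute it on login), as an added example. This is not code from the poster, from Suprema, or from Biostar. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for the slow outer hash; the per-password random salt and the HMAC-SHA256 pre-hash follow the comment's recipe. The record format, the `UserStore` class and the iteration counts are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Cost parameters (assumed values for this example; raise them as hardware allows).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def _prehash(password: str, salt: bytes) -> bytes:
    """Inner step from the comment: HMAC-SHA256 of the password keyed with the salt."""
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest (hex fields)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, salt), salt, iterations)
    return "$".join([SCHEME, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # malformed or foreign record (e.g. a plaintext column) never verifies
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _prehash(password, salt), salt, iterations)
    return hmac.compare_digest(candidate, expected)


class UserStore:
    """Toy user table (assumed): the only password-derived field persisted is the hash record."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self._rows: Dict[str, str] = {}
        self._iterations = iterations

    def add_user(self, username: str, password: str) -> None:
        self._rows[username] = hash_password(password, iterations=self._iterations)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._rows.get(username)
        if record is None:
            # Spend one KDF call for unknown users too, so response time does not reveal which usernames exist.
            hash_password(password, iterations=self._iterations)
            return False
        return verify_password(password, record)

    def dump(self) -> Dict[str, str]:
        """What a leaked copy of the table contains: no plaintext password anywhere."""
        return dict(self._rows)


if __name__ == "__main__":
    store = UserStore(iterations=50_000)  # lowered so the demo runs quickly
    store.add_user("alice", "correct horse battery staple")
    print(store.dump())
    print(store.authenticate("alice", "correct horse battery staple"))  # True
    print(store.authenticate("alice", "wrong password"))  # False
```

The scheme name, iteration count and salt travel with each record, so the cost can be raised for new passwords (and old records re-hashed at next successful login) without a flag day; a database that leaks in this form exposes only salted, slow-to-brute-force digests rather than the plaintext credentials described in the story. For production code, use a maintained password-hashing library (bcrypt, scrypt or Argon2) rather than hand-rolling the construction.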
