Configuration Snafu Exposes Passwords For Two Million Marijuana Growers (zdnet.com)
An anonymous reader quotes a report from ZDNet: GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, suffered a security breach in September this year. The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords. Kibana apps are normally used by a company's IT and development staff, as the app allows programmers to manage Elasticsearch databases via a simple web-based visual interface. Due to its native features, securing Kibana apps is just as important as securing the databases themselves.
But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana apps, which appear to have been left exposed online without a password since September 22, 2020. Diachenko says these two Kibana apps granted attackers access to two sets of Elasticsearch databases, with one storing 1.4 million user records and the second holding more than two million user data points. The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users' account passwords. While the passwords were stored in a hashed format, Diachenko said the format was MD5, a hashing function known to be insecure and crackable (allowing threat actors to determine the cleartext version of each password). The company secured its infrastructure five days after Diachenko reported the exposed Kibana apps on October 10. It's unknown if someone else accessed the databases to download user data.
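The exposure described in the summary above is a configuration problem: a Kibana instance reachable from the network in front of an Elasticsearch cluster that accepts unauthenticated requests. The following is an added example (not GrowDiaries' configuration and not code from ZDNet, Elastic or any commenter) of a small audit that reads `elasticsearch.yml` and `kibana.yml` and flags that pattern. The setting names are real Elasticsearch/Kibana keys; the flat `key: value` parser, the sample configs, the severity labels and the assumption that an unset `xpack.security.enabled` means "disabled" (the 6.x/7.x basic-licence default) are all constructed for illustration.

```python
"""Audit elasticsearch.yml / kibana.yml for an exposed Kibana over an open cluster.

Added example, not GrowDiaries' or Elastic's code. Parsing is a deliberately
simplified flat "key: value" reader (no YAML nesting or lists); severities and
sample configurations are constructed for illustration.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, setting, message)

# Bind addresses that keep a service off the network (_local_ is ES shorthand for loopback).
LOOPBACK = {"", "localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read top-level `key: value` lines; comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value: str) -> bool:
    return value.lower() in {"true", "yes", "on"}


def audit_elasticsearch(cfg: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    # Assumption: an unset value means security is off, as in 6.x/7.x basic-licence defaults.
    if not is_true(cfg.get("xpack.security.enabled", "false")):
        findings.append(("high", "xpack.security.enabled",
                         "authentication disabled: anyone reaching port 9200 can read every index"))
    host = cfg.get("network.host", "")
    if host not in LOOPBACK:
        findings.append(("medium", "network.host",
                         f"bound to '{host}': reachable from other hosts, so security must be on"))
    return findings


def audit_kibana(cfg: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    host = cfg.get("server.host", "localhost")
    if host not in LOOPBACK:
        findings.append(("medium", "server.host", f"bound to '{host}': UI reachable from the network"))
    if not (cfg.get("elasticsearch.username") or cfg.get("elasticsearch.serviceAccountToken")):
        findings.append(("medium", "elasticsearch.username",
                         "no credentials for the Kibana-to-Elasticsearch connection; "
                         "only works if the cluster requires none, which is itself a finding"))
    return findings


def audit_stack(es_yml: str, kibana_yml: str) -> List[Finding]:
    """Combine both files: the dangerous case is an exposed Kibana over an open cluster."""
    es_cfg, kb_cfg = parse_flat_yaml(es_yml), parse_flat_yaml(kibana_yml)
    findings = audit_elasticsearch(es_cfg) + audit_kibana(kb_cfg)
    es_open = not is_true(es_cfg.get("xpack.security.enabled", "false"))
    kibana_exposed = kb_cfg.get("server.host", "localhost") not in LOOPBACK
    if es_open and kibana_exposed:
        findings.insert(0, ("critical", "server.host + xpack.security.enabled",
                            "Kibana reachable from the network while the cluster has no "
                            "authentication: unauthenticated visitors can query every index"))
    return findings


# Constructed sample configurations (not from the page).
WEAK_ELASTICSEARCH_YML = """
cluster.name: grow-logs
network.host: 0.0.0.0
http.port: 9200
# xpack.security.enabled left unset
"""
WEAK_KIBANA_YML = """
server.host: "0.0.0.0"
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
"""
HARDENED_ELASTICSEARCH_YML = """
cluster.name: grow-logs
network.host: 127.0.0.1
xpack.security.enabled: true
"""
HARDENED_KIBANA_YML = """
server.host: "127.0.0.1"   # fronted by a TLS reverse proxy that does its own auth
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: kibana_system
# elasticsearch.password lives in the Kibana keystore, not in this file
"""

if __name__ == "__main__":
    for sev, key, msg in audit_stack(WEAK_ELASTICSEARCH_YML, WEAK_KIBANA_YML):
        print(f"[{sev}] {key}: {msg}")
    print("hardened:", audit_stack(HARDENED_ELASTICSEARCH_YML, HARDENED_KIBANA_YML))
```

The audit is meant to run in CI against the files you ship, not against a live host. Binding both services to loopback in the hardened sample is the simplest demonstration; in a real deployment the point is that any non-loopback bind must be paired with `xpack.security.enabled: true` and per-user credentials, which is exactly the pairing the weak sample lacks.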
Oops sorry we were a bit stoned. (Score:5, Funny)
Devs + weed + security = data breach..
Re: (Score:2)
Devs + weed + security = data breach..
And now that Arizona has joined the legalization ranks, we're going to be seeing a new cohort of retired Boomer growers who keep their password on a sticky note attached to their monitor.
Re: (Score:2)
Would you rather have your money go to criminal gangs?
Re: (Score:2, Troll)
Well, they're not criminal gangs - they're just legal gangs now.
Re: (Score:1)
Probably not. Legalization usually brings taxes and regulation.
Re: (Score:2)
There's 100% absolutely still criminal gangs involved with marijuana production.
Also, in some states (notably California, which is still a primary producer of cannabis) the state has managed to gain something of a stranglehold, taxing not just retail sales but also every plant and also charging exorbitant fees for compliance certification and licensing. One might argue that they are also a criminal gang since they are collecting money and providing nothing.
Re: (Score:1)
The exorbitant tax structure ensures there will be a thriving extra-legal market.
Re: (Score:2)
Would you rather have your money go to criminal gangs?
I voted Yes, primarily because I think the Legion Of The Woke will be easier to tolerate if we keep them stoned.
Secondarily, all the War On Drugs has succeeded in getting rid of is a number of our Constitutional rights. All that money and draconian law enforcement powers, and we still have the same drug program. I say just legalize it all and offer the addicted whatever medical options our tech can come up with.
Re:Oops sorry we were a bit stoned. (Score:4, Informative)
And if that monitor is behind a locked door in a room they only have access to then it's more secure than any online password vault will ever be. It may sound "old school" to you, but there is an inherent level of security to having your passwords stored physically instead of electronically. I can count the number of people allowed into my study on both hands, and the number of people allowed on my PC with one hand (actually 2 fingers). If someone who stores their passwords physically gets "hacked" he doesn't have far to look for the culprit, the same cannot be said with storing passwords online. If your password can be easily remembered it's either too simple or you are reusing your password on multiple sites. Post it notes don't sound so bad now. It all depends on how many people have access to the PC, a sticky note in an open plan office is bad, but on a personal PC in a personal space...
Re: (Score:2)
Re: Oops sorry we were a bit stoned. (Score:2)
MD5 in 2020? (Score:5, Insightful)
What incompetent idiot developer uses MD5 for password hashing in 2020? You should be using SHA2+salt or at least SHA1+salt.
You'd have to be on drugs (Score:3, Funny)
You'd have to be fucking high to use MD5 nowadays. Oh.
Re: (Score:2)
Dave's not here, man.
Re: (Score:2)
What absolutely incompetent crap is that? These people did not fail because of MD5. Ever heard of _iteration_? Or of a large-memory-property? PBKDF2 is the old, insecure and obsolete standard. Anybody not using Argon2 these days for anything new is an incompetent hack.
Re: (Score:3)
MD5 is totally broken. As in, I've personally broken it.
PBKDF blazed the trail for better variations of the concept.
PBKDF2 and bcrypt aren't great for new development.
Salted SHA256 (with decent passwords / passphrases) shouldn't be used for new development in highly secure systems, but it's not broken. You won't fail an audit for having salted sha2. The problem with sha256 is Bitcoin hardware. Due to Bitcoin, ASICs for sha256 are widely available.
Both sha256 and sha512 have the very convenient property tha
Re: (Score:2)
Academic breaks. Some reduction in security level is absolutely normal and standard and _no_ reason to not use it. Some understanding of things required.
For example, there are tons of attacks on AES, all academic. There is no reason to not use AES because of these attacks.
Re: (Score:2)
MD5 is totally broken. As in, I've personally broken it.
No. MD5 is not broken for password hashing. Or not more broken than other hashes. Seriously. Get some minimal understanding of things.
_Anything_ not iterated (with high iteration count) is broken at this time. Broken as in "gross negligence".
Scrypt is obsolete, the standardization process has been aborted.
Your cluelessness is really impressive, but not a surprise given how often these things get fucked up by incompetent hacks.
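The thread above argues over unsalted MD5, salted SHA-2 and iterated or memory-hard schemes without showing what each looks like in practice. The following is an added example, written by the editor and not code from GrowDiaries or any commenter, that puts the breach's scheme (one pass of unsalted MD5) beside two schemes available in the Python standard library: salted, iterated PBKDF2-HMAC-SHA256 and memory-hard scrypt (Argon2, which the thread recommends, needs a third-party package and is left out). It also shows the defender's migration step of wrapping existing MD5 digests so a table at rest no longer holds bare MD5. The iteration count, scrypt parameters, record format and sample passwords are assumptions chosen for illustration, not values from the page.

```python
"""Unsalted MD5 (the breach's scheme) beside salted, iterated and memory-hard hashing.

Added example, not GrowDiaries' code. Standard library only; iteration count,
scrypt parameters and the `$`-separated record format are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def md5_unsalted(password: str) -> str:
    """The scheme the report describes: one MD5 pass, no salt, no cost factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def find_shared_hashes(user_hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose stored digests are identical.

    Without a salt, equal passwords give equal digests, so a leaked table shows
    which accounts share a password and one recovered password opens all of them.
    """
    groups: Dict[str, List[str]] = {}
    for user, digest in user_hashes.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


PBKDF2_ITERATIONS = 600_000  # assumption for illustration; tune to your login latency budget


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries scheme, cost and salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # not one of our records; never raise on attacker-shaped input
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time comparison


def scrypt_hash(password: str, salt: Optional[bytes] = None,
                n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """Memory-hard scrypt: n=2**14, r=8 needs about 16 MiB per guess, which is what
    blunts the SHA-256 ASICs mentioned in the thread."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def scrypt_verify(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, dk_hex = parts
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def wrap_legacy_md5(md5_hex: str) -> str:
    """Harden an existing MD5 record in place, without waiting for the user to log in.

    The stored MD5 digest becomes the input to salted PBKDF2, so the table at rest
    no longer contains bare MD5. On the user's next successful login, re-hash the
    plaintext with pbkdf2_hash and drop the MD5 layer entirely.
    """
    return "md5+" + pbkdf2_hash(md5_hex)


def verify_wrapped(password: str, record: str) -> bool:
    if not record.startswith("md5+"):
        return False
    return pbkdf2_verify(md5_unsalted(password), record[len("md5+"):])


if __name__ == "__main__":
    # Constructed sample table: two users chose the same weak password.
    table = {u: md5_unsalted(pw) for u, pw in
             [("alice", "password"), ("bob", "password"), ("carol", "hunter2")]}
    print("shared digests:", find_shared_hashes(table))
    print("pbkdf2:", pbkdf2_hash("hunter2"))
    print("scrypt:", scrypt_hash("hunter2"))
    print("wrapped legacy:", wrap_legacy_md5(table["carol"]))
```

Two salted records for the same password differ, so `find_shared_hashes` finds nothing in a PBKDF2 or scrypt table; that, plus the per-guess cost, is the whole difference between the breach's scheme and the schemes the thread argues for. The cost parameter lives inside the record, so iteration counts can be raised later without invalidating existing records.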
Re: (Score:2)
It doesn't *matter* how many times you iterate any Merkle-Damgård based hash, when the padding allows me to just length-extend to zero. I'll just iterate the same number of times.
It is time to line these people up against a wall (Score:1)
... and shoot them. There is absolutely no excuse for not protecting passwords in a database effectively.
And then I got high (Score:2)
Kibana managing ES? (Score:2)
Kibana is merely a visualization component for data living on ES, not as TFS claims:
"Kibana apps are normally used by a company's IT and development staff, as the app allows programmers to manage Elasticsearch databases via a simple web-based visual interface"
Re: (Score:2)
Yeah, that was a bit ... strange.
It does allow you to save ad-hoc queries into the data, and maybe that's the "manage" they're talking about. I'd say it's more "monitor", though.
But that ability to save queries was one of my big complaints about Kibana. Maybe they've changed it, but when I set it up many years ago, it used the same ES database to save the configuration stuff as the data it was searching against, so you couldn't lock down the database as read-only. (This was pre-ES 5.0, so ES security s
Who uses real names? (Score:4, Interesting)
Especially with things like this.
The only site where I used my real name is my bank, even Amazon delivers everything to my cat.
Hashing (Score:1)
Wait, you said secure hashing? I secured the hash!