US Physics Lab Fermilab Exposes Proprietary Data For All To See (arstechnica.com)
Multiple unsecured entry points allowed researchers to access data belonging to Fermilab, a national particle physics and accelerator lab supported by the Department of Energy. Ars Technica reports: This week, security researchers Robert Willis, John Jackson, and Jackson Henry of the Sakura Samurai ethical hacking group shared details of how they were able to reach sensitive systems and data hosted at Fermilab. After enumerating and peeking inside the fnal.gov subdomains using commonly available tools like amass, dirsearch, and nmap, the researchers discovered open directories, open ports, and unsecured services that attackers could have used to extract proprietary data. An FTP server exposed configuration data for one of Fermilab's experiments, "NoVa," which studies the role of neutrinos in the evolution of the cosmos. One of the tar.gz archives hosted on that FTP server contained Apache Tomcat server credentials in plaintext. The researchers verified that the credentials were valid at the time of their discovery but stopped there so as to keep their research within ethical bounds.
Likewise, in another set of unrestricted subdomains, the researchers found over 4,500 tickets used for tracking Fermilab's internal projects. Many of these contained sensitive attachments and private communications. And yet another server ran a web application that listed the full names of users registered under different workgroups, along with their email addresses, user IDs, and other department-specific information. A fourth server identified by the researchers exposed 5,795 documents and 53,685 file entries without requiring any authentication. [...] Fermilab was quick to respond to the researchers' initial report and squashed the bugs swiftly.
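The Tomcat-credentials-in-a-tarball finding above is exactly the kind of thing a pre-publication review of anything placed on a public file server should catch. The following is an added example, not code from the original post, from Fermilab, or from the researchers: a small Python scanner that reads a .tar.gz entirely in memory (it never extracts members to disk, so hostile paths inside the archive are harmless), pulls user/password pairs out of any tomcat-users.xml it finds, and applies a key=value heuristic to other text members. The archive it scans is constructed inside the script and has no relation to the real data; the file names, the "example-cfg" prefix and the regex are assumptions for illustration.

```python
"""Scan a .tar.gz bundle in memory for plaintext credentials.

Added example for this page; not Fermilab's, Tomcat's or the researchers' code.
The sample archive built below is constructed test data, not real data.
"""
import io
import re
import tarfile
import xml.etree.ElementTree as ET

# Heuristic for key=value / key: value secrets in properties, YAML, shell and
# XML attribute text. Bare "pass" is included on purpose so names such as
# keystorePass are caught; expect some false positives (e.g. "bypass=") to triage.
SECRET_RE = re.compile(
    r'(?P<key>\b[\w.\-]*(?:pass(?:word|wd)?|pwd|secret|token)[\w.\-]*)'
    r"\s*[=:]\s*['\"]?(?P<value>[^\s'\"<>]+)",
    re.IGNORECASE,
)

def mask(secret: str) -> str:
    """Keep a two-character prefix so a finding can be matched to a known value
    without reprinting the whole secret into a report."""
    return secret[:2] + '*' * max(len(secret) - 2, 0)

def tomcat_users(data: bytes):
    """Yield (username, password) from a tomcat-users.xml document.
    Tomcat keeps these in plaintext unless a CredentialHandler is configured."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return
    for el in root.iter():
        if el.tag.rsplit('}', 1)[-1] == 'user':        # tolerate the xmlns prefix
            user = el.attrib.get('username') or el.attrib.get('name')
            pw = el.attrib.get('password')
            if user is not None and pw is not None:
                yield user, pw

def scan_archive(blob: bytes, max_member_bytes: int = 1_000_000):
    """Return findings as (member_name, kind, key, masked_value) tuples.

    Members are read straight from the stream, nothing is written to disk, and
    oversized members are skipped to bound memory use on decompression bombs."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode='r:gz') as tar:
        for member in tar:
            if not member.isfile() or member.size > max_member_bytes:
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            data = fh.read()
            if member.name.endswith('tomcat-users.xml'):
                for user, pw in tomcat_users(data):
                    findings.append((member.name, 'tomcat-user', user, mask(pw)))
                continue
            try:
                text = data.decode('utf-8')
            except UnicodeDecodeError:
                continue                                 # binary member, skip it
            for m in SECRET_RE.finditer(text):
                findings.append((member.name, 'kv-secret', m.group('key'), mask(m.group('value'))))
    return findings

def build_sample_archive() -> bytes:
    """Constructed test data: a Tomcat users file, a properties file holding a
    database password, a harmless README and a binary blob."""
    members = {
        'example-cfg/conf/tomcat-users.xml': (
            b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">\n'
            b'  <role rolename="manager-gui"/>\n'
            b'  <user username="admin" password="s3cretpass" roles="manager-gui"/>\n'
            b'</tomcat-users>\n'
        ),
        'example-cfg/conf/db.properties': (
            b'db.url=jdbc:postgresql://db.example.internal/app\n'
            b'db.user=app\n'
            b'db.password=hunter2\n'
        ),
        'example-cfg/README': b'Configuration bundle for a test deployment.\n',
        'example-cfg/blob.bin': bytes(range(256)),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == '__main__':
    for member, kind, key, value in scan_archive(build_sample_archive()):
        print(f'{kind:12} {member}: {key} = {value}')
```

Run against the constructed archive it reports the Tomcat "admin" user and the db.password entry and stays silent on the README and the binary member. Two caveats for real use: the regex is a triage aid, not proof of absence (base64 blobs, keystores and hashed passwords need their own checks), and a bundle that passes the scan can still leak hostnames, paths and internal structure worth keeping off an anonymous FTP server.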
Re: At least it wasn't the. . . (Score:1)
Science knows no borders to other places.
The only border we draw is to dictators spreading hate and their moronic livestock.
So be nice or stay out.
Re: (Score:1)
Didn't we pay for it? (Score:2)
Re: (Score:3)
That "personal" stuff wasn't private for most of Fermilab's history; the staff directory, including position, group, office location, mail station, and direct-dial telephone extension, was public anyway, and the username was part of the email address.
Re: (Score:2)
I'd generally agree with you, but other countries don't make their taxpayer funded data and engineering open. Even projects the US helps pay for like ITER and CERN the data isn't nearly as freely shared with us as you would think. If we opened it up and others didn't follow, it would just be an advantage for everyone else. I would however like to see a more open standard for collaborations of this kind. ITER, CERN, and other international projects should have everything from control code to engineering blue
Re: (Score:2)
Data is often embargoed so that no one can swoop in and 'scoop' the researchers that put millions of hours and grant dollars into a research project, but once the embargo is over, the data is fairly public. Sometimes it is even placed out in the open. I've used data from https://opendata.cern.ch/ [opendata.cern.ch] in my physics classes.
I've also recently started looking at what LIGO shares. https://www.gw-openscience.org... [gw-openscience.org]
Re: (Score:3)
I totally agree that data generated by institutions like Fermilab need to be accessible read-only to all.
However, the article didn't say if the data could be modified... corrupted... ahem... improved.
This should be public information (Score:1)
Fermilab is taxpayer-funded, how do they have "proprietary" data? That's the news and biggest crime here.
Re: (Score:2)
Re: This should be public information (Score:1)
Wat . . .
Who cares who published it? It's gonna be useful for us either way.
They still produced the data. And they can still publish findings based on it, even if another entity does publish their findings on it first.
This competitive and exclusivist thinking has no place in a system whose point is to benefit us all. We're not enemies. We're a team.
(Compare: US, EU, Russian and Chinese astrophysics and space faring scientists cooperating, no matter what their dicktatorships think of each other.)
Re: (Score:2)
I can think of no better way for a lab to demonstrate performance than to point to the explosion of the number of studies utilizing the data -
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Just because the security researchers claimed that the data is "proprietary" doesn't mean it is. Since I am on one of the collaborations mentioned, I can say that none of it is in our case, and all of it was *intended* to be public, so the fact that they found that it was available wasn't exactly a shock.
Re: (Score:2)
Not everything that FermiLab (and other gov't funded labs) does is unclassified. We have an applied physics lab at the local university. There's lots of interesting theoretical work being done there. But occasionally you walk by a doorway with an armed guard.
Re: (Score:2)
Inconceivable! (Score:2)
There's all sorts of regulations on the books that prohibit this sort of laxity.
Since the lab is obligated to follow the regs, clearly the hackers are mistaken.
Harumph!
Discovered a new particle: (Score:2)
the breachon
Re: (Score:2)
gordon freeman
What's impressive to me... (Score:2)
This is very different from Equifax, Facebook, etc.
Re: (Score:2)
jhylkema's lament (Score:2)
And the people who did this have full-time, good-paying jobs with benefits.
heyy (Score:1)
Wait, aren't they government? (Score:3)
If so, isn't all that information public by law?
And the potential hackers will do what? (Score:2)
Analyze the data and produce papers? Copy the data and hold it for ransom/release?