Misconfigured Port Opens Door to Attackers

Wednesday, August 9, 2017 @ 02:08 PM gHale

Redacted screenshot of “computer stuff.docx” and the sensitive access data contained therein.

An open port used for rsync server synchronization left the network of Power Quality Engineering (PQE) wide open to attackers, researchers said.

Attacks on companies’ electrical systems are falling under the spotlight these days, and they become all the more possible when data from those systems is freely accessible online.


“On July 6th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an open port configured to accept packets at an IP address which, when entered into a command-line interface, returned a fully downloadable data repository originating from Power Quality Engineering,” UpGuard analyst Dan O’Sullivan said in a blog post. PQE is a Cedar Park, TX-based electrical engineering operator.

Vickery was able to access and pilfer 205 GB of data from PQE’s servers, up until the moment the company secured its systems two days after UpGuard notified them of the problem.

PQE’s customers include Oracle, Dell, Texas Instruments and the City of Austin.

Among the documents that Vickery managed to cull were reports containing electrical infrastructure data of those customers’ facilities.

“Beyond this highlighting of potential weak points and trouble spots in customer electrical systems, publicly downloadable schematics reveal the specific locations and configurations of government-operated top secret intelligence transmission zones within at least one Dell facility,” O’Sullivan said.

“The exposed port granting public access to these systems, 873, is the default port used for rsync (remote synchronization), a command line utility that allows for the easy and rapid copying of data to another machine,” O’Sullivan said. “While the IP addresses able to access these systems via this port can be easily restricted by IT administrators using rsync’s ‘hosts allow/deny’ functions, this requires an extra step once the rsync utility is configured. This default accessibility, while simple to restrict, can be missed.”
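The rsync daemon reads its modules from rsyncd.conf, and a module with no “hosts allow” line (and no “auth users” line) is served to any host that can reach port 873. The following is an added example, not code from UpGuard or from PQE’s systems: a small auditor that parses a constructed rsyncd.conf and reports which modules are reachable by any host without credentials. The sample configuration, the module names and paths are all made up for illustration.

```python
import configparser

# Constructed sample rsyncd.conf (not PQE's configuration). The first module
# relies on rsync's default of accepting every host; the second is restricted
# with 'hosts allow' / 'hosts deny' and requires authentication.
SAMPLE_RSYNCD_CONF = """
uid = nobody
gid = nobody
use chroot = yes

[engineering]
path = /srv/engineering
comment = Customer reports and schematics
read only = yes

[backup]
path = /srv/backup
hosts allow = 10.0.0.0/8 192.168.1.0/24
hosts deny = *
auth users = backupuser
secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text into (global_settings, {module: settings}).

    rsyncd.conf is INI-like: parameters before the first [module] header are
    global defaults that every module inherits unless it overrides them.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[__global__]\n" + text)
    global_settings = dict(cp["__global__"])
    modules = {name: dict(cp[name]) for name in cp.sections() if name != "__global__"}
    return global_settings, modules


def audit_rsyncd_conf(text):
    """Return the names of modules any host can reach without credentials.

    A module is flagged when, after applying the global defaults, it has
    neither a 'hosts allow' restriction nor an 'auth users' requirement.
    """
    global_settings, modules = parse_rsyncd_conf(text)
    exposed = []
    for name, settings in modules.items():
        effective = {**global_settings, **settings}
        has_host_filter = bool(effective.get("hosts allow", "").strip())
        has_auth = bool(effective.get("auth users", "").strip())
        if not (has_host_filter or has_auth):
            exposed.append(name)
    return exposed
```

Running `audit_rsyncd_conf(SAMPLE_RSYNCD_CONF)` flags only `engineering`; adding a global or per-module `hosts allow` line clears it, which is the extra step O’Sullivan describes.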

Among other findings, Vickery was able to gain access to a plain text file of internal PQE passwords, potentially enabling further access to more company systems.

This report is not meant to single out PQE; it is a cautionary tale for others about how easily exposed Internet-facing systems can be reached.

It is also a case of where a simple misconfiguration can open the doors to attackers.

That means companies need to have a plan in place to make sure such gaps are identified and closed immediately.
