Extensive Breach at Intl Airport ...
In what should be considered a complete compromise of network integrity, New Yorks Stewart International Airport was recently found exposing 760 gigs of backup data to the public internet. No password. No username. No authentication whatsoever.
The leaky data set includes everything from sensitive TSA letters of investigation to employee social security numbers, network passwords, and 107 gigabytes of email correspondence. Until I notified the facilitys management this past Tuesday, there existed a real risk to the security and safety of this US airport.
This is an important case study in how business practices can result in data breaches. According to the materials present, the Port Authority of New York & New Jersey contracts out management of Stewart International to a private company named AvPORTS. That company then contracts with a sole IT guy that is only on site two or three times per month.
You cannot expect one person to maintain an airport network infrastructure. Doing so is a recipe for security lapses. This is a classic example of what can go wrong with privatization. For-profit companies have every incentive to, all too often, prioritize revenue over best practices.
This is emphasized by the AvPORTS incident response performance. In an industry at the level of airport management, every employee needs to have at least cursory data breach readiness training. The first person I spoke with at AvPORTS was very nice to me, but at one point asked me if this “could wait until tomorrow”.
The answer to that question is no. When your company is leaking government-created documents with phrases such as “Confidential”, “For Official Use Only”, and “Unauthorized release may result in civil penalty or other action”, you cannot simply wait until tomorrow. It requires immediate action.
I was somewhat relieved when an AvPORTS COO did call me back a few minutes later, around 12pm Pacific US time. He assured me that I would be hearing from their IT staff shortly to further investigate and remedy the situation.
Three and a half hours later I had not heard back from anyone and the data breach was still live. I decided to call the Port Authority. They instructed me to call the Stewart terminal and provided a phone number. During that next call, to the terminal operators, the servers exposed port was closed off to the outside world. Its unknown whether or not this was coincidental timing, as the terminal guys claimed that their department cannot make such a change.
The IT Guy
A few hours later, around 7pm Pacific, I finally received a call from the IT guy. The conversation took an initial downturn. He informed me that I had committed a crime by downloading this data and used the analogy of breaking in and stealing items from someones home (which could not be further from the truth).
Fortunately, the conversation evened out when I explained to him that my actions were in no way criminal. The device had been configured in a manner which was distributing these files publicly without a single username, password, or other authentication measure in place. Regardless of intention, this machine was, in essence, acting as a public web server.
So, how did this happen? Here are some clues-- The IT guy I spoke with informed me that a few months ago the airport had experimented with using a backup software known as ShadowProtect. I was informed that part of the process involved opening port 873 on the firewall and that the ShadowStream service, part of ShadowProtect, may have been utilizing some aspect of the remote synchronization service (rsync). This is just what I was told in that conversation.
That may be a bit of a red herring though and only part of the puzzle. Within the backups I was able to locate an email chain indicating that AvPORTS purchased at least one Buffalo Terastation backup NAS device in March of 2016.
Those of you that keep up with my work may recall this same make and model of NAS device being at the center of a recently reported Ameriprise Financial data breach. In fact, I have made several other recent breach findings involving this particular device.
My hypothesis is that there may be a default opening of port 873 on some number of Buffalo Terastations. Keep in mind that port 873 had been intentionally opened on Stewart Internationals firewall during part of the experiment with ShadowProtect.
The current working theory is that these two factors aligned and resulted in a breach scenario. But all of this begs the question: Would such an oversight happen if AvPORTS employed even one full-time IT guy at Stewart?
You get what you pay for, even in IT.
For more info, see the ZDNet article here: http://www.zdnet.com/article/unsecured-servers-at-new-york-airport-left-exposed-for-a-year
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org