Of Shells and Cigarettes

Popular articles

01 / 03 / 2017

Of Shells and Cigarettes

As a follow-up to the widely-reported MongoDB apocalypse, I’d like to share a few past discoveries that are noteworthy, but were not reported in the media.

During the beginning of 2017, the security community witnessed an Armageddon of sorts for publicly exposed, unsecured MongoDB databases. Several groups of criminal hackers utilized automated scripts to locate and delete this class of database while leaving behind false ransom notes that, if paid, would not actually result in returned data.

I use the word “criminal” here because the databases were maliciously altered (i.e. deleted). Merely accessing a publicly exposed database is, in my contention, not a crime.

The result is tens of thousands of empty databases scattered throughout the web and many heartbroken administrators. It feels appropriate at this point to go through my breach backlog and reminisce about a couple of exposed MongoDBs that were never reported on for one reason or another.

Shell Oil Logins

A Shell Oil subcontractor in Singapore appears to have been exposing login credentials, and other data, for oil well monitoring systems during at least mid-2016. I discovered over 90 Shell Oil username and password hash combinations in this exposed MongoDB.

While there was plenty of oil well statistical and day-to-day operations data, I was never able to figure out if this system could have been abused to actually cause harm. It would have been illegal for me to use the login data in order to explore and much of the data would only make sense to an oil well engineer.

So, this one has been sitting quietly in my backlog. Although at this point it has probably been deleted by the malicious ransom-seekers.

Philip Morris International

Smoking cigarettes is bad for your physical health, but what were the admins at Philip Morris smoking when they apparently included plain text, non-hashed employee passwords in this marketing-centric database?

Based upon the server’s IP address and the included employee names, I’m fairly certain this one was located somewhere around Sweden.

Not only were the passwords completely exposed, most of the passwords were either reused or only one incremental digit away from another employee’s password. It does little good to have a capital letter, symbol, and length requirement if the passwords are repeated or only one increment away from each other.

These aren’t the exact Philip Morris logins, but they illustrate what I’m talking about:

Employee A password:  “Thursday#17”

Employee B password:  “Thursday#18”

Employee C password:  “Thursday#19”

Employee D password:  “Thursday#18”

Employee E password:  “Thursday#18”

If your company logins look like that, you need to think about the purpose of a password system.

Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher, Chris Vickery. 

Do you have security tips or suggestions? Contact: cvickery@kromtech.com or security@kromtech.com
Stay tuned to the latest security news by visiting MacKeeper Security Watch blog with Chris Vickery.