14 DAY TRIAL // MacKeeper security researcher Chris Vickery, the scourge of all companies that run unprotected MongoDB databases, revealed yesterday another case of such server, this time exposing sensitive data from energy sector giant Pacific Gas and Electric (PG&E).
Vickery says that, sometime last week, he discovered a MongoDB server exposed to the Internet with no administrator account password.
A further investigation revealed to him that the server belonged to PG&E, and the data contained inside was typical for asset management systems, central hubs where network and system administrators keep a central repository of information about hardware equipment and software programs.
Such servers are regularly found in large-scale businesses, where the number of computers can overwhelm even the best sysadmin.
Server contained details of PG&E IT network
Vickery claims that this server contained details about over 47,000 computers from PG&E's network. This included regular PCs, virtual machines, servers, and all sorts of other devices and equipment.
Looking closer at the data, Vickery said he discovered the typical details you'd expect to find in an asset management system, such as IP addresses, MAC addresses, OS versions, hostnames, physical locations, and hashed and cleartext passwords for various PG&E employees.
As you can imagine, and as Vickery pointed out, this data can be a treasure trove of information for any private or nation-backed cyber-espionage group.
Researcher willing to make data available to US authorities
After the researcher told PG&E about the exposed server last Thursday, the company took it down and immediately told Vickery it was only a test server with fake data.
"Fictitious databases do not generally have areas specifically marked development, production, and enterprise," Vickery replied to PG&E's explanation. "Fictitious databases do not generally have over 688,000 unique log record entries. This database did."
The researcher says he currently has a copy of the database on hand, and he'll be willing to provide it to the US Department of Homeland Security for analysis, just in case a state-sponsored group also managed to download this "fake" data as well.
Unlike other databases Vickery discovered in the past, the PG&E instance is of greater importance because the DHS considers any company from the energy sector as part of the country's "critical infrastructure" and will open an inquiry if alerted.
UPDATE: PG&E has supplied Softpedia with a statement in regards to Mr. Vickery's discovery and has recanted on its original response in which it said "the data was fake." A later PG&E investigation proved that the exposed data was actually from a production environment, but used on a test server by one of its third-party showcasing the features of a new platform. The statement is available below.
“ With this incident, it is important to know that none of PG&E’s systems were directly breached in any way and no customer or employee data was involved. A PG&E vendor was hosting an online demonstration using PG&E asset management data to show the capabilities of a platform that they were developing for us. This data contained information on PG&E’s technology assets, such as computers and servers. This data was exposed online by the vendor and was discovered by a third-party researcher. That researcher contacted PG&E security and was unintentionally misinformed that the data was non-sensitive, mocked-up data. We based this feedback on an initial response from the vendor stating that the information in the database was demo or “fake” data. Following further review, we learned that the data was not fake, removed it, and contacted the researcher to correct our statement.We continue working with all of our vendors to have appropriate procedures in place at all times to protect PG&E data in those instances when they have it. ”
