Critical Infrastructure Security , Governance & Risk Management , IT Risk Management
US Physics Laboratory Exposed Documents, Credentials
Fermilab Particle Accelerator Has Fixed Exposed Ports, ServicesThe Fermilab physics laboratory in the U.S. has tidied up its systems after security researchers found weaknesses exposing documents, proprietary applications, personal information, project details and credentials.
The findings were released on Thursday by Robert Willis, John Jackson and Jackson Henry of Sakura Samarai, a collaborative group of security researchers.
Fermilab, which is part of the U.S. Department of Energy, is a world-famous particle accelerator and physics laboratory in Batavia, Illinois.
Willis, who wrote a blog post about the group's findings, tells Information Security Media Group that he sees poor security controls often on government sites, but the group's findings with Fermilab were surprising given the sensitive work the lab does.
Fermilab's security issues could have made it a target for ransomware operators, who have been on a yearslong rampage. "It's a real possibility that with the access we had, ransomware could have been dropped on the network and equipment," Willis says.
Sakura Samurai avoided downloading or opening documents, but it was clear the lab was unintentionally exposing loads of information. One database the researchers discovered allowed unauthenticated access to 5,795 documents and 53,685 file entries.
"We stopped once we discovered/validated one of the server's credentials," Willis says. "We didn’t continue because we had enough evidence and wanted to quickly get the report together with multiple findings so they could be fixed as soon as possible."
In statement, the physics laboratory notes: "Fermilab makes the data described in the article publicly accessible to researchers in support of our worldwide collaboration in open science. Fermilab takes all reports of potential cybersecurity vulnerabilities seriously, and we are continuing to review the matter."
Exposed Data
The researchers enumerated Fermilab's subdomains by using Amass and then hunted for open directories using dirsearch and Nmap to discover open ports and enumerate services, Willis writes in his blog post. Those probes revealed multiple entry points, Willis writes.
One entry point led into Fermilab's IT ticketing system, which displayed 4,500 trouble tickets. Viewing the ticketing system revealed project names as well as configuration data and communication information. Clicking on any person in the system who had been assigned a ticket revealed their email address and title.
"In addition, many of the tickets had file attachments with sensitive information," Willis writes.
The researchers also found credentials to run a physical trolley that is part of a Fermilab Muon g-2 experiment.
Another discovery was a FTP server that required no password and allowed anyone to log in anonymously. The server contained data for internal applications, Willis writes, including configuration data for Fermilab’s NOvA Project, which studies neutrinos.
Within NOvA's files was one called "tomcat_tomcat_NULL.tar.gz" that contained Tomcat credentials. Those proved to be valid, and the researchers stopped pushing any further, as Willis humorously notes: "Knowing the target was Fermilab, we didn’t want to accidentally cause the creation of a black hole by touching the wrong thing."
On yet another part of the system, the researchers found that part of a web application exposed full names, emails, user IDs and the security workgroups and assigned login groups as well as documents.
Another one of Fermilab's subdomains also revealed credentials, Willis writes.
"One of Fermilabs’ subdomains was identified as an internal Electronic Logbook system used to communicate project data and analysis logbook entries," he writes. "Using the 'Words' filter query, we were able to identify service passwords and the IPs the services were hosted on. It’s never a good idea to put IPs and their credentials in an open log book."
Fermilab was quick to respond to the group's findings. "The time from initial contact to their validation and impact analysis to remediation was less than two weeks," Willis says.