Robo-drop: Factory bot biz 'leaks' automakers' secrets onto the web

Yet another organization has allegedly been caught accidentally exposing more than 100GB of sensitive corporate data to the open internet. This time it's Canadian outfit Level One Robotics, which specializes in building factory robots for automakers. The exposed information includes, it is claimed, confidential documents …

  1. Gene Cash

    Now we know why Tesla's assembly line suddenly improved!

  2. Mark 85

    Things like this seem to be a common mistake. I'm guessing the bosses feel that the computers are locked up, the building is secure, but forget about that cable leaving the building for when they want to log in during off hours. The methods of access may be different due to software but the results are the same.

    Admins are human and in the rush (it's always a "rush", right?) they forget the basics or get moved to another project before they finish.

  3. Pascal Monett

    A correction

    It's not

    "Level One takes these allegations very seriously and is diligently working to conduct a full investigation of the nature, extent and ramifications of this alleged data exposure"

    but more likely:

    "Level One takes these allegations very seriously and is diligently working to create a lot of professional-sounding noise and pantomime to cover the issue up, brush it under the rug and get its incompetence forgotten as soon as possible"

    I know sysadmins are always harassed by new rush jobs, but the professionals I know are not going to drop anything concerning security just to get the boss his access to YouPr0n - not until the security stuff is finished. Normally, they wouldn't even put something online until the security has been properly configured.

  4. Chris G

    Security, people don't get it

    Most people don't get security until after they have been victims.

    An analogy: on exercises in the army, you would get recruits all cammed up, face paint, hiding in a hole under a bush waiting to ambush someone at night.

    The trouble would be that they would sneak a crafty smoke at the bottom of the trench or chat in whispers, and only be looking in the direction they were expecting the enemy from.

    With a light-intensifying scope you can see the glow when someone is drawing on a ciggy from a few hundred metres out; you can hear whispers from a couple of hundred metres.

    Because they are not concentrating while chatting or smoking, it is fairly easy to sneak up and drop a smoke grenade down their trench, or something much worse. Usually after that they learn to be a little more serious, when they realise the difference is being alive or dead in reality.

    If security is not taken 100 percent seriously it is not secure.

  5. frank ly

    Facing modern reality

    Why doesn't a company with that level of spending, 'expertise' and commercial sensitivity get professional pen-testers to regularly try to break into their network?

    It sounds like Upguard should have a regular monthly gig trying to break into Level One Robotics and other places.

  6. Doctor Syntax

    "Level One takes these allegations very seriously and is diligently working to conduct a full investigation of the nature, extent and ramifications of this alleged data exposure"

    But no mention of working, even casually, to fix it? After all it's only an allegation.

    Is this sort of response just PR or does it also reflect the thinking of the management that got them into this position?

    1. Peter Ford

      It's PR, and rubbish PR at that.

      The correct response should be

      "Ooh, bollocks: better get that fixed. Sorry Mr CIO, your bonus just got spent on some sysadmin overtime"

  7. GnuTzu

    rsync port???

    Does that mean that the well-known port for the rsync daemon was open, the one that doesn't use encryption? Isn't the usual way to run rsync under ssh, which would require logins, AFAIK?

    1. Michael Wojcik

      Re: rsync port???

      It may not have been the well-known port, but yes, it appears to be the bare rsync protocol.

      While it's common these days to run rsync through an SSH tunnel (for some value of "common"), when rsync was first released in the mid-1990s SSH was much less common. SSHv1 (which has major security issues) is only about a year older than rsync, and SSHv2 wasn't released for another decade.

      Consequently, there are plenty of UNIX sysadmins who grew up using bare rsync "because it's a private network", or even "no one knows our IP addresses". (I heard that latter excuse from a sysadmin at a US DoD facility once in the late 1990s...)

      And bad habits persist.
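
The distinction the two posts above draw is between rsync over SSH, where the SSH login authenticates the client, and the bare rsync daemon protocol (rsync://, TCP 873 by default), which has no transport encryption and authenticates a module only if that module, or the global section, sets `auth users`. The following is an added example, not code from the thread, from The Register or from Level One: a small POSIX shell audit that parses an rsyncd.conf and reports, per module, whether it is served anonymously and whether it is at least restricted by `hosts allow`. The configuration it reads is constructed for illustration; the module names and paths are not from the article.

```shell
#!/bin/sh
# Added example: audit an rsyncd.conf for modules that a bare rsync daemon
# would serve without any authentication. Not code from the thread or from
# Level One; the configuration below is constructed for illustration.

SAMPLE_CONF='
# global section: defaults inherited by every module
uid = nobody
gid = nogroup
use chroot = yes
max connections = 4

[engineering]
    comment = CAD drawings; nothing stops an anonymous rsync:// pull
    path = /srv/engineering
    read only = yes

[backups]
    path = /srv/backups
    read only = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
'

# audit_rsyncd_conf CONFIG_TEXT
# Prints one line per module: "<module> <auth> <hosts>", where
#   auth  is "authenticated" if the module (or the global section) sets
#         "auth users", else "anonymous";
#   hosts is "host-restricted" if "hosts allow" is set, else "open-to-all".
# rsyncd.conf global-section parameters act as defaults for all modules,
# so they are tracked separately and copied in when a module header starts.
audit_rsyncd_conf() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (module == "") return
            a = auth  ? "authenticated"   : "anonymous"
            h = hosts ? "host-restricted" : "open-to-all"
            printf "%s %s %s\n", module, a, h
        }
        # drop comments and surrounding whitespace; skip blank lines
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        /^\[.*\]$/ {
            flush()
            module = substr($0, 2, length($0) - 2)
            auth = gauth; hosts = ghosts        # start from global defaults
            next
        }
        /^auth users[ \t]*=/  { if (module == "") gauth  = 1; else auth  = 1 }
        /^hosts allow[ \t]*=/ { if (module == "") ghosts = 1; else hosts = 1 }
        END { flush() }
    '
}

# count_anonymous CONFIG_TEXT: number of modules served with no "auth users"
count_anonymous() {
    audit_rsyncd_conf "$1" | awk '$2 == "anonymous" { n++ } END { print n + 0 }'
}

audit_rsyncd_conf "$SAMPLE_CONF"
echo "anonymous modules: $(count_anonymous "$SAMPLE_CONF")"
```

Run against the constructed config it reports `engineering anonymous open-to-all` and `backups authenticated host-restricted`. Note that `hosts allow` is only an address filter and is not a substitute for `auth users`; a module that is anonymous but host-restricted still relies entirely on nobody outside the allowed range being able to reach port 873, which is exactly the "it's a private network" assumption Michael Wojcik describes.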

  8. EnviableOne

    To quote from the sysadmin bible

    And so it was spake "Thou shalt treat the network as pwn3d and the network shall treat the device as pwn3d also" and from this day, all ignored the advice and failed to authenticate connections.
