Elasticsearch server with no password or encryption leaks a million records

Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub. Safety Detectives’ report states it found a StoreHub server that stored unencrypted data and was not …

  1. andy 103

    Clue's in the name

    You just can't have a camel cased 2-word company name that ends "Hub" and be taken seriously.

    It's associated with one thing with a notable orange and black logo.

    In terms of this particular story though... crikey.

    1. Tom 38

      Re: Clue's in the name

      GitHub doesn't have orange on its logo? Instructions unclear.

      1. andy 103

        Re: Clue's in the name

        @Tom 38 To give you some numbers on how relatively few people use GitHub here are some stats...

        GitHub: 32 million visitors / month

        PornHub: 2.4 billion visitors / month

        Yep, turns out porn is more popular than code.

        1. Anonymous Coward

          Re: Clue's in the name

          I can't believe it!

        2. This post has been deleted by its author

    2. captain veg Silver badge

      Re: Clue's in the name

      camelCase has initial lowercase. And looks stupid.

      PascalCase (or ProperCase) is what you have in mind.

      -A.

    3. Ken Moorhouse Silver badge

      Re: ...ends "Hub" and be taken seriously.

      Are you suggesting that changing the name to StoreSwitch should help deter eavesdroppers?

  2. Pascal Monett Silver badge

    A "misconfigured" server

    Nice.

    I'll have to remember that the next time I need to explain why somebody fucked up.

  3. Anonymous Coward

    Why do Governments

    around the world (in particular, the U.K. and the E.U.) feel the need to "break" encryption?

    All they need to do is wait for a company, (with an I.T. section comprised of total fuckwits) to go online and, voila, instant free access to info they feel they "need".

    Though yes. It is management's fault, for employing said fuckwits in the first place. So sack the fuckwits and also the totally fuckwitted management as well. Or is that too much to expect?

    Cheers... Ishy

    1. ThatOne Silver badge

      Re: Why do Governments

      "Fuckwits"? Why, those are just efficient managers who only care about what's important, their bottom line. Why bother securing that server and complicating access (unnecessarily wasting money)? It doesn't contain anything of value to them, and if somehow things get ugly, OMG we got hacked, so sorry...

      The fact that your name is John Doe, you live at 123 Main Street and you just mail ordered suspiciously large-sized female lingerie might be of importance to you, but certainly isn't worth protecting for them... Never ever expect commercial entities to stand up and defend you, you're just another line in the account book.

      1. Yet Another Anonymous coward Silver badge

        Re: Why do Governments

        Also by having no passwords you can safely put out a statement saying no passwords were stolen. Clever

    2. Cliffwilliams44 Silver badge

      Re: Why do Governments

      Yeah, what are they thinking! They should just hire consultants! What could possibly go wrong!

  4. Mike 137 Silver badge

    Cultural misapprehension

    Almost everyone seems to believe that their cloud service provider will also be fully responsible for the security of the client's data. What they don't understand (primarily because they haven't been told) is that individual clients are of negligible value to a cloud provider - the service is only profitable in bulk. Consequently the 'security' you get inclusive is generic only - nothing specifically related to your individual enterprise needs. In fact it's primarily the security needed to protect the provider, not the customer. There may be security facilities (e.g. 2 factor support) on offer but it's the client's responsibility to make use of them - and indeed to determine its needs and implement security according to those needs.

    When a cloud provider states that it's 'secure' it means they believe it's hard to breach their infrastructure. It doesn't mean you can forget about the security of your data, because they leave that to you.

  5. Ozumo

    So, their POS system was a POS?

    1. chivo243 Silver badge

      So, their POS system was a POS?

      So the Piece of $h1t as a Point of Sale system? Gotcha!

  6. Anonymous Coward

    Burn the fuckers.

    Start with their board of directors.

    1. A random security guy

      Re: Burn the fuckers.

      That is like stating that Johnson was responsible for the party in 10 Downing Street. Geez. He just lived there.

  7. A random security guy

    5 Eyes

    The 5 Eyes of security: Australia, Canada, New Zealand, the United Kingdom, and the United States.

    The 5 Eyes of Cyber Security: No password, no TLS, No Firewall, No Monitoring, No Remediation.

    1. Suragai

      Re: 5 Eyes

      That seems like the "5 nays of Cyber Security"...

  8. captain veg Silver badge

    "partially masked credit card information"

    'Customers’ orders, plus the locations they ordered from and the times at which they ordered, were also open to the world. Safety Detectives asserts that order details included “partially masked credit card information.”'

    Is that where they replace the last four digits with XXXX? So, only 1000 combinations to brute force. Or just look for the same individual in some other breach where they masked the *first* four digits instead of the last.

    -A.

    1. Falmari Silver badge

      Re: "partially masked credit card information"

      @captain veg “Is that where they replace the last four digits with XXXX? So, only 1000 combinations to brute force.”

      I think you missed a zero; should it not be 10000 combinations, 0000 > 9999?

      I thought partially masked credit card numbers, normally mask all but the last 4 numbers XXXX XXXX XXXX nnnn.

      1. ThatOne Silver badge

        Re: "partially masked credit card information"

        Indeed the last, because the first digits are all technical (codes for VISA/AMEX/Mastercard/Whatever). Don't know for sure, but I think only the last 8 digits code for the specific client.

        Point being that if you keep the first 4 numbers, the result will be identical for all the cards of a given credit card brand...
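The brute-force arithmetic in the thread above can be checked directly. The following is an added example, not code from the article, from StoreHub or from any commenter: it enumerates every card number consistent with a masked PAN and keeps only those that pass the Luhn check digit, and it merges two copies of the same number masked at different ends, as captain veg describes. The sample number 4111 1111 1111 1111 is the standard Visa test PAN and the masked strings are constructed for illustration, not data from the leak; the 16-digit format and the use of "X" as the mask character are assumptions.

```python
"""Added example (not from the article or the comments): what a
'partially masked' card number really hides.

Assumptions: 16-digit PANs, 'X' marks a masked digit, and the sample
numbers are constructed test values (4111 1111 1111 1111 is the standard
Visa test PAN), not data from the StoreHub leak.
"""

import itertools
import re
from typing import List, Optional


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812 check digit)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidates(masked: str) -> List[str]:
    """Enumerate every PAN consistent with a masked number such as
    '4111 1111 1111 XXXX' and keep those that pass Luhn.

    Four masked digits give 10**4 raw combinations, but the last digit is a
    check digit, so exactly one in ten survives: 1000 candidates, as the
    first comment said (the 'missing zero' is eaten by the checksum).
    """
    masked = re.sub(r"\s+", "", masked)
    if not re.fullmatch(r"[0-9X]+", masked):
        raise ValueError("PAN may contain only digits and X")
    holes = [i for i, c in enumerate(masked) if c == "X"]
    out = []
    for fill in itertools.product("0123456789", repeat=len(holes)):
        chars = list(masked)
        for pos, digit in zip(holes, fill):
            chars[pos] = digit
        pan = "".join(chars)
        if luhn_valid(pan):
            out.append(pan)
    return out


def merge_masks(a: str, b: str) -> Optional[str]:
    """Combine two differently masked copies of the same PAN (one source masks
    the first four digits, another masks the last four). Returns the full
    number if the visible digits agree and no position is masked in both,
    else None."""
    a = re.sub(r"\s+", "", a)
    b = re.sub(r"\s+", "", b)
    if len(a) != len(b):
        return None
    merged = []
    for x, y in zip(a, b):
        if x == "X":
            merged.append(y)
        elif y == "X" or x == y:
            merged.append(x)
        else:
            return None          # the two records disagree on a visible digit
    full = "".join(merged)
    return None if "X" in full else full


if __name__ == "__main__":
    last_four_masked = "4111 1111 1111 XXXX"
    first_four_masked = "XXXX 1111 1111 1111"
    print(len(candidates(last_four_masked)), "Luhn-valid candidates")
    print("merged:", merge_masks(last_four_masked, first_four_masked))
```

The enumeration shows why "only the last four visible" (the usual PCI DSS display rule) is the right way round: the leading digits identify the issuer and are largely shared across a brand, so hiding them hides little, while hiding the trailing digits still leaves a thousand Luhn-valid guesses and only a second, differently masked record turns that into a full number.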

  9. yetanotheraoc Silver badge

    Security is so easy

    chmod -R 0777 /

    (ring, ring) "oh" , "...pledged to do much better in future..."

    chmod -R 0776 /

    There, all better (for certain values of all and better).
