Crooks exploit OpenMetadata holes to mine crypto – and leave a sob story for victims

Crooks are exploiting now-patched OpenMetadata vulnerabilities in Kubernetes environments to mine cryptocurrency using victims' resources, according to Microsoft. OpenMetadata is a suite of open-source software for organizing and working on non-trivial amounts of information, making it possible to search, secure, and export …

  1. Pascal Monett Silver badge

    "avoid using the default credentials"

    I'm sorry but, in this day and age, if you are a company installing a product and you use the default credentials, you deserve all the pain you get.

    1. dkjd

      Re: "avoid using the default credentials"

      In this day and age why do products allow default credentials to work forever?

      1. hoola Silver badge

        Re: "avoid using the default credentials"

        Even more basic, why is there even a default credential?

        It really is not that complicated to generate a unique password or force a change at the point of install. Heck, even Windows does that.

        1. Anonymous Coward

          Re: "avoid using the default credentials"

          Complicated? Not from a technical point of view, no. But they can be politically complicated.

          My team just did that (randomly-generated initial credentials, and other more-secure-upon-installation features) with the upcoming release of one of our major product lines, and you should have heard the complaints from other development teams on the product. We took a lot of flak. That's despite announcements, training, demonstrations of vulnerabilities in previous versions, providing a mechanism to turn all the security back off after installation, and so on.

          Security features,[1] as I tried to explain to people, are going to cause you some discomfort. That's their job: to make some things more difficult. The intent is that legitimate users pay a small cost now, to use those security features, and in exchange don't pay a large cost later, when the system is subverted.

          So often developers shy away from implementing even basic security features like randomly-generated initial credentials, or are instructed not to implement them, because they're unpopular.

          [1] That is, user-observable security mechanisms in the system, and not transparent security improvements like bug fixes, code quality, and the like.
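As an added illustration of the install-time mechanism hoola and the Anonymous Coward describe (this is not code from OpenMetadata or from either commenter): a minimal credential store that generates a unique initial password when the first admin is provisioned, refuses a well-known default pair outright, and forces rotation on first login. The default pair and the minimum-length policy are constructed placeholders, not values taken from the article.

```python
import hashlib
import hmac
import os
import secrets

# Constructed placeholder for a well-known default pair; the article quotes no real defaults.
DEFAULT_CREDENTIALS = {("admin", "admin")}
MIN_PASSWORD_LENGTH = 12  # assumed policy, not from the page


class CredentialStore:
    """In-memory store: username -> {salt, digest, must_change}."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def provision_initial_admin(self, username="admin"):
        """Install-time hook: mint a random password, flag it must-change, return it once."""
        password = secrets.token_urlsafe(24)
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "digest": self._digest(password, salt),
            "must_change": True,
        }
        return password  # shown to the installer exactly once, never stored in clear

    def authenticate(self, username, password):
        """Return 'ok', 'must_change_password', 'rejected' or 'rejected_default'."""
        if (username, password) in DEFAULT_CREDENTIALS:
            return "rejected_default"  # a known default never logs in, whatever is stored
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(
            rec["digest"], self._digest(password, rec["salt"])
        ):
            return "rejected"
        return "must_change_password" if rec["must_change"] else "ok"

    def change_password(self, username, old, new):
        """Rotate the password; refuses defaults, short values and re-use of the old one."""
        if self.authenticate(username, old) not in ("ok", "must_change_password"):
            return False
        if (username, new) in DEFAULT_CREDENTIALS or len(new) < MIN_PASSWORD_LENGTH or new == old:
            return False
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "digest": self._digest(new, salt), "must_change": False}
        return True
```

Until `change_password` succeeds, every login returns `must_change_password`, so an installer cannot simply leave the generated credential in place.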

  2. sitta_europea Silver badge

    And who in his right mind puts something like that on the Internet?

    1. Michael Wojcik Silver badge

      Yeah. People need to stop exposing stuff on the public network. While we know the "egg" model (hardened perimeter, soft inside) is desperately flawed and we really need "zero-trust" (authenticate and authorize even inside), and VPNs are riddled with bugs, blocking public traffic is at least a start. Come on, people. Raise the work factor just a little.

      I really have very, very little sympathy for people who leave services like this exposed. Or for people who go a month leaving them unpatched.
