Multiple insecure entry points allowed researchers to access data belonging to Fermilab, a national particle physics and accelerator laboratory funded by the Department of Energy.
This week, security researchers Robert Willis, John Jackson, and Jackson Henry of the Sakura Samurai ethical hacking group shared details of how they were able to reach sensitive systems and data hosted at Fermilab.
After enumerating fnal.gov subdomains with common reconnaissance tools and probing what they found, the researchers discovered open protocols, open ports, and unprotected services that attackers could have used to extract personal data.
Naked FTP server
The server exposed configuration data for one of Fermilab's experiments, NOvA, which studies the role of neutrinos in the evolution of the cosmos.
The researchers discovered that one of the tar.gz archives hosted on the FTP server contained Apache Tomcat server credentials in plaintext.
The researchers confirmed that the credentials were valid at the time of discovery but stopped further testing to keep their research within ethical bounds.
Thousands of documents and project tickets exposed
Similarly, on another set of unrestricted subdomains, the researchers found more than 4,500 tickets used for tracking projects inside Fermilab. Many of these contained sensitive attachments and private communications.
Yet another server ran a web application that listed the full names of users registered under different functional groups, along with their email addresses, user IDs, and other group-specific information.
In a fourth batch, the researchers identified 5,795 documents and 53,685 file entries that were accessible without any authentication.
“I was surprised that a government entity, which has over half a billion dollars, can have so many security holes,” Willis, a Sakura Samurai researcher, told Ars in an interview. “I don’t believe they have even basic computer security behind this engagement, which is enough to keep you up at night. I would not want a malicious actor to steal important data, which costs the US hundreds of millions to generate, while still leaving the ability to manipulate material that could have a major impact.”
Serious flaws resolved quickly
The findings of Willis, Jackson, and Henry are also consistent with Fermilab's weak security posture. Even so, Fermilab was quick to respond to the researchers' first report and promptly fixed the issues.
“Fermilab managed the communication about the findings in a fast and good way. They did not doubt the truth of our weaknesses and immediately dug in and patched, which acknowledged the sense of struggle,” said Jackson. “The first thought we had was about the possibility of a national threat actor obtaining this data, especially since it is not surprising that Fermilab works on earth science research.”
“We knew we had to act fast and tell Fermilab. However, it is still crazy to see the ease with which sensitive data is collected, which includes credentials to scientific equipment and servers,” he added.
This discovery of serious security flaws, requiring no exploit to abuse, at a US government-funded national laboratory comes as many US federal agencies continue to be targets of cyberattacks.
Last week, Ars reported that threat actors have potentially hacked at least five US government agencies through Pulse Connect Secure VPN vulnerabilities. Separately, the FBI is investigating an attempted extortion by ransomware operators against the Metropolitan Police Department in Washington, DC.
Fermilab declined to comment.
The researchers' detailed findings are provided in their blog post.
Ax Sharma is a security researcher, engineer, and journalist who writes for leading publications. His expertise is in malware research, reverse engineering, and application security. He is an active member of the OWASP Foundation and the British Association of Journalists.