Security researchers at UpGuard discovered that a Washington-based ISP called Pocket iNet left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. “Said bucket, named ‘pinapp2,’ contained the ‘keys to the kingdom,’ according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists — as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees,” reports Motherboard. From the report: Upguard says the firm contacted Pocket iNet on October 11 of this year, the same day the exposed bucket was discovered, but the ISP took an additional week before the data was adequately secured. “Seven days passed before Pocket iNet finally secured the exposure,” noted the firm. “Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset.” According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP’s firewalls, core routers and switches, servers, and wireless access points. “Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business,” noted UpGuard. “If such documents must exist, they should be strongly encrypted and stored in a known secure location,” said the firm. “Unfortunately, a single folder of PocketiNet’s network operation historical data (non-customer) was publicly accessible to Amazon administrative users,” the ISP said in a statement to Motherboard. “It has since been secured.”
Read more of this story at Slashdot.